Benefits of inclusive risk matrices
Consider how widely risk matrices are being used in different organizational settings. Why is it that risk matrices continue to be the method-of-choice for many risk managers?
In another article I discuss the criticism of risk matrices and the counterarguments, so let me focus here on why inclusive risk matrices are, in fact, an effective tool for communication and decision-making in varying organizational and project contexts. With an appropriate application, they can do a much better job than other methods and help overcome common issues related to risk management culture and leadership.
Collaborative risk analysis does not only side-step shortcomings of the traditional risk matrices found in the forgotten spreadsheets, but, in fact, can correct several of the involved biases. An inclusive approach to risk management utilizes efficiently experts as instruments (see for instance Hubbard 2020, pp. 64-67, 281, 313,), as it reduces individual subjective biases and increases the reliability of risk analysis. It also helps to bridge the gap between the decision-maker and the risk manager, which is rarely achieved with static spreadsheets.
So let’s look at what risk matrices are good at
Inclusive risk matrices can effectively synthesize past experiences and expert judgments.
Learning from mistakes and continuous improvement are core principles in the ISO 31000 risk management guidelines. Inclus started as a Lessons Learned system and its collaborative assessment engine provides a smooth and timely process for collecting expert views on emerging risks and their priority. Past experiences, of course, are incomplete source of data, but are often the best starting point, especially when a sufficient pool of experts with various backgrounds can contribute.Dynamic risk matrices leverage experts as instruments combining various quantitative and qualitative information.
Experts have their own sources and standards. A smart risk manager respects that know-how. Experts do not only provide their best estimates, but also future projections and argumentation together with their suggestions for the courses of action.Dynamic risk matrices using aggregated estimates of the community of experts, do not rely on “subjective guesswork”. On the contrary, they can correct several individual biases such as overconfidence or the lack of expertise.
Gathering more expert input, will ultimately increase the reliability of the risk analysis and decrease the role of individual shortcomings. This is not true because the majority would always be right (as they are not), or because we could trust averages (as we cannot). Rather, it is because a collaborative dialogue ensures that there’s a sufficient exchange of views that will lead to the best possible combination of information for decision-making.
It’s essential to understand that this point extends beyond the argument against averages. Risks that are ranked higher based on average can only highlight the most common concerns among the personnel (and also reduce individual inconsistencies), but looking at the spread of answers, as well as each business units’ or expert groups top concerns, will often reveal crucial and very detailed risk information across the project or organization.
Aggregated estimates by the group of experts combine quantitative and qualitative information, experts’ future projections, and value statements concerning the direction of the company. Dynamic risk matrices enable unique argumentation and a dialogue process that can be utilized across all industries.Interactive risk matrices can be an effective tool for communicating and building common understanding across functions, country units, and project organizations about the organization’s success factors and risks.
Often, we expect to know what our colleagues think, value, or plan to avoid in their work, only to find out later that we didn’t. Effective communication requires resources and attention, something that is easily forgotten when stakeholders are many.
Despite the criticism of Probability & Impact matrices (to which Inclus is not limited) –understanding what can happen, how likely it can happen, what it will mean for us, and how to deal with it, can remain relatively simple and provide well-applicable input to support decision making in several instances.
However, there is no need to assimilate risk matrices with any specific set of questions. One might use any other questions depending on the context. It’s still all about finding the staff’s top concerns and prioritizing them to act upon them. While resilience and continuity -driven colleagues can analyze organizations’ preparedness, interdependencies, or quantify potential losses, risk-driven internal auditors might want to analyze the quality of set controls.A collaborative risk analysis process will tackle risks that are derived from the organization itself.
Poor communication, division of labor, ways of working, cultural habits, and the organizational structures can challenge the success of any team. A collaborative sense-making process about the key success factors, risks, and the organization’s direction, can greatly improve collaboration, commitment, and increase the odds of succeeding.Inclusive risk matrices are an effective medium for collaborative decision-making.
Creating positive side-effects to participants, such as a sense of belonging, in the process. As an active participant in the process, I am being acknowledged for my position and expertise, I can contribute to the shared goals transparently by sharing my knowledge. This creates a sense of belonging and meaning while increasing commitment to set objectives. Ultimately, it’s up for the team to decide what type of approach they want to use in decision-making. Inclusive analysis tools can support other approaches using risk matrices, such as multi-criteria decision making.
Author
Valtteri Frantsi
Partner & Head of Customer Success
valtteri.frantsi@inclus.com
Inclus Ltd
References
Hubbards, Douglas W., 2020, The Failure of Risk Management, Wiley, New Jersey
Deloitte, “Enterprise risk management in Finland”, 2022