“Planning for risk” may sound like a contradiction of terms, but it’s something everyone does. People generally don’t face a lot of individual risk, so it’s easy to manage the risks we know about. We get health insurance to cover illnesses and life insurance to protect our families. However, it’s not something we tend to keep track of or categorize. Companies are different, however. They should track and categorize every threat because the threats a business faces are so numerous and come from so many angles.
Many organizations do this via a risk matrix. A risk matrix is a basic way of turning risk into data. Creating a risk matrix allows us to adjust our responses to risk based on the potential threat level—as well as the way it might impact other risks. Financial firms, for example, face many risks that directly contradict each other. If they invest, they stand a risk of financial loss due to a bad investment, but if they fail to invest, they stand a risk of financial loss from lost opportunities. Creating a risk matrix helps them balance those situations.
Measuring Risks in the Financial Service Sector
Risk assessment matrices are a standard part of risk assessment in any industry. They can be completed for a specific task or for a company as a whole. Primarily, they compare the probability of a risk to its impact and establish a priority level for its management. This allows all threats to be broken down into one of the following risk combinations:
- Low Probability/Low Risk – A low probability low/risk scenario involves very little risk that an event will happen and even if it does, it is one that can be easily managed. A specific financial industry example of this is that of a lower level employee, without access to client account information, who becomes the victim of a social engineer who is able to get them to provide their employee password. It’s low probability because it’s unlikely someone with minimal access will be targeted. It’s low risk because even if the event is successful, the company will not suffer serious losses and the problem can be easily recovered from.
- Low Probability/Medium Risk – This is a situation where again, the likelihood is improbable but the risk is slightly higher. Consider the scenario from above, but this time, the individual’s password gives access to sensitive but low-level client information, like email addresses.
- Low Probability/High Risk – This scenario represents one where the likelihood is improbable, but the risk is one which could disrupt business operations. Again, consider the scenario where the employee is tricked into giving out sensitive data. Only this time, the employee gave them administrator level access to the company’s computer network.
- High Probability/Low Risk – High probability means it’s very likely to happen, to the point where it’s pretty much expected. In a financial firm, an example of this would be a trader who purchases a minimal amount of bonds—then the Fed raises the interest rate only days later. This is a scenario that is likely to happen, but the company has benchmarks in place to prevent major losses.
- High Probability/Medium Risk – The risk is likely and could potentially disrupt company operations. In this case, change the above example from bonds to stocks. It’s much more likely that the stock market will be volatile and there will be losses. The probability is high and there will be higher losses.
- High Probability/High Risk – This is a situation where the threat should have been obvious and imminent. An example of this would be a financial firm putting every spare investment dollar into oil futures. There’s a high probability that this will not pan out and the risk to the company’s financial standing and reputation will not be recoverable.
These categories allow you to turn potential risk into data. This way, you can get a risk map of your company, so you can see where areas of weakness lie and prevent them before they make it to the high risk/high probability stage. The earlier you catch a threat, the easier it is to contain.
Turning Threats into Data
Categorizing threats is easier said than done. In this instance, we can use an example from a hypothetical stock trader who works for a financial firm, who has decided to focus solely on commodities. To simplify, the risk will be broken down into standard ERM categories which can be numerically graded on a scale of 1 to 10.
- Hazard – 1/1 – Hazard risk indicates the potential for outside uncontrollable risks. For example, a typhoon may cause the place where the commodity is primarily mined to be unusable. However, this would make futures of this commodity more valuable, balancing out the difference. In this case, there’s’ a low probability of this happening and also a low risk.
- Financial – 10/10 – There’s a high probability of loss in trading commodities and high risk in investing all the funds into the project. This is an area of high probability high risk that needs to be reviewed.
- Operational risk – 10/5 – Having a policy of only trading commodities represents a high probability of the company being fined due to poor company policy. This could damage the company’s reputation, leading to future financial losses as well.
Now, all those scores on the risk matrix are added up and averaged. The overall score for this scenario, with 1 being the least risk and 10 being the most, is 6. That would weigh in on the high side of risk, meaning that adjustments need to be made before the plan can be implemented.
This is a very simplistic approach to risk matrices, but still one which can be adjusted to fit most organizations. The process requires you to look at all sides of risk and establish acceptable baselines for each. It’s a way to prioritize risk reduction efforts while eliminating major threats.
Clearspeed offers this option through our Remote Risk Assessment program. With our technology, you can get a heatmap of human risk in your organization, so you can make better decisions. For more information, contact us.
Image Source | Flickr user Dako Huang