The consequence/likelihood matrix (also referred to as a risk matrix or heat map) is a way to display risks according to their consequence and likelihood and to combine these characteristics to display a rating for the significance of risk.
A consequence/likelihood matrix is used to evaluate and communicate the relative magnitude of risks based on a consequence/likelihood pair that is typically associated with a focal event. (ISO 31010-2019).
Operative words include communicate, relative magnitude, and focal event.
ISO 31010 (Table A.3 – Applicability of techniques to the ISO 31000 process) provides 34 techniques that can be used to analyze risk.
A consequence/likelihood matrix is described as a qualitative/semi-quantitative/quantitative technique that requires low effort. The consequence/likelihood matrix is similar to a Bow Tie analysis, which is also described as a qualitative/semi-quantitative technique that requires a low effort to apply.
The consequence/likelihood matrix is one step above Brainstorming or the Delphi (expert opinion) Method, which are qualitative and only used to elicit views and identify risks (not analyze them).
A consequence/likelihood matrix needs to be developed to suit the context. This requires some data to be available in order to establish realistic scales. Draft matrices need to be tested to ensure that the actions suggested by the matrix match the organization's attitude to risk and that users correctly understand the application of the scales.
The use of the risk matrix needs people (ideally a team) with an understanding of the risks being rated and such data as is available to help in judgments of consequences and their likelihood.
According to ISO 31010-2019, the strengths of the consequence/likelihood matrix include the following.
It is relatively easy to use.
It provides a rapid ranking of risks into different significance levels.
It provides a clear visual display of the relevant significance of risk by consequence, likelihood, or level of risk.
It can be used to compare risks with different types of consequence.
According to ISO 31010-2019, the limitations of the consequence/likelihood matrix include the following.
It requires good expertise to design a valid matrix.
It can be difficult to define common scales that apply across a range of circumstances relevant to an organization.
It is difficult to define the scales unambiguously to enable users to weight consequence and likelihood consistently.
The validity of risk ratings depends on how well the scales were developed and calibrated.
It requires a single indicative value for consequence to be defined, whereas in many situations, a range of consequence values are possible and the ranking for the risk depends on which is chosen.
A properly calibrated matrix will involve very low likelihood levels for many individual risks which are difficult to conceptualize.
Its use is very subjective and different people often allocate very different ratings to the same risk. This leaves it open to manipulation.
Risks cannot be directly aggregated (e.g., one cannot define whether a particular number of low risks, or a low risk identified a particular number of times, is equivalent to a medium risk).
It is difficult to combine or compare the level of risk for different categories of consequences.
A valid ranking requires a consistent formulation of risks (which is difficult to achieve).
Each rating will depend on the way risk is described and the level of detail given.
All subjective assessments (influenced by personal feelings, tastes, or opinions) are a function of design, analysis, and administration. That is true whether it is used to evaluate psychology, learning ability, or a recent stay at the Holiday Inn.
The output is normally a two-dimensional graph with consequence plotted on one axis and likelihood on the other. This type of graph is the most simplistic form of a matrix. When risk management professionals apply color to the two-dimensional graph, they call it a “heat map," which is used more generically in other professions to describe maps, charts, tables, or other visuals clustered with colors.
Identifying the relative magnitude of risks can be accomplished in a table. The table is usually in the form of risk ranked high to low. Clustering is normally used since the risk ranking (if qualitative scales are used) is relative numbers, not absolute measures.
“Members of the Board, the staff has developed a risk-based prioritization for major assets associated with this production facility. The results were provided in your agenda package. In that list, you will see the prioritization clustered with the assets with the highest risks at the top of the list and the lower risks at the bottom of the page,
For this exercise, risk is described as the product of the consequences and likelihood of occurrence. The prioritization was performed following good practice and consistent with considerations provided in ISO 31010. This approach was chosen as an initial step to identify where additional resources may be needed first, to develop understanding among staff who will do the implementation, and as a communication tool. More advanced and time-consuming methods can be used if desired.
The prioritization was based on the combination of consequences and likelihood. The likelihood of occurrence is more unpredictable than the consequences. We recommend you give some additional emphasis on assets and associated projects with higher consequences, regardless of whether they fall outside the higher-ranked area. These have been indicated on your prioritized list.
I will now be glad to provide additional information or answer any questions. Thank you."
Core elements of this article were taken directly from ISO 31010-2019.