Review of the strengths and weaknesses of risk matrices

Risk assessment and risk matrices are powered tools used in risk management and help guide in the process of decision-making in organisations. Nevertheless, risk matrices have their own weaknesses and strengths. This paper provides a critical overview of the development and use of risk matrices in different field with an example of the risk matrix used by the National Health Service (NHS) in England. Risk matrices are helpful tools for risk assessment as they use quantitative measures to ensure consistent method of determining risk but organisations should adjust the design and size of risk matrices to suit their needs.


Introduction
All over the world, nations and organisations are attempting to reduce risks, to improve safety and to extend lives. Indeed risk reduction has become a principle goal of modern governments and almost in every organisation. It is obvious that people, including government officials, often lack risk-related information. They often know little about the nature and magnitude of the risks at issue, and they often know little about the various consequences of risk reduction (Sunstein, 2002). Since risk cannot be eliminated, the main problems people face, individually and collectively, are how much risk they should live with and how they should go about managing the risk. If a set of strategies have been chosen that will allow the abatement of a particular risk, the question of what level of risk should be chosen arises. If abating the risk costs nothing, the obvious answer is zero, get rid of the risk. But risk abatement almost always does cost money and time (Glickman and Gough, 1990). To answer these questions, analytical tools and risk ranking schemes must be used to distinguish lower risk activities / incidents from higher risk activities / incidents. One of the risk ranking methodologies is known as the risk assessment matrix. existence and as human bei own deaths dangerous sit The Internatio developed a distinguishes risk -for wh -and decidi management 2005).

Definition
There is no c risk -neit understanding common, how and possibilit The definitio (1992) is "the occurs during particular ch statistical risk probabilities" Fischhoff  quantitative instruments in which hazards are first identified and then allocated to a box on a twodimensional grid for which one axis measures the likelihood of a specific incident and the other the potential severity of consequences.
The issues identified by Cox are certainly not confined to the United States, and indeed usage of risk matrices has spread in the United Kingdom and Europe from industry to all manner of public and private agencies ranging from hospitals to small-and medium-sized enterprises, local and central government bodies, and professional institutions

Risk assessment matrix
A common method used for risk ranking utilises risk matrices; these are typically 4x4 or 5x5 matrices, having event consequences along one axis and event frequency along the other. Each block on the risk matrix represents some level of risk, and blocks presenting similar risk are often grouped together into one of four or five risk regions (Altenbach&Brereton, 1998) Risk matrix is defined as "a mechanism to characterise and rank process risks that are typically identified through one or more multifunctional reviews (e.g. process hazard analysis, audits, or incident investigation" (Markowski and Mannan, 2008), and is also defined by Cox (2008) as "a table that has several categories of "probability," "likelihood," or "frequency" for its rows (or columns) and several categories of "severity," "impact," or "consequences" for its columns (or rows, respectively)".
In most cases, the frequency axis of the matrix has numerical values associated with it, typically spanning several orders of magnitude. Often, the consequence axis is based on a qualitative scale, where consequences are judgment based. However, the consequence scale generally has implicit quantitative values associated with it, which may or may not be recognised. Risk regions are often arbitrarily assigned (or assigned on the basis of symmetry). This presents a problem in that if the blocks of the risk matrix are incorrectly grouped, then incorrect conclusions can be drawn about the relative risk presented by events at a facility (Woodruff, 2005).Three types of risk matrices are commonly used for risk ranking. A purely qualitative risk matrix will have its blocks defined in descriptive or qualitative terms. A purely quantitative risk matrix has its blocks defined in measurable or quantitative terms. Relative or absolute numerical scales are used on quantitative matrices, whereas scales on qualitative matrices are relative but not numerical. The third type of risk matrix is a hybrid: a semi-quantitative matrix with one scale (usually frequency) expressed quantitatively, while the other scale is expressed qualitatively (Emblemsvag and Kjølstad, 2006).iNTeg-Risk (2008) clearly states the importance of using scoring systems in risk assessment and management which generally requires the application of specific scores or scales. They highlight that in practical use, conventions such as using 5x5 risk matrices and/or a colour-code can be beneficial

4.1.1.Qualitative risk matrix
The qualitative risk matrix is basically task and or hazard analysis with some relative judgments made in order to categorise the hazards. When the 3x3 matrix is used, both the frequency and consequence of each accident scenario are then estimated on simple relative scales, such as low, medium and high. The risk for each scenarios is the product of the frequency rating and consequence rating, this indicates that the qualitative risk in this case falls into nine distinct regions or frequency x consequence pairs: Low x Low, Low x Medium, Low x High, Medium x Low, Medium x Medium, Medium x High, High x Low, High x Medium, High x High. Clearly Low x Low region has the lowest risk, while the High x High region has the highest risk. The intermediate regions are more difficult to interpret because some regions are directly comparable and others are not (Altenbach, 1995) In the Environmental Protection Agency in the USA (EPA) technical guidance for hazards analysis adapted by DOE-STD-3009-94, the risk levels from the 3 by 3 matrix are grouped into three categories: High (Major Concern), Medium (Concern) and Low (No Concern), as indicated in the Figure.1 below, and also Table 1 shows the risk groupings from the EPA. It is notable designing dir risk regions. a numerical highest. Som are denoted indicate that w with respect t risk of these may in fact b only relative connected by is risk grade 2 is grade 1, an And it is note have risk gra implied equ information c risk than Me Medium. very useful for distinguishing qualitatively between the most urgent and least urgent risks in many settings and are certainly much better than doing nothing, for example, than purely random decision making. Donoghue (2001) also supports the idea that, the risk assessment matrices are effective tools in making decisions in regard to the control of occupational health risks. He states that, the control measures can be applied in an iterative fashion until the risk has been reduced to an acceptable residual.
The imagery of risk matrices is powerful, which may, along with their alleged and apparent simplicity, explain their popularity among agencies that are responsible for mainly lesser hazards,1 and therefore are likely less qualified in risk, but who nonetheless feel the need to be seen to be proactive in managing risk. Inter alia, and as observed, though not sanctioned, in the new international guidance on risk assessment (ISO 31010), it is said that matrices are also widely used to determine if a risk posed by a given hazard is or is not acceptable. Ball and Watt (2013) also concur with Cox (2008) that one of the leading arguments in support of risk matrices, which is that they are simple to use and transparent, is false. As determined here, all positionings of hazards on the matrix are subject to innumerable considerations, some of which even the rater may not be wholly aware. Yet, and it is another serious matter, requisite explanations and justifications are seldom, if ever, attempted.
It is this latter issue, of the consistency of use of risk matrices as applied to what are normally seen as beyond-the-workplace hazards. A growing number of authors, highly experienced in risk assessment, have questioned or had cause to investigate alleged shortcomings of risk matrices, mainly on technical grounds. In addition, standards-setting institutions have warned of the potential for subjectivity and inconsistencyas have researchers in occupational safety (Ball and Watt, 2013).

Conclusion
Risk assessment and risk management techniques are being developed in many fields as an aid to safety investment decision making. Expanding responsibilities and limited resources compel policy makers to make difficult choices about the prioritisation of risk reduction measure and what safety standards to aim for. The need for mechanisms to help policy makers set priorities has been increasingly felt, and during the last few decades techniques of risk assessment and philosophies of optimisation have been developed. Risk matrices are very effective and widely used tool in making and improving risk management decisions, however the question of how ideally risk matrices should be constructed to improve risk management decisions is ongoing. It is not easy to answer, because risk matrices are typically used as only one component in informing eventual risk management decisions and also because their performance depends on the joint distribution of the two attributes probability and consequence.
A risk matrix can be a useful tool to present the results of simplified risk analysis, helping one to gain insight into the relative risk of various scenarios that might be encountered in a given system. When developed quantitatively with axes constructed to be relevant to the facility and operations being studied, risk evolutions can be defined logically. Logic based risk evaluations can facilitate management decisions such as the authorisation of operations. It can also help optimise resources by showing where to concentrate efforts for more detailed analysis or for risk reduction activities. Using 3x3, 4x4 or 5x5 matrix, will be useful to some organisations and might not be for others i.e. when 5x5 matrix is used, the matrix will have 25 blocks (risk grades), the more blocks for representation, the more likelihood of the risk matrix producing different levels which would produce more risk ranking grades. Therefore, organisations would be able to allocate the low, moderate, high and extreme risk groups to the appropriate levels of responsibilities within the organisations. The wider options for the probability and consequence scores on a risk matrix should give more scope to differentiate within the risk group the probability of a certain risk occurring and the consequence of the risk occurring within the low, moderate, high and extreme groups for the different levels of responsibility. whereas by having 3x3 matrix, there will be only 9 blocks for the risk grades, which in some cases might not be useful when making decisions or allocating resources. However, if the descriptions of the consequence and likelihood scores are difficult to classify then the scores cannot always be well interpreted. For example, Table 1 (appendix 1 NHS Risk Matrix), where it shows the consequence scores, by looking at the column where it says; Service Business Interruption; the difference between Major and Catastrophic scores; Catastrophic score leads the Business to a permanent loss of the business while Major score can only cause the business to be interrupted for one week. In such a case, the extreme description should be more than one week and permanent loss. Cox (2009) argues that risk priority scoring systems, although widely used (and even required in many current regulations and standards), ignore essential information about correlations among risks. This information typically consists of noting common elements across multiple targets (e.g., common vulnerabilities).These common features induce common, or strongly positively correlated, uncertainties about the effectiveness of different risk-reducing measures. It is easy to use this information, in conjunction with well-known decision analysis and optimization techniques, to develop more valuable risk reduction strategies, for any given risk management budget, than can be expressed by a priority list. Thus, there appears to be abundant opportunity to improve the productivity of current risk-reducing efforts in many important applications using already well-understood optimization methods.To sum up, risk matrices are a useful way of ranking risks, but organisations should adjust the design and size of risk matrices to suit their needs.