Risk matrix example

Risk matrix: what can you do with it

A risk matrix is a simple but effective tool for mapping, evaluating and prioritising risks. Most management system standards (ISO 9001, ISO 27001, ISO 14001, ...) require risks to be identified and assessed; the risk matrix is the usual way to present the result. It is laid out as a table with Consequence (impact) on one axis and Probability on the other. Each cell shows the combination of the two scores and is usually colour-coded by risk level.

Measures are taken to reduce (mitigate) a risk, either by lowering the probability or by lowering the consequences. The two are independent levers, and a high risk often needs both to be brought within the acceptance criteria.
Example: there is a real risk of unwanted access to sensitive data in a server room. The probability can be lowered with a lock on the door, camera surveillance, and so on (the lock is what actually prevents access; the camera mainly deters and supports detection and follow-up). The consequences can be lowered by moving the sensitive data to a better-equipped data centre and using the server room only for less sensitive data.

Risk matrix applied

The risk management method below is widely used. Building it into software tooling makes it much easier to carry out, together with colleagues, within your own organisation.

  • Step 1

Take an inventory of all processes and assets within your own organisation. An overview from a management system or a CMDB (Configuration Management Database) is useful here.

  • Step 2

Map out the risks for each process. MAPGOOD, for example, is a widely used method: it walks through the resources a process depends on (Dutch: Mens, Apparatuur, Programmatuur, Gegevens, Organisatie, Omgeving, Diensten; people, equipment, software, data, organisation, environment, services) and asks what can go wrong with each. It is useful to analyse and assess risks together (in a risk carousel) with different disciplines, from different angles.

  • Step 3

In this step the risks are classified. Both the probability of occurrence and the impact if the risk occurs are estimated on a scale of 1 to 5.
The combination of the two scores places each risk in one of four risk classes, I to IV, shown in colour in the table below. This makes clear at a glance which risks are negligible, acceptable or unacceptably high.

[Risk matrix table: probability (1-5) against impact (1-5), cells coloured by risk class I-IV]

  • Step 4

The classified risks are compared with the acceptance criteria the organisation has set. If a risk exceeds the acceptance criteria, appropriate measures must be taken: avoid, reduce (mitigate), transfer or accept.

  • Step 5

The treatment of the risks with the chosen measures is laid down in a risk treatment plan. The plan is the overview used to follow up the measures to be implemented; later it also records how effective the measures have been.

  • Step 6

After treatment, the residual risk of every risk must be formally accepted by (senior) management.
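The following Python script is an added worked example of steps 3 to 6 and of the server-room example from the first section; it is not part of this page or of the vendor's tooling. The page does not specify which cells of the matrix map to which class, nor the acceptance criteria, so the 5x5 class layout, the criterion "classes I and II are acceptable", and the sample risk register are all assumptions made for the example.

```python
"""Worked 5x5 risk-matrix example: classify inherent risk, compare it with the
acceptance criteria, draft a treatment plan and flag residual risk that still
needs management sign-off.

Added illustration, not the page's own tooling. Everything the page does not
state is an ASSUMPTION: the cell-to-class layout, the acceptance criterion
(classes I and II acceptable) and the sample register below."""
from __future__ import annotations
from dataclasses import dataclass, field

# ASSUMED class layout. Rows: probability 1..5, columns: impact 1..5.
# Classes I..IV run from negligible to unacceptably high.
MATRIX = [
    # impact  1      2      3      4      5
    ["I",   "I",   "I",   "II",  "II"],   # probability 1
    ["I",   "I",   "II",  "II",  "III"],  # probability 2
    ["I",   "II",  "II",  "III", "III"],  # probability 3
    ["II",  "II",  "III", "III", "IV"],   # probability 4
    ["II",  "III", "III", "IV",  "IV"],   # probability 5
]
COLOUR = {"I": "green", "II": "yellow", "III": "orange", "IV": "red"}
ACCEPTABLE = {"I", "II"}          # ASSUMED acceptance criterion (step 4)
TREATMENTS = {"avoid", "reduce", "transfer", "accept"}


def classify(probability: int, impact: int) -> str:
    """Step 3: look up the risk class (I..IV) for a probability/impact pair, both 1..5."""
    for name, value in (("probability", probability), ("impact", impact)):
        if not (isinstance(value, int) and 1 <= value <= 5):
            raise ValueError(f"{name} must be an integer 1..5, got {value!r}")
    return MATRIX[probability - 1][impact - 1]


@dataclass
class Risk:
    asset: str
    scenario: str
    probability: int                 # inherent estimate, before treatment
    impact: int
    treatment: str = "accept"        # avoid | reduce | transfer | accept
    measures: list[str] = field(default_factory=list)
    residual_probability: int | None = None   # estimate after the measures
    residual_impact: int | None = None

    def inherent_class(self) -> str:
        return classify(self.probability, self.impact)

    def residual_class(self) -> str:
        # Untreated risks keep their inherent scores as residual scores.
        p = self.residual_probability if self.residual_probability is not None else self.probability
        i = self.residual_impact if self.residual_impact is not None else self.impact
        return classify(p, i)


def treatment_plan(register: list[Risk]) -> list[dict]:
    """Steps 4-6: compare every risk with the acceptance criterion and build the plan.
    'accepted' means the residual class is within the criterion (with or without
    treatment); anything else is escalated for explicit management sign-off."""
    plan = []
    for r in register:
        if r.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {r.treatment!r} for {r.asset}")
        inherent, residual = r.inherent_class(), r.residual_class()
        status = "accepted" if residual in ACCEPTABLE else "management sign-off required"
        plan.append({
            "asset": r.asset, "scenario": r.scenario,
            "inherent_class": inherent, "colour": COLOUR[inherent],
            "treatment": r.treatment, "measures": r.measures,
            "residual_class": residual, "status": status,
        })
    return plan


# Constructed sample register; the server-room entry follows the page's example.
REGISTER = [
    Risk("server room", "unwanted access to sensitive data", probability=4, impact=5,
         treatment="reduce",
         measures=["door lock and camera surveillance",
                   "move sensitive data to a better-equipped data centre",
                   "use the server room only for less sensitive data"],
         residual_probability=2, residual_impact=3),
    Risk("office printer", "outage of a shared printer", probability=3, impact=1),
    Risk("file server", "ransomware encrypts shared files", probability=4, impact=4,
         treatment="reduce", measures=["offline backups, restore tested quarterly"],
         residual_probability=3, residual_impact=4),
]

if __name__ == "__main__":
    for row in treatment_plan(REGISTER):
        print(f"{row['asset']:<15} class {row['inherent_class']:>3} ({row['colour']}) "
              f"-> residual {row['residual_class']:>3}: {row['status']}")
```

In the sample register the server-room risk starts in class IV (red); lowering the probability (lock, camera) and the impact (moving the sensitive data) together brings it to class II, so it can be accepted. The file-server risk stays in class III after treatment, which is exactly the case step 6 is about: the plan does not silently accept it but marks it for a management decision.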

Start your free trial now

We don't do glossy brochures. Get hands-on with the tool right away and experience the convenience, overview and productivity gain.
We support you online and share the experience and best practices of other users.

Start Now