Risk Matrix

The construction of a risk matrix is a fundamental part of the procurement process and is key to quantifying risk.

The construction of the risk matrix usually comprises the following broad steps:

Figure 6: Risk Matrix Development

The first step is to compile a list of all the risks that may be relevant to the project. This will provide a means for monitoring the evaluation and allocation of risk throughout the procurement exercise and will eventually build up into the risk matrix.

The development of the risk register is an iterative process and must be revisited throughout the project.

The risk register must be as comprehensive as possible. For large projects, this process is likely to be a complex exercise as the number of separate risks and the scope of interrelationships involved may be substantial. Workshop sessions incorporating both public and private sector experience will help to achieve a comprehensive coverage of all risk areas.

Having identified all of the relevant risks to be included in the risk matrix, it is necessary to quantify and assess the timing of the possible consequences.

The best approach is to use empirical evidence whenever it is available, when it is not, commonsense approximations should be used.

Quantifying the impact of project risks can be made easier by banding the risks together into a smaller number of categories according to their impact. According to the HMT Orange Book Guidance on the Management of Risk, a categorisation of high / medium / low may be sufficient. Alternatively a more detailed analytical scale such as "insignificant / minor / moderate / major / catastrophic" may be preferable. The amount of time and resources that are devoted to quantifying risks should relate to their likely materiality.

Even when it appears that costing a risk is impossible at first, it should be listed in the matrix, to be revisited and refined when information becomes available. Risks should not be ignored.

When assessing the consequences of any risk, thinking should not be restricted to the direct effects. Consideration should be given to the wider knock-on effects, particularly when the event causes delay and is on the critical path. This requires care as there will be interaction between different risk events.

The ultimate objective is to be able to add up the consequences of all risk elements to obtain the net present value of the risk adjusted costs and benefits of the project. It is important to make a sensible assessment of when the consequence of each risk will arise as this will affect the NPV of that consequence.

Care must be taken to avoid double counting the same risk, e.g. incorrectly counting the cost of insurance products available to cover a particular risk (whether taken up or not) as well as counting the impact of the risk covered by such insurance.

A key practical issue is how to arrive at the relevant probabilities, in a manner that is reasonable, consistent and transparent. Out-turn costs from previous similar procurements (and comparisons with original estimates) is an ideal source of information, if available. Otherwise, predictions should be based on experience of past events together with any foreseeable changes or developments which would deliver improvement.

Estimating probabilities will inevitably require the use of assumptions - it is important to ensure that such assumptions are reasonable and fully documented, as they may be open to challenge later on in the procurement process.

The Treasury Orange Book Guidance on the Management of Risks also provides examples of the categorisation of the likelihood of risk realisation. A simple categorisation of high / medium / low may be sufficient, otherwise a more detailed scale such as "rare / unlikely / possible / likely / almost certain" may be more appropriate. There is no absolute standard for the scale of the risk matrix - the Authority should make a judgement about the level of analysis that it finds most practical for its circumstances. The probability of the risk occurring is multiplied by the quantification of the impact to give the expected value of the risk.

Table 1 below shows how probabilities can be used to derive the expected value for the cost of a risk.

Table 1: Likelihood of Risks and Expected Costs

The objective is to follow reasonable procedures at all times, to be as systematic as possible and to record the decision making process to facilitate subsequent audit.