Monday, 18 August 2025

The three lines of defence model

The three lines model is a risk management approach to help organizations identify and manage risks effectively by creating three distinct lines of defense.

Also known as the three lines of defense model, the three lines model was originally defined by the Institute of Internal Auditors. The IIA based the model on the idea that three lines of defense work together to provide structure around risk management and internal governance. The model clearly defines roles, including oversight by a governing body, senior management and independent assurance.


This model applies to all organizations and aims to serve the following purposes:

  • Adapt to meet organizational objectives.
  • Focus on risk management to meet and achieve objectives.
  • Understand the roles and responsibilities of all positions in the model and their relationship with one another.
  • Execute measures to align activities and objectives to the stakeholders' interests.
  • Foster structured collaboration and communication across various lines of defense.


Breaking down the three lines of defense (3LoD)

The three lines of defense model is widely acknowledged as the governance model for risk. It uses a comprehensive approach to manage risk, and its implementation varies among industries and with company size.

Business units, compliance, audit and other risk management employees are among the groups that make up the three lines of defense and each has a specific function. Here is a breakdown of the three lines:

First line of defense: Management

Management, department or process owners -- or anyone on the front lines -- are the first line of defense. Their primary responsibility is to control and take ownership of risks associated with daily activities. They also execute risk controls, develop internal policies, own processes, supervise employee policy execution and monitor risk factors with decisions and actions.

Second line of defense: Risk management and compliance

The second line of defense provides oversight and support to the first line. It includes risk management and compliance functions, such as a risk manager, compliance officer or information security officer.

The second line of defense is responsible for implementing the company's risk management program and monitoring the process and application of these policies. Managers involved with the second line also identify emerging risks within the daily operation of the business.

Third line of defense: Internal and external audits

The third line of defense includes both external and internal auditors. Their main responsibility is to ensure the effectiveness of the first and second lines of defense. This line of defense also reviews and evaluates the design and execution of the risk management program. Internal auditors typically report to the board, regulators and external auditors about the company's risk management design and operation.


Key roles in the three lines model

The three lines of defense model establishes a clear division of roles and responsibilities for accountability and transparency. The IIA lists four key roles in the model, along with the breakdown of responsibilities in each role. Organizations often differ in their distribution of responsibilities, but, according to the IIA, the following are high-level overviews of each area.

The governing body

This group accepts responsibility for managing the organization on behalf of the stakeholders. Its responsibilities include the following:

  • Establish the organization's vision, mission, values and strategic objectives.
  • Engage stakeholders to monitor their interests.
  • Maintain open communication about the goal accomplishments.
  • Foster a culture of inclusivity and accountability.
  • Establish the organization's risk appetite and supervise risk management including internal security controls.
  • Monitor ethical, statutory and legal requirements.
  • Create and manage an independent internal audit process.

First-line management roles

First-line management roles lead and direct all actions of the plan, including managing risks and applying resources to the risk goals of the organization. Responsibilities include the following:

  • Identify, own, manage and mitigate risks in daily operations.
  • Maintain communication with the governing body and report all risks, including planned, actual and expected outcomes, in relation to the company's objectives.
  • Create and manage appropriate frameworks and procedures for the management of operations and risk. This includes internal controls.
  • Ensure ethical, legal and regulatory compliance.

Second-line management roles

Second-line management offers support and expertise for monitoring risk management. Responsibilities include the following:

  • Create ongoing processes, systems and entities for improvement to the risk management process.
  • Monitor and support the first line in managing risks.
  • Achieve risk management goals, such as internal control, information security, sustainability and quality assurance.
  • Research and report the effectiveness of risk management, including internal control.

Third line of defense: Internal and external audit roles

Internal auditors have primary accountability for risk management to the governing body. Responsibilities include the following:

  • Notify the governing body of any issues with the independence and objectivity of the risk management program.
  • Provide management and the governing body with independent and unbiased assurance on the effectiveness of the risk management controls.
  • Take appropriate action to put protection in place when necessary.
  • Report findings and recommendations to the governing body.

External auditors provide additional assistance to protect the interests of the stakeholders and ensure regulatory compliance. Responsibilities include the following:

  • Review statutory and regulatory compliance and stay current on new rules and regulations affecting the organization.
  • Supplement internal sources with external expertise at the request of management and the governing body.

Relationships between the 3LoD roles

The relationships between the roles in the three lines of defense model are built on collaboration, oversight and independence. Each line plays a distinct part but interacts closely to ensure risk management and governance function effectively. The three lines interact with each other in the following ways:

First line interactions

  • Interaction with the second line. The first line collaborates with the second line by seeking guidance on risk management practices, risk management compliance requirements and control frameworks. It might also report on risk-related matters to ensure alignment with organizational objectives.
  • Interaction with the third line. While the first line operates independently, it provides information and access to the third line for independent assurance activities. This allows internal auditors to evaluate the effectiveness of risk management and control processes.

Second line interactions

  • Interaction with the first line. The second line offers expertise, tools and resources to assist the first line in managing risks. This line might conduct training sessions, provide guidance on risk assessments and support the execution of controls.
  • Interaction with the third line. The second line collaborates with the third line by sharing information on risk management activities and outcomes. This partnership enables internal audits to assess the effectiveness of the organization's risk management framework and make recommendations for improvement.

Third line interactions

  • Interaction with the first line. The third line reviews the first line's risk management and control activities through audits and assessments. It provides feedback and recommendations to enhance the effectiveness of these processes.
  • Interaction with the second line. The third line assesses the second line's oversight and support functions, ensuring that risk management and compliance activities are effective. It collaborates to identify areas for improvement and ensure alignment with organizational objectives.

Beyond the interactions between the lines, the governing body maintains communication with all three lines to monitor risk management activities, receive assurance reports and provide strategic direction. This oversight ensures that the organization operates within its defined risk appetite and achieves its objectives.

6 guiding principles of the three lines model

To optimize the effectiveness of the three lines model, organizations should adopt a principle-based approach. The IIA lists these six principles to guide an organization's three lines model for risk management:

  1. Governance. This gives accountability to the stakeholders and structures the organization's leadership and integrity. The organization can make risk-based decisions for the health of the organization and its stakeholders. Using recommendations from the internal audit function helps encourage the ongoing development of these risk management procedures.
  2. Governing body. This group ensures that the necessary procedures and frameworks are in place to safeguard the interests of the stakeholders. It also makes sure that moral, ethical and legal standards are upheld.
  3. Management and first- and second-line roles. The first-line roles ensure products or services are delivered safely to the customers. The second line helps manage the risk by offering expertise and monitoring and managing any regulatory issues or unethical behavior. The second line offers a broader responsibility, such as enterprise risk management, but the first line is responsible for managing the risk at a higher level.
  4. Third-line roles. Internal audit gives an objective assurance that risk management initiatives are effective. Internal auditors use independent systems and expertise to review risk management processes. The third line reports findings to management and the governing body to make any needed improvements.
  5. Third line independence. Internal audit is an independent body that provides credibility and authority to its findings. Internal audit isn't associated with management so it can provide findings that are free from bias to prevent any interference in organizational planning.
  6. Creating and protecting value. The main goal of all these roles working together is to prioritize the stakeholders' interests. They align activities through cooperation and communication. All risk-based decisions should be transparent and reliable with the alignment of these areas.

Benefits of the three lines model

The three lines model helps organizations proactively manage and address risks with enhanced governance and resilience. This model helps an organization establish a foundation for growth and success. Some of the key advantages of this model include the following:

  • Clear accountability. All roles and responsibilities are defined for each of the different lines of defense. The risk management duties are also allocated appropriately so there is clear ownership of risks at all levels of the organization. This helps minimize any gaps in risk oversight.
  • Objective analysis. The third line provides independent and objective assessments of the risk management processes' effectiveness. The external perspective gives stakeholders confidence that risks are managed adequately. This perspective also provides insights for continuous improvement.
  • Improved communication. The three lines model promotes structured communication and collaboration among the different lines of defense and the audit committee. It encourages sharing information, insights and best practices for a more effective risk management strategy across the overall organization.
  • Increased governance. The risk management and compliance functions in the second line help establish and enforce consistent risk management processes. This ensures the organization follows relevant regulations and industry standards and minimizes legal and reputational risks.
  • Efficient resource allocation. Distributing the risk management responsibilities across the three lines ensures that organizations allocate resources more efficiently. The operational staff can focus on day-to-day risk management and dedicated risk management and audit professionals can oversee the overall risk landscape.
  • Complete risk awareness. The model looks at the holistic view of risk and considers both strategic and operational risks. By looking at these risks from a comprehensive perspective, the organization can proactively manage any emerging risks and capitalize on opportunities. The model also encourages a culture of risk-aware decision-making.
  • Increased stakeholder confidence. Effective execution of the three lines of defense model increases the confidence of stakeholders, including investors, customers and employees. A transparent and well-structured risk management framework, validated by independent assessments, builds trust with investors, regulators, customers and other stakeholders.
  • Continuous improvement. The three lines model encourages continuous monitoring and improvement of risk management processes. By adapting to new risks and changing business environments, organizations enhance their resilience and maintain effective risk management strategies.

Challenges with the model's effectiveness

There are numerous benefits to the three lines model, but there are also some challenges and potential drawbacks. Organizations can address these challenges with careful planning, continuous communication and training.

Some of the three lines model effectiveness challenges include the following:

  • Skills and knowledge gaps. Operational staff in the first line of defense can lack the skills and expertise needed for comprehensive risk management. Organizations must provide training and support to ensure effective risk identification and mitigation.
  • Too much focus on compliance. A focus on meeting regulatory requirements instead of managing risks specific to the organization can lead to dysfunctional outcomes.
  • Change management. Introducing the three lines model requires change management efforts to get buy-in from employees at all levels of defense. Some employees might resist change and question the model's effectiveness.
  • Resource allocation. To get adequate resourcing, organizations need to distribute risk management responsibilities across different lines. This requires personnel, training and technology. Finding the right number of resources can be a challenge if companies do not have separate risk and audit departments.
  • Risk ownership. Creating clear risk ownership across different lines is challenging. Staff in the first line of defense might not fully embrace their role in risk management. This can lead to insufficient risk identification and mitigation.
  • Scalability. The three lines model can be challenging to execute in a large organization with a diverse risk landscape. Larger organizations' risks evolve constantly, so adapting the model to fit the organization's specific needs is a complex process.
  • Reporting. Organizations need to determine how to quantify and assess the effectiveness of each line's risk management efforts. These metrics should show the stakeholders the value of the risk management activities.
  • Role ambiguity. Organizations sometimes struggle to clearly distinguish responsibilities among the three lines, leading to inefficiencies in risk management. Overlapping duties between the second and third lines can also blur accountability.
  • Potential for bureaucracy. The three lines model has the potential to increase bureaucracy because of its layered structure, which can cause inefficiencies. To mitigate this, the second line must refrain from excessive involvement in day-to-day risk activities when the first line is performing effectively. This ensures the second line's contributions are truly value-adding and not redundant.

The future of the 3LoD model

The three lines of defense model is continuously evolving to remain relevant in a rapidly changing risk landscape. Some key trends shaping its future include the following:

  • Enhanced integration and collaboration. The traditional separation between the three lines is evolving into a more integrated and cooperative framework. Companies are moving toward dynamic risk management approaches that integrate cross-functional teams.
  • Greater agility and adaptability. Since modern risks, such as cyberattacks and climate change, are constantly shifting, the risk management framework is also becoming more agile. This evolution lets organizations quickly identify, assess and adapt to emerging challenges.
  • Integration with advanced technologies. The integration of advanced technologies such as artificial intelligence, automation and data analytics is transforming the 3LoD model. These technologies enable real-time risk monitoring, automation of assurance tasks and enhanced data-driven decision-making. By adopting these technologies, organizations can achieve more efficient and effective risk management processes.
  • Upskilling across all lines. With the increased complexity of risks and the adoption of new technologies, personnel in all three lines will require continuous upskilling in areas like data ethics, cyber-resilience and AI governance.
  • Emphasis on strategic risk management. Internal audit's role is evolving beyond mere assurance and is increasingly encompassing strategic advisory functions. This future-oriented approach will see internal audit providing value through proactive risk anticipation and strategic insights. This will require auditors to build stronger skills in data analytics, advanced risk assessment and effective stakeholder engagement.

Summary:

The three lines of defense model is a risk management framework that divides responsibilities for managing risk within an organization across three distinct groups. It aims to enhance clarity, accountability, and overall effectiveness in risk management by clarifying roles and responsibilities, providing independent assurance, and fostering collaboration.

Here's a breakdown of the three lines:

1. First Line of Defense:

Responsibility:
Operational management, who own and manage risks directly within their respective business units.

Activities:
Designing, implementing, and operating controls to mitigate risks in day-to-day operations.

2. Second Line of Defense:

Responsibility:
Risk management and compliance functions, which provide oversight and support to the first line.

Activities:
Developing risk management and compliance policies, frameworks, and procedures, and monitoring their implementation.

3. Third Line of Defense:

Responsibility:
Internal audit, which provides independent assurance on the effectiveness of the first and second lines.
 
Activities:
Conducting independent audits and assessments to evaluate the design and effectiveness of risk management and control activities.

Key Benefits:

Improved Risk Management:
Clearly defined roles and responsibilities lead to more effective risk identification, assessment, and mitigation. 

Enhanced Accountability:
Each line is accountable for its specific role in the risk management process, fostering a culture of ownership.

Independent Assurance:
The third line provides an objective assessment of the overall risk management framework, ensuring its effectiveness.

Increased Efficiency:
By clarifying roles, the model helps avoid duplication of effort and promotes collaboration between different functions.

In essence, the three lines of defense model provides a structured approach to risk management, ensuring that all levels of an organization are actively involved in identifying, assessing, and mitigating risks to achieve its objectives. 


Used sources:

https://tinyurl.com/5xhm6ave

https://tinyurl.com/2n2jxmra

https://tinyurl.com/55yhyhnr

https://tinyurl.com/2s4d3429

Friday, 6 June 2025

Identifying and Managing Corporate Risk

Every organization faces risks and wants to reduce them as much as possible. Unfortunately, it is cost-prohibitive to eliminate them completely. And honestly, I don’t think it is possible to get rid of them all. Risk is inherent in everything. What’s important is deciding how much risk you are willing to accept and the amount you are going to spend to reduce it.


Initial investments addressing risk typically yield significant gains, but as one tries to achieve zero risk, the costs are nearly infinite. Companies want to be somewhere in the middle of this curve.

Another way to look at this is to reverse the axes. As the risk goes toward zero, the cost rises higher and higher. Look at the amount of risk and how much money you have to reduce it. Either way, one starts with high risk, and the more money spent, the lower the risk goes, but it becomes very expensive. In Curtailing Bureaucratic Growth, I discuss this concept more and include three anecdotes to illustrate the extremes of driving risk to zero.

The Space Shuttle Challenger Accident

When I talk to people about the 1986 Challenger accident, they get upset because NASA knew of the risk of ice forming on the O-rings. How could they move forward knowing this risk existed? I view it the opposite way. If there is an accident, I think it’s a bigger condemnation of NASA if we didn’t know of the risk beforehand. I say “we” because I used to work there. I mean if we didn’t understand our systems well enough and a problem came up that we were unaware of, I think that would be very negative.

When we flew space shuttles, hundreds maybe thousands of risks existed that were non-zero for losing the system. The job was figuring out the probability that the risk would manifest itself. We can’t drive it to zero. It might be one in a million, but it must have some value. I say that when an accident happens, you hope it was one of the things you thought of before. Then, you go back and assess it. Was the likelihood of it happening really understood? Are there ways to reduce the probability more? What is the possibility that it will occur again? We must think about these things.

In an airliner, they usually talk about a risk of 10^-10 for any single incident, 10^-9 for a single major subsystem, and 10^-6 for any combination of systems that could be disastrous for an airliner. They don’t talk about making the risk zero. There is some probability that some bad things can happen, but they try to manage it in such a way that the situation is resilient under a combination of factors.

Communicating Risk to the Public

People have a difficult time talking about non-zero probability. Another example relates to the car industry. Car companies gather an enormous amount of information from accident scenes. And ultimately, it boils down to how much are they willing to spend to save a life. They cannot completely remove the risk, so companies have to run the numbers to find the appropriate tradeoffs. When court cases go to trial, it has been shown that it is hard for juries to understand the concept of limiting expenditures and accepting some risk. Their initial reaction is that car companies should be willing to spend near infinite dollars to save every life. Car companies are continually reassessing the risks, but as we know, accidents happen.

There is a famous court case called the Ford Pinto Case, where during discovery it appeared that Ford had computed the cost of fixing a fatal flaw at about $200,000 per life. Ford decided this cost was too much, sparking quite a bit of discussion and analysis.

Tools for Formally Managing Risks

How does one make these tradeoffs? The aerospace industry, when building airplanes, rockets, and missiles, developed a process for tracking and measuring risk, and each company calls it by a different name. I have yet to find a consistent term, but people refer to the tool as risk matrices, risk cubes, or risk heat maps. The goal is to try to understand all the risks, visualize them, and objectively manage them.

One axis represents the probability of the event happening, and the other is for the consequences if the event occurs. In this image, the hot spot – high probability and large consequences – is in the upper-right corner. Some people reverse the axes, but I prefer this version because I like the concept of visually driving the risk down.

The approach is to take every item that could be a possible issue and map it. The example above is for a flight vehicle on a drone project and only deals with one problem. By looking at the legends for the matrix, you see that E5 – likely to occur on a flight, resulting in injury – is a bad place to be. The response for this is a fast CAPA (corrective action / preventative action) request. Red and orange items require corrective action in order to drive them to yellow or green. Yellow and green items can always improve, so identify those, but they may not require attention. For every issue, companies must decide where on the graph they want it. How much risk are they willing to accept based on the data?

Some things might happen on a flight like a dropped communication signal for a few seconds. This is fairly likely to occur, so the design must assure that it is only a minor inconvenience. If something is expected to happen, one doesn’t want to be in a situation where a dropped communication link for a second means losing the vehicle. This requires a CAPA request.

Once a CAPA request is made, the item is investigated, which results in a description of the issue and an initial analysis that includes a possible timeline, cost estimate, and an engineering action change (EAC). In this example, the corrective action lowers both the probability and the consequences.

While heat maps can contain only one item, most companies choose to map multiple items to assess the various issues.

It’s easy to see how useful this tool is for evaluating risks. Some of the benefits are that it is easy to see the status of current risks, and it creates a culture of finding and reporting risks. Everyone is trying to populate these maps with everything they can find, so don’t shoot the messenger. It’s vital to your organization to have a handle on all the potential risks to make informed and objective decisions. Work as a team to allocate the budget to drive the risk down and to the left, toward green.

What typically happens with program management meetings is everyone comes together periodically, maybe once a week or month. They map all the items and come up with CAPAs and goals for where they think the issues can get to once completing the EACs. Then, they assess the available budget for risk reduction. It’s also common to compare what the chart looked like at the last meeting and to show arrows of the movement of the issues.
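The matrix workflow described above (cells such as E5, color bands, CAPA requests for red and orange items, an EAC that lowers probability and consequence, and arrows showing movement since the last meeting) as a small risk register, written as an added example for this post rather than the author's own tool. The letter/number scale, the band thresholds, the score formula and the drone-project items are assumptions for illustration.

```python
"""Risk heat map tracker (added example, not from the original post).

Cells are letter+digit like "E5": the letter is the probability row
(A = remote ... E = likely to occur on a flight) and the digit is the
consequence column (1 = nuisance ... 5 = injury). The band thresholds,
the score formula and the sample items are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

PROB_ROWS = "ABCDE"   # index + 1 gives the probability level 1..5
CONS_COLS = "12345"   # consequence level 1..5


def parse_cell(cell: str) -> tuple:
    """Validate a cell label and return (probability, consequence) as 1..5."""
    if len(cell) != 2 or cell[0] not in PROB_ROWS or cell[1] not in CONS_COLS:
        raise ValueError(f"bad cell label: {cell!r}")
    return PROB_ROWS.index(cell[0]) + 1, int(cell[1])


def band(cell: str) -> str:
    """Colour band for a cell. Assumed rule: score = probability * consequence;
    red >= 15, orange >= 10, yellow >= 5, green otherwise."""
    p, c = parse_cell(cell)
    score = p * c
    if score >= 15:
        return "red"
    if score >= 10:
        return "orange"
    if score >= 5:
        return "yellow"
    return "green"


def needs_capa(cell: str) -> bool:
    """Red and orange items require a CAPA request; yellow and green may
    still improve but do not demand attention."""
    return band(cell) in ("red", "orange")


@dataclass
class RiskItem:
    ident: str
    description: str
    cell: str                         # current position on the matrix
    goal: Optional[str] = None        # target cell once the EAC is completed
    history: list = field(default_factory=list)

    def apply_eac(self, new_cell: str) -> None:
        """Record the effect of an engineering action change on this item."""
        parse_cell(new_cell)          # reject malformed labels early
        self.history.append(self.cell)
        self.cell = new_cell


def movement(previous: dict, items: list) -> list:
    """One line per item describing how it moved since the last meeting,
    e.g. 'R1: D5 -> C1 (red -> green)'; unchanged and new items are flagged."""
    lines = []
    for item in items:
        old = previous.get(item.ident)
        if old is None:
            lines.append(f"{item.ident}: new at {item.cell} ({band(item.cell)})")
        elif old != item.cell:
            lines.append(f"{item.ident}: {old} -> {item.cell} "
                         f"({band(old)} -> {band(item.cell)})")
        else:
            lines.append(f"{item.ident}: unchanged at {item.cell} ({band(item.cell)})")
    return lines


def sample_register() -> list:
    """Constructed drone-project items (assumptions, not from the post)."""
    return [
        RiskItem("R1", "dropped comms link for a few seconds loses the vehicle", "D5"),
        RiskItem("R2", "battery connector loosens under vibration", "C3"),
        RiskItem("R3", "GPS glitch during hover", "B2"),
    ]


def run_review_cycle() -> tuple:
    """Simulate one meeting: snapshot the register, raise CAPAs for red/orange
    items, apply an EAC to the comms-link item, and report the movement."""
    items = sample_register()
    previous = {i.ident: i.cell for i in items}
    capa_raised = [i.ident for i in items if needs_capa(i.cell)]
    for item in items:
        if item.ident in capa_raised:
            item.goal = "C1"          # team's target after the EAC (assumed)
    # EAC: redundant link plus safe auto-hover on loss of signal; both the
    # probability and the consequence drop, as in the post's example.
    items[0].apply_eac("C1")
    return items, capa_raised, movement(previous, items)


if __name__ == "__main__":
    for line in run_review_cycle()[2]:
        print(line)
```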

While this may look analytical, it requires calibration. Some issues may report yellow, but they aren’t on track yet and are without a plan for recovery to green. Decisions must be made on how to allocate resources. 

Throughout the years, I find that when you include these risks in proposals, people have more confidence in you because you’re trying to identify gaps for success and what can be done to ‘buy down’ those risks. I’m a firm believer in showing it. Others disagree and want to hide it. To me, I think understanding what your risk factors are can build trust in the person you are working with.

Adding Time

This next example comes from a university risk auditing committee assessing and mapping the top 20 risk factors and ensuring each item had a reaction plan. The axes’ labels changed to likelihood and impact, but the model is still red, orange, yellow, and green, albeit a pale green. Notice that the circle sizes vary. The larger the diameter, the faster the issue will escalate into the risk.

Item 1 is almost certainly going to happen and the impact will be extreme, but it won’t occur quickly. Item 17 will rarely happen, but when it does, it will be fast and have severe consequences. This approach is another way to look at risk.

Startup Risks

This final example comes from Seeq, a software startup I’m leading. About six months into the program, we created a list of what we thought the potential risks were in the areas of technology, marketing, execution, fundraising, and partnerships. We wanted to assess our risks and obtain funding such that we could drive our exposure to the lower-left corner.

Agile Methodologies

At Seeq, we use an agile approach – a term that comes from the software industry – to address risk. We take small steps with many experiments along the way so that we can assess the situation as it unfolds. When something works, we invest more in it and stop funding the ones that don’t work out.

The Lean methodology, which is a subculture in agile, was developed by an industrial engineer at Toyota in the 1950s. It is a business model that focuses on continuous improvement and respect for people. Steve Blank is credited with launching the Lean Startup movement. His philosophy is that startups require different processes than larger organizations. He advises not investing heavily in startups until you’ve really reduced the risk and worked with customers to understand how to solve their problems.

Lean Canvas resulted from Lean Startup, and that is where you summarize on one page all the risks of a startup. As you talk to angels and early investors, try to put that money against the largest risks to reduce them.

Bottom Line

Managing risk is vital to running any business at every stage of the process. Using risk management tracking tools allows corporations to objectively capture and track the risks, driving them to green.


https://tinyurl.com/4ftsb4bm

Friday, 31 January 2025

Are we there yet? Evaluating NFP outputs, outtakes, outcomes & impact

Evaluation – Part 2

Evaluation is one of the central elements in the EDM (Evaluate, Direct, Monitor) Governance Model, but its role in governance (and management) is often obscured by the use of other terms, like ‘problem-solving’ or ‘decision-making’. The importance of evaluation in non-profit governance is highlighted in the extracts from AICD’s NFP Governance Principles illustrated below.


Part 1 (https://bit.ly/41GhRCr) in this 2-part series on Evaluation mainly focused on directors using evaluation measures to address their performance and conformance roles. The diverse nature of evaluative activities carried out across the organisation would acknowledge the wide scope of work implied by the following definition of ‘evaluation’. That broader scope is the theme explored in Part 2 of the series.

As well as seeking recognition of this wider scope of evaluation activities, the shift of emphasis in recent years towards the evaluation of outcomes and impacts also requires that we understand these terms, so that shared understandings inform board and management deliberations.

Integrated evaluation framework

There are many types of evaluation activity and numerous methods to choose from. Evaluation is used in virtually all aspects of organisational life, yet there are few organisations with (monitoring and) evaluation frameworks or policies to guide directors and staff in this key aspect of their work.

There are numerous ways one could approach the development of an integrated framework, and each has its merits and drawbacks. Looking through multiple lenses may help to overcome some of these drawbacks (think blind people each touching a different part of an elephant). Here are just some of the lenses that could be employed in thinking about evaluation in a non-profit entity.

Working with directors and managers in many organisations, the existence of ‘evaluation silos’ has been evident. It is often the case that people involved in internal audits see no connection between their work and that of their colleagues involved in program evaluation, risk management, performance management, tendering, or project management.

Much of the evaluation literature focuses on development projects or education, and relatively little is overtly identified as relevant to evaluation across the non-profit organisation. Some boards have adopted a monitoring and evaluation framework to bring structure and consistency to evaluations conducted by or for the board; however, these tend to focus on indicators attached to their strategy, along with selected dashboard elements (like solvency and membership trends).

Thinking of evaluation only in terms of directors using data from monitoring activities to determine whether and how well strategic and operational outcomes were achieved, and to guide future strategy, is a limited view of the role played by a spectrum of evaluation activities, some of which are described with different names.

Boards wishing to ensure that a coherent approach to evaluation is taken throughout their organisation may wish to consider the development of an integrated evaluation framework, which will help to ensure that the results of evaluative activities are presented to directors in a more coherent form. For such a framework to apply across the spectrum of evaluation activities undertaken, it would doubtless need to focus on a set of evaluation principles rather than any single approach. Here are two sample sets of such principles which may offer starting points for your organisation’s Monitoring and Evaluation Framework.

Critical thinking

In Bloom’s (original) Taxonomy of Educational Objectives, evaluation was at the top of the hierarchy of thinking skills – the pinnacle of critical thinking. Perhaps partly in recognition that evaluation did not necessarily solve problems or result in innovation, Bloom’s Revised Taxonomy (2001) added ‘creating’ to the top of the hierarchy.

The EDM (Evaluate, Direct, Monitor) Governance model already recognised that evaluation was not the last or highest step in governance thinking. Once the ‘What?’ and ‘So What?’ questions have been answered via monitoring and evaluation, the ‘Now What?’ question remains to be answered by the board setting directions for future action (creating). (See header image above.)

Evaluation for quality

A parallel can be seen in the operational uses of evaluation, where conclusions drawn about the value, standard, or status of a matter within a given ‘silo’ are only some aspects of quality assurance and precursors to quality improvement.

Given its significant role in shaping the insights which inform future plans and activities, the recent shift in evaluation practice to an outcomes focus is a welcome development.


Evaluation logic

Attempting to devise an organisational evaluation framework or model that accommodates this wider collection of evaluative activities could run the risk of oversimplifying various parts of the evaluative ecosystem. Failure to seek a coherent framework, however, could miss the opportunity to see relationships and patterns offering significant insights into organisational development opportunities and enhanced quality management. The logic framework suggested below packs a lot of detail into a single chart, but hopefully offers insights that will be helpful to your board and senior managers as they seek to improve the efficiency and effectiveness of your non-profit or for-purpose entity.

When we recognise our organisation as a system comprising interdependent sub-systems and relationships, we break down silos and challenge narrow views about how people, systems, processes, and technology interact to achieve our purpose/s or execute strategy.

Measuring success, progress, and impact

The evaluation methods, metrics, and milestones identified in your evaluation plan will benefit from looking beyond mere outputs, to identify lessons learned along the way (outtakes), outcomes achieved for stakeholders, and the longer-term impact of your strategy, service model, and campaign activities (where applicable). Identifying your evaluation criteria after the initiative or program has concluded runs the risk of hindsight bias clouding the picture. Using a logic framework like the one suggested above should help to avoid that risk.

https://www.aes.asn.au/talking-about-evaluation
https://www.councilofnonprofits.org/tools-resources/evaluation-and-measurement-of-outcomes

https://balancedscorecard.org/bsc-basics-overview/

https://www.criticalthinking.org/pages/index-of-articles/1021/


https://tinyurl.com/yresy54e

Thursday, 15 August 2024

Risk Assessment Matrix

 


Summary

A risk matrix analyzes project risks based on likelihood and severity. Once you map your risks, you can calculate overall impact and prioritize risks accordingly. In this piece, you’ll learn how to create a risk matrix template and how to use the information from this analysis tool to develop a comprehensive risk management plan.

Risks are a part of any project, and there’s no surefire way to know which ones will occur and when. Sometimes, you'll get through an entire project without experiencing a single hiccup. Other times, you’ll feel like all the odds are against you. Without the help of a crystal ball, the only way to prevent project risks is to proactively prepare for them. 

A risk matrix helps you analyze risk by rating each event as high, medium, or low impact using a score from one through 25. Once you assess the severity and likelihood of each risk, you’ll prioritize your risks and prepare for them accordingly. In this article, we’ll explain how to create a risk matrix template and offer helpful tools for turning your results into action.

What is a risk matrix in project management?

A risk matrix is a risk analysis tool to assess risk likelihood and severity during the project planning process. Once you assess the likelihood and severity of each risk, you can chart them along the matrix to calculate risk impact ratings. These ratings will help your team prioritize project risks and effectively manage them. 

Types of risks

As part of the process, you’ll need to brainstorm a list of risks to chart in your risk matrix. The risks you may face will likely fall into these categories:

  • Strategic risk: Strategic risks involve performance or decision errors, such as choosing the wrong vendor or software for a project.

  • Operational risk: Operational risks are process errors or procedural mistakes, like poor planning or a lack of communication among teams.

  • Financial risk: Financial risk can involve various events that cause a loss of company profit, including market changes, lawsuits, or competitors.

  • Technical risk: Technical risk may include anything related to company technology, such as a security breach, power outage, loss of internet, or damage to property.

  • External risk: External risks are out of your control, like floods, fires, natural disasters, or pandemics. 

There are other risk categories to consider depending on your work industry. For example, if you have government clients, then you also want to brainstorm legal risks. If your company sells a physical product, you may have to think about manufacturing risks.

How to create a risk matrix template

When creating your risk matrix template, you’ll first identify your scale of severity, which you’ll place in the columns of your matrix. The scale of severity measures how severe the consequences will be for each risk. In a five-by-five matrix, there are five levels in your scale of severity.

  • Negligible (1): The risk will have little consequences if it occurs.

  • Minor (2): The consequences of the risk will be easy to manage.

  • Moderate (3): The consequences of the risk will take time to mitigate.

  • Major (4): The consequences of this risk will be significant and may cause long-term damage.

  • Catastrophic (5): The consequences of this risk will be detrimental and may be hard to recover from.

You’ll then identify your scale of likelihood, which you’ll place in the rows of your risk matrix template. The scale of likelihood identifies the probability of each risk occurring.  

  • Very likely (5): You can be pretty sure this risk will occur at some point in time.

  • Probable (4): There’s a good chance this risk will occur.

  • Possible (3): This risk could happen, but it might not. This risk has split odds.

  • Not likely (2): There’s a good chance this risk won’t occur.

  • Very unlikely (1): It’s a long shot that this risk will occur.

When you place a risk in your matrix based on its likelihood and severity, you’ll find the level of risk impact. The risk impact is both color-coded from green to red and rated on a one through 25 scale. 

  • Low (1-6): Low-risk events likely won’t happen, and if they do, they won’t cause significant consequences for your project or company. You can label these as low priority in your risk management plan.

  • Medium (7-12): Medium-risk events are a nuisance and can cause project hiccups, but if you take action during project planning to prevent and mitigate these risks, you’ll set yourself up for project success. You shouldn’t ignore these risks, but they also don’t need to be a top priority.

  • High (13-25): High-risk events can derail your project if you don’t keep them top of mind during project planning. Because these risks are likely to happen and have serious consequences, these are most important in your risk management plan.


 You don’t have to stick to the labels above for your risk matrix template if they don’t feel right for your company or project. You can customize the size and terminology of your matrix to your needs.

How to use a risk matrix

Once you’ve created a risk matrix, you can use it as a comprehensive analysis tool. The best part about a risk matrix template is that you don’t need to change it for every project. Once you have one, you can reuse it and share it with others. 


1. Identify project risks

You’ll need a list of potential risks to make use of your risk matrix. In this step, you’ll determine what risks may affect the specific project you’re working on. 

To come up with relevant risks for your project, you’ll need to understand your project scope and objectives. This includes the project’s:

Using your project scope as a guide, think of risky situations that might affect your project. If you’re not sure where to start, try brainstorming techniques like mind mapping or starbursting to list as many risks as you can under each risk type. 

2. Determine severity of risks

When you created your risk matrix, you defined the criteria for your risk severity and likelihood. Now that you have a list of project risks, categorize them using the matrix criteria. Start with the scale of severity and go through each risk you’ve listed. Consider the following questions:

  • What is the most negative outcome that could come from this risk?

  • What are the worst damages that could occur from this risk?

  • How hard will it be to recover from this risk?

  • Which of the five severity levels most closely matches this risk?

You may not always have the perspective you need to know how severe the consequences of a risk are. In that case, work with other project stakeholders to determine the potential risk impact.

3. Identify likelihood of risks

Once you’ve defined the severity of each risk, you’ve completed half of the risk analysis equation. Next, identify the likelihood of each risk. To do this, consider the following questions:

  • Has this risk occurred before and, if so, how often?

  • Are there risks similar to this one that have occurred?

  • Can this risk occur, and if so, how likely is it to occur?

Team collaboration is also crucial in this step because you may not have a good idea of similar risks that have occurred in past projects. Make sure to reference past projects and analyze the probability of each risk with your team in order to create a more accurate mitigation plan.

4. Calculate risk impact

The last part of your risk analysis equation is to calculate risk impact. The equation you’ll use is:

Likelihood x severity = risk impact 

Place each risk in your matrix based on its likelihood and severity, then multiply the numbers in the row and column where it lands to find the level of risk impact. For example, if you think the risk of a data breach is of major severity (4) and probable likelihood (4), you’d multiply four by four to get a risk impact of 16. This is considered a high-risk impact. 

5. Prioritize risks and take action

You should now have a risk impact level on a scale of 1–25 for each risk you’ve identified. With these number values, it’s easier to determine which risks are of top priority. When you have risks with the same risk impact score, it will be up to you and your team to determine which risk to prioritize. Risks with equal risk impact may require equal attention as you create your action plan. Keep in mind that multiplication also flattens very different risks onto the same score: a catastrophic but very unlikely event (5 × 1) scores the same as a negligible but near-certain one (1 × 5), so review the high-severity column on its own rather than relying on the product alone.

Your risk response plan should include steps to prevent risk and ways to mitigate risk if unfortunate events occur. Because so much goes into project planning, the best strategy when tackling risks may be to divide and conquer.
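The five steps above, worked through as an added Python example (this is not code from the original article). The scales and the Low/Medium/High bands are the ones defined in the article; the tie-break rule (higher severity first on equal scores), the "severity watch" flag for high-severity risks whose product lands outside the high band, and the sample risk register are assumptions made for this example.

```python
"""Score a risk register on a 5x5 likelihood x severity matrix (added example)."""
from dataclasses import dataclass
from typing import Iterable

# Scales from the article: five severity and five likelihood levels, 1..5.
SEVERITY = {
    "negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5,
}
LIKELIHOOD = {
    "very unlikely": 1, "not likely": 2, "possible": 3, "probable": 4, "very likely": 5,
}


def impact_band(score: int) -> str:
    """Impact bands from the article: Low 1-6, Medium 7-12, High 13-25."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} outside 1..25")
    if score <= 6:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


@dataclass(frozen=True)
class Risk:
    name: str
    category: str    # strategic, operational, financial, technical, external
    severity: str    # key of SEVERITY
    likelihood: str  # key of LIKELIHOOD

    def score(self) -> int:
        # Likelihood x severity = risk impact
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]


def prioritize(risks: Iterable[Risk], severity_watch_level: int = 4) -> list:
    """Return the register ordered for the risk management plan.

    Ties on the product are broken by severity, then by name, so the order is
    repeatable (assumption: a rarer but worse event is treated first).
    Risks at or above `severity_watch_level` whose product is not 'high' are
    flagged, because the product hides the difference between a
    catastrophic-but-rare event and a trivial-but-certain one (assumption).
    """
    rows = []
    for r in risks:
        s = r.score()
        band = impact_band(s)
        sev = SEVERITY[r.severity]
        rows.append({
            "name": r.name, "category": r.category, "score": s, "band": band,
            "severity_level": sev,
            "severity_watch": sev >= severity_watch_level and band != "high",
        })
    rows.sort(key=lambda row: (-row["score"], -row["severity_level"], row["name"]))
    return rows


def render_matrix() -> str:
    """Text version of the 5x5 grid: rows = likelihood (5 on top), columns = severity."""
    lines = ["L\\S  " + "".join(f"{s:>4}" for s in range(1, 6))]
    for lk in range(5, 0, -1):
        cells = "".join(f"{impact_band(lk * s)[0].upper():>4}" for s in range(1, 6))
        lines.append(f"{lk:<5}" + cells)
    return "\n".join(lines)


# Constructed sample register (not from the article), one risk per category.
SAMPLE_RISKS = [
    Risk("customer data breach", "technical", "major", "probable"),
    Risk("no cross-team communication plan", "operational", "moderate", "very likely"),
    Risk("data centre power outage", "technical", "moderate", "possible"),
    Risk("flood at the main office", "external", "catastrophic", "very unlikely"),
    Risk("wrong vendor chosen", "strategic", "minor", "not likely"),
]

if __name__ == "__main__":
    print(render_matrix())
    for row in prioritize(SAMPLE_RISKS):
        flag = "  <- high severity, review beyond the score" if row["severity_watch"] else ""
        print(f"{row['score']:>2} {row['band']:<6} {row['name']}{flag}")
```

Running it reproduces the article's data breach example (major 4 × probable 4 = 16, high) at the top of the list, and shows why the flag matters: the flood scores only 5 (low) yet is the one event the organisation could not recover from, so it should still get a contingency plan.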

Risk assessment matrix template

The size of your risk matrix template determines how closely you can analyze your project risks. A larger risk matrix template offers more room on the risk impact spectrum, while a smaller risk matrix template keeps your risk impact rating simpler and less subjective. 

Each square in your matrix represents a risk level of likelihood and severity, so you shouldn’t make your risk matrix smaller than three squares in length and width.

A five-by-five risk matrix is ideal so you can further analyze each risk. Once you chart your risks along your finished risk matrix template, this matrix creates a larger color spectrum to see the impact of each risk as high, medium, or low. 

The example below shows a five by five risk matrix template.



Pair your risk matrix template with a work management tool

You can use the same risk matrix template when measuring risk across multiple projects. However, it’s important to remember that the risks you face will evolve. The environment changes, technology becomes smarter, and the workplace grows. Every project faces unique risks, and you must reevaluate these risks year after year.

https://tinyurl.com/2s3vy782


How To Use a Risk Assessment Matrix (With Example)



Risk management tools, such as a risk assessment matrix, can help identify the risks associated with a project and how to address them. In this article, we explain what a risk assessment matrix is, explain the benefits of using one and show you how to use one to evaluate potential risks to your project.

What is a risk assessment matrix?

Many companies use a risk management tool, such as a risk assessment matrix, in the risk evaluation process to determine the right steps in business decisions. A risk assessment matrix can come in the form of a chart, where you plot the severity of possible risk on one axis and the probability of this event occurring on another. You could also format your matrix as a table by listing your potential risks in rows and entering the probability and severity information as columns. By providing a visual representation of complex data, you can use a risk assessment matrix to facilitate and simplify the risk evaluation process and help you make more informed decisions related to your business.

The benefits of using a risk matrix

There are several benefits to creating and using a risk matrix to evaluate projects, including that they help:
  • Identify areas to reduce risk quickly and easily
  • Explain specific risks in a clear way
  • Prioritize and group project event outcomes
  • Outline a foundational resource for subsequent detailed analysis


How to use a risk assessment matrix

To use a risk assessment matrix during the risk evaluation process effectively, take the following steps:


1. Identify all potential risks

The first step in the risk assessment process is to identify potential risks. Listing every candidate risk before evaluating any of them keeps the structure manageable. Once you have the full list, the next step is to order the risks from most impactful to least impactful.

2. Sort risks according to probability and impact

Now you are ready to sort risks according to their probability and impact.

Probability

This describes the likelihood of a risk occurring. You can use different approaches to sort risk probability. Some companies, for instance, assign potential risks a probability percentage that ranges from 0%—that is, no possibility of the risk occurring—to 100%, in which case the risk is certain. Or, you can sort risks according to categories, such as:
  • Unlikely: Put potential risks in this category if they are highly unlikely to materialize.
  • Seldom: This category is for uncommon risks that have a small chance of materializing.
  • Occasional: Sort risks in this category that have a roughly 50-50 chance of taking place.
  • Likely: If a risk is likely to occur, you should place it in this category.
  • Definite: This is for risks that are going to occur. When coupled with high impact, you should regard this kind of risk as a priority, and address it right away.

Impact

This aspect of risk points to how severe the impact will be if a potential risk actually manifests. The impact of a specific risk materializing could influence various aspects of the project, and potentially, the company as a whole. In project management, companies often evaluate risk impact according to the negative effect it may have on three important aspects:
  • Schedule: Will it negatively affect time frames for delivery?
  • Cost: Will you have to adjust the budget?
  • Technical performance: If the risk occurs, how will it affect performance?
As is the case with evaluating the probability of a risk, you could sort the severity of risk impact in the following ways:
  • Insignificant: Place risks that will have little to no negative impact on a project in this category.
  • Minor: Place risks that may have a slight negative impact on a project but will not likely cause any major disruptions in this category.
  • Moderate: This category is for risks that pose a moderate threat to operations.
  • Critical: Place risks that pose a significant threat to the successful execution of the project in this category.
  • Catastrophic: This category is for risks that will in all likelihood jeopardize the whole project and significantly impact daily operations should they occur. These risks are high-priority.


3. Decide on risk ranking

Next, plot the risks according to their probability and impact on the risk assessment matrix. After you plot the information, you will have a clear visual representation of what priorities the potential risks should have. For instance, risks that are very likely to occur and will have an extremely negative impact on operations will appear as the highest-priority risks on the matrix. On the other hand, those that are both unlikely to occur and pose no significant threats should they occur will fall under low-priority risks.


4. Decide on preventative measures

Draw up contingency plans to deal with worst-case scenarios. This last step in the risk assessment process helps you determine how you should deal with middle- and high-ranked risks.

Example of a risk assessment matrix

Here is an example of a risk impact/probability chart that consists of varying degrees of risk probability and risk impact:

The four corners of a risk impact/probability matrix show the extremes, which typically offer the most actionable insight:
  • Low probability/ low impact: Risks in this corner of the chart are both low probability and low impact. They need no active treatment, only a periodic check that their probability or impact has not changed.
  • High probability/ low impact: This kind of risk poses a moderate threat to operations. Although you should try to minimize the possibility of such events occurring, you can manage these risks if and when they take place.
  • Low probability/ high impact: This type of event will have a high impact on operations, but the probability of it materializing is low. In order to avoid such risks occurring, you should take all possible preventative steps. You should also put contingency plans in place to minimize the severity of the impact should the risk manifest.
  • High probability/ high impact: The risks in this category are the highest-priority risks because they have a high probability of occurring and would also have a severely negative effect on operations. This means that you should give these risks the most attention and should take them into consideration in the daily decision-making process.

While medium-priority risks could seriously impact the profitability and overall successful implementation of a project, the occurrence of high-priority risks may not only signal the end of a project, but could also have a serious impact on the organization as a whole.

https://tinyurl.com/5cafcst9


Evaluation of Risks in Complex Problems
https://tinyurl.com/5n93x83k