Updated March 18th, 2020

Risk. It’s at the core of just about every decision you make at your facility: how you interpret it; how you measure it; how you manage it; and most importantly, how you mitigate it. Effective risk management helps you prioritize how you spend time, money, and materials, and is inarguably one of the most crucial elements behind improving safety and preventing asset failure.

The problem is, risk is subjective. Your experience and environment greatly affect your interpretation of risk, and that interpretation becomes even more subjective within dangerous work environments like asset-intensive process facilities. What’s more, each department within your facility views risk differently. For example, an asset integrity engineer and a Health, Safety, and Environmental (HSE) manager will each have a different interpretation of risk based on the consequences that risk has on his or her department.

The solution to this problem lies in implementing a corporate risk matrix that analyzes the risks of each department, allowing them to be plotted on the same matrix in order to effectively assess risk across them all. The steps outlined below show an effective process for developing and implementing your facility’s corporate risk matrix. This process also drives better communication, improved safety, decreased downtime, and increased business performance.

1. Risk Matrix Data Collection

Data collection is a critical step in consolidating each department’s risk into one corporate risk matrix, because the information you collect now will become the foundation of your corporate matrix moving forward.

You should begin this process by researching whether each of your facility’s departments has a risk matrix or if one needs to be developed for them. Questions to ask managers responsible for managing their department’s risk include:

  • Does your department currently have a risk matrix?
  • Is your department’s risk matrix up-to-date?
  • How is your department using the risk matrix?

After answering these questions and collecting each department’s approved risk matrices, the next step is to combine them into a single corporate risk matrix as shown in Figure-1.

2. Define Consequence of Failure

A Consequence of Failure (COF) is the negative impact a failure could have on your facility. Defining consequences of failure for a corporate risk matrix is a challenging task because you must compare each department’s COF scale within their individual risk matrix and define a new measurement standard for the COF company-wide.

The best way to do this is to start by labeling four columns with the following titles:

  • Business Impact
  • Health and Safety
  • Environment
  • Community

Next, create eight rows which display the impact that consequences from a specific event would have on your facility. The generic levels of these rows are:

  1. Negligible consequence
  2. Notable consequence
  3. Reportable consequence
  4. Impactful consequence
  5. Major consequence
  6. Critical consequence
  7. Catastrophic consequence
  8. Globally catastrophic consequence

Place these eight generic levels of consequence on the table, starting with 8 at the top and working your way down to 1. Once the levels are added, specific descriptions should be added that clearly define events or impacts within each of the eight cells.

It is important to note that each box within the table must be measurable and communicated consistently throughout your facility, or the implementation of a risk matrix in later steps will not be successful. Each box should be clearly explicit so it isn’t left up to an individual’s interpretation (Figure-2).

3. Define Probability of Failure

After defining the COF, you must determine the Probability of Failure (POF), also known as failure frequency or failure rate. The POF is the likelihood that an asset will fail at a given time.

It’s important to note that the order of magnitude is the key to a successful risk matrix. An order of magnitude is an exponential change of plus or minus 1 in the value of a unit or quantity. The most common approach is using 1 out of 1, 10, 100, 1000, etc.  For example, 1 out of 10 could represent 1 failure every 10 years or 1 out of 10 pieces of equipment will fail each year.

The following diagram shows how POF can be used within the risk matrix graph. The descriptions can be highly customized based on your facility’s pain points (Figure-3).

4. Determine the Threshold Level of Each Risk

The threshold level of each risk determines at what point and in which way the appropriate team will respond to a specific risk. The following color codes define the different response levels based on five risk levels:

  • Grey: Negligible; it will not affect your facility
  • Green: Low risk; minimal response efforts
  • Yellow: Moderate risk; teams should take action to keep risks from increasing
  • Orange: High risk; teams should take action as soon as reasonably possible
  • Red: Extreme risk; teams need to take immediate action

The colors are then placed on the risk matrix to show how each level of risk should be classified. The risk threshold is then determined and denoted with a dark line (Figure-4). Where you place the risk threshold on the risk matrix will establish your facility’s risk management culture moving forward.

5. Implementation and Review

After setting up your facility’s risk matrix, the department heads should meet to review the risk matrix and determine if any items are missing, or need to be edited. When reviewing the matrix, discuss several examples of potential failures and their corresponding consequences to validate the matrix. Use failure examples that have occurred in the past or ones that are a result of modifications being made to your facility today.

6. Avoid Common Pitfalls

Mistakes can happen during the risk matrix process. However, these common pitfalls can be easily avoided prior to implementation if you pay close attention to these items when setting up and implementing your risk matrix:

  • Is your facility’s risk matrix qualitative or quantitative? The challenge with a qualitative risk matrix is it cannot be consistently measured.
  • Be careful if a dynamic risk model and static risk model use the same risk matrix. A user of the risk matrix will interpret the results differently depending upon the risk model.
  • Clearly define and document what a failure means to your facility. This ensures that team members are correctly interpreting different levels of failure.
  • Make sure each level on the COF table has a comparable response effort.
  • Make sure the corners of the risk matrix are clearly defined either above or below the risk threshold. This will determine the level and timing of your facility’s response to correct the problem.

Indisputably, reducing risk is critical for all process facilities, and with the help of a risk matrix, you can proactively take steps to mitigate any challenges or disruptions that could negatively impact your facility. Knowing when and where a risk could occur allows you to make well-informed decisions and ultimately ensures the safety and compliance of your facility.

Have questions about how you can implement a corporate risk matrix at your facility?
Speak with Lewis Makin for more information.

Email Lewis