Frameworks: the nuts and bolts

Tools (1) – Spreadsheets

Spreadsheets are the most common tool for basic risk assessments, and a useful one. Excel and similar spreadsheet programs are widely accessible, making these assessments easy to complete and share. If a spreadsheet is set up correctly, it will provide a quick and easy way to manage, assess and grade risks for a simple situation.

If we use one of the basic risk methodologies we discussed above

risk = threat x vulnerability x impact

we end up with something like this.

Again, more complicated formulas can be tackled in a spreadsheet. The more complicated the formula, the more care needs to be taken to ensure that all of the links and formatting are set up correctly.

One additional tip is to lock down as much of the spreadsheet as possible. Set criteria so that only the permissible values (e.g. 1 – 3) can be entered, and lock cells so that only the description and value can be added. Otherwise, you will find that people accidentally change the formulas and formatting, which is a disaster.
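The same lock-down idea expressed in code, as an added example that is not from the book: inputs are checked against the permissible 1 – 3 range, the risk = threat x vulnerability x impact score is derived rather than typed in, and bad rows are rejected with a reason. The grade bands, function names and sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PERMITTED = range(1, 4)  # permissible values 1-3, as in the example above
# Assumed grade bands for the 1-27 score range; the page gives no thresholds.
BANDS = [(18, "high"), (8, "medium"), (1, "low")]

@dataclass(frozen=True)  # frozen: a validated row cannot be edited afterwards
class Risk:
    description: str
    threat: int
    vulnerability: int
    impact: int

    def __post_init__(self):
        for name in ("threat", "vulnerability", "impact"):
            value = getattr(self, name)
            # bool is a subclass of int, so it is refused explicitly
            if isinstance(value, bool) or not isinstance(value, int) or value not in PERMITTED:
                raise ValueError(f"{name} must be a whole number 1-3, got {value!r}")

    @property
    def score(self):
        # The "locked formula": always computed, never entered by hand.
        return self.threat * self.vulnerability * self.impact

    @property
    def grade(self):
        return next(label for floor, label in BANDS if self.score >= floor)

def load_register(rows):
    """Split raw rows into accepted risks and (row_number, reason) rejections."""
    accepted, rejected = [], []
    for number, row in enumerate(rows, start=1):
        try:
            accepted.append(Risk(*row))
        except (TypeError, ValueError) as exc:
            rejected.append((number, str(exc)))
    return accepted, rejected

# Constructed sample rows, including entries a locked sheet should refuse.
SAMPLE_ROWS = [
    ("Infrastructure failure", 2, 3, 3),
    ("Safety incident", 3, 2, 2),
    ("Petty theft", 1, 2, 1),
    ("Flooding", 2, 5, 3),   # value outside 1-3
    ("Fraud", 2, "3", 2),    # text typed into a number cell
    ("Protest", 2, 2),       # missing value
]

if __name__ == "__main__":
    print(*load_register(SAMPLE_ROWS), sep="\n")
```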

Tools (2) – The Boston Square

The Boston Square is another popular tool for risk assessments and can be used as a stand-alone tool or a way to represent risk results. The Boston Square presents information with two values on a color-coded grid. This works well if you are using the basic likelihood x impact formula: you simply allocate an axis to each factor and plot risks on the grid accordingly.

This example shows the overall risk value for each quadrant:

This example plots the infrastructure risk as described in the likelihood x impact spreadsheet above:

The Boston Square is often used as a simple way to brainstorm risks in a workshop. Note that this approach allows a lot of bias and subjectivity into the assessment: rather than evaluating each risk on its own factors, there is a tendency to immediately start comparing risks to one another.

Although I would recommend that you use a different tool for assessing your risks, the Boston Square can still be used as a way to represent the findings of your assessment. You can begin by assessing the risks in a spreadsheet before transferring the final results to an appropriately marked Boston Square. This provides a simple way to represent your findings while maintaining the objectivity of the assessment process.

More Detail = More Refinement

The r = tvi formula that I prefer (more on that in the next part) uses a similar metrics structure but has five different values and ratings to allow some additional refinement in the results. The metrics are shown below and I have also included a short description of what each term could mean when used to describe a different factor.

 

These definitions are not fixed and this is something that can be adapted for your organization or the particular assessment.

Although this is a little busier than the previous example, the underlying concept is the same. A value, color or term can be applied to each factor.

We can’t use a Boston Square here as that limits us to two factors but we can use other graphs and charting tools to represent our results, as required.

An example of one comparison graph is shown below. It illustrates how overall risk can be compared to the likely impact of an event. This helps highlight higher impact events irrespective of their overall risk as these can be particularly damaging to an organization.

For example, in this case, although safety and infrastructure threats pose similar risks and would both fall into the ‘significant’ category, infrastructure risks carry potentially higher impacts which might prioritize this as an area for action.

None of these examples are provided to give you the ‘perfect’ way to present your data. Don’t forget, the approach you take will depend on your client. However, it’s worth being aware of some of the different ways you can present your information and results as this will give you additional flexibility when you’re planning your own assessment.

Summary

There are many systems and methodologies for risk assessment. Most involve a set of metrics with some combination of descriptive terms, quantitative values and a color-code. Personally, I now use the r=tvi model and the DCDR.io assessment tool I built for assessments. I save the Boston Square for more subjective brainstorming to compare options.

However, whichever approach you use, the options outlined above offer some basic frameworks that can then be built on for more complicated systems that you can adapt for your own assessments in the future. The key thing to ensure is that you have a clear and robust system of grading and metrics in place before you start.

 

License

Beyond The Spreadsheet Copyright © 2020 by Andrew Sheves. All Rights Reserved.
