whether it is choosing a method for risk identification and measurement or ranking the identified risks. Choosing risk identification and measurement methods is a highly specific problem, as the selection criteria depend strongly on the company profile. As a result, methodologies and standards do not describe definite tools for choosing a method but provide general recommendations. By contrast, there is a widespread tool for risk prioritization offered by each of the documents listed above: the risk matrix. The columns of a risk matrix describe the likelihood of risk occurrence, and the rows present the consequences, that is, the possible impact of risk occurrence. Impact assessment criteria can include financial, reputational, operational, compliance and other consequences.
Companies typically define impact using a combination of these consequences, given that different risks may have different impacts on the company (see an example of an impact assessment scale in Table 1). However, the use of a risk matrix has its disadvantages. L. A. Cox states that the use of a risk matrix for risk evaluation has several limitations