C1.4.1 Continued (2)


Example 2:

Rather than simply using likelihood and severity, some organisations prefer to additionally include scores for:

  • Frequency
    • Infrequent operation / normal operation / frequent operation / high use.
  • Legislation
    • No relevant legislation / compliant / potentially not compliant / not compliant.
  • Controls
    • Have full control / have some control / have no control.


This may appear to be more comprehensive. However, the problem with including a score for legislation is that most activities are controlled by some legislation. In addition, if a specific activity or aspect is not currently controlled by legislation, this does not necessarily mean the resulting impact is any less significant.

A simple risk matrix will not be sufficient with this number of variables. Instead, a formula may be used. For example:

Risk x Severity x Frequency x Legislation x Control

or

(Risk x Severity x Frequency x Legislation) x Control


Example 3:

Another approach may be to use:

  • Likelihood.
  • Ease of Detection.
    • Easy to detect, possible to detect, cannot be detected.
  • Ease of Resolution.
    • Easily resolved, can be resolved, cannot be resolved.
  • Severity.


This approach would also require a formula to determine the significance.
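The following is an added illustration, not part of the course text, that scores an aspect with the Example 2 formulae and with a product form of the Example 3 factors, and shows the legislation problem the notes raise. The numbers assigned to each scale position, the likelihood and severity labels, and the reading of "Risk" in the formula as the likelihood score are all assumptions; the course gives only the scale wording.

```python
"""Scoring helpers for the Example 2 and Example 3 approaches (added example)."""

# Ordinal values per scale position are assumed (1 = lowest contribution).
# Likelihood and severity labels are also assumed; the course only names the factors.
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3, "almost certain": 4}
SEVERITY = {"negligible": 1, "minor": 2, "major": 3, "catastrophic": 4}
FREQUENCY = {"infrequent operation": 1, "normal operation": 2,
             "frequent operation": 3, "high use": 4}
LEGISLATION = {"no relevant legislation": 1, "compliant": 2,
               "potentially not compliant": 3, "not compliant": 4}
CONTROL = {"have full control": 1, "have some control": 2, "have no control": 3}
# Example 3 scales, as worded in the notes.
DETECTION = {"easy to detect": 1, "possible to detect": 2, "cannot be detected": 3}
RESOLUTION = {"easily resolved": 1, "can be resolved": 2, "cannot be resolved": 3}


def example2_score(likelihood, severity, frequency, legislation, control):
    """Risk x Severity x Frequency x Legislation x Control (flat product)."""
    return (LIKELIHOOD[likelihood] * SEVERITY[severity] * FREQUENCY[frequency]
            * LEGISLATION[legislation] * CONTROL[control])


def example2_grouped(likelihood, severity, frequency, legislation, control):
    """(Risk x Severity x Frequency x Legislation) x Control.

    Returns (inherent, overall): the bracketed form lets the inherent score be
    reported separately from the effect of the control factor."""
    inherent = (LIKELIHOOD[likelihood] * SEVERITY[severity]
                * FREQUENCY[frequency] * LEGISLATION[legislation])
    return inherent, inherent * CONTROL[control]


def example3_score(likelihood, detection, resolution, severity):
    """Likelihood x Ease of Detection x Ease of Resolution x Severity.

    The notes say Example 3 needs a formula but do not give one; a plain
    product is assumed here."""
    return (LIKELIHOOD[likelihood] * DETECTION[detection]
            * RESOLUTION[resolution] * SEVERITY[severity])


def legislation_distortion():
    """Illustrates the caveat in the notes: an unregulated, catastrophic-severity
    aspect scores below a non-compliant but minor-severity one, purely because
    the legislation factor is multiplied in. Returns (unregulated, regulated)."""
    unregulated = example2_score("likely", "catastrophic", "normal operation",
                                 "no relevant legislation", "have some control")
    regulated = example2_score("likely", "minor", "normal operation",
                               "not compliant", "have some control")
    return unregulated, regulated
```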