No Risks should remain in the “Red Zone” of the Risk Matrix.

The risk matrix has become pretty much a staple within the project risk management family of tools and techniques, especially for the more complex and highly scrutinized projects.  It portrays a relatively easy-to-comprehend visual of individual project risk status.  One example of a risk matrix can be found on page 84 of my book, “Project Risk Management: A Practical Implementation Approach.”  I advocate a particular approach for using this matrix, one which engenders organizational communication and action which I tend to believe is essential for holistic risk management and the ultimate benefit of “doing more with less.”  It should be understood throughout the organization that the risk matrix’s “Red Zone” is the organization’s established risk threshold within which individual risks cannot be tolerated for more than some short amount of time – e.g., two weeks.  This is particularly important within a matrix organizational structure.  A communicated risk in this zone should be considered a plea for help from the project team, and one which, if not rectified in some amicable way, will likely lead to a major issue which jeopardizes the project.  This zone should accurately reflect organizational risk tolerance – which means that if a risk is outside of this Red Zone, and results in a materialized issue, the resultant consequence is acceptable to the organization’s management team.  This concept should be consistently applied to all projects within the organization, thus necessitating organizational governance relative to the specifics of the tools and techniques used, as well as the criteria for determining risk severity levels.