Chapter 7. The Risk Matrix

The first step in managing risk is understanding the risk that is already in your system. Identifying, labeling, and prioritizing your known risks is what the risk matrix is all about.

First introduced in Chapter 5, the risk matrix is a critical aspect of managing the risk in your system. It is a table that contains a living view of the state of all the known risk in your system.

Figure 7-1 contains an example risk matrix.

Figure 7-1. Example risk matrix

Each row in the matrix represents a single, quantifiable risk that is present in your system. The columns in the spreadsheet contain the details of that specific risk item.

For each risk item the following information is kept:

Risk ID

This is a unique identifier assigned to the risk. It can be anything, but a unique integer identifier is usually the easiest and is sufficient.

System

This is the name of the system, subsystem, or module that contains the risk. This information is dependent on the specifics of your application, but it could be things like “FrontEnd,” “PrimaryDb,” “ServiceA,” or similar.

Owner

The name of an individual (or team) who owns this risk and is responsible for mitigation plans and resolution plans.

Risk description

This is a summary description of the risk. It should be short enough to be easily scanned and recognized yet long enough to uniquely and accurately identify ...
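A small consistency check over the four columns described above, added here as an illustration and not taken from the book: it flags reused Risk IDs, rows with no system or owner, and descriptions that are too short or repeated. The CSV layout, the sample rows, the name `lint_risk_matrix`, and the four-word minimum are assumptions.

```python
import csv
import io

# Constructed sample: only the four columns described above, one row per risk.
SAMPLE_MATRIX = """\
Risk ID,System,Owner,Risk description
1,FrontEnd,Team Web,Login page has no fallback when the session store is down
2,PrimaryDb,,Single database instance with no tested restore procedure
2,ServiceA,Team A,Outbound calls have no timeout
4,ServiceA,Team A,Outbound calls have no timeout
5,,Team B,TBD
"""

REQUIRED = ("Risk ID", "System", "Owner", "Risk description")
MIN_DESCRIPTION_WORDS = 4  # assumed threshold, not a figure from the text


def lint_risk_matrix(text):
    """Return (line_number, problem) pairs for rows that break the column rules."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    problems, seen_ids, seen_descriptions = [], {}, {}
    for line_no, raw in enumerate(reader, start=2):  # line 1 is the header
        row = {c: (raw.get(c) or "").strip() for c in REQUIRED}
        for col in REQUIRED:
            if not row[col]:
                problems.append((line_no, f"empty {col}"))
        risk_id = row["Risk ID"]
        if risk_id in seen_ids:
            problems.append((line_no, f"Risk ID {risk_id} already used on line {seen_ids[risk_id]}"))
        elif risk_id:
            seen_ids[risk_id] = line_no
        desc = row["Risk description"]
        if desc and len(desc.split()) < MIN_DESCRIPTION_WORDS:
            problems.append((line_no, "description too short to identify the risk"))
        key = desc.lower()
        if key in seen_descriptions:
            problems.append((line_no, f"description duplicates line {seen_descriptions[key]}"))
        elif key:
            seen_descriptions[key] = line_no
    return problems


if __name__ == "__main__":
    for line_no, problem in lint_risk_matrix(SAMPLE_MATRIX):
        print(f"line {line_no}: {problem}")
```

Run against an export of the matrix, a check like this catches risks with no owner before they sit unaddressed.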
