Risk Radar is your comprehensive risk management tool that uses a 5×5 matrix to visualise and prioritise threats by plotting each risk according to its likelihood and impact—helping you quickly identify which risks need immediate attention while tracking them from identification through to residual risk assessment.
Risk management model
Each risk managed in Swise can be classified based on the Swise risk management model. The model helps you identify and understand the dynamics of each individual risk, as well as understand your overall risk posture. Risks are assigned a business owner and status, and have the same collaborative features like comments and sharing you'll be familiar with from other Swise features.
We use a 5×5 risk matrix to visualise and prioritise potential threats by plotting each risk according to its likelihood (1-5) and impact (1-5). This colour-coded grid helps us quickly identify which risks need immediate attention
Assessing likelihood
Consequences that are more likely to occur typically require more focus and control
Level 1 - Rare
Would only occur in exceptional circumstances e.g. less than 1% chance of occurring in the next 12 months
Level 2 - Unlikely
Unlikely to occur in most circumstances, e.g. 1-30% + chance of occurring in the next 12 months
Level 3 - Possible
Could conceivably occur in some circumstances, e.g. 30-60% + chance of occurring in the next 12 months
Level 4 - Likely
Has a reasonably high chance of occurring in many circumstances, eg) 60-80% + chance of occurring in the next 12 months
Level 5 - Almost certain
Expected to occur in most circumstances, eg) 80% + chance of occurring in the next 12 months
Assessing impact
Risks that have a higher potential impact typically require more focus and control
Level 1 - Insignificant
Operational impact easily handled through normal internal control processes
Level 2 - Minor
Some disruption possible; able to be managed with management input
Level 3 - Moderate
Significant disruption possible; managed with additional management and resource
Level 4 - Major
Business operations severely damaged or disrupted; requires extraodinary management input and resources
Level 5 - Extreme
Disaster; extreme impact on staff, plant, and / or operations
Net risk versus Residual risk
Net risk is the level of risk that exists after inherent risks have been identified and some controls are in place, but before a complete risk treatment plan is implemented.
Residual risk is the remaining risk level after all planned risk treatment options and controls have been fully implemented.
Typical risk evaluation flow:
Identify the inherent Risk - The raw risk before any controls
Assess net risk - Risk level after existing controls but before new treatments
Plan and apply risk treatment - Implement additional controls based on risk priorities
Evaluate Residual Risk - Determine if remaining risk is acceptable
When moving from net risk to residual risk, consider:
Risk Tolerance: The amount of risk leadership is willing to accept for specific assets
Asset Value: Higher-value assets may require more controls to reduce residual risk
Control Effectiveness: How well the implemented controls actually mitigate the identified risks
Cost-Effectiveness: Ensuring mitigation techniques are practicable and achievable for the business