What is NASA’s Risk Matrix?
NASA’s Risk Matrix is a straightforward graphic that helps their teams conceptualize risk. The graph measures risk on two scales: likelihood and consequence.
*Source: Managing risk with the NASA Risk Matrix, Ness Labs
Nothing about this graphic is specific to NASA as an organization. Thus, it can be used by anyone evaluating risk.
At Negotiatus, we think it’s particularly useful to businesses that are implementing a vendor management policy. A vendor management policy requires businesses to figure out approximately how much risk they face when working with a vendor, and that can be a tough call.
NASA’s matrix makes it simple. Determine the risk, then ask two questions: how likely is it that the risk will occur, and how strong are the consequences?
What’s at risk when working with vendors?
Working with vendors exposes your business to a multitude of risks, which is why a vendor management policy is so important to implement. The most significant risks are to your business continuity, reputation, and data security.
Eighty-seven percent of firms surveyed by Deloitte “have experienced an incident with a third party that disrupted their operations.” Vendor issues such as late deliveries and incorrect orders put your business operations at risk, and can result in unexpected fees or revenue loss.
If, for example, you operate a hair salon, and your shampoo delivery is delayed, you may have to purchase a replacement product from a local beauty store at a higher price point so that you can continue washing your clients’ hair. This would result in additional, unexpected fees. And if your hair salon also sells the usual shampoo product to its clients, you would incur a loss in revenue while the product was unavailable for sale.
Twenty-five percent of a company's market value is derived from its reputation, a study from the World Economic Forum estimates. With stakes this high, businesses have to carefully evaluate the risks of partnering with any outside organization.
If your business affiliates with a vendor that does not share your values or engages in illicit business affairs, the media may hold your business accountable.
For example, let’s say a vendor your business uses is caught importing products illegally. You risk getting tied up in a public-relations nightmare, whether or not your business had anything to do with it. If the media reports your business as one that received the illegally imported product, you could face permanent damage to your reputation.
Data security may be one of the greatest risks a business faces in modern times. Working with a vendor, especially one in the IT space, amplifies this risk. In fact, 83% of organizations surveyed by Deloitte “experienced an incident at one of their third party suppliers / partners in 2019.”
The cost of these breaches is immense, costing $3.92 million on average, according to a new report from IBM Security finds. And, “breaches originating from a third party—such as a vendor or supplier—cost companies $370,000 more than an average breach.”
Keep in mind, though, that a breach is a worst-case scenario. Failure to comply with laws that prevent breaches is a risk in and of itself. Businesses need to adhere to data-security laws from governing bodies such as the Federal Trade Commission and the European Union, depending on location, and noncompliance can result in hefty fines.
These laws can often be complex, covering both data privacy and security. According to Auth0, a company that provides authentication services for applications, “Even if your data collection policies are strictly in accordance with the law, if you’re not protecting that data with adequate security measures such as authentication and access management, you still may not be in legal compliance.”
With risks and the cost of risks running so high, businesses need to pay close attention to the security policies of their vendors.
How can NASA’s Risk Matrix help?
NASA’s framework allows you to clearly define, score, and mitigate risk, three essential components of a vendor management policy.
NASA uses the following formula to define a risk before applying the matrix, according to Ness Labs:
Given that [CONDITION], there is a possibility of [DEPARTURE] adversely impacting [ASSET], thereby leading to [CONSEQUENCE].
What does that look like in practice?
Let’s say you work for a specialty bakery that produces only gluten-free pastries. You need very specific ingredients, such as almond flour, to make your pastries. Your business relies on its vendor to deliver these goods on time every three days. A delay of even one or two days can jeopardize your ability to produce enough gluten-free goods to meet your customers’ demand. A delay of a week could completely shut down your operations for a few days.
During a vendor audit, you discover that another vendor offers similar gluten-free baking products at a lower price. Although the new vendor comes highly recommended, there’s a catch: the vendor ships its products from California, and your bakery and current vendor are both located on the East Coast. That means your orders will have to travel an additional 2,000 miles, increasing the likelihood of delays.
Following NASA’s framework, we can define the risk of ordering from the California vendor as follows:
Given that the vendor is located 2,000 miles across the country, there is a possibility of shipping delays adversely impacting our stock of almond flour, thereby leading to our inability to produce gluten-free pastries, meet customer demand, and turn a profit for up to three days.
Now, you need to score a vendor’s riskiness according to NASA’s Risk Matrix. We’ll use it to identify, on a scale of 1 to 5, how likely an event will be and how consequential it might be.
So, using the example above, the likelihood of a delay in our shipment of almond flour, given that the vendor is 2,000 miles away, is high. We’ll rate it 5. And the consequence, that we could lose up to three days of profit, isn’t great, either, but it probably won’t sink the business. So let’s give it a 3. Mapped out on NASA’s Risk Matrix, they intersect on a point that indicates a level of “highest risk.” Therefore, we would reconsider working with them.
*Source: Managing risk with the NASA Risk Matrix, Ness Labs
After using the Risk Matrix to score risk, use that score to decide how risk should be mitigated. To do so, your business will need to establish controls for each level of risk across business-continuity reputation, data security, and other potential issues.
For business-continuity issues, these controls could include the following:
1. Keep one extra day’s worth of supplies in stock at all times.
2. Establish a backup plan to acquire supplies if there is a delay.
3. Limit reliance on the vendor by ordering half of your supplies from another vendor.
4. Limit orders from your vendor to items that are nonessential.
5. Prohibit use of the vendor.
Using our bakery example, a level 5 risk means that, unfortunately, we should prohibit use of the California vendor, even though their products are less expensive. The risk of disrupting business continuity is just too great.
Develop a vendor management policy that eradicates risk
If your business takes a scientific approach to evaluating risk, developing and articulating a vendor management policy should be a straightforward process.
Even so, conducting this process for every vendor you work with takes a lot of time.
Negotiatus can save you the hassle. Our strategic sourcing feature vets vendors to reduce risk in the purchasing process. Request a demo today to learn more.