The objective of this tool is to aid discussion and provide an initial categorization of risks into four groups:
BUSINESS AS USUAL (BAU): Risks that are unlikely to occur and will probably have only minor consequences if they do. Examples include fraud, common burglary, vandalism, and shoplifting. Some analysis and ongoing monitoring might be appropriate, but these risks are typically best managed by standard procedures.
ROUTINE: Risks that are likely to occur but if managed correctly will rarely result in catastrophic consequences. Examples include phishing attacks, network penetration attempts, minor theft, etc. Usually managed by standard operating procedures.
SWANS: Risks that are unlikely but are likely to have major consequences if they eventuate. 'Black Swans'¹ refer to unidentified risks, while 'White Swans' include foreseeable but rare risks. A terrorist attack using an improvised explosive device would be an example of a White Swan; 9/11 was a Black Swan. Monitoring and detailed analysis is likely to be appropriate for these risks.
DANGER ZONE: Risks that are both likely to occur and likely to have major consequences. Depending on the organization, examples might include international operations in high-risk environments, industrial espionage, or privacy breaches. These require detailed analysis and specific resources, and should be the priority for senior management and risk analysts.
As to why it's called the Stroud Matrix? No particular reason, but it needed a name and it was created in the town of Stroud in the Cotswolds in the UK.
¹ Taleb, Nassim Nicholas. The Black Swan: Second Edition: The Impact of the Highly Improbable: With a New Section: 'On Robustness and Fragility'. 2nd edition. New York: Random House Trade Paperbacks, 2010.