
Eight articles of risk intelligence have built the context. Now we build the instrument. This article walks you through the CARISK™ Enterprise Operational Risk Matrix methodology — from organisational context-setting to risk identification, scoring, control evaluation, and the mitigation roadmap — providing the practical guidance that converts the CARISK™ framework from a conceptual structure into a functioning risk management tool your board can govern.
THE CARISK™ ENTERPRISE OPERATIONAL RISK MATRIX — SIX-PHASE METHODOLOGY
| PHASE 1: Context & Scope | PHASE 2: CRI Integration | PHASE 3: Risk Identification | PHASE 4: Risk Assessment | PHASE 5: Control Evaluation | PHASE 6: Reporting & Roadmap |
| Risk appetite. Org profile. Territory mapping. | Country risk signals applied to enterprise. | Five-pillar risk register built. | Impact × likelihood matrix scored. | Control gaps identified and rated. | Board report + mitigation roadmap. |
After eight articles examining Caribbean risk domain by domain — political, macroeconomic, regulatory, social, climate, cyber — it is time to build the instrument. The CARISK™ Enterprise Operational Risk Matrix is the mechanism through which all of that intelligence becomes a governing document: a structured, scored, board-approved framework that tells an organisation exactly where its material risks lie, how well controlled they currently are, and what it must do to bring its residual risk exposure within its stated risk appetite.
This article is different in character from the previous eight. Where those articles were analytical — examining risk landscapes, presenting territorial assessments, identifying systemic patterns — this article is methodological and practical. It walks through the CARISK™ EORM process step by step, with worked examples drawn from the kind of Caribbean enterprise that is the primary audience for this series: a mid-market financial services, professional services, or commercially active enterprise operating across two or more Caribbean territories, with a board that has recognised the need for structured risk governance and wants to implement it with discipline and rigour.
The EORM is not a template to be completed once and filed. It is a living governance instrument — a dynamic risk register that is maintained, updated, reviewed by the board regularly, and connected to the organisation’s strategic planning, financial planning, and operational management processes. Building it well the first time creates the foundation from which ongoing risk governance can operate effectively. This article tells you how to build it well.
Before You Begin: Establishing the Governance Foundation
The most common implementation failure in enterprise risk management is beginning the risk identification process before the governance foundation is in place. Organisations that skip straight to listing risks — without first establishing who owns the process, what the board’s risk appetite is, and what the EORM is designed to achieve — produce risk registers that are politically shaped, management-reviewed rather than board-governed, and disconnected from the strategic and financial planning processes they are supposed to inform.
The CARISK™ methodology begins with three governance prerequisites that must be in place before Phase 1 commences. First, board mandate: the board must formally authorise the EORM process, designate a board committee or named board member to provide oversight, and commit to receiving and acting on the EORM outputs. Without this mandate, the EORM will be managed as a management exercise and will not achieve the governance integration that makes it valuable. Second, executive sponsorship: the CEO or a designated C-suite executive must own the EORM process operationally — allocating resources, driving management participation, and ensuring that the process is not captured by any single functional area. Third, qualified facilitation: the EORM process should be facilitated by a qualified risk professional — whether internal or, for most Caribbean mid-market enterprises, external — who brings both technical risk management expertise and the independence to surface risks that internal political dynamics might otherwise suppress.
“A risk register that management has shaped to be comfortable for the board is not a risk management instrument. It is a governance performance. The CARISK™ methodology is designed to produce the former, not the latter.”
Phase 1: Establishing Context and Scope
Phase 1 establishes the foundation upon which the entire EORM is built. Its outputs — the Context Statement, the Risk Appetite Statement, and the Assessment Scope Document — define the analytical boundaries within which every subsequent phase operates. Shortchanging Phase 1 produces an EORM that is structurally weakened from the outset.
The Organisational Context Statement
The Context Statement is a structured description of the organisation’s operating environment, strategic objectives, key stakeholder relationships, and the internal and external factors that shape its risk landscape. It is not a marketing document or a strategic plan summary; it is a risk-focused analytical description that provides the frame of reference for every risk identification and assessment decision that follows.
A well-constructed Context Statement for a Caribbean mid-market enterprise should address: the organisation’s operating territories and the nature of its operations in each; its primary business model and revenue drivers; its key dependencies — on suppliers, customers, regulators, infrastructure, and human capital; its governance structure and the board’s current risk oversight arrangements; the strategic objectives that the EORM is designed to support; and the key changes in the external environment — regulatory, competitive, macroeconomic, climate — that have material implications for the organisation’s risk profile. The CARISK™ CRI assessments for each territory in which the organisation operates are the primary external reference source for this last dimension, and should be formally incorporated into the Context Statement.
The Risk Appetite Statement
The Risk Appetite Statement is the board’s formal declaration of the types and levels of risk it is willing to accept in pursuit of the organisation’s strategic objectives, and the types of risk it is not willing to accept under any circumstances. It is one of the most important governance documents a Caribbean board can produce — and one of the least frequently produced in practice.
A well-constructed Risk Appetite Statement does three things. It defines risk appetite quantitatively where possible — for example, specifying the maximum acceptable revenue concentration in a single customer, the maximum acceptable regulatory penalty exposure, or the minimum acceptable liquidity coverage ratio. It defines risk appetite qualitatively for categories that resist quantification — for example, stating that the organisation will not accept compliance risk that could result in loss of operating licence, or reputational risk that could materially damage relationships with key institutional partners. And it defines risk boundaries — the categories of risk that the board will not accept under any circumstances, regardless of the potential return, such as facilitation payments, data protection breaches involving customer personal information, or operations in jurisdictions subject to international sanctions.
The Risk Appetite Statement should be formally approved by the board, documented, communicated to senior management, and reviewed at least annually. It is the governing document against which every risk score in the EORM is calibrated: risks that score above the appetite threshold require active mitigation; risks within appetite require monitoring; risks at the boundary require explicit board acceptance.
The Assessment Scope Document
The Assessment Scope Document defines which entities, geographies, business lines, and risk categories are included in the EORM assessment. For a multi-territory Caribbean enterprise, scope decisions are particularly important: a comprehensive EORM that attempts to assess every risk across every territory in a single exercise may produce an unwieldy output; a focused EORM that prioritises the highest-risk territories and most material risk domains produces more actionable intelligence.
The CARISK™ recommendation is to scope the initial EORM around the three to five risk domains most relevant to the organisation’s specific profile — informed by the CRI assessments of its operating territories — and to expand scope in subsequent annual cycles. An organisation operating primarily in Jamaica should weight its initial EORM toward the Social & Security and Climate & Environmental domains. An organisation in T&T should weight toward Macroeconomic & Fiscal and Regulatory & Compliance. An organisation with operations in both Barbados and an OECS state should weight toward Regulatory & Compliance and Climate.
Phase 2: CRI Integration — Connecting Country Risk to Enterprise Risk
Phase 2 is the distinctive feature of the CARISK™ methodology that differentiates it from generic enterprise risk management frameworks applied to Caribbean organisations. It is the phase in which the country-level risk intelligence from the CARISK™ CRI assessments is translated into enterprise-specific risk conditions — connecting the macro-level analysis of political stability, macroeconomic trajectory, regulatory direction, social dynamics, climate exposure, and cyber threat landscape to the specific operating context of the organisation being assessed.
CRI integration involves two analytical steps. The first is territory mapping: for each territory in which the organisation operates, the relevant CRI domain scores are applied to the organisation’s specific exposure in that territory. An organisation with significant physical assets in Jamaica applies the Jamaica Climate & Environmental domain CRI score to its asset base — not as a universal statement that all Jamaican enterprises face identical climate risk, but as a starting point that is then calibrated against the specific location, construction standard, and insurance position of the organisation’s specific assets. The second step is risk signal translation: each material CRI signal is translated into one or more specific enterprise risk items for inclusion in the risk register developed in Phase 3. A HIGH regulatory risk CRI score for T&T translates into specific enterprise risks around AML/CFT compliance programme effectiveness, transfer pricing exposure, and environmental liability — the specific regulatory risk dimensions most relevant to the organisation’s sector and operations.
| CRI Domain Signal | Territory Example | Enterprise Risk Translation | EORM Pillar |
| Social & Security: HIGH | Jamaica | Supply chain logistics security risk in affected parishes; SOPE operational continuity risk; security cost in budgeting | Operational & Process Risk |
| Macroeconomic: HIGH | T&T | USD FX access constraint; energy sector revenue dependency; HSF fiscal buffer depletion impact on government contracts | Financial & Liquidity Risk |
| Climate: VERY HIGH | OECS | Post-Melissa property insurance adequacy; hurricane asset damage maximum probable loss; business interruption scenario | Operational & Process / Financial |
| Regulatory: MODERATE (accelerating) | Jamaica | AML/CFT effectiveness gap; data protection compliance programme; transfer pricing documentation | Regulatory & Legal Risk |
| Digital & Cyber: MODERATE | All territories | BEC fraud exposure; ransomware operational disruption; third-party vendor cyber risk; incident response gaps | Operational & Process Risk |
| Political: LOW-MOD | Barbados | IBC substance compliance risk; regulatory relationship continuity across election cycle; CBI revenue dependency | Regulatory & Legal / Strategic Risk |
Phase 3: Risk Identification — Building the Risk Register
Phase 3 produces the raw material from which the EORM is constructed: the risk register — a comprehensive inventory of the specific risks facing the organisation across the five CARISK™ EORM pillars. Risk identification is both an analytical process and a facilitation process: it requires structured methodology to ensure completeness, and skilled facilitation to ensure that the risks identified reflect genuine operational reality rather than the risks that management is comfortable disclosing.
The Five EORM Pillars and Their Risk Domains
The CARISK™ EORM organises enterprise risk across five operational pillars that together span the full range of risk categories material to Caribbean enterprises. Each pillar contains a set of standard risk domains that provide the structured framework for risk identification, supplemented by organisation-specific risks identified through the management interview and document review process.
- Strategic & Reputational Risk — Market position and competitive dynamics; brand and reputation risk events; board and executive governance failures; strategic partnership risk; merger, acquisition, and transformation risk; climate and ESG reputational exposure.
- Financial & Liquidity Risk — Working capital and liquidity; credit exposure and counterparty risk; FX and interest rate exposure; insurance adequacy; financial reporting integrity; revenue concentration; capital structure and debt covenant risk.
- Operational & Process Risk — Business continuity and disaster recovery; supply chain resilience; technology and systems reliability; BEC and payment fraud; security and physical asset protection; key-person dependency; quality and service delivery failure.
- Regulatory & Legal Risk — AML/CFT programme effectiveness; tax compliance and enforcement; sector-specific regulatory breach; data protection compliance; contractual and litigation exposure; anti-bribery and corruption; cross-border regulatory complexity.
- Environmental, Social & Governance (ESG) Risk — Physical climate risk to assets and operations; ESG disclosure obligations; labour practices and supply chain ethics; community relations and social licence; board composition and diversity governance; transition risk from decarbonisation.
Risk identification should be conducted through a combination of structured management interviews — using the pillar framework as the interview guide — workshop sessions with cross-functional participation, document review of existing policies and incident records, and benchmarking against sector peer risk registers. The CARISK™ risk identification protocol specifically includes a challenge step in which the facilitator presents the CRI signals from Phase 2 to the management team and asks them to identify the specific enterprise risks that those signals create — a process that frequently surfaces risks that the internal process alone would not have generated.
The Risk Register Format
Each risk identified in Phase 3 is recorded in the risk register with the following standard fields: Risk ID and Title; Risk Description — a specific, factual description of what could go wrong, not a broad category statement; Risk Category — the EORM pillar and domain; Risk Owner — the named individual responsible for managing the risk; Current Controls — the existing measures in place to reduce the likelihood or impact of the risk; Inherent Risk Score — the impact and likelihood score before controls are considered; Control Effectiveness Rating — an assessment of how well the current controls are operating; and Residual Risk Score — the impact and likelihood score after controls are considered.
Phase 4: Risk Assessment — Scoring the CARISK™ Risk Matrix
Phase 4 applies the CARISK™ Risk Matrix to each identified risk, producing the impact-likelihood scores that enable rational prioritisation of management attention and mitigation resources. The matrix is the visual centrepiece of the EORM — the heat map that tells the board, at a glance, where the organisation’s most critical risk exposures lie.
The CARISK™ 5×5 Risk Matrix Scoring Guide
| IMPACT SCALE | 1 — Insignificant | 2 — Minor | 3 — Moderate | 4 — Major | 5 — Catastrophic |
| Financial | <1% of annual revenue | 1–5% of annual revenue | 5–15% of annual revenue | 15–30% of annual revenue | >30% of annual revenue |
| Operational | Minor disruption, <24 hours | Disruption 1–7 days | Disruption 1–4 weeks | Disruption 1–3 months | Permanent capability loss |
| Regulatory | Informal advisory | Formal warning, minor fine | Significant fine, public censure | Licence suspension risk | Licence revocation |
| Reputational | Internal only | Limited external awareness | Media coverage, client concern | Major media, client attrition | Existential reputational damage |
| LIKELIHOOD SCALE | 1 — Rare | 2 — Unlikely | 3 — Possible | 4 — Likely | 5 — Almost Certain |
| Probability | <5% in any year | 5–20% in any year | 20–50% in any year | 50–80% in any year | >80% in any year |
| Historical Pattern | Never occurred in sector | Occurred in sector, not org | Has occurred in the org | Recurs periodically | Expected to occur regularly |
Each risk is scored separately for inherent risk (before existing controls) and residual risk (after controls). The difference between the two scores represents the value delivered by the current control environment. A large gap between inherent and residual risk scores indicates strong controls; a small gap indicates that controls are either weak or absent. The residual risk score is the score that determines whether the risk falls within or outside the board’s risk appetite, and therefore whether active mitigation is required.
The Risk Priority Classification
| Score Range | Classification | Board Response Required | Management Action |
| 15–25 | CRITICAL | Immediate board notification; emergency session if score is 20+ | Immediate mitigation action; fortnightly progress reporting to board |
| 9–14 | HIGH | Standing agenda item at every board/risk committee meeting | Active mitigation programme with monthly board reporting |
| 4–8 | MODERATE | Quarterly risk committee review; trend monitoring | Documented controls; annual management review and update |
| 1–3 | LOW | Annual risk register review | Monitor; no active mitigation required unless trend worsens |
Phase 5: Control Evaluation — Assessing What Is Actually Working
Phase 5 is the phase that most Caribbean organisations find most uncomfortable — and most valuable. It is the systematic assessment of whether the controls that the organisation believes are in place are actually operating as intended, and whether they are adequate to manage the risks to which they are applied. The gap between the controls that management believes exist and the controls that are genuinely effective is, in the CARISK™ experience, almost always larger than the board expects.
Control evaluation assesses each identified control across two dimensions. Design effectiveness asks: is the control appropriately designed to address the risk it is intended to manage? A control that addresses the wrong dimension of a risk, or that is designed around an outdated version of the risk, is poorly designed regardless of how consistently it is applied. Operating effectiveness asks: is the control being applied consistently, by appropriately trained staff, with adequate documentation, and with sufficient management oversight to ensure it is functioning as intended?
The CARISK™ control evaluation uses a four-point rating scale. Effective controls operate as designed, are consistently applied, and demonstrably reduce the residual risk to within the risk appetite threshold. Partially effective controls address the risk but with gaps in design, application, or oversight that limit their effectiveness. Ineffective controls exist on paper but are not operating in practice, or are designed in a way that does not address the actual risk. Absent indicates that no meaningful control exists for the identified risk.
The control gap analysis produced by Phase 5 is often the most immediately actionable output of the EORM process. Controls rated as partially effective or ineffective represent specific, addressable management actions. The gap analysis tells management not simply that a risk is high but precisely which control failures are allowing it to remain high — and therefore exactly what needs to be fixed to bring the residual risk within appetite.
Phase 6: Reporting and the Mitigation Roadmap
Phase 6 converts the analytical outputs of the five preceding phases into the governance products that the board needs to perform its risk oversight function effectively. Three primary outputs are produced: the EORM Report, the Mitigation Roadmap, and the Board Risk Dashboard.
The EORM Report
The EORM Report is the primary deliverable of the CARISK™ assessment engagement. It presents the full risk register with inherent and residual risk scores for each identified risk; the risk matrix heat map showing the distribution of risks across the impact-likelihood grid; the control evaluation findings with gap analysis; the risk priority classification for each risk; and a management summary that frames the key findings for board consumption.
The report is structured for board governance, not management consumption. It leads with the most critical findings, presents the risks that fall outside risk appetite clearly and without qualification, and provides the board with the information required to make governance decisions — not a description of what management has already decided to do. A well-constructed EORM Report should generate genuine board discussion, not board endorsement.
The Mitigation Roadmap
The Mitigation Roadmap translates the risk register findings into a structured programme of actions to bring residual risk scores within the board’s risk appetite. For each risk rated HIGH or CRITICAL, the roadmap defines the specific mitigation action required, the risk owner responsible for implementation, the target completion date, the resources required, and the success metric that will confirm when the risk has been adequately addressed.
The roadmap is not a wish list. It is a committed action plan — reviewed and approved by the board, tracked at every risk committee meeting, and reported against with specificity. Actions that are not progressing should be escalated to the board, not quietly deferred. The CARISK™ methodology builds in a quarterly roadmap review cycle as the minimum governance standard, with the expectation that CRITICAL risk mitigation actions are tracked monthly.
The Board Risk Dashboard
The Board Risk Dashboard is the ongoing governance instrument that keeps the board informed between formal EORM cycles. It presents, on a quarterly basis: the current residual risk score for each risk in the register; trend indicators showing whether each risk is improving, stable, or deteriorating; the status of active mitigation actions from the roadmap; any new risks identified since the last report; and a summary of the CARISK™ CRI signals for the organisation’s operating territories — flagging any material changes in the country risk environment that require risk register updates.
“The EORM Report tells the board where the organisation stands. The Mitigation Roadmap tells management what to do about it. The Board Risk Dashboard tells the board whether management is doing it. All three are necessary for risk governance that is genuinely effective.”
Worked Example: A Caribbean Financial Services Enterprise
To illustrate the CARISK™ EORM methodology in practice, consider a hypothetical mid-market Caribbean financial services enterprise — a commercial bank operating across Jamaica, T&T, and Barbados, with total assets of US$500 million, 400 staff across three territories, and a strategy focused on SME lending, trade finance, and digital banking growth. We will walk through how Phase 3 risk identification and Phase 4 risk scoring would operate for three illustrative risks drawn from the CARISK™ risk domain analysis across those three territories.
| Risk Description | EORM Pillar | Inherent Impact | Inherent Likelihood | Residual Impact | Residual Likelihood | Key Control Gap |
| AML/CFT programme effectiveness: documented policies exist but customer risk profiling is formulaic, not genuinely risk-based; suspicious activity reporting is below sector benchmarks. | Regulatory & Legal | 4 | 4 | 4 | 3 | Controls partially effective: policies designed but application inconsistent. Gap: risk-based CDD procedures need redesign; SAR culture requires training programme. Residual score: 12 — HIGH. |
| Post-Melissa property insurance: Jamaica branch offices and data centre carry pre-2025 coverage limits that have not been reviewed against post-Melissa market pricing or updated replacement values. | Financial & Liquidity | 4 | 3 | 3 | 3 | Controls ineffective: insurance schedule not updated since 2023. Gap: immediate broker review required; replacement value assessment needed; business interruption coverage terms review. Residual score: 9 — HIGH. |
| Business Email Compromise exposure: no out-of-band verification procedure for wire transfers; three BEC attempts identified in the past 18 months, one of which resulted in a US$180,000 loss. | Operational & Process | 3 | 5 | 3 | 4 | Controls absent: no verification protocol in place. Gap: immediate implementation of dual-authorisation and out-of-band verification for all transfers above US$10,000. Residual score: 12 — HIGH. |
The three illustrative risks in this worked example all score HIGH in residual risk — indicating that they fall outside the risk appetite threshold and require active mitigation through the roadmap. The control gap column tells management precisely what needs to be done: a risk-based CDD redesign and SAR training programme for the AML/CFT risk; an immediate broker review and replacement value assessment for the insurance risk; and a dual-authorisation payment verification protocol for the BEC risk. None of these are expensive or technically complex interventions. All three are specific, actionable, and directly connected to the risk score that makes them a board-level governance priority.
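The scoring rules from Phase 4 (impact × likelihood, the four priority bands, inherent versus residual comparison) and the Phase 6 dashboard trend indicator are mechanical enough to encode, which is a useful check that a register has been scored consistently. The following is an added illustration, not code from the article or from CARISK™. It assumes that the board's appetite threshold sits at the top of the MODERATE band (so HIGH and CRITICAL residual scores are outside appetite, as the worked example treats them), and that each band of the financial impact and probability scales is closed on its upper limit; neither boundary is stated by the article. The three register entries are constructed from the worked example table above.

```python
"""Scoring helpers for a CARISK-style 5x5 risk register (added illustration)."""
from dataclasses import dataclass

# Priority bands from the Risk Priority Classification table (score = impact x likelihood).
PRIORITY_BANDS = ((15, 25, "CRITICAL"), (9, 14, "HIGH"), (4, 8, "MODERATE"), (1, 3, "LOW"))

# Assumption: appetite set so that MODERATE and LOW residual scores are within appetite.
APPETITE_MAX_RESIDUAL = 8


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    pillar: str
    inherent_impact: int
    inherent_likelihood: int
    residual_impact: int
    residual_likelihood: int
    control_rating: str  # Effective / Partially effective / Ineffective / Absent

    def __post_init__(self):
        for v in (self.inherent_impact, self.inherent_likelihood,
                  self.residual_impact, self.residual_likelihood):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.risk_id}: matrix scores must be 1-5, got {v}")
        # Controls can only reduce exposure; residual above inherent is a data-entry error.
        if self.residual_score > self.inherent_score:
            raise ValueError(f"{self.risk_id}: residual score exceeds inherent score")

    @property
    def inherent_score(self) -> int:
        return self.inherent_impact * self.inherent_likelihood

    @property
    def residual_score(self) -> int:
        return self.residual_impact * self.residual_likelihood

    @property
    def control_value(self) -> int:
        """Points of exposure removed by the current control environment."""
        return self.inherent_score - self.residual_score


def classify(score: int) -> str:
    """Map a matrix score to its priority band."""
    for lo, hi, label in PRIORITY_BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} outside the 1-25 matrix range")


def board_response(score: int) -> str:
    """Board response column of the classification table; 20+ triggers an emergency session."""
    label = classify(score)
    if label == "CRITICAL":
        return "Emergency board session" if score >= 20 else "Immediate board notification"
    return {"HIGH": "Standing agenda item", "MODERATE": "Quarterly risk committee review",
            "LOW": "Annual register review"}[label]


def financial_impact_score(loss_pct_of_revenue: float) -> int:
    """Financial row of the impact scale. Assumption: bands closed on the upper limit."""
    for limit, score in ((1, 1), (5, 2), (15, 3), (30, 4)):
        if (loss_pct_of_revenue < limit) if score == 1 else (loss_pct_of_revenue <= limit):
            return score
    return 5


def likelihood_score(annual_probability_pct: float) -> int:
    """Probability row of the likelihood scale. Assumption: bands closed on the upper limit."""
    if annual_probability_pct < 5:
        return 1
    for limit, score in ((20, 2), (50, 3), (80, 4)):
        if annual_probability_pct <= limit:
            return score
    return 5


def outside_appetite(risk: Risk) -> bool:
    return risk.residual_score > APPETITE_MAX_RESIDUAL


def mitigation_queue(register) -> list:
    """Risk IDs needing roadmap actions, worst residual first; ties broken by inherent score."""
    queue = [r for r in register if outside_appetite(r)]
    queue.sort(key=lambda r: (-r.residual_score, -r.inherent_score))
    return [r.risk_id for r in queue]


def dashboard_trend(previous_residual: int, current_residual: int) -> str:
    """Trend indicator for the Board Risk Dashboard between two reporting periods."""
    if current_residual < previous_residual:
        return "improving"
    return "deteriorating" if current_residual > previous_residual else "stable"


# Constructed register entries taken from the worked example table.
WORKED_EXAMPLE = (
    Risk("R1", "AML/CFT programme effectiveness", "Regulatory & Legal", 4, 4, 4, 3, "Partially effective"),
    Risk("R2", "Post-Melissa property insurance", "Financial & Liquidity", 4, 3, 3, 3, "Ineffective"),
    Risk("R3", "Business Email Compromise exposure", "Operational & Process", 3, 5, 3, 4, "Absent"),
)

if __name__ == "__main__":
    for r in WORKED_EXAMPLE:
        print(f"{r.risk_id} inherent {r.inherent_score} ({classify(r.inherent_score)}) "
              f"residual {r.residual_score} ({classify(r.residual_score)}) "
              f"control value {r.control_value} -> {board_response(r.residual_score)}")
    print("Mitigation queue:", mitigation_queue(WORKED_EXAMPLE))
```

Running the script reproduces the residual scores in the table (12, 9 and 12, all HIGH) and also shows something the table does not state explicitly: two of the three risks are CRITICAL on an inherent basis, so the control value column quantifies how much the existing, admittedly weak, controls are still buying the organisation.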
Maintaining the EORM: The Annual Cycle
A CARISK™ EORM completed once and not refreshed is not a risk management instrument. It is a historical document. The value of the EORM lies in its currency — its ability to reflect the actual risk landscape the organisation faces at any given time, not the landscape it faced when the assessment was last conducted. The CARISK™ annual cycle maintains that currency through four structured touchpoints.
- Q1 — Annual EORM Refresh: Full re-run of Phases 3 through 6, incorporating updated CRI scores for all operating territories, management interview refresh, and reassessment of all risk scores and control ratings. The annual refresh produces an updated EORM Report and Mitigation Roadmap, reviewed and approved by the board at the Q1 risk committee meeting.
- Q2 / Q3 — Mid-Year Risk Register Review: A targeted review of risks rated HIGH or CRITICAL at the annual refresh, assessing progress against mitigation roadmap actions, identifying any new risks that have emerged since Q1, and updating risk scores to reflect material changes in the control environment or external risk landscape. A condensed mid-year risk update is presented to the board.
- Ongoing — Event-Triggered Updates: Material changes in the CRI environment — a major climate event, a regulatory enforcement action in a relevant sector, a significant political development, a cyber incident affecting a peer organisation — trigger an event-based risk register review for any risks potentially affected by the development. The CARISK™ Intelligence Dashboard’s real-time event alerts provide the trigger mechanism for this process.
- Annual — Risk Appetite Review: The board formally reviews and reconfirms or amends the Risk Appetite Statement at the annual governance calendar review, ensuring that risk appetite thresholds remain calibrated to the organisation’s current strategy, financial position, and regulatory environment.
The CARISK™ EORM methodology is not a compliance exercise. It is a strategic investment in the quality of governance — in the board’s ability to make better decisions, management’s ability to allocate resources more effectively, and the organisation’s ability to navigate a complex Caribbean risk environment with confidence rather than uncertainty. The organisations that implement it well do not simply manage risk better; they govern better, plan better, and perform better over time.
In the final article of this series — Article 10 — we close the Caribbean Risk Horizon with the synthesis that the series has been building toward: what it looks like to be a genuinely risk-ready Caribbean enterprise, and how the organisations that achieve that standard convert risk intelligence into strategic advantage.
REQUEST YOUR CARISK™ ENTERPRISE RISK MATRIX ENGAGEMENT
Plan effectively with Dawgen Global’s expert analysis and methodology. From the full six-phase CARISK™ EORM engagement — including CRI integration, risk identification workshops, 5×5 matrix scoring, control gap analysis, and board-ready EORM Report and Mitigation Roadmap — to ongoing Board Risk Dashboard support, our Operational Risk service provides the complete risk intelligence and governance infrastructure your Caribbean enterprise needs. Request your CARISK™ Enterprise Risk Matrix proposal today.
Final Article in the Series
Article 10 — From Risk Exposure to Strategic Advantage: The Caribbean Risk-Ready Enterprise. The series closes with the synthesis: what a genuinely risk-ready Caribbean enterprise looks like at the board, management, and operational level — and how the organisations that achieve this standard use risk intelligence not merely to avoid harm but to create competitive advantage.
About Dawgen Global
Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let’s collaborate and craft a future where every decision is a steppingstone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.
Email: [email protected]
Visit: Dawgen Global Website
WhatsApp Global Number: +1 555-795-9071
Caribbean Office: +1 876-665-5926 / 876-929-3670 / 876-926-5210
USA Office: 855-354-2447
Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements