Risk matrices are commonly used in many risk management practices. There are a number of issues with risk matrices and, overall, I would discourage their indiscriminate use. That is not to say they have no place, but caution is advised in using them. If you have to use a risk matrix, for example because corporate policy requires it, the following advice may help.
I've also written about What's right with risk matrices? and How To Use A Risk Matrix at one of my other websites as well as several articles on risk assessment at this website.
Limitations of Risk Matrices
Some of the problems with risk matrices are that they can:
Assign identical ratings to quantitatively different risks.
Lead to errors in risk prioritization, as calculation of consequences cannot be made objectively for uncertain outcomes.
Rely on subject matter expert judgments, resulting in wide variations in risk ratings, as different users interpret the likelihood and consequence ratings differently.
Lead to unstated assumptions regarding the timeframes and frequencies of activities or events, unless these are explicitly stated.
Oversimplify the volatility of a risk, as some risks are relatively static over time while others can change rapidly.
Lead assessors to overlook causation and downstream consequences.
For an overview of some of the limitations of risk matrices, see “What’s Wrong With Risk Matrices”¹.
Avoid If Possible
If using risk matrices, it’s best to avoid:
Using simple (eg: 2x2) risk matrices as a risk calculation tool. They have some uses for initial discussion or coarse triage (See: Stroud Matrix) but cannot prioritize risks accurately.
Plotting risks as a single point value of likelihood and consequence. All risks are likely to have a range of consequences and should be plotted accordingly. See: Bubble Charts for an example.
Risk matrices where risks with the same semi-quantitative ranking (ordinal or priority ranking) have differing quantitative values. For example, on a 5x5 matrix with an additive score (likelihood plus consequence), risk ‘A’ with a likelihood of 2 and a consequence of 4 has a priority ranking of 6. If a likelihood of 2 means 20% and a consequence of 4 means $10 million, its Expected Monetary Value (EMV) is $2 million. Risk ‘B’, with a likelihood of 4 (80%) and a consequence of 2 ($1 million), also ranks as a 6 but has an EMV of $800,000. Although both have a rating of 6, EMVs of $800,000 and $2,000,000 are substantially different.
When Using Risk Matrices
If you do wish to, or are required to, use risk matrices, some of the better ways to use them include:
Expressing ratings as a probability distribution across several squares rather than as a single point.
Using quantitative scales, such as 0.0 to 1.0 for probability and $0 to $X for consequence, where $X is the equity of the organization (or the amount of cash or other loss that would mean the total demise of the organization if it eventuated).
Using the matrix as a framework for discussion.
Providing calibration training to users beforehand.
Using explicit likelihood and consequence descriptors which are as quantitative as possible, and then checking and confirming at each stage that the team shares the same understanding of the risks and the relevant descriptors.
Using only risk statements which have been clearly defined.
Using a matrix with more granularity (eg: a 10x10 matrix) to limit any tendency to cluster risks on a single setting.
Brainstorming risk events based on likelihood, for example by considering which risk events are the most and the least likely.
Brainstorming risk events based on consequences: considering the nature and relative significance of consequences in comparison to each other, prioritizing the consequences, and then moving ‘upstream’ to consider the potential sources and causes of such events.
Contrasting and discussing risks in a comparative fashion, e.g. is the organization’s risk from attack by an external hacker greater or lesser than the risk from an insider threat? By how much, and why? What are the causes and effects of each?
Using the matrix as a framework for communicating comparative risk ratings and the quality of controls. For an example of how to use risk matrices as a communication tool see Communication and “What’s Right With Risk Matrices”².
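The first two recommendations above (a distribution across several squares, and quantitative 0.0 to 1.0 and $0 to $X scales), as an added example that is not from the original article. The script expresses a risk as the annual probability of a loss falling in each consequence band, maps each band to a matrix cell, and compares that with what a single-point plot (the most probable cell only) would show. $X is assumed to be $50 million of equity, the consequence bands and likelihood thresholds are assumptions, and the two risks, a constructed ransomware scenario with a small equity-ending tail and a constructed outage with none, are illustrative data.

```python
"""A risk as a probability distribution across matrix cells (added example).

Scales are assumptions: probability 0.0-1.0 for likelihood, $0-$X for
consequence, with X = the organisation's equity (assumed $50M here, i.e.
the loss that would mean the total demise of the organisation).
"""
from bisect import bisect_left

EQUITY = 50_000_000  # assumed $X

# Assumed consequence bands in dollars; the top band is pinned to equity.
CONSEQUENCE_BANDS = {1: 100_000, 2: 1_000_000, 3: 3_000_000,
                     4: 10_000_000, 5: EQUITY}
# Assumed upper probability bounds of likelihood bands 1..4; band 5 is above 0.8.
LIKELIHOOD_UPPER = [0.05, 0.20, 0.50, 0.80]


def validate(dist):
    """dist maps consequence band -> annual probability that a loss in that
    band occurs. Bands are mutually exclusive, so each probability must lie
    in [0, 1] and the total may not exceed 1 (the remainder is 'no loss')."""
    total = 0.0
    for band, p in dist.items():
        if band not in CONSEQUENCE_BANDS:
            raise ValueError(f"unknown consequence band {band}")
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability {p} outside [0, 1]")
        total += p
    if total > 1.0 + 1e-9:
        raise ValueError(f"probabilities sum to {total:.3f} > 1")
    return total


def likelihood_band(p):
    """Map a probability to an ordinal likelihood band 1..5."""
    return bisect_left(LIKELIHOOD_UPPER, p) + 1


def to_matrix_cells(dist):
    """All (likelihood band, consequence band) cells the risk occupies."""
    validate(dist)
    return [(likelihood_band(p), band) for band, p in dist.items()]


def modal_cell(dist):
    """What a single-point plot shows: only the most probable band's cell."""
    band = max(dist, key=dist.get)
    return likelihood_band(dist[band]), band


def expected_loss(dist):
    """Annual expected loss in dollars: sum of probability x band loss."""
    validate(dist)
    return sum(p * CONSEQUENCE_BANDS[band] for band, p in dist.items())


def tail_probability(dist, from_band=5):
    """Probability of a loss at or above from_band (default: equity-ending)."""
    return sum(p for band, p in dist.items() if band >= from_band)


def loss_as_fraction_of_equity(dist):
    """Expected loss on the $0-$X scale, i.e. relative to equity."""
    return expected_loss(dist) / EQUITY


# Constructed illustrative risks (not real data).
RANSOMWARE = {2: 0.15, 3: 0.04, 5: 0.01}   # mostly $1M, 1% chance of total demise
OUTAGE = {2: 0.20}                           # $1M, no tail

if __name__ == "__main__":
    for name, dist in (("ransomware", RANSOMWARE), ("outage", OUTAGE)):
        print(f"{name}: single-point cell {modal_cell(dist)}, "
              f"all cells {to_matrix_cells(dist)}, "
              f"expected loss ${expected_loss(dist):,.0f} "
              f"({loss_as_fraction_of_equity(dist):.2%} of equity), "
              f"P(equity-ending) {tail_probability(dist):.2%}")
```

Plotted as a single point, both risks land in the same cell (likelihood band 2, consequence band 2), and the outage even looks slightly more likely. Plotted across all the cells they occupy, the ransomware risk also appears in the top consequence band, its expected loss is nearly four times the outage’s, and it carries a 1% annual chance of ending the organisation, which is the information the single point discards.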
Note: the traditional view of risk is negative, representing loss and adverse consequences, and the following risk matrix examples describe only negative consequences. ISO 31000 includes the possibility of positive risk, or opportunity, associated with uncertainties that could have a beneficial effect on achieving objectives.³ It is equally practical to construct positive risk matrices, or matrices that show both positive and negative consequences. See SRMBOK, Figure 6.11 for an example.
¹ Cox, Tony. ‘What’s Wrong with Risk Matrices?’ Risk Analysis, 1 April 2008. https://onlinelibrary.wiley.com/doi/abs/10.1111/j.1539-6924.2008.01030.x.
² Talbot, Julian. ‘What’s Right with Risk Matrices?’ Accessed 7 July 2019. https://www.juliantalbot.com/post/2018/07/31/whats-right-with-risk-matrices
³ Hillson, David. ‘Extending the Risk Process to Manage Opportunities’, 2002.