There are better tools for risk assessment than risk matrices.
But, contrary to some opinion, they are not without some utility. So if your organization still insists on using them, here are at least two basic issues that are easy to fix when using a risk matrix.
The first is failing to identify the risk. You can't calculate a likelihood and consequence for a one-word risk such as 'Terrorism'. Even a short phrase such as 'loss of funding' or 'inadequate resources' will have different meanings to different people. This article isn't about that problem, however. To fix the risk statement you might like to check out my article on How to write risk statements.
The second problem goes back to the design of the risk matrix. Most of us are familiar with risk matrices which look something like the following. It looks innocent enough and is easy to use but it hides an unpleasant truth.
To illustrate the problem I've used financial consequences along the top row and percentages for likelihood. Many risk matrices also include likelihood or frequency descriptors such as 'likely' or 'expected to occur once every 10 years'.
You'll also often find consequence descriptors such as 'adverse national media', 'lost time injury', or 'multiple fatalities'. I've left these out for simplicity's sake, but the problem remains no matter how you choose to assess likelihood and consequences.
In Figure 2 I've put some numbers into the matrix from Figure 1 so that you can see the problem. I've plotted five hypothetical risks that all work out to be MEDIUM. For example, a risk with a 50% chance of occurring that has an expected consequence of $1,000,000 will rank as a MEDIUM risk. Calculating the expected loss (EL) gives a value of $500,000 (50% likelihood x $1,000,000 consequence).
The EL gives us a risk score of MEDIUM and suggests that for any given time period (say one year) the risk will occur 50% of the time. Over a longer period, the expected loss works out to $5,000,000 over 10 years, or an average of $500,000 per year.
Five different hypothetical risks, all rated as MEDIUM have expected losses ranging from $9,000 to $10,000,000. This is an order of magnitude of difference between supposedly comparable levels of risk.
Even worse, a 2-A risk (consequence = 2, likelihood = A) which is rated as HIGH, has an expected loss of $90,000 which is significantly lower than three of the five MEDIUM risks.
So, what to do about it? A better approach is to:
Use a consequence ranking based on a percentage of existential consequence (ie. a catastrophic level of consequence which is likely to destroy the organization); and,
Specify thresholds for each of the risk ratings and management responses.
In Figure 3, I've plotted some numbers for a hypothetical organization that would be bankrupted or cease to exist if faced with a consequence of over $10 billion. I've included the expected loss values in each square but you might choose to just use VL, L, M, H, and VH in those squares. The financial amounts are just to illustrate that the risk ratings are now comparable. MEDIUM risks for example, are now ranging from $1.8 billion to $2.5 billion which is more or less in the same approximate range.
As an alternative (or additionally) to specifying a financial threshold that would destroy the organization, you might choose to consider annual budget, net assets, or annual revenue as the threshold for catastrophic risk. Depending on the nature of your organization, a number of deaths or level of reputation damage might cause the end of your organization.
The main points from Figure 3 are that:
Determining what constitutes a catastrophic consequence, then using percentages provides a more consistent approach to rating risks; and,
If you set threshold values for risk ratings as per the example in the smaller table below the risk matrix, you might still need to change the color-coding (rating). For example, the top left corner of the Figure 1 matrix (1-A) is rated M for MEDIUM. In Figure 3, I have changed the risk rating for 11A from yellow to bright green to indicate that it is now considered to be L for LOW.
Your mission now is to look at your organizational risk matrix with a fresh eye and let me know how your matrix fares. Hopefully, no changes are required but at least if you need to make changes, you have some ammunition to do so.
Before I go, I'll leave you with the example in Figure 4 of a risk matrix from the NY Times article on How Bad Will the Coronavirus Outbreak Get?. One of the best aspects of this risk matrix is the excellent way they have illustrates the uncertainty regarding coronavirus by plotting a range rather than a point value. You can also find a couple of examples on my SRMAM website of a bubble chart and a risk matrix which also express range uncertainties as bubbles or probability distributions.
As you can see below, we have good statistical data for chickenpox, swine flu, and the like but the best we can do for coronavirus is to plot the likely ranges of outcomes.
I've written a lot more about risk matrices and how to use them in my article "What's Right With Risk Matrices" and you can download some example risk matrices from this link on the Security Risk Management Aide-Mémoire website.
You can also find a free SaaS risk assessment application that will let you customize risk matrices and export your own risk reports at SECTARA.com.