
Risk Matrix

Revision as of 17:06, 18 March 2020 by User

A risk matrix visualizes risks by the possible extent of damage and their likelihood of occurring. Also known as a probability matrix or impact matrix, it is an effective tool for risk evaluation: the probability (likelihood) of each potential risk of a project is considered against its severity, which helps reduce the impact that risks might otherwise have on a business.[1]

A risk matrix has two dimensions: how severe an unwanted event would be and how likely it is to occur. The combination of probability and severity gives every event a place in the matrix.

Risk Matrix

Creating a Risk Matrix[2]
To create a risk matrix or a risk diagram, the probability of occurrence and the extent of the damage have to be evaluated. Then the individual risks are entered into a coordinate system according to these values.

  • Evaluation of the likelihood of occurrence: The likelihood of occurrence is entered on one of five levels, which can be expressed as percentages or as semantic concepts. For example:
    • 0-20%, 21-40%, 41-60%, 61-80% and 81-100%
    • impossible, unlikely, possible, likely and highly likely

The criteria for the likelihood level in which a risk is placed have to be defined precisely. If quantitative data is available, the levels can be based on it. The reference value should also be clearly defined, for example the expected time until the onset of the damage or the likelihood per customer. An “impossible” likelihood level is recommended so that the same risks do not have to be identified again during a project, for example if the process changes.

  • Evaluation of the extent of damages: In the same way, the extent of damages can be formulated in five levels, for example, low, middle, high, very high and critical.

Of course, each level of damage extent has to be described exactly here so that the corresponding risks can be allocated to it. For example, you have to take into account whether an event could lead to undesired results and whether it would have long- or short-term consequences.

The reference value is then established (for example, Euros per occurrence).

Problems with the Risk Matrix[3]
In his article 'What's Wrong with Risk Matrices?', Tony Cox argues that risk matrices have several problematic mathematical features that make it harder to assess risks. These are:

  • Poor resolution. Typical risk matrices can correctly and unambiguously compare only a small fraction (e.g., less than 10%) of randomly selected pairs of hazards. They can assign identical ratings to quantitatively very different risks ("range compression").
  • Errors. Risk matrices can mistakenly assign higher qualitative ratings to quantitatively smaller risks. For risks with negatively correlated frequencies and severities, they can be "worse than useless," leading to worse-than-random decisions.
  • Suboptimal resource allocation. Effective allocation of resources to risk-reducing countermeasures cannot be based on the categories provided by risk matrices.
  • Ambiguous inputs and outputs. Categorizations of severity cannot be made objectively for uncertain consequences. Inputs to risk matrices (e.g., frequency and severity categorizations) and resulting outputs (i.e., risk ratings) require subjective interpretation, and different users may obtain opposite ratings of the same quantitative risks. These limitations suggest that risk matrices should be used with caution, and only with careful explanations of embedded judgments.

Thomas, Bratvold, and Bickel demonstrate that risk matrices produce arbitrary risk rankings. Rankings depend upon the design of the risk matrix itself, such as how large the bins are and whether or not one uses an increasing or decreasing scale. In other words, changing the scale can change the answer. Douglas W. Hubbard and Richard Seiersen take the general research from Cox, Thomas, Bratvold, and Bickel, and provide specific discussion in the realm of cybersecurity risk. They point out that since 61% of cyber security professionals use some form of risk matrix, this can be a serious problem. Hubbard and Seiersen consider these problems in the context of other measured human errors and conclude that "The errors of the experts are simply further exacerbated by the additional errors introduced by the scales and matrices themselves. We agree with the solution proposed by Thomas et al. There is no need for cybersecurity (or other areas of risk analysis that also use risk matrices) to reinvent well-established quantitative methods used in many equally complex problems."
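The following added example (not from the page or from the cited authors) builds the five-by-five matrix described in the creation steps above and then checks it against the quantitative risk it is meant to approximate, reproducing the range compression and rank reversals that Cox describes. The percentage bins and level labels are the page's; the Euro thresholds for the damage bins and the sample risks are constructed for this example.

```python
from itertools import combinations

# Five likelihood levels (inclusive upper bounds in %) and five damage levels
# (inclusive upper bounds in Euros per occurrence; thresholds are constructed).
LIKELIHOOD_BOUNDS = [20, 40, 60, 80, 100]
LIKELIHOOD_LABELS = ["impossible", "unlikely", "possible", "likely", "highly likely"]
DAMAGE_BOUNDS = [1_000, 10_000, 100_000, 1_000_000, float("inf")]
DAMAGE_LABELS = ["low", "middle", "high", "very high", "critical"]


def bin_level(value, upper_bounds):
    """Return the 1-based level of the first bin whose upper bound covers value."""
    for level, bound in enumerate(upper_bounds, start=1):
        if value <= bound:
            return level
    raise ValueError(f"{value} exceeds the top bin")


def rate(probability_pct, damage_eur):
    """Place one risk on the matrix: (likelihood level, damage level, cell score)."""
    lvl = bin_level(probability_pct, LIKELIHOOD_BOUNDS)
    dmg = bin_level(damage_eur, DAMAGE_BOUNDS)
    return lvl, dmg, lvl * dmg  # cell score = product of the two ordinal levels


def describe(probability_pct, damage_eur):
    lvl, dmg, score = rate(probability_pct, damage_eur)
    return f"{LIKELIHOOD_LABELS[lvl - 1]} / {DAMAGE_LABELS[dmg - 1]} (score {score})"


def expected_loss(probability_pct, damage_eur):
    """The quantitative risk (likelihood x damage) the matrix is meant to approximate."""
    return probability_pct / 100 * damage_eur


def compare(risks):
    """Over all pairs, count those the matrix orders like expected loss, those it
    ties despite different losses (range compression) and those it reverses."""
    consistent = ties = reversed_ = 0
    for a, b in combinations(risks, 2):
        matrix_gap = rate(*a)[2] - rate(*b)[2]
        loss_gap = expected_loss(*a) - expected_loss(*b)
        if matrix_gap == 0:
            ties += 1
        elif matrix_gap * loss_gap > 0:
            consistent += 1
        else:
            reversed_ += 1
    return consistent, ties, reversed_


# Constructed sample risks as (likelihood in %, damage in Euros per occurrence).
RISKS = [(5, 900_000), (19, 1_500), (21, 1_200), (79, 9_000), (61, 90_000)]
```

On these five risks, `compare(RISKS)` returns 7 consistently ordered pairs, 1 tie and 2 reversals: a 5% chance of a 900,000 EUR loss shares a cell with a 21% chance of a 1,200 EUR loss, and is rated below a 79% chance of a 9,000 EUR loss despite an expected loss more than six times higher.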

References

  1. Definition - What is a Risk Matrix, CIO Index
  2. How do you create a risk matrix?, Microtool
  3. Problems with the Risk Matrix, Wikipedia