# Risk Matrix

A risk matrix visualizes risks together with the possible extent of damage and their likelihood of occurring. The Risk Matrix, also known as the Probability Matrix or Impact Matrix, is an effective tool that assists in risk evaluation by considering the probability or likelihood against severity linked with the potential risks of a project. It is a tool that assists in reducing the risk impact that might otherwise affect a business adversely.[1]

There are two dimensions to a risk matrix. It looks at how severe and likely an unwanted event is. These two dimensions create a matrix. The combination of probability and severity will give any event a place on a risk matrix.

The Risk Matrix Grid[2]
Risk matrices are broken into a grid. Matrices grids are usually 5x5, though it can be larger or smaller depending on company needs. The grid is used to assign a “number” to the risk, which is combination of Probability x Severity, and represents the scope of the risk.

The risk matrix grid:

• Usually increases in severity from left (low) to right (high);
• Usually increases in probability from bottom (low) to top (high); but
• A risk matrix can move in any direction, so you may see risk matrices that move from right to left and top to bottom, right to left and bottom to top, or left to right and top to bottom.

As you can see, there is a lot of flexibility about how the risk matrix “appears.” What matters most is what is consistent and comfortable in your organization.

Despite the fact that a risk matrix only contains two variables, there is a surprising amount of confusion or misunderstanding about how to use it. There are differing opinions about how to use it – some of these opinions are better than others.

• Probability in Risk Matrix: Risk matrix probability is used in different ways depending on how the organization defines “probability.” Probability usually means likelihood or frequency, and is ranges from “very rare in industry” to “reported several times a year in company.” Probably can be used to quantify:
• The likelihood of a risk event, such as a runway incursion;
• The likelihood of negative consequences materializing, such as aircraft damage from bird strike; or
• An overall probability of a risk scenario, including the likelihood of a risk event and negative consequences materializing.

Many companies understand probability as likelihood of consequences, though you can also use it to assess probability of risk events. Likelihood is assigned a letter value for each increment in likelihood. Low probability is assigned A. High likelihood (in a 5x5 grid) is assigned an E.

• Severity in Risk Matrix: Severity in risk matrices is more streamlined in use than probability. Severity consists of:
• The severity of impacts in safety events; and
• Only accounts for “likely” outcomes.

Severity is given in a range of numbers, starting at 1 (low severity), and incrementing up by 1 each row. In a 5x5 risk matrix grid, high severity would be assigned a value of 5. Severity is generally considered as ranging from:

• Negligible (1 rating): slight injury/damage, low financial consequences, and/or little effect on mission; to
• Catastrophic (5 rating): multiple fatality, extremely high financial consequences, and/or mission failure

High severity risk assessments should require extensive investigations by a company and every available resource to mitigate the exposure of the safety incident.

Creating a Risk Matrix[3]
To create a risk matrix or a risk diagram, the probability of occurrence and the extent of the damage have to be evaluated. Then the individual risks are entered into a coordinate system according to these values.

• Evaluation of the likelihood of occurrence: There are five levels of entering the likelihood of occurrence. These levels can be expressed in percentages or in semantic concepts. For example:
• 0-20%, 21-40%, 41-60%, 61-80% and 81-100%
• impossible, unlikely, possible, likely and highly likely

The criteria for the level of likelihood where a risk is situated has to be defined precisely. If you have quantative data, then you can base it on that. Even the reference value should be clearly defined. For example, take the expected time until the onset of the damage or the likelihood per customer. An “impossible” likelihood level is recommended so as to not have to identify the same risks again during a project, for example, if the process changes.

• Evaluation of the extent of damages: In the same way, the extent of damages can be formulated in five levels, for example, low, middle, high, very high and critical.

Of course, here each level of a damage extent has to be described exactly in order to allocate the corresponding risks. For example you have to take into account an event happening that could lead to undesired results or have long or short term consequences.

The reference value is then established (for example, Euros per occurence.)

Features of Risk Matrix[4]
A good risk matrix normally shows the following features:

• Normally, quantitative/semi-quantitative hazard analysis tool.
• Developed in a simple and easy to understand manner.
• Tolerable and non-tolerable ranges are clearly defined prior to developing risk matrix.
• Detailed descriptions of all consequences within the range.
• It uses orders of magnitudes and has consistent likelihood range to cover entire spectrum of potential hazards.
• Good guidance for effective hazard analysis in a qualitative manner and may not require prior knowledge for quantitative analysis. However, proper knowledge of the project for which it is done is an advantage. It shall also provide guideline additional action needed to mitigate risks with intolerable risk level, that is, to show how intolerable risk levels can be mitigated, to bring the same with tolerable range.
• It shall be designed in such a way that it has flexibility to adapt itself for various risk targets specific for the company project.
• Prior software knowledge is not essential, but it could be handled with the help of software.

The risk matrix:

• Identifies the gravest project risks.
• Creates and presents the risk situation with minimal effort (e.g. as an Excel diagram).
• Presents the risk situation visually and comprehensively.
• Presents the risk situation simply for everyone because no prior knowledge is required to understand it.
• Assesses the efficiency of your risk measures.

Problems with the Risk Matrix[6]
In his article 'What's Wrong with Risk Matrices?', Tony Cox argues that risk matrices experience several problematic mathematical features making it harder to assess risks. These are:

• Poor resolution. Typical risk matrices can correctly and unambiguously compare only a small fraction (e.g., less than 10%) of randomly selected pairs of hazards. They can assign identical ratings to quantitatively very different risks ("range compression").
• Errors. Risk matrices can mistakenly assign higher qualitative ratings to quantitatively smaller risks. For risks with negatively correlated frequencies and severities, they can be "worse than useless," leading to worse-than-random decisions.
• Suboptimal resource allocation. Effective allocation of resources to risk-reducing countermeasures cannot be based on the categories provided by risk matrices.
• Ambiguous inputs and outputs. Categorizations of severity cannot be made objectively for uncertain consequences. Inputs to risk matrices (e.g., frequency and severity categorizations) and resulting outputs (i.e., risk ratings) require subjective interpretation, and different users may obtain opposite ratings of the same quantitative risks. These limitations suggest that risk matrices should be used with caution, and only with careful explanations of embedded judgments.

Thomas, Bratvold, and Bickel demonstrate that risk matrices produce arbitrary risk rankings. Rankings depend upon the design of the risk matrix itself, such as how large the bins are and whether or not one uses an increasing or decreasing scale. In other words, changing the scale can change the answer. Douglas W. Hubbard and Richard Seiersen take the general research from Cox, Thomas, Bratvold, and Bickel, and provide specific discussion in the realm of cybersecurity risk. They point out that since 61% of cyber security professionals use some form of risk matrix, this can be a serious problem. Hubbard and Seiersen consider these problems in the context of other measured human errors and conclude that "The errors of the experts are simply further exacerbated by the additional errors introduced by the scales and matrices themselves. We agree with the solution proposed by Thomas et al. There is no need for cybersecurity (or other areas of risk analysis that also use risk matrices) to reinvent well-established quantitative methods used in many equally complex problems."