What is a Risk Matrix
The risk matrix is a matrix used during risk assessment to determine the level of risk by weighing a category of probability (or likelihood) against a category of severity (consequence). It is a simple mechanism for increasing the visibility of risks and supporting management decision-making.
Risk is uncertainty about the outcome of a particular choice. Statistically, the level of downside risk can be calculated as the probability of damage (for example, an accident) multiplied by the severity of that damage (i.e. the average amount of damage or, more conservatively, the maximum credible amount of damage). In practice, the risk matrix is a useful approach where the probability or severity of damage cannot be estimated with precision and accuracy.
Although standard risk matrices exist in certain contexts (e.g. the US Department of Defense, NASA, and ISO), individual projects and organizations may need to create their own or tailor an existing risk matrix. For example, the severity of the damage might be classified as follows:
- Catastrophic: death or permanent total disability, significant and irreversible environmental impact, complete loss of equipment.
- Critical: accident-level injury resulting in hospitalization, permanent partial disability, significant reversible environmental impact, damage to equipment.
- Marginal: injury causing lost workdays, moderate reversible environmental impact, equipment damage at the level of a minor accident.
- Minor: injury that does not cause lost workdays, minimal environmental impact, damage below the level of a minor accident.
The probability of damage can be categorized as “certain”, “probable”, “possible”, “unlikely” and “rare”, though it must be borne in mind that very low probabilities may not be estimated very reliably.
The resulting risk matrix could be:
The company or organization then decides the levels of risk it is willing to accept for different events, by weighing the risk of an event occurring against the cost and benefit of implementing safety controls.
Risk Matrix Problems
In his article “What’s Wrong with Risk Matrices?”, Tony Cox argues that risk matrices exhibit several problematic mathematical properties that make it difficult to assess risk:
- Poor resolution. Typical risk matrices can correctly and unambiguously compare only a small fraction (e.g., less than 10%) of randomly selected pairs of risks. They can assign identical ratings to quantitatively very different risks (“range compression”).
- Errors. Risk matrices can mistakenly assign higher qualitative ratings to quantitatively smaller risks. For risks with negatively correlated frequencies and severities, they can be “worse than useless,” leading to decisions worse than random ones.
- Suboptimal resource allocation. Effective allocation of resources to risk-reducing countermeasures cannot be based on the categories provided by risk matrices.
- Ambiguous inputs and outputs. Severity ratings cannot be made objectively for uncertain consequences. The inputs to a risk matrix (e.g., frequency and severity ratings) and the resulting output (i.e., risk ratings) require subjective interpretation, and different users may arrive at opposite ratings for the same quantitative risk. These limitations suggest that risk matrices should be used with caution, and only with careful explanation of the judgments embedded in them.
Thomas, Bratvold, and Bickel show that risk matrices produce arbitrary risk rankings. The rankings depend on the design of the risk matrix itself, such as the size of the bins and whether an increasing or decreasing scale is used. In other words, changing the scale can change the answer.
An additional problem is the imprecision of the probability classes. For example, “certain”, “probable”, “possible”, “unlikely” and “rare” are not hierarchically related. A better choice would be to build the classes on the same base term, such as “very common”, “common”, “somewhat common”, “uncommon”, “very uncommon”, or a similar hierarchy built on the base term “frequency”.
Another common problem is assigning rank indices to the axes of the matrix and multiplying the indices to obtain a “risk score”. While this seems intuitive, it results in an uneven distribution of scores.
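As an added illustration (not from the article or the cited authors), the following Python builds a rank-index matrix over constructed probability and loss bins and exercises three of the problems described above: the uneven score distribution, range compression, and rank reversal. The bin boundaries, the loss units and the sample risks are assumptions chosen for the demonstration.

```python
from itertools import product

# Constructed ordinal scales (assumptions, not the article's): rank index ->
# (label, lower bound, upper bound) of the quantitative bin behind the label.
PROBABILITY = {  # annual probability of the event occurring
    1: ("rare", 0.0, 0.01),
    2: ("unlikely", 0.01, 0.1),
    3: ("possible", 0.1, 0.3),
    4: ("probable", 0.3, 0.7),
    5: ("certain", 0.7, 1.0),
}
SEVERITY = {  # loss per event in constructed monetary units
    1: ("minor", 0, 10),
    2: ("marginal", 10, 100),
    3: ("critical", 100, 1_000),
    4: ("catastrophic", 1_000, 10_000),
}

def bin_index(value, scale):
    """Map a quantitative value to the rank index of the bin containing it."""
    for idx, (_, lo, hi) in scale.items():
        if lo <= value < hi:
            return idx
    if value >= max(hi for _, _, hi in scale.values()):
        return max(scale)  # at or above the top bound: highest rank
    raise ValueError(f"{value} lies below the scale")

def risk_score(prob, loss):
    """The 'risk score' the article criticises: product of the two rank indices."""
    return bin_index(prob, PROBABILITY) * bin_index(loss, SEVERITY)

def expected_loss(prob, loss):
    """The quantitative risk the matrix is meant to approximate."""
    return prob * loss

def attainable_scores():
    """Distinct index products: the uneven, gappy score distribution."""
    return sorted({p * s for p, s in product(PROBABILITY, SEVERITY)})

def rank_reversal(a, b):
    """True when the matrix ranks risk a above b but expected loss ranks b above a."""
    return risk_score(*a) > risk_score(*b) and expected_loss(*a) < expected_loss(*b)

if __name__ == "__main__":
    print("attainable scores:", attainable_scores())   # only 13 of 20 cells are distinct
    low, high = (0.01, 100), (0.0999, 999.9)           # same cell, ~100x apart in expected loss
    print("range compression:", risk_score(*low), risk_score(*high))
    print("rank reversal:", rank_reversal((0.3, 10), (0.099, 999)))
```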
Douglas W. Hubbard and Richard Seiersen take the general research of Cox, Thomas, Bratvold, and Bickel and apply it specifically to cybersecurity risk. They note that, since 61% of cybersecurity professionals use some form of risk matrix, this could be a serious problem.
Hubbard and Seiersen considered these problems in the context of other measured human errors and concluded that “expert errors are simply exacerbated by additional errors introduced by the same metrics and matrices. We agree with the solution proposed by Thomas et al. There is no need for cybersecurity (or other areas of risk analysis, which also use risk matrices) to reinvent the well-established quantitative methods used in many equally complex problems.”