Risk matrices have been around for decades, but most people don’t build their own anymore. In fact, Mark Powell told an audience at Risk Awareness Week 2020 that he hadn’t met anybody in 25 years who had built a risk matrix from scratch, with many outsourcing the job to consultants instead.
So why does this matter? According to Powell there are several reasons.
A relatively simple process
The first is that building a risk matrix is a relatively simple process consisting of just seven steps, so paying a consultant to develop one may not be the best use of your money.
The seven steps are:
- Choose a risk factor formula and normalise between 0 and 1.
- Choose units for your consequence risk and normalise between 0 and 1. Risks are added where there are multiple consequences.
- Choose risk factor levels for acceptable and unacceptable risks – any values suitable for the decision-maker will do
- Draw isocontours of equivalent risk factors
- Colour the isocontour regions (red above unacceptable RF isocontour, green below RF acceptable isocontour and yellow for those in between
- Draw boxes that are of equivalent value and evenly spaced
- Colour the boxes the predominant colour.
Powell demonstrated the process to produce a risk matrix for the audience.
In this case:
- Risk factor formula is RF=PxC
- The consequence unit was dollars
- Unacceptable risk factor level was 0.7 and above. Acceptable was 0.3 and below
- Matrix was designed as 5×5
Getting the steps right
The second problem with risk managers not building their own matrices is that even though the process is relatively simple, there are several important choices that need to be made along the way.
These can significantly impact how your risk matrix turns out and the decisions you end up making, with some methods building in artificial levels of risk tolerance or aversion.
For instance, the risk factor formula you choose, can give you radically different risk matrices for the same problems and values.
To demonstrate, Powell took the example above – but used the risk factor formula RF = 1 – (1-P)*(1-C) instead of RF=PxC. When this risk factor formula is used, you get convex isocontours instead of concave ones which gives you far fewer acceptable boxes and far more unacceptable ones.
Other risk factor formulas will each give different matrices again. So, selecting the formula that works for your organisation and decision makers is critically important.
Of course, it’s also possible to simply reuse matrices, or borrow the format from elsewhere, however doing so introduces several new risks…
Getting your values right
One important factor is to get the values right for your consequences and your probabilities, however, this is far from straightforward as both are nonlinear.
For instance, according to the law of diminishing marginal utility, the more of something that you have, the less additional satisfaction you get from more of that thing.
Powell gave the example: “If you’re extremely rich and you see a ten-dollar bill on the ground, you might not bother to pick it up. If you only have ten dollars in your pocket and that’s all you have for your night, you’ll definitely pick it up.”
This diminishing marginal value of money is expressed as an exponential curve, which will differ from decision-maker to decision-maker. This will have an impact on your x-axis, and how you build your boxes on the matrix.
Equally, many people have issues dealing with really big or really small numbers, which can also warp your X-axis. Others have similar personal views on probabilities, where, for instance, they might treat an event with a 70% probability exactly the same as one with a 90% probability. Some people may discount extremely small probabilities automatically. And all of these factors must be built into the model.
Powell said: “You have to have a feel for what their values are. You’ve got to be realistic, you can’t just apply your values or you’ll skew the decision. You’ve got to pick the right risk factor values for the unacceptable and the acceptable risk levels and clearly, it’s got to be something with which the decision maker will be comfortable with or familiar.
“And then you have to properly transform the risk matrix axis based on the values of the decision maker for both consequences and the probabilities which are going to warp the risk factor isocontours and consequently the whole risk matrix. You’ve got to do these things right.”
A moving feast
These subtle differences between decision makers and problems mean that you probably need to build a new matrix for each new risk or decision. Perhaps worse, you may need to keep rebuilding the same risk matrix for the same problem as factors change over time.
Powell gives the example of congress signing off on a budget – this could render a risk matrix you’d built only hours earlier useless as one of your risks is now off the table.
Of course, some risk managers may say that a risk matrix is just a guide rather than a decision making tool, but Powell cautions against this view. He explains: “if a risk maker sees a risk matrix, they’re going to be influenced by it in making their decision. The red, yellow, green is something ubiquitous in our universe and they influence you. So if somebody sees something in a red box, they’re going to think differently regardless of what their original feelings are.”
The moral of the story according to Powell is that risk matrixes need to be built correctly in order to have any value for decision-making, and if they’re not constructed with the specific scenario and decision-maker in mind they can even be dangerous.
But more importantly, he believes that the act of building one yourself helps show some of the limitations of the method. He concludes: “You can never get an optimal decision using a Risk Matrix, but you might get a reasonably good decision if you build it right.
“After seeing how you do science and math to build a risk matrix from scratch and seeing the sensitivities the question is: ‘do you still want to use a risk matrix’ and to quote Clint Eastwood: ‘Do you feel lucky?’