# Risk matrix

A risk matrix is a matrix that is used during risk assessment to define the level of risk by considering the category of probability or likelihood against the category of consequence severity. This is a simple mechanism to increase visibility of risks and assist management decision making.[1]

Risk is the lack of certainty about the outcome of making a particular choice. Statistically, the level of downside risk can be calculated as the product of the probability that harm occurs (e.g., that an accident happens) multiplied by the severity of that harm (i.e., the average amount of harm or more conservatively the maximum credible amount of harm). In practice, the risk matrix is a useful approach where either the probability or the harm severity cannot be estimated with accuracy and precision.

Although standard risk matrices exist in certain contexts (e.g. US DoD, NASA, ISO),[2][3][4] individual projects and organizations may need to create their own or tailor an existing risk matrix. For example, the harm severity can be categorized as:

• Catastrophic – multiple deaths
• Critical – one death or multiple severe injuries
• Marginal – one severe injury or multiple minor injuries
• Negligible – one minor injury

The probability of harm occurring might be categorized as 'certain', 'likely', 'possible', 'unlikely' and 'rare'. However it must be considered that very low probabilities may not be very reliable.

The resulting risk matrix could be:

Negligible Marginal Critical Catastrophic
Certain High High Extreme Extreme
Likely Moderate High High Extreme
Possible Low Moderate High Extreme
Unlikely Low Low Moderate Extreme
Rare Low Low Moderate High

The company or organization then would calculate what levels of risk they can take with different events. This would be done by weighing the risk of an event occurring against the cost to implement safety and the benefit gained from it.

## Example Matrix

The following is an example matrix of possible personal injuries, with particular accidents allocated to appropriate cells within the matrix:

Negligible Marginal Critical Catastrophic
Certain Stubbing Toe
Likely Fall
Possible Major Car Accident
Unlikely Aircraft crash
Rare Major Tsunami

## Problems

In his article 'What's Wrong with Risk Matrices?',[5] Tony Cox argues that risk matrices experience several problematic mathematical features making it harder to assess risks. These are:

• Poor resolution. Typical risk matrices can correctly and unambiguously compare only a small fraction (e.g., less than 10%) of randomly selected pairs of hazards. They can assign identical ratings to quantitatively very different risks ("range compression").
• Errors. Risk matrices can mistakenly assign higher qualitative ratings to quantitatively smaller risks. For risks with negatively correlated frequencies and severities, they can be "worse than useless," leading to worse-than-random decisions.
• Suboptimal resource allocation. Effective allocation of resources to risk-reducing countermeasures cannot be based on the categories provided by risk matrices.
• Ambiguous inputs and outputs. Categorizations of severity cannot be made objectively for uncertain consequences. Inputs to risk matrices (e.g., frequency and severity categorizations) and resulting outputs (i.e., risk ratings) require subjective interpretation, and different users may obtain opposite ratings of the same quantitative risks. These limitations suggest that risk matrices should be used with caution, and only with careful explanations of embedded judgments.

Thomas, Bratvold, and Bickel[6] demonstrate that risk matrices produce arbitrary risk rankings. Rankings depend upon the design of the risk matrix itself, such as how large the bins are and whether or not one uses an increasing or decreasing scale. In other words, changing the scale can change the answer.

Douglas W. Hubbard and Richard Seiersen take the general research from Cox, Thomas, Bratvold, and Bickel, and provide specific discussion in the realm of cybersecurity risk. They point out that since 61% of cyber security professionals use some form of risk matrix, this can be a serious problem. Hubbard and Seiersen consider these problems in the context of other measured human errors and conclude that "The errors of the experts are simply further exacerbated by the additional errors introduced by the scales and matrices themselves. We agree with the solution proposed by Thomas et al. There is no need for cybersecurity (or other areas of risk analysis that also use risk matrices) to reinvent well-established quantitative methods used in many equally complex problems."[7]

## References

1. "What's right with risk matrices?". Julian Talbot on Risk, Success and Leadership. Retrieved 2018-06-18.
2. "Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs" (PDF). United States Department of Defense. January 2017. Retrieved 2018-06-18.
3. "NASA, Goddard Space Flight Center, Goddard Technical Standard GSFC-STD-0002, Risk Management Reporting" (PDF). 2009-05-08. Retrieved 2018-06-17.
4. International Organization for Standardization, Space Systems Risk Management, ISO 17666,
5. Cox, L.A. Jr., 'What's Wrong with Risk Matrices?', Risk Analysis, Vol. 28, No. 2, 2008, doi:10.1111/j.1539-6924.2008.01030.x
6. Thomas, Philip, Reidar Bratvold, and J. Eric Bickel, 'The Risk of Using Risk Matrices,' SPE Economics & Management, Vol. 6, No. 2, pp. 56-66, 2014, doi:10.2118/166269-PA.
7. Hubbard, Douglas W.; Seiersen, Richard (2016). How to Measure Anything in Cybersecurity Risk. Wiley. pp. Kindle Locations 2636–2639.