
Risk Matrices: Pros, Cons and Alternatives

Risk matrices (or risk heat maps) have been in existence for some time and have become a contested topic in the risk management community in recent years. Once heralded as a sophisticated way to visually map the risks pertinent to an organization’s revenue-producing activities or the industry in which it operates, these tools have drawbacks which should always be weighed when using risk matrices in decision-making processes.

The idea for this article, which dives into the benefits, limitations and some alternatives to risk matrices, came to me recently while conducting a breakout session for an online MBA risk management course at Temple University I was assisting with. The professor had the students break into groups to answer questions specific to a case study on a Canadian power distribution company.

One question had the students describe the top risks facing the company in an extreme weather event (e.g. severe ice storm). The risks were to be broken into four pure risk categories: property, liability, personnel, and net income (or business interruption). As I assisted the students with their selection in each pure risk quadrant, it became clear that the data provided in the case study was limited. The students had to be creative and use the risk management knowledge learned in prior weeks to come up with the top risks related to this adverse event.

The next question had the students place the four pure risks they had selected onto a risk matrix provided in the assignment. At this point the students were asking for feedback on where they should place each of the risks in terms of frequency and severity. This is where the guessing game began. With such limited information and objective data provided, it was almost a ‘pin the tail on the donkey’ game, even for a risk manager such as myself. It dawned on me that this risk matrix was not worth the paper it would be printed on if presented to the board of this organization. Although it was a cute visual, it lacked context from a quantitative and even qualitative standpoint.

Before I continue, let me be clear that this article will not only be bashing risk matrices. As a risk management professional, I do see value in risk matrices, but I am also fully aware of this tool’s limitations. This article will outline some of my thoughts on the benefits, limitations, and healthy alternatives to risk matrices currently out there. I am sure this content will start some discussions on risk matrices, and that is exactly what we should all want. As risk professionals we should always be questioning the tools we use in our industry and assessing whether they are truly helping our organizations make quality decisions with risk in mind and promoting intelligent risk-taking to help achieve strategic objectives, remain in compliance with industry-specific regulations, and build competitive advantages by exploiting opportunities when presented.

Benefits

There is a time and place for everything, and this includes the use of risk matrices in decision-making scenarios. Below we will take a closer look at a few benefits of risk matrices and the value they can add in the risk management process.

Easy to Apply and Use by Non-Risk Experts

One of the main benefits of risk matrices is these visual tools are easy to use. In most cases, it does not require an extensive career or a fancy degree in risk management to use a risk matrix for presenting on key risks to stakeholders. Non-experts in the risk field can easily construct risk matrices using applications such as Microsoft Excel or PowerPoint. Furthermore, a simple Google search will provide a plethora of templates that can be used to quickly build a risk matrix for reporting purposes. No rocket science here, just a bunch of connected boxes and colors to make senior leaders feel warm and fuzzy on how they are performing in a world of uncertainty.

Detailed Analysis is Not a Requirement

Now, this benefit is bittersweet and will be talked about later in a more negative connotation but here we will focus on the positive. To piggyback off of the benefit above, risk matrices do not require a detailed analysis to map key risks to projects or an overall organization. Scales/levels of frequency and severity are not too difficult to design with the assistance of online resources (just Google it).

Simple risk discussions among senior leaders can provide a crowded list of everything that could go wrong with a project or could adversely impact the organization, from the polar ice caps melting to socioeconomic factors. A risk matrix constructed from these simple, qualitative discussions provides a visual representation of the risk environment surrounding the business, and it can help drive further conversations about the uncertainty which can negatively impact the organization.

Helps Promote Healthy Conversations on Risk Topics

Whether or not a risk matrix is rooted in quantitative data supported by qualitative data, simply popping up a heat map during a board meeting will automatically invoke risk discussions; it is just going to happen. Most boards and senior leaders are focused on protecting company revenues and providing value to shareholders (for public companies), so when you outline present hazards that could cause catastrophe to the bottom line or to the achievement of objectives, these individuals are going to pay attention.

Thus, risk matrices do have a significant advantage in getting business leaders to discuss risks to the business, whether located internally or in the external business environment. This benefit is merely the promotion of healthy conversations involving risks to the business, however. The underlying data of the risk matrix will determine whether these conversations are valuable or simply risk conversations with little to no value in terms of changing the ways leaders act with risk in mind.

Limitations

There are several limitations of risk matrices, but I will focus on what I believe are three of the top constraints to how these tools lead to intelligent discussions involving risks’ impact on the achievement of organizational objectives.

Absence of Objective Data

The greatest knock on risk matrices being used in decision-making processes is the lack of objective (e.g. quantitative) data used to assess risks that are placed on the color-rich heat map. Frequency/severity scales and levels are rooted in qualitative foundations which make these tools very dangerous if used as a significant resource on key decisions involving strategies and resource allocation. Business “experts” will leverage their past experiences, groupthink, or something they picked up on the golf course to establish the scaling systems used in their risk matrix.

This can be like playing with matches in a fireworks factory. In the absence of objective data, cognitive biases and heuristic techniques cloud decision-making and lead analysis astray. Risk matrices can never be perfect but when based on quantitative analysis they can produce a much clearer picture for business leaders on how current risks could adversely impact projects or the achievement of organizational objectives.

Creates a False Sense of Security on Risk Levels and Effectiveness of Treatment

A second major red flag with the use of risk matrices is how it can provide a false sense of security to business leaders on where key risks are today and where they will be on the risk heat map once resources are allocated for proper risk treatment (e.g. insurance transfer, loss control measures). I once saw a corporate presentation slide comparing a “residual” risk heat map to an “inherent” risk heat map, showing how selected risk treatment options impacted the frequency & severity of key organizational risks.

How did the risk manager come up with the new positions of the key risks once risk treatment was introduced? Shockingly, there was zero quantitative data to support the “inherent” risks’ positions on the colorful heat map; it was simply rooted in gut feelings and maybe the way the wind was blowing that day. Knowing this, risk matrices, if relied on heavily for strategic decision-making, can be one of the most dangerous tools on the market. A false sense of security regarding key risks can lead to black swan events which can cripple an organization or simply put it out of business.

Can Lead to Sub-Optimal Resource Allocation

By now we have outlined the major flaw in risk matrices: the reliance on too much qualitative input to create a visually appealing output that is supposed to evoke quality decisions on how to mitigate present organizational risks. Mitigating risks requires the allocation of resources to treat uncertainty’s impact on achieving objectives, whether for a specific project or the overall organization. This is another dangerous flaw of risk matrices: they can lead to sub-optimal resource allocation to treat residual risks.

For example, a risk heat map cannot display how certain risks are interconnected and impact several different areas of an organization or project. This could lead to a risk treatment technique being implemented which addresses one risk but adversely affects an interconnected risk, leading to additional resources needing to be allocated for treatment. This is an exercise in insanity, redundancy or maybe even both, and unfortunately neither can lead to positive results for businesses. Organizations only have so many resources (time, money) which can be allocated to control organizational risks, so relying solely on risk matrices as a roadmap to resource allocation can be a failure in waiting in terms of proper risk management.

Healthier Alternatives

Risk matrices have a time and place in the risk management field, but not as the central tool for making risk-based decisions. A quick Google search on risk matrix alternatives will provide a good number of articles and videos on better tools to help business leaders understand and make decisions involving organizational risks. A few alternatives include:

Stress Testing: Complex, computer-generated simulation models which use hypothetical scenarios as a testing framework to analyze how an organization responds to certain situations

Sensitivity Analysis: Quantitative risk assessment of how changes in a specific model variable impact the output of the model. The analysis shows which variables have the greatest impact on output parameters (e.g. Monte Carlo simulations, tornado charts)

Scenario Analysis: Possible future scenarios are identified through imagination or extrapolation from the present and different risks considered assuming each of these scenarios might occur (ISO 31000:2009)

Decision Trees: Represent decision alternatives and outcomes in a sequential manner which takes account of uncertain outcomes. A decision tree is similar to an event tree in that it starts from an initiating event or an initial decision and models different pathways and outcomes as a result of events that may occur and different decisions that could be made (ISO 31000:2009)
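To show what the quantitative alternatives above produce in place of a colored cell, here is an added example (not part of the original article or the case study) that runs a small Monte Carlo simulation over the four pure risk categories and then a one-at-a-time sensitivity ranking of the kind a tornado chart plots. All probabilities and loss ranges are constructed for illustration, and the lognormal severity fit is an assumption.

```python
import math
import random
import statistics

# Constructed inputs (assumptions, not case-study data) per pure risk category:
# (annual event probability, low and high ends of a 90% interval for the loss)
RISKS = {
    "property":   (0.10, 200_000, 2_000_000),
    "liability":  (0.05, 100_000, 5_000_000),
    "personnel":  (0.20,  20_000,   300_000),
    "net_income": (0.10, 500_000, 4_000_000),
}
TRIALS = 20_000

def draws(name, low, high, seed=7):
    """Per-risk stream of (uniform, severity); lognormal fitted to the 90% interval."""
    rng = random.Random(f"{seed}:{name}")  # same stream every run, one per risk
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return [(rng.random(), rng.lognormvariate(mu, sigma)) for _ in range(TRIALS)]

def annual_losses(risks, scale=None):
    """Total loss per simulated year; `scale` multiplies chosen event probabilities."""
    scale = scale or {}
    totals = [0.0] * TRIALS
    for name, (p, low, high) in risks.items():
        p_eff = min(1.0, p * scale.get(name, 1.0))
        for i, (u, severity) in enumerate(draws(name, low, high)):
            if u < p_eff:  # the event occurs in simulated year i
                totals[i] += severity
    return totals

def summarize(totals, threshold=1_000_000):
    ordered = sorted(totals)
    return {
        "mean": statistics.fmean(ordered),
        "p95": ordered[int(0.95 * len(ordered))],
        "p_exceed": sum(t > threshold for t in ordered) / len(ordered),
    }

def tornado(risks, lo=0.5, hi=1.5):
    """Swing in mean annual loss when one event probability moves from lo*p to hi*p."""
    mean = lambda s: statistics.fmean(annual_losses(risks, s))
    swings = {n: mean({n: hi}) - mean({n: lo}) for n in risks}
    return sorted(swings.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print(summarize(annual_losses(RISKS)))
    print(tornado(RISKS))
```

The summary gives an expected annual loss, a 95th-percentile year and the chance of exceeding a chosen threshold, and the sensitivity ranking shows which input assumption moves the result most.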

Wrapping Up

In no way is this article meant to bully a risk management tool which has helped start healthy conversations involving organizational risks for many years. My mission for this article was to help shed some light on the benefits and limitations of risk matrices and provide some healthy alternatives which can produce quantitative analysis promoting intelligent management of risks. As risk professionals, we should always be questioning the tools we use to battle uncertainty and help our businesses win in our respective markets.

Do you believe it is time to put risk matrices on the shelf and explore smarter alternatives to help drive quality risk management decision-making to help businesses compete in a rapidly changing global economy? Let’s hear your thoughts on the benefits and drawbacks of this much talked about risk management tool.

Cory Mangum

C.R. Mangum is currently a Risk & Insurance Manager for Future Infrastructure Holdings, a private equity holdings company located in Dallas, Texas. He is also an adjunct professor at Temple University assisting the Online MBA & undergrad RMI program.

One thought on “Risk Matrices: Pros, Cons and Alternatives”

  1. The [only] good thing to be said of heatmaps is that they do provide a significant degree of freedom for the risk manager, and help him/her to drive whatever risk discussion they want. Based on the qualitative nature of heatmap scales, and even if/when using defined quantitative scales – an astute risk manager can argue for placing any risk in any quadrant/cell they may wish.
    This allows the risk manager to place risks he/she wants discussed firmly in the “red” zone, and place risks not to be discussed in the “green” zone. Hence – the risk manager can direct and get the exact discussion wanted.
    YES – it is blatant manipulation and highly indecent. If/when applied by someone external, it borders professional malpractice and should be illegal.
    On top of that, heatmaps do NOT inform decision making. How do you prioritize efforts – how many yellow risks does it take to make up for one red – obviously nonsense.
