A recent debate on the G31000 forum titled "Test your Risk Matrix" isn't the first time the contentious subject of Risk Matrices has been debated among practitioners, and I doubt it will be the last. The use of a Risk Matrix, which we will explain in this blog article, is broadly popular among enterprise risk managers looking to report an aggregated, enterprise-wide view of the exposures that threaten their stakeholders. Those who use risk software systems often find that the Risk Matrix comes installed as part of the package, and I know some practitioners out there wouldn't procure a risk solution unless this type of report was available from the outset.
The Risk Matrix is a bit of FAIL though, and it generally does not deliver to the risk management industry what it promises. Some seasoned risk analysts are so disgruntled with the tool that they choose to drop the whole reporting concept altogether. That is all fine, but it doesn't change the fact that stakeholders are going to ask for a summarized view of their risks at some point and, as it stands, many of them have become accustomed to seeing their world of risks in a matrix.
Consigning the Risk Matrix to the rubbish bin doesn't seem a viable way of avoiding its problems unless something better comes along. So then, let's tackle its flaws and try to resolve them.