Are You Still Using Risk Matrices?

Imagine yourself being paid to plot risks on a graph where one axis represents probability, and the other axis represents impact. Now imagine yourself wasting time. The latter should be easy because plotting risks on a risk matrix or heat map is a waste of time, unless your goal is to get paid for shuffling paper until somebody important realizes that the business would perform just as well without you. Ten years ago a lot of seemingly competent people would openly recommend the use of risk matrices. Thankfully, the tide has turned against this particular form of pseudoscience as more and more experts have described why risk matrices are deficient. I wrote my own piece about why I hate heat maps but even that article failed to capture all the failings of risk matrices. Here are just a few valid criticisms from various authors:

My disenchantment with heat maps began when I was presented with one while serving as a board member. Charged with the responsibility for the organization’s risk oversight, I was forced to ask myself the question “what does this tell me and what should we do about it?”

The simple answer was nothing, and nothing. Distributing a set of risks into a heat map provides little, if any, useful information to management.

Bruce McCuaig, Digitalist Magazine

Scoring methods [including risk matrices] are virtually always developed in isolation from scientific methods in risk analysis and decision analysis. The developers in these areas tend to be experts in some particular problem domain, such as IT security or public health, but they are virtually never experts in risk analysis and decision analysis methods. There is no empirical evidence that these methods improve decisions at all. In fact, even considering the question of whether decisions are measurably improved seems to be completely absent from every one of the scoring methods…

Douglas Hubbard, The Failure of Risk Management

…existing risk management tools (heat maps, risk registers, etc.) and practices based on historical data and intuition are a good start, but inadequate for the demands of today’s business climate. As the need to cover the “upside” risks (financial and otherwise) continues to grow, so does the need for an effective risk management framework and science-based tools that quantify uncertainty in both risk and value.

Jeff Driver and Renée Bernard, Enterprise Risk Management and its Relationship to the Wizard of Oz

  • If the organizational goal is to respond only to known and identified threats, and the ERM process is viewed as an extension of audit and compliance, risk registers and risk heat maps can be useful.
  • If the organizational goal is to respond to known threats and opportunities and gain risk intelligence about emerging perils on the horizon, traditional risk registers and risk heat maps fall short.
  • If the organizational goal is to grow the business and create value for stakeholders, traditional risk registers and risk heat maps are useless.

John Bugalla and James Kallman,

I was reminded of all the faults of risk matrices by a new article at Causal Capital entitled “Risk Matrices Failures”. Author Martin Davies starts his article by repeating a question submitted by a reader:

“Martin, I have been seeing various risk managers on LinkedIn dismiss Risk Matrices as poor methods for reporting Enterprise Risk and I wondered what your thoughts are on the subject?”

Davies observes that heat maps are ‘hazards’:

I see Risk Matrices as a failed construct of Enterprise Risk or Operational Risk reporting, and I have held this opinion for more than a decade or so now… there are many more problems with operational risk reporting than Risk Matrices… they are nonetheless self-imposed decision making hazards so I avoid upselling them to management.

Davies does have some more positive advice on what risk managers should construct instead of risk matrices:

With that in mind, I believe the whole process of defining and capturing risk data, modelling it and reporting it needs to evolve…

Risk Managers should… develop a detailed and interactive Risk Dashboard. When faced with the prospect of looking upon a Risk Matrix or a detailed, up-to-date Risk Dashboard that connects risks to objectives and benchmarks and allows slicing and dicing of risk data in different business contexts, you’ll find stakeholders will move on pretty swiftly; only a fool wouldn’t.

My purpose with this article is to remind readers that the telecoms industry may be laggards at risk management when we should be leaders. There is no longer any good reason for telcos not to invest in the technology and human skills that would bring detailed risk data to life by presenting the information in ways which are far more useful than plotting points on a restrictive, dull, flat chart. If telecoms risk managers continue to use flawed methods, this can only be justified by observing that others continue to use the same flawed methods, which reveals a similar attitude to risk intelligence as that adopted by lemmings.

Telcos are inherently digital businesses. They possess all sorts of data that other businesses do not. Whilst not every risk can easily be reduced to numbers, the risks faced by telcos are generally more susceptible to numerical analysis. Compared to most other businesses, telcos can potentially make more use of maths and computers to manage their risks. Technological progress also means these techniques are cheaper and more accessible than ever before. The only thing holding us back is the failure to develop professionals, and in particular the underinvestment in education that leaves many believing that if something was written into a textbook ten years ago then it must have been true when written, and must still be true now.

A lot of pioneering work has been done by telecoms risk managers who focused on specific operational risks. It would be a shame if we collectively lose confidence in the ability to innovate when it comes to developing techniques that present and rank risks more generally. So let me ask again: are you still using risk matrices to explain and compare the severity of the various risks faced by your telco? What prevents you from offering something better?

Eric Priezkalns

Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.