The post today has been inspired from a question a client put to me only last week, let's dig out that question and then we'll deal with the response.
"Martin, I have been seeing various risk managers on LinkedIn dismiss Risk Matrices as poor methods for reporting Enterprise Risk and I wondered what your thoughts are on the subject?"
At the profoundly critical end of my opinion, I see Risk Matrices as a failed construct of Enterprise Risk or Operational Risk reporting, and I have held this opinion for more than a decade or so now. About five years ago I wrote several articles on the subject, one of which can be found below from our publication on the "Ten stories of concern for operational risk". Albeit, Risk Matrices featured as headache number nine in our list, so there are many more problems with operational risk reporting than Risk Matrices ... they are nonetheless self-imposed decision making hazards so I avoid upselling them to management.
There are a lot of Risk Management Practitioners throwing various negative rhetoric at the Risk Matrix, and yes, I have to admit that I am a member of the let's move on from the Risk Matrix camp. However, where these people fail is that they don't tackle the problem with an alternative. I always say it's easy to be cynical about anything, it's simple to throw up a critique, but unless you are able to do so and offer up an alternative option, you become part of the problem rather than its solution.
As it is ~ The questions we need to be asking ourselves is not what's wrong with the Risk Matrix as much as how could we effectively report risk, objectives and other contextually relevant items. Risk Managers need to stop copying busted practices because they are just there and do their jobs of developing novel techniques to meet the reporting requirements of their stakeholders.
With that in mind, I believe the whole process of defining and capturing risk data, modelling it and reporting it needs to evolve. The Risk Matrix will most likely stay until the practice of reporting risk is improved, after which stakeholders will then begin to move on naturally.
My suggestion on where Risk Managers should start with resolving the Risk Matrix conundrum is to develop a detailed and interactive Risk Dashboard. When faced with the prospect of looking upon a Risk Matrix or a detailed, up-to-date Risk Dashboard that connects risks to objectives, benchmarks and allows slicing and dicing of risk data in different business contexts, you'll find stakeholders will move on pretty swiftly, only a fool wouldn't.