Skip to Content

The Problem with Risk Matrices (And What Defensible Risk Assessment Actually Looks Like)

The most widely used risk tool in the world produces work that looks structured but provides limited protection against the risks that actually matter.
20 June 2026 by

Risk matrices are everywhere. Every risk management framework includes one. Every board pack contains one. Every consultant produces one. They are the lingua franca of enterprise risk — and they are, in many important respects, epistemically broken. The problem is not that risk matrices are used. The problem is that they are trusted as if they produce reliable outputs, when the evidence suggests they frequently do not.

The Core Problem: Ordinal Scales Don't Behave Like Numbers

The standard risk matrix asks you to rate likelihood on a scale of 1–5 and consequence on a scale of 1–5, then multiply them to get a risk score. The resulting number gets colour-coded — green, amber, red — and decisions are made accordingly. This feels rigorous. It is not rigorous. It is the illusion of precision applied to subjective estimates.

The foundational problem is that likelihood and consequence ratings are ordinal, not cardinal. "Likely" (4) is not twice as likely as "Possible" (2). "Catastrophic" (5) is not five times worse than "Minor" (1). When you multiply ordinal values, the arithmetic is meaningless. A risk scored 4×4=16 is not twice as serious as one scored 4×2=8. The numbers do not carry the information the arithmetic assumes they carry.

This was documented rigorously by Tony Cox in a 2008 paper, "What's Wrong with Risk Matrices," and the problems he identified have not gone away because practitioners have not read it. Risk matrices can produce risk rankings that are, in his terms, "reversed" — where genuinely high risks score lower than genuinely low risks, and vice versa. The matrix does not surface this. It conceals it behind a plausible-looking number.

The Calibration Problem

Even if we set aside the arithmetic issue, risk matrices depend on raters who are well-calibrated — meaning their subjective estimates of likelihood and consequence accurately reflect the actual distribution of outcomes. The evidence from decades of research on human judgment and forecasting is clear: people are not well-calibrated. We overestimate the likelihood of vivid, memorable events. We underestimate slow-moving systemic risks. We anchor on recent experience. We are influenced by whether we personally find the scenario frightening or routine.

When a group of executives sits in a room rating risks on a 1–5 scale, they are not conducting probabilistic analysis. They are conducting a social process — in which anchoring, authority effects, groupthink, and motivated reasoning shape the outputs as much as any objective assessment of likelihood. The matrix records the consensus, not the reality.

The Aggregation Problem

Risk matrices aggregate unlike risks onto a single scale. A cyber incident, a regulatory breach, a catastrophic safety event, and a reputational crisis all get scored on the same likelihood-consequence grid, producing numbers that can then be ranked and compared. But the nature of these risks is fundamentally different. Their probability distributions are different. Their time horizons are different. Their second-order consequences are different. Expressing them on the same scale and treating the numbers as comparable is not analysis. It is false equivalence dressed as methodology.

What Defensible Risk Assessment Actually Looks Like

The standard for defensible risk assessment is not "we used an industry-standard matrix." The standard is "we identified the material risks, we gathered the best available evidence about their likelihood and consequence, we documented our reasoning, and we made decisions proportionate to that evidence." That is a significantly different exercise.

Treat risks individually, not in aggregation. The top-10-risks heat map is a reporting artefact, not an analytical output. Each significant risk deserves its own analysis — its own evidence base, its own scenario consideration, its own uncertainty acknowledgment.

Separate uncertainty from probability. Much of what appears on risk matrices is not risk in the statistical sense. It is uncertainty — situations where we do not have enough data to assign meaningful probabilities. Treating uncertainty as if it were a 1–5 probability rating is false precision. Acknowledge when you are operating in conditions of genuine uncertainty and structure your response accordingly.

Document the reasoning, not just the score. When an incident occurs and your risk management is examined — whether by a regulator, a board inquiry, a court, or an expert witness — what will be scrutinised is not your heat map. It will be whether your reasoning process was sound and your decisions were proportionate to what you knew. Ratings without reasoning are not defensible.

Use bow-tie or fault-tree analysis for high-consequence risks. For risks where the consequence of failure is severe, qualitative scenario analysis — identifying causes, controls, and consequences — is more useful than a matrix score. Bow-tie analysis forces you to think about the causal chain from source to consequence and the adequacy of your controls at each node. It produces outputs you can act on.

Challenge the ratings.) If your risk matrix has not changed significantly from year to year, that is evidence that it is recording consensus rather than analysis. Genuine risk assessment produces uncomfortable findings. If everyone in the room agrees, someone is not thinking hard enough.

The Expert Witness Perspective

I have reviewed risk frameworks in the context of significant litigation on multiple occasions. The organisations that are most exposed are not those that had no framework — it is those that had a framework that looked rigorous but was not operationalised. A risk matrix populated by executives in a half-day workshop, unchanged for three years, is not evidence of a functioning risk management system. It is evidence that the organisation went through the motions. That distinction matters enormously when something goes wrong and the organisation's conduct is examined against the standard of what a reasonable organisation would have done.

Risk management is not about producing artefacts that look like risk management. It is about making better decisions under uncertainty. Those are different objectives, and only one of them provides any actual protection.

Tony Ridley provides expert review and advisory on enterprise risk frameworks. Contact us to discuss your requirements.

Why Duty of Care Is Failing Your Global Business
The gap between what organisations believe they have and what actually holds up under scrutiny is larger than most boards realise.