The Risk Matrix Approach: Strengths and Limitations
The RMA is an effective and intuitive technique used by risk managers to prioritize threats to their organization in a graphic manner – but it’s not flawless. What steps does this approach involve, and what are its pros and cons?
Friday, October 7, 2022
By Cristian deRitis
One of the key tasks of the financial risk manager, as one on my colleagues eloquently put it, is to “help people to worry more intelligently.” In part, the risk management field addresses our biological shortcomings, as the human mind is prone to extrapolate small changes to cataclysmic extremes. Indeed, a risk manager’s most significant contribution is often prioritizing threats as they seek to keep their organizations from acting rashly and flying off the proverbial rails.
The risk matrix approach (RMA) is one of the most effective tools for prioritizing threats. It’s a great starting point for not only organizing our own thoughts around risk, but also for illustrating priorities to others in an easily accessible, graphic fashion. The universality of the RMA allows us to apply it equally to complex systems, such as the global macro-economy, and to more micro subjects, such as a specific product, service or process.
RMA in Four Easy Steps
The first and most important step to create a risk matrix is defining scope, with respect to both subject matter and time horizon. This involves a consideration of tradeoffs. The narrower the focus, the more precise and actionable the risks we identify.
A narrow a scope, however, may give us tunnel vision. For example, focusing exclusively on the risk that an individual home’s property value could decline may cause us to focus too much on idiosyncratic factors – such as the color of the walls – while ignoring broader drivers of demand – such as migration into or out of the local area.
The time horizon is equally important. The potential threats we identify may vary considerably if we are looking out over the next day or month versus the next year or decade. For the purposes of exposition, let’s consider developing a risk matrix for the U.S. economy over the next eight quarters – an exercise I run through with my economist colleagues each month.
Having established the scope and time horizon, the next step is risk identification. This can be informed by consulting both internal and external surveys of staff, customers and other stakeholders. At this stage, the objective is simply to collect as many ideas as possible, as opposed to ranking their importance. The global financial crisis and the COVID-19 pandemic taught us that it is better to err on the side of constructing an exhaustive list rather than commit an error of omission.
The third step in the RMA process involves assigning likelihoods and severities to each of our identified risks. These may be quantitatively based by looking at history.
For example, we might look at the historical frequency and severity of hurricanes within a particular geography as a starting point with a statistical grounding. We might then refine these assumptions further based on recent trends and models that account for other factors, such as ocean temperatures or El Niño effects.
On the other hand, some risk assessments are purely qualitative in nature. Solar flares or cyberattacks could be known risks to our business operations, but the probability and severity of these events occurring within our specified time horizon may be unknown, given few – if any – historical episodes. In this case, we might survey subject matter experts or use simulation tools to approximate probabilities and severities, with the understanding that the confidence bands around our assumptions may be quite wide.
Mapping Your Priorities
Once we assign probabilities and severities to each of our risks, the fourth and final step is to construct a chart mapping one against the other, as illustrated in the example below:
When we examine the chart, our priorities are obvious. Items in the upper right-hand quadrant summarize threats with both high probability and high severity. Most of our risk mitigation efforts should be focused here.
Prioritization of our second-tier efforts depends on the relative weighting of likelihood and severity. Are we, for example, more concerned about the high-probability/low-severity events (upper left-hand quadrant) or the low-probability/high-severity event (lower right-hand quadrant)?
The last sector to consider is the lower left-hand quadrant, which summarizes threats with relatively lower likelihoods and severities – at least over our defined time horizon.
The definition of threats is important here. For example, “climate change fallout” in the risk matrix refers specifically to the transition risks involved with moving to a carbon-neutral economy. Although they are significant, these risks are unlikely to impact the U.S. economy in the immediate term, given the time required to legislate and implement new policies. More acute threats related to climate change, such as hurricanes or droughts, would be placed closer to the upper right-hand quadrant.
Strengths and Shortcomings
While risk matrices are great tools for adding rigor to risk management processes, they are not without their weaknesses. Risk managers need to be aware of both their strengths and weaknesses before using them.
Presents complex data on multiple threats in a simplified visual way.
Increases transparency in the prioritization of risks.
Applies to both large, complex systems and individual products or processes.
Communicates risks to broad, non-technical audiences in an effective manner.
Creates a common entry point for more effective risk discussions.
Requires precise definition of subject scope.
Masks differences in the confidence surrounding likelihood and severity estimates.
Oversimplifies the complex, interrelated nature of risks.
Depends on a specified time horizon.
Gives an air of scientific precision to subjective risk assessments.
One of the drawbacks of the RMA is that it relies heavily on the time horizon specified. While a short-term horizon is helpful for ensuring that organizations focus on the most salient threats, it may delay preparing for slow-growing threats (e.g., climate risk) until it is too late – or costly – to mitigate them. To minimize blind spots, organizations should regularly develop risk matrices for varying time horizons.
A risk matrix is both helpful and insightful, as it presents complex data in way that is visually accessible to a broad audience.
In addition to providing a systemic method for risk identification and prioritization, a key advantage of the RMA is in facilitating constructive discussions related to decision-making. Indeed, when properly executed, the RMA ensures that the decision process is transparent, based on the best knowledge of all stakeholders.
Another key advantage of risk matrices is how straightforward and easy they are to construct. Users need only identify and assess risks before organizing them into a chart. The addition of color coding makes the matrix intuitive and accessible to all stakeholders, both within and outside the organization.
However, the power of the RMA’s simple, logical framework can also become a liability. Users need to appreciate the uncertainty in assigning likelihoods and severities, especially for new and emerging threats with no historical precedents. Estimates are also dynamic in nature, subject to changing conditions and interactions with other threats that may be difficult to separately identify.
Although risk matrices are a better option than considering individual risks in a vacuum, they can still oversimplify the complexity of risk. Matrices should therefore be used as tools to support decision-making, rather than as algorithms for mechanically setting priorities or making decisions without additional input. It is also important to note that risk matrices contain no information about the mitigation actions an organization might take – which could, in turn, introduce new risks.
Provided we bear these limitations in mind, risk matrices are powerful devices for organizing and prioritizing the threats we face. While we can’t control all possible outcomes or foresee all possible threats, we can worry a bit more intelligently by leveraging risk matrices.
Cristian deRitis is the Deputy Chief Economist at Moody's Analytics. As the head of model research and development, he specializes in the analysis of current and future economic conditions, consumer credit markets and housing. Before joining Moody's Analytics, he worked for Fannie Mae. In addition to his published research, Cristian is named on two U.S. patents for credit modeling techniques. He can be reached at firstname.lastname@example.org.