Skip to content

Risk Matrix Sizing: Does size really matter?

Project Risk Manager - Risk Matrix Sizing
Does Size Really Matter?

In this post, we will delve into one of the technicalities of Qualitative Risk Analysis and that is: Risk Matrix Sizing. This is a topic which, surprisingly, has occasionally resulted in heated debates between Risk Management Professionals. So, not being afraid to wade into the fray myself, this is my take on the subject.

In Qualitative Risk Analysis, we generally rely on the use of a risk matrix to define the severity of a risk. This is done by ranking the probability of risk occurrence against the potential impact of the risk. The product of Probability x Impact gives us a value which defines the overall severity of the risk. Now, some may argue that this is actually a form of Quantitative Risk Analysis and, in a sense, it is. After all, we have just used the product of two values to determine the acceptability level of a risk, which is essentially a quantitative risk analysis approach (see our previous post on this subject: https://www.project-risk-manager.com/blog/qualitative-and-quantitative-risk-analysis/).

The difference here though, is that instead of using verified data to establish the values for Probability and Impact, we have applied subjective data. In other words, in Qualitative Risk Analysis we establish the Probability and Impact values based either on historical data, expert knowledge, past experience or, at worst, just plain old gut feel. And this is what really underpins the debate around the importance of risk matrix sizing.

The bottom line in risk management, be it using Quantitative or Qualitative Risk Analysis techniques, is that all risks need to be managed to within a defined range of acceptability. In Technical Safety Quantitative Risk Analysis, this will be a number which defines the acceptable frequency of fatalities per year. (Generally anything over 1 x 10-3, or 1 fatality every 1000 years, is considered unacceptably high). In Qualitative Risk Analysis, however, the range of acceptability falls within the “Green Zone” of a risk matrix.

Now, if you’re using a 4x4 matrix, this means the upper extremities of acceptability are either when the probability of risk occurrence is “Possible”, and the impact is “Low”, or the probability of risk occurrence is “Rare”, and the impact is “High”.

Project Risk Manager - 4x4 Risk Matrix
4x4 Risk Matrix

Alternatively, if you’re using a 5x5 matrix, this means the upper extremities of acceptability are either when the probability of risk occurrence is “Possible”, and the impact is “Very Low”, or the probability of risk occurrence is “Rare”, and the impact is “Medium”.

Project Risk Manager - 5x5 Risk Matrix
5x5 Risk Matrix

So, what’s the difference?

It all comes down to how precisely you’ve defined the Probability and Impact ranges and, more importantly, how accurately the person managing the risk is able to rank each risk’s probability and impact within the defined ranges.

More often than not, risk matrix sizing ends up being a matter of personal preference. As long as a risk is ranked accurately enough to determine what measures are required to bring the risk into the acceptability range (or “Green Zone”) then, whether you use a 4x4 matrix or a 5x5 matrix makes little difference. However, using matrix sizes smaller than 4x4 or larger than 5x5, can actually be detrimental to effective risk management. This is because the range of uncertainty becomes too constrained in the one case and too vague in the other.

Because risk matrices are used in Qualitative Risk Analysis, it is important to remember that they are there for subjective guidance, and not to provide you with definitive Quantitative risk ranking data. In the case of trying to use a 3x3 matrix, it becomes difficult to gauge where the boundary between Acceptable and Unacceptable lies and, when trying to use a 6x6 matrix, the distinction between a risk impact of “Very High” or “Severe”, or risk probability of “Highly Probable” or “Certain”, becomes largely insignificant.

For more information about our project risk management services and software, or if you just want to express your own views on the subject, please feel free to get in touch via our “Contact Us” page.

Leave a Reply

Your e-mail address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.