This document describes how to create a more effective risk matrix by defining your own probability and impact ranges rather than using pre-defined categories. It recommends using triangular and PERT distributions to model the most likely probability and impact values within each range. Running a Monte Carlo analysis on these user-defined distributions provides quantitative risk exposure metrics like minimum, average, and maximum annual losses. This allows comparing risks and assessing if risk mitigation spending is appropriately reducing exposure to the organization's risk appetite.