This document describes how to create a more effective risk matrix by defining your own probability and impact ranges rather than using pre-defined categories. It recommends using triangular and PERT distributions to model the most likely probability and impact values within each range. Running a Monte Carlo analysis on these user-defined distributions provides quantitative risk exposure metrics like minimum, average, and maximum annual losses. This allows comparing risks and assessing if risk mitigation spending is appropriately reducing exposure to the organization's risk appetite.

1. How to create a better Risk
Matrix (kind of…)
Or
How to avoid the dreaded “Q” word….
By Osama Salah

2. This is a typical Risk Matrix
Negligible Minor Moderate Significant Severe
Very Likely Low Med Medium Med Hi High High
Likely Low Low Med Medium Med Hi High
Possible Low Low Med Medium Med Hi Med Hi
Unlikely Low Low Med Low Med Medium Med Hi
Very Unlikely Low Low Low Med Medium Medium
Impact
Likelihood

3. With the good intention to make it easier
some add labels to provide guidance….
Negligible Minor Moderate Significant Severe
0 - $100K $101K - $1M $1M - $50M $50M - 100M > $100M
Very Likely 10 times per year or more Low Med Medium Med Hi High High
Likely 9 - 5 times per year Low Low Med Medium Med Hi High
Possible 4-2 times per year Low Low Med Medium Med Hi Med Hi
Unlikely Once per year Low Low Med Low Med Medium Med Hi
Very Unlikely Once every 3 years or less Low Low Low Med Medium Medium
Impact
Likelihood

4. But you can’t help but wonder….
Negligible Minor Moderate Significant Severe
0 - $100K $101K - $1M $1M - $50M $50M - 100M > $100M
Very Likely 10 times per year or more Low Med Medium Med Hi High High
Likely 9 - 5 times per year Low Low Med Medium Med Hi High
Possible 4-2 times per year Low Low Med Medium Med Hi Med Hi
Unlikely Once per year Low Low Med Low Med Medium Med Hi
Very Unlikely Once every 3 years or less Low Low Low Med Medium Medium
Impact
Likelihood
Am I really going to deal with a $1M loss the same as a $50M?
Am I really going to treat something that happens 11 times per year
the same as 100 times?
Who came up with these seemingly arbitrary buckets? (I did for this
presentation, but in real life there isn’t much more of a rationale
behind it either.)

5. What if I could define my own buckets?Likelihood
Impact
Let’s imagine that and start with a blank slate…

6. Let’s say you are pretty sure:Likelihood
Impact$70K
Impact is somewhere between $70K and $200K
Likelihood (frequency of loss) is somewhere between once and 3 times
per year
These will be your self-defined buckets
$200K
3/year
1/year

7. We designed our own buckets, but what now?
We can actually do some cool math with these ranges. But to make it
more useful we will add one more point in each bucket (and will start
calling them “ranges”).
If loss is between $70K and $200K, what do we believe is most likely?
Are we more likely (more often) going to see losses close to $70K or
more likely (more often) closer to $200K? Or somewhere in the
middle?
To represent how we feel about that we express our range as a
distribution and add a “most likely” point.
$70K $200K
Most Likely?

8. Let’s Assume our analysis concludes that
most likely Loss is at $100K
This means that if we observe multiple occurrences of losses over time we will find most
around $100K.
In a plot it would look like a triangular, but that’s not “natural”. We can ”smoothen” it out
using a “PERT” distribution.
Triangular Distribution Smooth PERT Distribution
Min Max
ML (Most Likely)

9. Let’s Assume our analysis concludes that
Most likely Frequency is Twice per year
This means that if we observe losses over several years we find that in
most years there we 2 occurrences.
Triangular Distribution Smooth PERT Distribution

10. We take both distributions and throw them into a
computational engine…. (Monte Carlo Analysis)Likelihood
Impact

11. And the output will be…

12. Where did
all my colors
go!!!??!

14. This is the most likely loss exposure. Somewhere
around
$200K / year.
The average annualized loss exposure is about $223K.
(not deductible from chart, from calculated statistics)
This is the max loss
exposure. About
$505K / year.
This is the min loss
exposure. About
$95K / year.
Min 96.04K
Avg 223K
Max 506.4K

15. Same data but cumulative
90% of annualized losses
will be below $310K.
If 90% expresses your risk
appetite then don’t spend
more than that to treat
the risk.

16. Mitigating the Risk
• If I spend $X on a particular treatment plan I can reduce the loss
exposure and the loss frequency. Let’s say:
• Throw that back into the computational engine…
Frequency Loss
Min 1 $50K
ML 1 $80K
Max 2 $140K

17. Result after risk mitigation
90% of losses were below $310K.
After treatment 90% of losses are below
$130K.
If this residual risk is acceptable than risk
mitigation implementation costs should
not exceed $180K ($310K-$130K).
Or go look for a more effective treatment
plan to reduce risks further.

18. • And that’s how you end up doing quantitative risk management
without noticing.
• Although we just made assumptions we really haven’t used any data
that we wouldn’t have used to process the risk matrix.
• The risk matrix would not have helped figuring out if you invested
enough or too much.

19. Resources
Risk Analysis (O-RA)
Risk Taxonomy (O-RT)
This was a very simplified introduction to quantitative risk management.
You can improve on making better estimates (calibration).
Better understand the relationship and building blocks of Risk (FAIR Ontology).
Have a look at the below resources
blog

20. A computational engine
Download the free version of Analytica.
Download my simple FAIR model.