Key Takeaways
- A 2008 study published in Risk Analysis found that poorly implemented risk matrices can produce risk rankings that are worse than random: not just imprecise, but actively misleading.
- The most damaging risk matrix trap is not false precision in individual scores. It is the cluster of risks in the amber zone that nobody ever acts on because amber feels acceptable.
- Probability and impact scales only produce consistent scores if every person using them works from the same written definitions. Without anchor examples, a '3' means something different to every assessor.
- The risk matrix is a communication tool, not an analytical one. Its job is to direct attention and start conversations, not to replace judgement about which risks actually matter.
- Adding a target assessment alongside your current score, showing where you expect to land after measures are applied, turns a static heat map into a tool that tracks progress over time.
Here is a finding worth sitting with: a peer-reviewed study by Tony Cox, published in Risk Analysis in 2008, demonstrated that poorly designed risk matrices do not just produce imprecise rankings. They can produce rankings that are worse than random, which is to say actively worse than guessing.
That is not an argument for abandoning the risk matrix. Most organisations are not going to replace it, and for good reason — used well, it is a fast, communicable way to direct attention to the risks that matter most. But "used well" is doing a lot of heavy lifting in that sentence. Most organisations are not using it well, and the gap between what the matrix promises and what it actually delivers is where risk management quietly breaks down.
This article is for teams that already use a risk matrix and want to get more from it. The goal is not to walk you through what a 5x5 grid is. The goal is to name the traps specifically and give you the guidance to avoid them.
The traps you are probably already in
Trap 1: Everyone has a different definition of '3'
Ask five people in your organisation what a probability score of 3 means. You will get five different answers. One person thinks it means "happens roughly once a year." Another thinks it means "we've seen it happen before." A third is calibrating against their gut feeling about the current quarter.
This is the most fundamental problem with how most organisations use a risk matrix, and it is also the most fixable. Without written definitions for each score on your probability and impact scales, including real anchor examples, you are not getting consistent assessments. You are getting a vote on how anxious people feel about each risk on the day they scored it.
The fix is not complicated. For each level on your probability scale, write a description and attach a concrete example from your own context. "Probability 3: has occurred at least once in the past three years in our organisation or sector. Example: supplier delivery failure in Q2 of last year." Do the same for impact. Then make sure everyone scoring risks is working from the same document.
Without this, every risk score is an opinion dressed up as a number.
Trap 2: Everything is amber
Walk into most organisations and pull up the risk register. Forty risks. Thirty-two of them are amber. Three are green. Five are red — mostly things that went wrong once and got added at the time. None has been updated in the past six months.
This is amber inflation, and it is endemic. It happens because amber feels safe. It is not alarmist (not red) and it is not dismissive (not green). Marking something amber lets everyone feel like they have acknowledged a risk without committing to do anything about it. It is risk management as plausible deniability.
If your matrix is producing a uniform amber cluster, the matrix is not the problem. The problem is that your scoring hasn't been challenged. A risk that has been amber for two years, with no measures in place and no change in context, should either be moving toward red (acknowledge it is serious and act) or green (accept that it is being managed and move on). Staying amber indefinitely means the risk is being administered, not managed.
A practical rule: any risk that has been in the same cell for more than six months should be reviewed and either re-scored with justification or escalated.
Trap 3: The matrix is treated as an output, not a conversation starter
The risk matrix shows you where your risks cluster. That is genuinely useful. But the matrix tells you nothing about what to do next, which risks are connected, what is causing them, or whether your existing measures are actually working.
Teams that use the matrix as an endpoint — score it, colour it, file it — are treating a navigation tool as a destination. The visual is meant to generate questions, not answer them. Why are three separate risks sitting in the top-right corner? Are they related? Is there a single measure that would address all three, or are they completely independent? The matrix cannot tell you. Someone has to ask.
If your risk review meetings consist of looking at the heat map and confirming that nothing has changed, you are not doing risk management. You are looking at a picture of risk management.
Trap 4: Probability and impact are averaged, not analysed
This one is subtle but consequential. When a group of people scores a risk, the temptation is to average their scores, or to let the loudest voice in the room set the score. Both approaches discard the most valuable information: the disagreement itself.
If one person scores a risk as probability 2 and another scores it as probability 5, averaging to 3.5 and rounding to 4 loses the fact that two people have fundamentally different understandings of how likely this event is. That disagreement is not a problem to be resolved by arithmetic. It is a signal that someone has information the others do not, or that the risk is not well enough defined, or that the probability scale definitions need more work.
When you get wide score variance, the right response is to slow down and understand why, not to average your way through it.
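As an added illustration, not code from the original article, here is a scoring step that keeps the disagreement visible instead of averaging it away. The one-point consensus threshold and the assessor names are assumptions made for the example.

```python
import math
from statistics import median

SCALE = range(1, 6)       # the 1..5 probability / impact scale used in the article
MAX_CONSENSUS_SPREAD = 1  # constructed threshold: more than one point apart is disagreement

def aggregate_scores(scores: dict[str, int]) -> dict:
    """Combine several assessors' scores for one risk without averaging the disagreement away.

    `scores` maps assessor -> score on the 1..5 scale. When every score sits within
    MAX_CONSENSUS_SPREAD of the others the consensus is returned (mean, rounded half up).
    Otherwise no score is produced: the result names the assessors furthest from the
    group median, because they may know something the others do not, and keeps the
    average only as a record of what arithmetic would have written into the register.
    """
    if not scores:
        raise ValueError("no scores submitted")
    for who, s in scores.items():
        if s not in SCALE:
            raise ValueError(f"{who}: score {s} is outside the 1..5 scale")
    values = list(scores.values())
    spread = max(values) - min(values)
    average = math.floor(sum(values) / len(values) + 0.5)  # round half up, as a spreadsheet would
    if spread <= MAX_CONSENSUS_SPREAD:
        return {"status": "agreed", "score": average, "average": average, "spread": spread, "ask": []}
    centre = median(values)
    furthest = max(abs(v - centre) for v in values)
    ask = sorted(who for who, s in scores.items() if abs(s - centre) == furthest)
    return {"status": "discuss", "score": None, "average": average, "spread": spread, "ask": ask}
```

For the article's case of one assessor at 2 and another at 5, the result records that averaging would have produced a 4 and sends both assessors back to the discussion rather than entering any score.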
What good practice actually looks like
Define your scales before you score anything
Before your team scores a single risk, agree on what each level of probability and impact means in your context. Write it down. Use real examples. If your organisation operates in logistics, your impact scale should reference delivery failures, regulatory penalties, and customer contract clauses, not generic descriptions like "significant disruption."
This is not bureaucracy. It is the difference between a score that means something and a score that looks like it means something.
Use the matrix to prioritise, not to replace thinking
The risk matrix should tell you where to focus your attention. The top-right of your 5x5 grid is where your team's analytical energy should go. But the matrix cannot do the analysis for you: that requires understanding the causes driving each high-scoring risk and the measures in place (or not in place) to address them.
Bow-tie diagrams are one of the most useful tools for this. Once you have identified your high-priority risks from the matrix, a bow-tie forces you to map out what is causing each risk and what the consequences look like if it materialises. That is the kind of analysis a colour-coded grid cannot perform, but that your team absolutely needs before deciding what to do.
Track current versus target, not just current
Most risk matrices show you one data point: where a risk sits today. That is fine for a snapshot but useless for managing progress. Adding a target assessment, showing where you expect the risk to land once your measures are fully implemented, turns the matrix from a photograph into a film.
This is what separates a register that helps you manage risk from one that just records it. A construction company we spoke to had twelve risks all clustered in the amber zone, with a range of measures listed against each one. But nobody could say whether any of those measures were actually moving the risks. They had no target scores, no due dates on the measures, and no way to tell whether the picture was improving or static. The matrix looked fine. The underlying situation was not.
When you can see the gap between where a risk sits now and where it should sit after your measures take effect, you have something worth managing. Without that gap, you have documentation.
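As an added example, not part of the original article or of Risk Companion, a small register check that applies the six-month rule from Trap 2, reports the current-versus-target gap described in this section, and surfaces measures with no owner or a passed due date. The colour banding, the review date and the register contents are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
STALE_AFTER_DAYS = 183          # the article's rule: same cell for more than six months
REVIEW_DATE = date(2024, 7, 1)  # constructed "today" so the example is reproducible

def cell_colour(probability: int, impact: int) -> str:
    """Band a 5x5 cell. The thresholds are constructed; use your organisation's written banding."""
    product = probability * impact
    return "green" if product <= 4 else "amber" if product <= 12 else "red"
@dataclass
class Measure:
    name: str
    owner: str | None = None
    due: date | None = None
    done: bool = False

@dataclass
class Risk:
    ref: str
    current: tuple[int, int]               # (probability, impact) as scored today
    in_cell_since: date                    # when the current cell was last set or re-justified
    target: tuple[int, int] | None = None  # expected cell once measures are fully implemented
    measures: list[Measure] = field(default_factory=list)

def review_risk(r: Risk, today: date) -> list[str]:
    """Findings the review meeting should work through for one risk."""
    notes, colour = [], cell_colour(*r.current)
    age = (today - r.in_cell_since).days
    if age > STALE_AFTER_DAYS:
        notes.append(f"{colour} for {age} days: re-score with justification or escalate")
    if r.target is None:
        notes.append("no target assessment: progress cannot be tracked")
    else:  # the current-versus-target gap is what the measures are supposed to close
        notes.append(f"gap: {colour} {r.current} -> {cell_colour(*r.target)} {r.target}")
    for m in r.measures:
        if m.owner is None:
            notes.append(f"measure '{m.name}' has no owner")
        if not m.done and m.due is not None and m.due < today:
            notes.append(f"measure '{m.name}' overdue since {m.due.isoformat()}")
    return notes

def sample_register() -> list[Risk]:
    """Constructed register: one stale amber risk, one with no target, one healthy risk."""
    return [
        Risk("R-01", (3, 3), date(2023, 1, 10), (2, 2), [Measure("dual-source key supplier", "procurement", date(2023, 9, 30))]),
        Risk("R-02", (3, 4), date(2024, 3, 1), None, [Measure("extra QA gate")]),
        Risk("R-03", (2, 3), date(2024, 6, 1), (1, 3), [Measure("update runbook", "ops", date(2025, 1, 31), done=True)]),
    ]
```

Running `review_risk` over `sample_register()` with `REVIEW_DATE` reports R-01 as stale in amber with an overdue measure, R-02 as lacking both a target and an owner, and R-03 only with the movement its measures are expected to produce.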
Challenge your red risks — and your green ones
The instinct in most organisations is to focus audit energy on the red risks and leave the green ones alone. Both deserve more scrutiny than they typically get.
Red risks that are high-priority but have well-established, effective measures in place may genuinely belong lower in the matrix. Not moving them creates noise and distracts attention from risks that have neither mitigation nor an owner. Equally, green risks that have been green for years are sometimes green because nobody has looked at them recently, not because they are genuinely well-managed.
Schedule a deliberate review of both ends of your matrix at least once a year. You will usually find at least one risk that has been miscategorised, either through optimism or neglect.
Where software can help — and where it cannot
A tool like Risk Companion's risk matrix does not remove the need for the practices above. What it does is remove the friction that makes good practice hard to sustain.
When your matrix lives in a spreadsheet, updating a score means opening a file, finding the right row, editing the cell, saving the file, and hoping nobody else has saved a different version in the meantime. When measures are managed in email threads, overdue items disappear. When your register has no target assessments, you cannot show auditors how risks are progressing, only where they are today.
Risk Companion connects probability and impact scores directly to the measures assigned to each risk, with named owners and due dates. Overdue measures surface automatically. The gap between initial and target assessments is visible at a glance. And the risk matrix updates in real time as your team works, not when someone remembers to update the spreadsheet.
The judgement about what each score means, whether a risk has been correctly categorised, and what to do about the risks that matter most, that stays with your team. The tool just makes sure the underlying data is clean enough to support that judgement.
The matrix is not the enemy
If your risk register disappeared tomorrow, would anything actually change about how your team operates?
For too many organisations, the honest answer is no, because the matrix has become a reporting artefact rather than a working tool. Updated quarterly, presented to the board, filed away. The risks that actually derail projects and budgets are rarely the ones sitting in the top-right of the heat map. They are the ones nobody thought to put in the register at all, or the ones that have been amber so long nobody looks at them anymore.
The risk matrix is a useful tool with real limitations. Its limitations become dangerous when organisations forget they exist. The teams that get the most value from the matrix are the ones that treat it as a starting point for a conversation, not the destination itself — and treating it as a destination is how a useful tool quietly becomes decoration.
Ready to see what a structured risk assessment looks like in practice? Start your free trial of Risk Companion and replace your spreadsheet with something your team will actually use.