In 2008, a well-known risk expert named Tony Cox published one of his most famous articles titled "What's wrong with risk matrices?" in the journal Risk Analysis.
In the article, Tony Cox argues that risk matrices suffer from several limitations that make them less effective in risk management. Specifically, he argues that risk matrices:
Provide an illusion of accuracy: Risk matrices give the impression of precise risk assessments, but in reality, the likelihood and impact scores assigned to risks are often subjective and uncertain.
Can be manipulated: The use of risk matrices can be manipulated by changing the scales, ranges, or categories used to assess likelihood and impact, which can lead to inconsistent and unreliable risk assessments.
Overlook important factors: Risk matrices focus solely on the likelihood and impact of risks but fail to account for other important factors, such as the uncertainty and variability of risk estimates, the interdependence of risks, and the effectiveness and feasibility of risk mitigation strategies.
Can mislead decision-makers: Risk matrices can mislead decision-makers by overemphasizing risks with high likelihood and high impact while overlooking risks with lower likelihood but potentially catastrophic consequences.
Do not reflect the true nature of risks: Risk matrices treat risks as static and independent entities, but in reality, risks are dynamic, interconnected, and influenced by a range of factors.
Overall, Tony Cox argues that risk matrices should be used cautiously and complemented with other risk assessment tools and techniques to provide a more comprehensive and accurate view of risks.
