Part 5  |  Your ERM Action Plan for the C-Suite and Your Organization

Can You Salvage Flawed Risk Matrices and Make Them Useful? Yes!

Everything Should Be Made as Simple as Possible, But Not Simpler. -Albert Einstein

In our previous article, we explored some of the shortcomings of the traditional Decision Matrix Risk Assessments (DMRA) approach to categorize and prioritize risks and their tradeoffs.  The DMRA is an approach widely used to present risks to Senior Management, Rating Agencies, and Board Committees.  Although the tool may provide a starting point for risk analysis, it suffers from serious mathematical shortcomings that limit its effectiveness to categorize risks based on the usual information used in creating the matrix.  In short, DMRAs as currently used are fundamentally flawed. We concluded our previous article with the revised DMRA, which more accurately reflects the only grouping that can be logically inferred from the tool.

It is as follows [1]:              

Where Does This Leave Risk Managers?

  • Overall, probably in a better place despite the extra work. As previously stated, DMRA should be a data presentation tool, but not a data decisioning tool.
  • Building the Risk Matrix is the first step in the process, not the outcome.  Because it’s so easy to create and populate, it’s tempting to skip the harder subsequent steps in refining the analysis.
  • Risk Managers need to refine their approach and expand their efforts.  There is simply no substitute for thoughtful discussion and further analysis, and no better way for you to demonstrate the quality of the risk thinking that you bring to your organization.  We have several suggestions.

What Should You Do Next?

  • The next logical step for the Risk Manager is to evaluate each of the three groups, adding and refining the individual risk categories to incorporate elements often neglected or overlooked.  For each risk it is essential to estimate not only the anticipated mean loss from the risk, but also the standard deviation of the risk, the type of distribution if not normal, the level of risk predictability, etc.
  • Once that has been accomplished, it is critical to estimate—as much as possible—the correlation between and among the risks. This requires a correlation matrix for all the major risks in your DMRA.  Without this step, you have virtually no insight into the aggregate effectiveness of your mitigation efforts.
  • The process of completing these activities presents a great opportunity to educate your peers on risk evaluation, mitigation, and correlation issues.  Typically, predictability is an important variable that often dictates the intensity of mitigation approaches required; for example, compare approaches for floods, tsunamis, or earthquakes.
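
To make the correlation step concrete, the following added example (not from the original article) checks that a set of workshop-estimated pairwise correlations is internally consistent and then computes the standard deviation of the aggregate loss. The risk names, standard deviations (in $M) and correlations are constructed sample values, and the function names are hypothetical.

```python
import math

def validate_correlation(corr, tol=1e-9):
    """Reject matrices that cannot describe a real correlation structure."""
    n = len(corr)
    if any(len(row) != n for row in corr):
        raise ValueError("correlation matrix must be square")
    for i in range(n):
        if abs(corr[i][i] - 1.0) > tol:
            raise ValueError(f"diagonal entry {i} must be 1")
        for j in range(i):
            if abs(corr[i][j] - corr[j][i]) > tol:
                raise ValueError(f"entries ({i},{j}) and ({j},{i}) differ")
            if abs(corr[i][j]) > 1.0:
                raise ValueError(f"entry ({i},{j}) is outside [-1, 1]")
    # A Cholesky factorisation succeeds only for a positive-definite matrix,
    # so it fails when the pairwise estimates contradict each other.
    # (This strict check also rejects perfectly correlated pairs.)
    low = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = corr[i][j] - sum(low[i][k] * low[j][k] for k in range(j))
            if i == j:
                if s <= tol:
                    raise ValueError("pairwise correlations are mutually inconsistent")
                low[i][j] = math.sqrt(s)
            else:
                low[i][j] = s / low[j][j]

def aggregate_std(stds, corr):
    """Std. dev. of the summed loss: sqrt(sum_i sum_j s_i * s_j * rho_ij)."""
    if len(stds) != len(corr):
        raise ValueError("one standard deviation per risk is required")
    validate_correlation(corr)
    n = len(stds)
    return math.sqrt(sum(stds[i] * stds[j] * corr[i][j]
                         for i in range(n) for j in range(n)))

# Constructed sample values (assumptions for illustration only).
RISKS = ["credit", "operational", "catastrophe"]
SAMPLE_STDS = [3.0, 4.0, 12.0]                      # $M per risk
INDEPENDENT = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
SAMPLE_CORR = [[1.0, 0.5, 0.0], [0.5, 1.0, -0.3], [0.0, -0.3, 1.0]]
# A and B move together, A and C move together, yet B and C move oppositely:
INCONSISTENT = [[1.0, 0.9, 0.9], [0.9, 1.0, -0.9], [0.9, -0.9, 1.0]]

if __name__ == "__main__":
    print("assuming independence:", aggregate_std(SAMPLE_STDS, INDEPENDENT))
    print("with correlations:    ", aggregate_std(SAMPLE_STDS, SAMPLE_CORR))
```

A matrix such as `INCONSISTENT` raises `ValueError`, which is the signal to return to the risk owners and reconcile their estimates before aggregating.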

From our perspective, these are the key missing elements that cripple most existing ERM efforts, and they drive our central recommendation around DMRAs, which is:

Don’t delegate your conclusions to the tool; use the tool as a tool to develop your own conclusions.

  • Risk Managers have a renewed opportunity to engage in thoughtful discussions with their colleagues around all elements of their risk programs, based on recent insights and improvements in risk methodology.  Use it!
  • Conduct workshops to reprioritize existing risks and check the quality of understanding throughout the organization.
    • There is no substitute for common sense and individual expertise.  Indeed, this more than anything is the key insight.  You must now engage your risk stakeholders to get underneath the risks your organization faces and figure out which ones matter, which ones don’t, and how to sequence your mitigation efforts.
    • Do risk owners really understand the way their risks behave in terms of spread or standard deviation of frequency and severity? Without those insights, it’s virtually impossible to prioritize approaches much better than leaving things to chance.  Best to ask them, challenge them, and explore new insights and perspectives.  In this way, you create value for them and your organization.
    • As the matrix categories are now skinnier at the ends and much fatter in the middle, the middle needs to be addressed much more carefully and thoughtfully.  You have an excellent opportunity to reset the discussion with the entire organization.
    • Positive and negative risk correlations are the neglected gems of risk management, because only ERM’s cross-functional perspective can identify them.  Group your universe of risk by negative and positive correlations and understand how these different families of risk will behave under various scenarios.  This may have significant impact on the cost and effectiveness of your mitigation efforts, and the insights you generate will be unique within your organization.
    • Finally, do all participants have a consistent set of perceptions and definitions of risk or has human bias crept into their thinking? Chances are that bias was always there.
  • Use your expertise as a risk professional to uncover and mitigate the individual perceptual biases that always exist in human perception.  You are the best prepared umpire to enforce the rules and create sensible and internally consistent outcomes.
  • In future articles, we’ll show you how we’re using this enriched information to generate Monte Carlo solutions to refine the revised Matrix, making it much more useful and informative.  This provides real value to your risk management and mitigation efforts, and gives your efforts credibility and impact to the C-suite and the Board.  Stay tuned.

You have an exciting job ahead of you.  Attack it with insight and enthusiasm.  And don’t get stuck in the matrix!

[1] Krisper, Michael, “Problems with Risk Matrices Using Ordinal Scales.”

