The ERM Risk Matrix: Modelling Fault

Enterprise Risk Management (ERM) relies on accurate ERM Risk Matrix for decision-making.

ERM Risk Matrix


Enterprise Risk Management (ERM) is describing a Risk Matrix (ERM Risk Matrix) as a tool for ranking and displaying risks by defining ranges for consequence and likelihood. This is a very easy concept if one knows how to develop matrixes, and this is where the catch is.

Over the 35 years, where I have been dealing with strategic, tactical and operational risk, on various levels, from political risk, criminal risk, communique engagement risk, project risk, etc., Matrices were the centre point of all our measurement of the risk and to be able to explain the risk level to our peers or the Board of Directors.

In most of these cases, the ERM Risk Matrix has been the most reliable methodology we could derive from, where we have a shared vision and a shared measurement structure.

With the changing of environments, I have experienced various types of risk matrixes, from a 3X3, 4X4, 5X5, 7X7 and even a 10X10 matrix. And every one of these has a place and time for its use. In the case of a 10X10, within a chemical, engineering or production environment, the preciseness of the data gathered made the ranges between the various levels definable and understandable.

Each Likelihood and Consequence could be explained in detail and within precise measurable parameters. The more and better the data has been obtained and collected, the better the decision or the better the movement of the parameters within the process flow. This made the decision-making process easy and entirely understandable for everyone and every stakeholder.

The Common Universal ERM Risk Matrix

The universally used ERM Risk Matrix within an immature Risk Management Environment is the 5X5 Model (see diagram below). The more common methodology behind the use of the 5X5 model is that one multiplies the Likelihood and the Consequence factors, and you will obtain a Level of Risk (LoR).

The LoR represents the magnitude of risk or combination of risks, expressed in terms of the combination of Consequences and their Likelihood. This sounds valid and the ERM Risk Matrix indicated in the below diagram, looks and expresses the requirements of a valid ERM Risk Matrix. It has a 1 to 5 level of Likelihood, and a 1 to 5 level of Consequence and it cross-references with the figures in the ERM Risk Matrix, when multiplied, to reach an LoR.

But, is this a valid and acceptable measurement within the modern world of Enterprise Risk Management? And if not, what is the alternative?

The Standard 5x5 ERM Risk Matrix
The Standard 5x5 ERM Risk Matrix

Test the Validity of the ERM Risk Matrix

As stated in my introduction, I have been working with and exposed to extreme matrixes, from intelligence-based matrixes, measuring the validity of the source or agent, the validity and accurateness of the information and has it be concurred by another source (low-level agent), or a fully fletched agent (extremely accurate) in the structure and the specific environment.

And then we are only getting to the information of intelligence gathered. This is measured against various matrixes, because if there is intelligence gathered, which is not verifiable and there are mitigations implemented on incorrect intelligence, which turns out to only be uncorroborated information, and lives are lost, then the validity of the actionable risk-based information, are in doubt and will never be believed again.

Thus, with the example stated above, and this is a real example of a real-life situation, one is always asking yourself, what is the validity and accurateness of the ERM Risk Matrix, and how were the Risk Criteria for each of the Likelihood and Consequence Levels defined? An extremely important process within the design of the ERM Risk Matrix.

The ERM Risk Matrix diagram above needs to be validated. With the validation process, one needs to ask what the objective of the ERM Risk Matrix is. Well, any ERM Risk Matrix is designed to determine the Level of Risk (LoR) and the significance of the LoR. Is it Low, Medium, High or Catastrophic?

ERM Risk Matrix Accuracy Modelling

The ERM Risk Matrix validation process was developed to determine on which level decisions are made and what is the correctness of those decisions, purely looking at the ERM Risk Matrix Modelling. The above model’s analysis looks like the diagram below.

The Standard 5x5 ERM Risk Matrix Analysis
The Standard 5x5 ERM Risk Matrix Analysis

The process involved listing every number between 1 and 25 and then verifying the number with a visual representation within the ERM Risk MatrixModel. The result was astounding. The general accuracy of the 5X5 model, based on multiplying the Likelihood and the Consequences, is in general 56% correct. This is indicating that the ERM Risk Matrix Model has a 44% fault factor. How can this be acceptable to any enterprise or company, whose daily work is based on managing risk?

The analysis provides four columns of analysis.

  • First is the general model analysis - 56% correctness
  • Second, the measurement between 1 to 10 -90% correctness
  • The third level, 11 to 19 - 33% correctness
  • Fourth Level 20 to 25, a staggering 17% correctness.
Results of the Standard 5x5 ERM RIsk Matrix Analysis
Results of the Standard 5x5 ERM Risk Matrix Analysis

What does this mean?

This means that on the Operational level, there is an accuracy of 90% of the ERM Risk Matrix Model. In effect, what top management or the board has decided here, is that a 10% fault figure is acceptable, as it is built into the model.

The Tactical Level, where bigger decisions need to be made, affecting the Operational environment, has an accuracy level of 33%. The same as with the Operational level, top management, Audit and Risk Committee (ARC) and the board, are implying that there is provision or appetite for a 67% fault figure with the ERM Risk Matrix Model. This is in itself absurd.

And lastly, the Board and Exco. Yes, this structure is working within the range of making risk-based decisions on this ERM Risk Matrix, between the risk levels 20 to 25. Well, this ERM Risk Matrix Model provides an accuracy of only 17%. This implies that the Board and Exco make provision for an 83% fault figure at their level.

Can this be true and how many companies are still using this immature ERM Risk Matrix Model? Well, I can assure you, that with the CAA exposure over this many years and across various continents, the Immature Model is the Best Practice. If you Google Risk Matrix, you will find this model as the results under the images. The question is, how wrong can you be before you are looking into the detail?

This ERM Risk Matrix Model creates the opportunity for bad decisions, wrong assessments of risks, emerging risks and risks on the horizon. This also opens the business or enterprise to corruption and mismanagement, as risk is not seen as a science, but as the best guestimate, you can have.

The New ERM Risk Matrix Model

Yes, I am turning the applecart upside down and stating it boldly, risk management ERM Risk Matrix Models, as it is proposed by many institutes, government guidelines and others, are modelling faults. has identified Business modelling as one of the Top 10 Risks from 2017 to 2019.

CAA's ERM Risk Matrix
CAA's ERM Risk Matrix

The ERM Risk Matrix Model described in CAA's ERM Risk Matrix above is a mature model. This ERM Risk Matrix Model is used in some of the oldest and most critical and mature companies globally. Where the wrong Level of Risk (LoR) has grave and institutional effects on the company, employees, stakeholders, communities and lastly, shareholders. This model has also been validated in the same way as the previous immature ERM Risk Matrix Model, and every number between 1 and 25 can be accounted for. Thus, there are no gaps, no scenarios missed or left out and no hiding from addressing risks.

Let’s put the Theory to the test: Practical Example

I have provided a lot of information and usually, when this discussion is presented and finalised in front of Boards, Executive Committees, and Chief Risk Officers (CROs), they ask, "So how does this work in my business?" Well, the proof is in the example below.

The objective of the example is twofold:

  • First - does the Mature ERM Risk Matrix Work with accuracy?
  • Secondly, how does this help to have a better understanding of the risk and how do I prioritise the various risks?
ERM Risk Matrix Practical Test
ERM Risk Matrix Practical Test

The above modelling test proves that the Mature ERM Risk Matrix has another layer of weighting built into the model. The Consequences are higher rated than the Likelihood, as the Consequences have diverse applications, from people safety, financial, operational, strategic, legal, and reputational. And we can continue repeating the same process. It will always be the same. You will also see that the Risk Ranking of the Immature ERM Risk Matrix is consistently the same, whereas the Risk Ranking of the Mature ERM Risk Matrix is different. This makes it easy to rank the various risks as well as to prioritise the various risks.

Use of the New ERM Risk Matrix

This model is not only used in Risk Management but in Business Continuity, Health and Safety, Compliance and all other Risk Based Models and Management Systems. This is the new standard of measuring risk.

The Way Forward

Crest Advisory Africa (Pty) Ltd are specialists in the Global Corporate Governance field. We are here to change with the times and set the tone going forward, during all the challenges of the global economy.

We drive Performance and Certainty and provide global changing methodologies within the Corporate Governance universe.

COVID-19 has created a demand to measure better and to equate our decisions based on science. This must translate to the general workplace, whether you are an airline carrier, a train system, or a bank. With the wrong models, you will make awful decisions. With the relevant, acceptable, suitable, effective and efficient models, CAA can assist enterprises to drive their risks and their objectives to the new standard.


3 Responses

  1. Hi Nico

    Interesting that I was just discussing this weakness with my team earlier today. For those who have already taken the above course, a refresher is needed then!

Leave a Reply

Table of Contents

Enquire Now

Got questions? Let's help you find the answers.
By clicking "Submit" you agree to have read the Privacy Policy and agree to the terms. You can unsubscribe at any time by clicking the link in the footer of our emails.

More Quality Articles

A Decade of Excellence: Crest Advisory Africa Celebrates 10 Years of Empowering African Businesses
Crest Advisory Africa celebrates a decade of risk management excellence.
Crest Advisory Africa: A Trusted Partner for MSECB and PECB Services
Crest Advisory Africa partners with MSECB and PECB for comprehensive services.
Managing Disruption: The Importance of Business Continuity Management (BCM)
Business Continuity Management (BCM) is a proactive approach to managing disruption, helping businesses prepare for, respond to, and recover from disruptive even…
Crest Advisory Africa Attains PECB Platinum Level Partnership: A Milestone in Providing Exceptional Information Security and Risk Management Services
Crest Advisory Africa (Pty) Ltd attains PECB Platinum Level as an Authorised Partner, offering clients access to top information & services in information secu…
What is Risk?
What is risk? There’s a lot of research into all types of risk, but in my experience, I have found that most people and organisations don’t completely gras…
Book your Human Rights Audit for 2023
Book Your Human Rights Audit or Training.
7 Critical Steps to Pass Audits
There are 7 Critical Steps to Pass Audits. Carina takes your through these steps.
BIA – How to Structure the Resource Analysis for a Business Impact Analysis
Introduction One of the processes within the Business Continuity Management System (BCMS) is the development of a Business Impact Analysis. I have experienced seve…