Despite all known limitations of the methodology, risk matrices have over the past years become increasingly accepted as a means for companies to create an easy-to-understand illustration and overview of their risk portfolio. However, the technique itself, with its two-axis approach and green-yellow-red colour codes, has changed little, although in some cases a third assessment criterion or a fourth colour is added to differentiate risk assessments further.
From my perspective there are two main purposes of a risk matrix: firstly, to give an overview of the top risks, and secondly, to facilitate prioritization of mitigating actions among the top risks. In my experience, the classical Impact/Likelihood approach may serve well with regard to selecting top risks but is not as easy to handle when it comes to the assessment of the effectiveness of risk controls. A solution to that problem is to include the direct assessment of risk control effectiveness in the matrix, either as a third assessment dimension or as a replacement for impact or likelihood. But this is where the problem starts, because common practice shows that it is difficult to assess control effectiveness directly in more than vague qualitative terms.
The problem becomes even worse when even standards such as COSO or ISO offer no methodology to tackle it. Therefore, most companies work with a "desired" or "target" control level in order to establish a reference frame to which the assessment of current control effectiveness is related.
This concept is used in a different type of risk matrix. It combines the assessment of the potential impact of the risk with the assessment of the gap between the desired and the current level of risk controls for that specific risk, the so-called "Relative Risk Control".
The assessment of the relative risk control requires that the desired level of control be clearly defined, which in turn expresses what residual risk level the company is willing to accept ('risk appetite'). Hence, this matrix fosters and facilitates a risk appetite discussion, both in management teams and at board level, about where the right level of "adequate" risk control should be. Another advantage of this approach is in my view that the matrix represents a more favourable working platform for the risk and control functions of a company on one side, and risk owners, management and the board on the other side.
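As an added illustration (not part of the original post), here is a small Python model of the Impact / Relative Risk Control matrix described above; the 1..5 impact scale, the 0..4 control-level scale, the colour thresholds and the sample risks are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    impact: int           # potential impact, 1 (minor) .. 5 (severe); assumed scale
    desired_control: int  # target control level expressing risk appetite, 0..4; assumed scale
    current_control: int  # assessed current control level, 0..4; assumed scale

def relative_control_gap(risk: Risk) -> float:
    """'Relative Risk Control' expressed as the gap between desired and current
    control, as a fraction of the desired level: 0.0 = on target, 1.0 = no control
    where full control is wanted, negative = controls exceed the desired level."""
    if risk.desired_control == 0:
        return 0.0  # nothing desired, so nothing is missing
    return (risk.desired_control - risk.current_control) / risk.desired_control

def rating(risk: Risk) -> str:
    """Place the risk in a traffic-light cell of the Impact / Relative Risk Control
    matrix. The thresholds below are assumptions for this example."""
    gap = relative_control_gap(risk)
    if gap <= 0.0:
        return "green"  # desired control level reached: within risk appetite
    if risk.impact >= 4 and gap >= 0.5:
        return "red"
    if risk.impact >= 3 or gap >= 0.5:
        return "yellow"
    return "green"

def prioritize(risks):
    """Order mitigating actions: largest control gap first, higher impact breaks ties."""
    return sorted(risks, key=lambda r: (relative_control_gap(r), r.impact), reverse=True)

# Constructed sample portfolio (not data from the post).
PORTFOLIO = [
    Risk("supplier outage", impact=4, desired_control=4, current_control=1),
    Risk("data breach", impact=5, desired_control=4, current_control=4),
    Risk("FX exposure", impact=3, desired_control=2, current_control=3),
    Risk("key staff loss", impact=2, desired_control=3, current_control=1),
]

if __name__ == "__main__":
    for r in prioritize(PORTFOLIO):
        print(f"{r.name:16s} impact={r.impact} gap={relative_control_gap(r):+.2f} -> {rating(r)}")
```

Note that the highest-impact risk in the sample ("data breach") lands in the green cell because its controls are at the desired level, whereas a classical Impact/Likelihood matrix would rank it by impact alone; this is the difference in prioritization the post argues for.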
In summary, this risk matrix (or modifications of it), introducing the assessment of "Relative risk control", may advance the development of risk assessment techniques while better connecting them to the requirements for the effectiveness of the risk management process that boards and management teams express today.
I am looking forward to discussing this further!