A risk matrix is an inventory with scores. It records what might go wrong, assigns likelihood and impact ratings, and produces a ranked list. This is a Rung 1 operation — it describes the current state of assessed risk. It cannot answer any of the questions that follow from that description.

Which control most reduces overall risk exposure? The matrix cannot answer this — controls affect mechanisms, and mechanisms connect risks. A control that reduces the probability of one risk may increase the probability of an adjacent risk through a shared causal pathway. The matrix encodes no pathways.

What happens to our total exposure if this risk materialises? The matrix cannot answer this — risks interact through cascades. A high-scoring cyber risk may trigger a compliance risk which triggers a reputational risk. The matrix scores each row independently. Independence is almost never the correct assumption.

| Board question | Matrix answer | Causal model answer |
| --- | --- | --- |
| Which control should we fund first? | The highest-scoring risk | The control with highest Risk Diminution Factor — the one that most reduces system risk per dollar |
| What is our total exposure if Risk A fires? | Risk A’s impact score | P(all downstream consequences \| Risk A) propagated through the causal graph |
| Are our risks independent? | Yes, by assumption | Tested by d-separation — and almost never true |

The causal model starts where the matrix ends. It takes the register’s inventory and asks: which of these risks share causes? Which cascade into which? Which controls operate through which mechanisms? The output is a graph that answers the board’s questions rather than postponing them. See From Register to Graph for the conversion process, and Bayesian Risk Decisions for the importance factors that replace the matrix’s ranking.
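
An added example, not from the original page: the cyber, compliance, reputational cascade described above, modelled as a three-node noisy-OR network. All probabilities, impacts and function names are constructed assumptions. It compares the matrix answer for "exposure if Risk A fires" with the conditional expectation propagated through the graph, and checks numerically the independence that d-separation predicts.

```python
from itertools import product

# Constructed three-risk register; every number below is an illustrative assumption.
IMPACT = {"cyber": 2.0, "compliance": 1.5, "reputational": 4.0}   # loss ($M) if the risk fires
BASE = {"cyber": 0.10, "compliance": 0.05, "reputational": 0.02}  # P(fires with no fired parent)
EDGES = {("cyber", "compliance"): 0.6,          # P(parent firing triggers child)
         ("compliance", "reputational"): 0.7}
ORDER = ["cyber", "compliance", "reputational"]  # topological order of the graph

def p_fire(node, state):
    """Noisy-OR: the node fires from its own base cause or from any fired parent."""
    p_not = 1.0 - BASE[node]
    for (parent, child), strength in EDGES.items():
        if child == node and state[parent]:
            p_not *= 1.0 - strength
    return 1.0 - p_not

def worlds(evidence=None):
    """All joint states consistent with the evidence, with normalised probabilities."""
    evidence = evidence or {}
    out = []
    for bits in product([False, True], repeat=len(ORDER)):
        state = dict(zip(ORDER, bits))
        if all(state[k] == v for k, v in evidence.items()):
            p = 1.0
            for node in ORDER:
                q = p_fire(node, state)
                p *= q if state[node] else 1.0 - q
            out.append((state, p))
    total = sum(p for _, p in out)
    return [(s, p / total) for s, p in out]

def prob(risk, evidence=None):
    """P(risk fires | evidence)."""
    return sum(p for s, p in worlds(evidence) if s[risk])

def expected_loss(evidence=None):
    """Expected total loss across all risks, given the evidence."""
    return sum(p * sum(IMPACT[n] for n in ORDER if s[n]) for s, p in worlds(evidence))

def independent(a, b, given=None, tol=1e-9):
    """Test 'a independent of b given evidence' by comparing P(a | b, given) for both b."""
    given = given or {}
    return abs(prob(a, {**given, b: True}) - prob(a, {**given, b: False})) < tol

if __name__ == "__main__":
    print("matrix answer :", IMPACT["cyber"])
    print("causal answer :", round(expected_loss({"cyber": True}), 5))
    print("independent?  :", independent("reputational", "cyber"))
```

With these constructed numbers the matrix reports 2.0 for the cyber risk firing, while the propagated expectation is 4.71; the reputational and cyber risks are dependent marginally and become independent only once the compliance risk is observed.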

On the formal side: McNeil, Frey & Embrechts develop the axioms of coherent risk measures — monotonicity, sub-additivity, homogeneity, translation invariance — and show why any scoring scheme that violates them produces paradoxical rankings under portfolio aggregation. A risk matrix violates sub-additivity by construction. See Quantitative Risk Management (Princeton University Press, 2005), ch. 6.

The Engagement

Bring your current risk matrix. Thirty minutes to identify the three board questions it cannot answer — and whether a causal model already has the structure to answer them.

info@rung3.ai