How to Identify When Your Risk Matrix Has Stopped Working

6 min read
Created:   April 14, 2026

A risk matrix stops working when it stops changing behaviour. If your team fills it in, submits it, and nothing happens differently as a result — the matrix is not a management tool anymore. It is a compliance artefact. According to Pirani's Risk Management Study 2026: Africa Chapter, 62% of organisations cite risk management culture as their primary challenge. A broken risk matrix is both a symptom and a cause of that gap. Here are the five signs yours has stopped working — and what to do about each one.

Sign 1 — Your Matrix Looks the Same Every Quarter 

A risk matrix that never changes is not evidence of a stable risk environment. It is evidence that nobody is actually reviewing it.

Trigger events that should prompt a matrix review include launching a new product, entering a new market, regulatory changes, major system upgrades, or emerging threats like cybersecurity incidents. If none of those events are moving risks on your matrix, one of two things is happening: your team is not connecting external events to internal risk assessments, or your matrix is being updated in name only — dates changed, content unchanged.

What to do: Introduce a standing agenda item in your quarterly review that explicitly asks: what happened in the last 90 days that should change a score? Make the connection between external events and matrix updates explicit, not assumed. 

Sign 2 — Everything Is Rated High 

When a matrix is predominantly red, it has lost its prioritisation function. Labelling too many risks as high dilutes focus, creates alarm, and undermines the entire prioritisation process. If everything is urgent, nothing is.

This usually happens for one of two reasons. Either the scoring scales have no concrete definitions — so assessors default to "high" to avoid being wrong — or the team is scoring inherent risk without accounting for the controls already in place.

A fundamental flaw of risk matrices is the failure to properly assess control effectiveness when calculating likelihood. A risk with a strong, well-tested control in place should have a lower residual likelihood than one with weak or untested controls. Ignoring this produces inflated scores across the board.

What to do: Review your probability and impact definitions. If they do not include concrete criteria — time boundaries, financial thresholds, regulatory consequences — rewrite them. Then score residual risk separately from inherent risk and use the gap to evaluate your controls. 

Sign 3 — Risks Materialise That Were Not on the Matrix 

This is the most serious sign. When a risk event occurs that was not in your register, it means your risk identification process has blind spots. The usual cause is skipping input from key departments or subject matter experts, which both creates those blind spots and leaves the affected functions with no buy-in for the resulting prioritisation.

A risk matrix built by the risk team alone, without input from operations, compliance, finance, and front-line staff, will systematically miss the risks that those functions see every day.

What to do: Run a cross-functional risk identification workshop at least annually. Bring in one representative from each major business unit and use a structured process — scenario analysis, process walkthroughs, regulatory change reviews — to surface risks beyond what the risk team already knows. 

Sign 4 — Your Matrix Is Disconnected From Decisions 

A risk matrix should influence how your organisation makes decisions: which projects get approved, which controls get funded, which vendors get contracted. A matrix alone does not reduce risk — it is merely the starting point to identify priorities. Failure to link risks to action plans limits its practical value.

If your leadership team makes strategic decisions without referencing the risk matrix — if budget allocations, new market entries, or product launches happen without a risk lens — your matrix exists in a parallel universe from where your organisation actually operates.

What to do: Present the risk matrix at every board or executive meeting as a standing agenda item, not an appendix. When a strategic decision is being made, explicitly ask: what does our matrix say about the risks involved? This is the core requirement of COSO ERM — risk management integrated with strategy, not bolted on afterwards. 

Sign 5 — Your Controls Are Not Linked to Your Risks 

A risk without a linked control is a risk without a response. If your matrix lists risks and scores but does not show which control is mitigating each risk, and who owns that control, it cannot tell you whether your risk exposure is actually being managed.

Regulators including the Bank of Ghana, the CBN, and the South African Prudential Authority are increasingly asking not just whether a risk framework exists, but whether controls are active, tested, and assigned to named owners. A risk-only matrix without controls fails that test.

What to do: For every risk rated medium or above, document the primary control, the control owner, the last time the control was tested, and the residual risk score after the control is applied. This transforms your matrix from a list of concerns into a genuine management tool — and into the kind of evidence that satisfies a regulatory examination. 
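The checks behind Sign 2 and Sign 5 can be run over a risk register directly. The example below is added here and is not Pirani's tooling or the article's own method: it assumes a 5x5 likelihood-by-impact scale, assumes residual likelihood is the inherent likelihood scaled down by a control-effectiveness factor (with untested controls earning no credit), and uses a constructed four-risk register.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
# Constructed 5x5 register check. The rule "residual likelihood = inherent likelihood
# scaled down by control effectiveness" and the thresholds are assumptions, not the article's.
HIGH_SCORE = 15     # likelihood x impact at or above this is "high"
MEDIUM_SCORE = 8    # at or above this a documented, owned, tested control is required
TODAY = date(2026, 4, 14)  # review date for the sample run

@dataclass
class Risk:
    name: str
    likelihood: int                     # inherent likelihood, 1-5
    impact: int                         # 1-5
    control: Optional[str] = None       # primary mitigating control
    owner: Optional[str] = None         # named control owner
    effectiveness: float = 0.0          # 0.0 (no effect) .. 1.0 (fully effective)
    last_tested: Optional[date] = None  # date the control was last tested

def residual_likelihood(r: Risk) -> int:
    # A control that was never tested earns no credit: score it as inherent.
    if r.control is None or r.last_tested is None:
        return r.likelihood
    return max(1, round(r.likelihood * (1 - r.effectiveness)))

def inherent_score(r: Risk) -> int:
    return r.likelihood * r.impact

def residual_score(r: Risk) -> int:
    return residual_likelihood(r) * r.impact

def find_signs(register: List[Risk], today: date, stale_days: int = 365) -> List[str]:
    # Sign 2: most risks still red after controls. Sign 5: medium+ risks lacking a live, owned control.
    findings = []
    if sum(residual_score(r) >= HIGH_SCORE for r in register) > len(register) / 2:
        findings.append("sign2: more than half of residual scores are high")
    for r in register:
        if residual_score(r) < MEDIUM_SCORE:
            continue
        if r.control is None or r.owner is None:
            findings.append(f"sign5: {r.name} has no documented control or owner")
        elif r.last_tested is None or (today - r.last_tested).days > stale_days:
            findings.append(f"sign5: {r.name} control not tested in {stale_days} days")
    return findings

REGISTER = [  # constructed sample data
    Risk("Ransomware", 5, 5, "Offline backups", "Head of IT", 0.8, date(2026, 1, 10)),
    Risk("Payment fraud", 4, 4, "Dual approval", None, 0.5, date(2025, 12, 1)),
    Risk("Vendor data leak", 4, 5),
    Risk("Key-person loss", 4, 4, "Succession plan", "COO", 0.5, date(2024, 1, 1)),
]
```

The gap between `inherent_score` and `residual_score` for each entry is the control-effectiveness evidence the article asks for; `find_signs(REGISTER, TODAY)` returns one finding per register entry that is missing an owner, missing a control, or carrying a control not tested within a year.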

What to Do When You Recognise More Than Two Signs  

If two or more of these signs apply to your organisation, the issue is not the matrix itself — it is the process around it. The matrix is a document. The process is what makes it work.

The most effective upgrade is usually not switching to a different format or tool. It is adding the governance layer that the matrix currently lacks: defined review cadence, cross-functional input, explicit links to decisions, and controls mapped to every material risk.

ISO 31000 calls this "continual improvement" — and it is the principle that separates organisations that have a risk matrix from organisations that use one.

Two ways to upgrade today:

Join the next session of the Pirani Risk Management School — this month's topic is risk matrices in practice. Free, every third Wednesday. 


FAQ

When does a risk matrix stop being effective?

A risk matrix stops being effective when it no longer changes behaviour. The five clearest signs are: it looks the same every quarter, everything is rated high, risks materialise that were not on it, it is disconnected from strategic decisions, and controls are not linked to risks. Any two of these signs together indicate a process problem, not just a document problem. 

Why does a risk matrix become outdated?

Risk matrices become outdated when they are not connected to a regular review process that responds to real-world events. Trigger events that should prompt a review include regulatory changes, new products, market entries, system upgrades, and emerging threats. Without a standing review cadence that explicitly asks what has changed, a matrix reflects a snapshot of the past rather than the current risk environment. 

What is the difference between inherent risk and residual risk in a matrix?

Inherent risk is your exposure before any controls are applied. Residual risk is your exposure after controls are in place. Both should appear in your matrix. Failure to assess control effectiveness when calculating likelihood produces inflated scores — a common cause of matrices where everything appears high. The gap between inherent and residual scores is what tells you whether your controls are actually working. 

How do you connect a risk matrix to strategic decisions?

Present the risk matrix at every board and executive meeting as a standing agenda item. When strategic decisions are being made — new markets, product launches, vendor contracts — explicitly reference the relevant risks on the matrix. This is the principle at the core of COSO ERM: risk management integrated with strategy, not treated as a compliance exercise that runs parallel to real decisions. 

How often should a risk matrix be reviewed?

At minimum, quarterly. But reviews should also be triggered by specific events — regulatory changes, operational incidents, new products, or major personnel changes. A matrix reviewed only on a fixed schedule without event-triggered updates will systematically miss the risks that emerge between cycles. 

What do regulators in West Africa and South Africa look for in a risk matrix?

The CBN, Bank of Ghana, and South African Prudential Authority look for evidence that the risk framework is active and maintained — not just that it exists. Specifically: board-approved risk appetite, named control owners for material risks, documented review history, and residual risk scores that reflect the effectiveness of actual controls. A static matrix with no review trail fails all four criteria. 
