The risk matrix approaches described in PMBOK® and similar sources of risk management information multiply the probability of occurrence of the risk by the impact of the risk to produce a risk index.
The example matrix from PMBOK® is
In this diagram, the numbers in the cells come from the probability of occurrence and the impact. There are lots of issues with this approach, not the least of which is that each element on each axis is "uncalibrated." By this I mean the "meaning" of a 0.10 (10%) impact or a 0.70 (70%) probability is not connected to "real" risks and outcomes.
Here's the matrix where the values are "calibrated." This means the coloring, the ranking (names in the boxes), and the definitions on the row and column axes are "assigned" for a specific class of risk.
There are a couple of things here that are different:
- Each risk category for the "calibration" is unique - for example: (1) Database performance, (2) Power cooling meets specification, or (3) User community accepts or rejects next release of the software.
- The axes are labeled A, B, C, D, and E so math cannot be performed. The values are just ranked.
- The values in the cells are defined in terms meaningful to the specific risk, rather than a number.
This approach is applied to individual risk events. This means that for specific classes of risk, a "calibrated" version of each table should be built.
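
The following is an added example, not part of the original article. It shows why ranked A to E labels should not be multiplied: two numeric encodings that both preserve the A < B < C < D < E order still disagree about which of two risks has the higher index. The percent values in both encodings are constructed for illustration and are assumptions, not values from the page's matrices.

```python
from itertools import combinations, product

LEVELS = "ABCDE"  # ordinal labels from the calibrated matrix: ranked, not numeric

# Two constructed numeric encodings (in percent) of the same ranked levels.
# Both preserve the order A < B < C < D < E; neither is taken from the page.
PROB = dict(zip(LEVELS, (10, 30, 50, 70, 90)))
IMPACT_LINEAR = dict(zip(LEVELS, (10, 30, 50, 70, 90)))
IMPACT_NONLINEAR = dict(zip(LEVELS, (5, 10, 20, 40, 80)))

CELLS = list(product(LEVELS, LEVELS))  # (probability level, impact level)


def index(cell, impact_scale):
    """Risk index as probability x impact for one cell under one encoding."""
    p, i = cell
    return PROB[p] * impact_scale[i]


def dominates(x, y):
    """True if x is at least as high as y on both axes and the cells differ.
    This is the only comparison ranked labels support without arithmetic."""
    return x != y and x[0] >= y[0] and x[1] >= y[1]


def rank_reversals(scale_1, scale_2):
    """Pairs of cells that the two encodings order in opposite directions."""
    flipped = []
    for x, y in combinations(CELLS, 2):
        d1 = index(x, scale_1) - index(y, scale_1)
        d2 = index(x, scale_2) - index(y, scale_2)
        if d1 * d2 < 0:  # strictly opposite signs: the ranking flipped
            flipped.append((x, y))
    return flipped


if __name__ == "__main__":
    flips = rank_reversals(IMPACT_LINEAR, IMPACT_NONLINEAR)
    print(f"{len(flips)} cell pairs change order between the two encodings")
    for x, y in flips[:5]:
        print(f"  prob {x[0]}/impact {x[1]}  vs  prob {y[0]}/impact {y[1]}")
```

Every pair that flips is one where neither cell is higher on both axes, which is exactly the comparison a ranked table cannot settle without calibrated definitions in the cells.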