Most organizations "measure" risk with a red-amber-green matrix: likelihood times impact, each rated low-medium-high. It looks rigorous and frequently isn't. Real risk measurement means expressing uncertainty in quantities you can reason with — and it's more achievable than the matrix habit suggests.
The problem with the heat map
Ordinal scales (low/medium/high) can't be meaningfully multiplied — "medium times high" isn't a real calculation. Worse, the colours create false confidence and hide huge ranges: two risks both "high" might differ a hundredfold. The matrix can be useful for rough triage, but mistaking it for measurement leads to bad resource decisions.
Measure with probabilities and ranges
The alternative is to express risk in probabilities and quantities: not "high likelihood" but "a 20% chance per year," not "big impact" but "a loss between SAR 200k and SAR 2M." Ranges are honest about uncertainty while still being computable — and a wide range you can reason with beats a single colour you can't.
"You can't measure it" is almost never true — it usually means "I haven't decided what observation would reduce my uncertainty."
Calibrated judgement
Where you lack data, expert estimates fill the gap — but only if the experts are calibrated: trained so that when they say "90% confident," they're right about 90% of the time. Most people are badly overconfident by default; calibration training measurably improves estimates, turning subjective judgement into a usable input rather than a guess.
Modelling uncertainty
Once risks are quantities with ranges, you can combine them — running many simulated scenarios (Monte Carlo) to see the distribution of possible outcomes rather than a single point. That reveals things a matrix hides: the shape of the tail, the chance of a truly bad outcome, and which inputs actually drive the result.
The payoff
Quantified risk lets you compare risks on a common scale, decide how much mitigation is worth, and direct attention to what genuinely matters — instead of treating every "red" cell as equally urgent. It's the difference between managing risk and colouring it in.
Measure risk for real
My Risk Measurement course covers why heat maps mislead, expressing risk as probabilities and ranges, calibrated estimation, and modelling uncertainty you can actually act on.
View the course →Questions
What's wrong with a risk matrix?
Ordinal scales (low/medium/high) can't be meaningfully multiplied and hide huge ranges, creating false confidence. They're acceptable for rough triage but not real measurement.
Can you measure risks with no data?
Yes — with calibrated expert estimates expressed as probabilities and ranges. Calibration training makes subjective judgement reliable enough to compute with.