Quantifying operational risk: beyond the basic risk matrix

by :name Tim Larkin · Enterprise Risk Management · Mar 28, 2026 · 2 replies Answered

No Reliance on Forum Content. The information, opinions, and discussions shared on this forum are contributed by community members and LexFlag Team and do not constitute professional advice. LexFlag does not endorse, verify, or guarantee the accuracy, completeness, or reliability of any content posted.

User Identity & AI-Generated Content. There is no guarantee that users are using their real names, represent any organization, or express their own personal views. Replies and contributions may be partially or fully generated by artificial intelligence.

Independent Verification Required. You must independently verify any information obtained from this forum before making any decisions. LexFlag, its affiliates, and contributors accept no liability for any loss or damage arising from reliance on forum content.

We currently use a 5x5 likelihood-impact risk matrix for our operational risk assessment. While it's easy to understand, I'm increasingly finding it too subjective and imprecise. Two different assessors will rate the same risk differently, and the ordinal scale makes it difficult to prioritize investments.

Has anyone moved to more quantitative approaches like Monte Carlo simulation, loss distribution approaches, or scenario-based quantification? What was the cost-benefit, and how did you get buy-in from the board?

Tim Larkin

Member since Mar 2026

Accepted Answer

We transitioned from a qualitative matrix to a semi-quantitative approach using calibrated estimates and simple Monte Carlo simulation. Here's how:

Calibration training — We trained risk owners on how to estimate frequency (events per year) and impact (dollar ranges) using calibration techniques from Doug Hubbard's work.
Monte Carlo simulation — Nothing fancy. We use a Python script that runs 10,000 iterations per risk using the estimated ranges. This gives us a loss exceedance curve for each risk.
Aggregation — We can now aggregate risks and show the board our total operational risk exposure as a distribution rather than a colored cell.

Board buy-in came from a simple demonstration: we showed how two risks with the same "High" rating on the old matrix had vastly different expected losses ($200K vs. $5M) when quantified. The board immediately understood the limitation of the old approach.

The entire transition took about 6 months and one FTE equivalent of effort.

Aisha Rahman

Chief Compliance Officer · NeoBank Digital

Member since Apr 2026

2 replies

Be careful with quantification — garbage in, garbage out. If your frequency and impact estimates are poorly calibrated, the Monte Carlo output will give you a false sense of precision.

I'd recommend starting with your top 10-15 risks and validating the estimates against actual loss data (internal and industry benchmarks). Once you've proven the approach works on a small scale, expand it.

Also look into the FAIR (Factor Analysis of Information Risk) framework. It's designed specifically for operational and cyber risk quantification and provides a structured methodology for the estimation process.

John Doe

Mar 29, 2026 at 4:33 AM