A risk assessment matrix is a grid that plots each risk you’ve identified based on two factors: how likely it is to happen and how severe the impact would be. The intersection of those two scores tells you whether a risk is low, moderate, or high priority, so you can decide where to focus your time and resources. It’s one of the most widely used tools in project management, workplace safety, and enterprise risk planning, and getting it right comes down to following a clear process.
How the Matrix Is Structured
The matrix is a simple grid with two axes. One axis represents likelihood (the probability a risk event will occur), and the other represents impact (how much damage it would cause if it did). Each axis uses a defined scale, typically ranging from 1 to 5. For likelihood, a common scale runs from “very unlikely” (1) to “near certain” (5). For impact, it runs from “insignificant” (1) to “severe” (5).
Every cell in the grid represents a unique combination of likelihood and impact. Most matrices divide those cells into three color-coded zones: green for minor risks, yellow for moderate risks, and red for major risks. A risk that scores 2 on likelihood and 1 on impact lands in the green zone. A risk that scores 4 on likelihood and 5 on impact lands deep in the red.
The most common format is a 5×5 grid, which gives you 25 possible positions and enough granularity to separate risks that might otherwise look the same. A 3×3 matrix works for simpler assessments where you just need a quick high-medium-low sort, but it can lump together risks that actually deserve different levels of attention.
Choosing Your Scales
Before you plot anything, you need to define what each number on your scales actually means in concrete terms. This is the step most people rush through, and it’s the one that determines whether the matrix produces useful results or vague guesses.
For impact, think about the specific types of harm that matter to your situation. In project management, the Project Management Institute recommends evaluating impact across cost, schedule, functionality, and quality, then using the highest of those four ratings as your overall impact score. In a workplace safety context, impact might range from “minor first aid” at level 1 to “fatality or permanent disability” at level 5. For a business risk assessment, level 1 might mean less than $10,000 in losses while level 5 means losses that threaten the organization’s survival. The key is writing down specific, measurable descriptions for each level so that two different people evaluating the same risk would arrive at the same score.
For likelihood, your scale should reflect how probable the event is over a defined time period. A level 1 might mean less than a 5% chance of occurring in the next year, while a level 5 might mean greater than 90%. Some frameworks also factor in how difficult it would be to intervene and prevent the risk, combining that with raw probability to get a final likelihood rating. If a risk is somewhat probable but easy to catch and stop before it causes damage, the effective likelihood drops.
Identifying and Scoring Your Risks
Start by building a comprehensive list of risks. Brainstorming sessions with your team, interviews with subject matter experts, and reviews of historical incidents or near-misses are all productive ways to surface risks you might not think of alone. Write each risk as a specific event, not a vague category. “Key supplier fails to deliver materials within the contract window” is actionable. “Supply chain problems” is not.
Once you have your list, score each risk on both axes using the scales you defined. This is where having clear, written descriptions for each level pays off. Walk through each risk one at a time: what’s the realistic probability this happens, and what’s the worst plausible outcome if it does? Assign the numeric scores, then calculate the overall risk level. The most common formula is straightforward multiplication: Risk Level = Likelihood × Impact. On a 5×5 matrix, that gives you scores ranging from 1 to 25.
Some organizations use a weighted formula instead, such as Likelihood + 2 × Impact, which puts extra emphasis on consequences. Under that approach, the PMI framework defines red-zone risks as scores of 12 to 15, yellow as 8 to 11, and green as anything below 8. The formula you choose depends on whether your organization is more concerned about frequency or severity. For most purposes, simple multiplication works well.
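Both formulas and the PMI zone cut-offs above, as an added worked example in Python that is not part of the original article. The sample risks are constructed, and the red/yellow/green cut-offs used for the multiplicative formula (red 15 and above, yellow 6 to 14, green 5 and below) are an assumption, since the article gives no numeric thresholds for that formula.

```python
# Constructed sample register (not from the article): (name, likelihood, impact)
RISKS = [
    ("Key supplier fails to deliver materials within the contract window", 3, 4),
    ("Unpatched internet-facing server is compromised", 4, 5),
    ("Office printer runs out of toner", 2, 1),
]

def _check(likelihood, impact):
    for v in (likelihood, impact):
        if not isinstance(v, int) or not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be integers from 1 to 5")

def multiplicative_score(likelihood, impact):
    """Risk Level = Likelihood x Impact, giving 1..25 on a 5x5 matrix."""
    _check(likelihood, impact)
    return likelihood * impact

def weighted_score(likelihood, impact):
    """Likelihood + 2 x Impact, the consequence-weighted variant (3..15)."""
    _check(likelihood, impact)
    return likelihood + 2 * impact

def weighted_zone(score):
    """PMI cut-offs quoted in the article for the weighted formula."""
    if score >= 12:
        return "red"
    if score >= 8:
        return "yellow"
    return "green"

def multiplicative_zone(score):
    """Assumed cut-offs for the multiplicative formula (the article gives
    none), chosen for illustration: red >= 15, yellow 6-14, green <= 5."""
    if score >= 15:
        return "red"
    if score >= 6:
        return "yellow"
    return "green"

def score_register(risks, weighted=False):
    """Score every risk with the chosen formula and sort highest first.
    Returns rows of (name, likelihood, impact, score, zone)."""
    rows = []
    for name, l, i in risks:
        s = weighted_score(l, i) if weighted else multiplicative_score(l, i)
        z = weighted_zone(s) if weighted else multiplicative_zone(s)
        rows.append((name, l, i, s, z))
    return sorted(rows, key=lambda r: r[3], reverse=True)
```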
Plotting Risks on the Grid
With scores in hand, place each risk on the matrix at the intersection of its likelihood and impact values. Color-code each cell or risk marker according to which zone it falls in. When you’re done, you should be able to glance at the matrix and immediately see which risks cluster in the red zone, which sit in yellow, and which are green.
This visual layout is the matrix’s biggest advantage. A spreadsheet of 30 risks with numeric scores is hard to interpret quickly. A color-coded grid lets you spot patterns at a glance. You might notice that several risks share the same high-impact column even though their likelihoods vary, which tells you that entire category of consequence deserves a mitigation plan. Or you might see a cluster of moderate risks in the yellow zone that, taken together, represent a bigger problem than any single red-zone item.
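A text rendering of the 5×5 grid plus the column-cluster check described above, as an added example in Python that is not from the original article. The risk register is constructed, and the zone cut-offs for Likelihood × Impact (R 15 and above, Y 6 to 14, G 5 and below) are an assumption because the article gives none for that formula.

```python
from collections import defaultdict

# Constructed sample register (not from the article): (id, likelihood, impact)
REGISTER = [
    ("R1", 3, 4), ("R2", 4, 5), ("R3", 2, 1),
    ("R4", 1, 5), ("R5", 5, 2), ("R6", 2, 5),
]

def zone_letter(likelihood, impact):
    """Zone for Likelihood x Impact. Cut-offs are an assumption (the article
    gives none for this formula): R >= 15, Y 6-14, G <= 5."""
    s = likelihood * impact
    return "R" if s >= 15 else "Y" if s >= 6 else "G"

def build_grid(register):
    """Map each (likelihood, impact) cell to the risk ids plotted there."""
    cells = defaultdict(list)
    for rid, l, i in register:
        cells[(l, i)].append(rid)
    return dict(cells)

def render(register, width=9):
    """Text view of the 5x5 grid: likelihood 5..1 top to bottom, impact 1..5
    left to right; each cell shows its zone letter and any risk ids."""
    cells = build_grid(register)
    lines = ["L\\I  " + "".join(f"{i:^{width}}" for i in range(1, 6))]
    for l in range(5, 0, -1):
        row = f" {l}   "
        for i in range(1, 6):
            mark = zone_letter(l, i) + ":" + ",".join(cells.get((l, i), []))
            row += f"{mark:^{width}}"
        lines.append(row)
    return "\n".join(lines)

def impact_column_clusters(register, min_size=2):
    """Impact columns holding min_size or more risks regardless of likelihood:
    a whole consequence category that may warrant a single mitigation plan."""
    by_impact = defaultdict(list)
    for rid, _, i in register:
        by_impact[i].append(rid)
    return {i: ids for i, ids in by_impact.items() if len(ids) >= min_size}

if __name__ == "__main__":
    print(render(REGISTER))
    print("impact columns with clusters:", impact_column_clusters(REGISTER))
```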
Deciding What to Do With Each Risk
The matrix sorts your risks into priority tiers, and each tier calls for a different type of response. A framework used by the U.S. Coast Guard Auxiliary illustrates this clearly with four action levels:
- Extremely high risk (red zone, highest scores): Stop the activity or process and correct the issue immediately before proceeding.
- High risk (red zone): Consider stopping and make urgent corrections. These risks need dedicated resources and a defined mitigation plan with clear ownership.
- Moderate risk (yellow zone): Corrective attention is needed, but the situation doesn’t require halting operations. Assign someone to monitor the risk and implement controls on a reasonable timeline.
- Low risk (green zone): Possible acceptance. You acknowledge the risk exists but decide the cost of mitigating it outweighs the potential harm. Document the decision and revisit it periodically.
For each risk that falls outside the green zone, you have four basic response strategies. You can avoid the risk by eliminating the activity that creates it. You can reduce it by putting controls in place that lower the likelihood, the impact, or both. You can transfer it by shifting the financial consequence to another party, typically through insurance or contract terms. Or you can accept it, which is really only appropriate for green-zone risks or when the other options cost more than the risk itself.
The response you choose should move the risk to a lower position on the matrix. After you implement a control, re-score the risk to see where it lands now. If a high-likelihood, high-impact risk drops to moderate likelihood after you add a backup supplier, that’s measurable progress you can show stakeholders.
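Re-scoring after a control and mapping the result to the four action levels, as an added example in Python that is not from the original article or the Coast Guard Auxiliary framework. The numeric cut-offs for the four levels (20 and above, 15 to 19, 6 to 14, 5 and below on a Likelihood × Impact matrix) are an assumption; the article describes the levels by zone only.

```python
from dataclasses import dataclass, field

def action_level(score):
    """Assumed numeric cut-offs for the four action levels (the article names
    them by zone, not by score) on a Likelihood x Impact matrix."""
    if score >= 20:
        return "extremely high: stop and correct immediately before proceeding"
    if score >= 15:
        return "high: consider stopping; urgent correction with a named owner"
    if score >= 6:
        return "moderate: corrective attention; monitor and implement controls"
    return "low: possible acceptance; document the decision and revisit"

@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    history: list = field(default_factory=list)  # (control, L, I, score)

    @property
    def score(self):
        return self.likelihood * self.impact

def apply_control(risk, control, likelihood_delta=0, impact_delta=0):
    """Re-score a risk after a control (reduce, avoid or transfer) and record
    the move. Returns (before, after, moved_lower); moved_lower is False when
    the control did not actually move the risk to a lower position."""
    before = risk.score
    if not risk.history:
        risk.history.append(("initial", risk.likelihood, risk.impact, before))
    risk.likelihood = max(1, min(5, risk.likelihood + likelihood_delta))
    risk.impact = max(1, min(5, risk.impact + impact_delta))
    after = risk.score
    risk.history.append((control, risk.likelihood, risk.impact, after))
    return before, after, after < before

def movement_report(risk):
    """One line per recorded state: the trail to show stakeholders."""
    return [f"{ctrl}: L={l} I={i} score={s} -> {action_level(s)}"
            for ctrl, l, i, s in risk.history]

if __name__ == "__main__":
    r = Risk("Key supplier fails to deliver within contract window", 4, 5)
    apply_control(r, "added a qualified backup supplier", likelihood_delta=-2)
    print("\n".join(movement_report(r)))
```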
Validating With Your Team
A risk matrix is only as reliable as the judgments behind it. After completing your initial scoring, review the full matrix with stakeholders and subject matter experts. Look for risks that seem over- or under-scored relative to each other. If “server outage” is rated higher than “complete loss of a major client,” something is probably off. Calibration conversations like these catch bias and fill knowledge gaps, especially when the people closest to each risk area weigh in on the scores.
It also helps to have at least two or three people independently score the same set of risks before comparing results. Where scores diverge significantly, that’s a signal you need to sharpen your scale definitions or gather more data before committing to a rating.
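The two calibration checks above (independent scorers diverging, and one risk outranking another when it should not), as an added example in Python that is not from the original article. The three scorers and their ratings are constructed; the consensus is taken as the per-axis median, which is an assumption rather than a method the article prescribes.

```python
from statistics import median

# Constructed independent scoring rounds (not from the article):
# scorer -> risk -> (likelihood, impact)
SCORES = {
    "alice": {"server outage": (4, 3), "loss of major client": (2, 5), "phishing": (5, 3)},
    "bob":   {"server outage": (4, 3), "loss of major client": (2, 2), "phishing": (3, 3)},
    "carol": {"server outage": (3, 3), "loss of major client": (1, 5), "phishing": (5, 4)},
}

def _axis_values(scores, risk):
    ls = [s[risk][0] for s in scores.values() if risk in s]
    is_ = [s[risk][1] for s in scores.values() if risk in s]
    return ls, is_

def divergent_risks(scores, tolerance=1):
    """Risks whose scorers differ by more than `tolerance` levels on either
    axis: a signal to sharpen scale definitions or gather more data."""
    risks = set().union(*(s.keys() for s in scores.values()))
    out = {}
    for risk in sorted(risks):
        ls, is_ = _axis_values(scores, risk)
        spread = (max(ls) - min(ls), max(is_) - min(is_))
        if max(spread) > tolerance:
            out[risk] = {"likelihood_spread": spread[0], "impact_spread": spread[1]}
    return out

def consensus(scores):
    """Median likelihood and impact per risk, with Likelihood x Impact."""
    risks = set().union(*(s.keys() for s in scores.values()))
    result = {}
    for risk in risks:
        ls, is_ = _axis_values(scores, risk)
        l, i = int(median(ls)), int(median(is_))
        result[risk] = (l, i, l * i)
    return result

def ordering_violations(scores, expected_pairs):
    """Relative sanity check: each (higher, lower) pair names a risk that should
    outrank another. Returns the pairs where the consensus disagrees."""
    c = consensus(scores)
    return [(hi, c[hi][2], lo, c[lo][2])
            for hi, lo in expected_pairs if c[hi][2] <= c[lo][2]]
```

With the constructed data, "server outage" ends up scored above "loss of major client", which is exactly the kind of relative mis-ranking the calibration review is meant to catch.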
Keeping the Matrix Current
A risk matrix is not a document you create once and file away. Risks change as projects progress, markets shift, regulations evolve, and new information surfaces. Set a regular review cadence, whether that’s monthly, quarterly, or tied to major project milestones. At each review, ask three questions: Have any existing risks changed in likelihood or impact? Have new risks emerged? Have any risks been fully resolved, so that they can be removed?
ISO 31000, the international standard for risk management, emphasizes that the full cycle of identifying, analyzing, evaluating, and treating risks should be an ongoing process, not a one-time exercise. The standard applies to organizations of any size or sector and, while it doesn’t prescribe a specific matrix format, it reinforces that monitoring and regular reassessment are core to effective risk management.
When you update the matrix, keep previous versions. Tracking how risks move across the grid over time gives you a record of whether your mitigation efforts are working and helps you spot emerging patterns before they escalate into red-zone problems.