KEVSTEMPLATES.COM
Risk Assessment Matrix
A risk assessment matrix (also called a risk heat map or probability-impact matrix) is a visual tool for evaluating and prioritising risks based on their likelihood of occurring and potential impact.
The 5x5 Risk Matrix
The most common format uses a 5x5 grid with probability on one axis and impact on the other.
| Probability | Impact | ||||
|---|---|---|---|---|---|
| Very Low (1) | Low (2) | Medium (3) | High (4) | Very High (5) | |
| Very High (5) | 5 | 10 | 15 | 20 | 25 |
| High (4) | 4 | 8 | 12 | 16 | 20 |
| Medium (3) | 3 | 6 | 9 | 12 | 15 |
| Low (2) | 2 | 4 | 6 | 8 | 10 |
| Very Low (1) | 1 | 2 | 3 | 4 | 5 |
Risk Zones
The matrix is typically divided into three zones based on the risk score:
| Zone | Score Range | Response | Typical Actions |
|---|---|---|---|
| Red (High) | 15-25 | Active management required | Immediate response plan, escalate to sponsor, allocate contingency |
| Amber (Medium) | 5-14 | Monitor closely | Develop mitigation plan, assign owner, regular review |
| Green (Low) | 1-4 | Accept or monitor | Document in register, periodic review |
How to Use the Matrix
Step 1: Identify Risks
Gather risks through brainstorming, interviews, checklists, and lessons learned.
Step 2: Assess Probability
Rate the likelihood of each risk occurring using a defined scale:
| Rating | Probability | Description |
|---|---|---|
| 5 | Very High | >80% - Almost certain to occur |
| 4 | High | 60-80% - More likely than not |
| 3 | Medium | 40-60% - Could go either way |
| 2 | Low | 20-40% - Unlikely but possible |
| 1 | Very Low | <20% - Rare occurrence |
Step 3: Assess Impact
Rate the potential impact if the risk occurs:
| Rating | Impact | Cost Impact | Schedule Impact |
|---|---|---|---|
| 5 | Very High | >20% budget | >20% schedule |
| 4 | High | 10-20% budget | 10-20% schedule |
| 3 | Medium | 5-10% budget | 5-10% schedule |
| 2 | Low | 1-5% budget | 1-5% schedule |
| 1 | Very Low | <1% budget | <1% schedule |
Step 4: Calculate Risk Score
Multiply probability by impact: Risk Score = P x I
Step 5: Plot on Matrix
Place each risk on the matrix and determine its zone.
Step 6: Prioritise Response
Focus attention on high-scoring risks first.
The 3x3 Risk Matrix
For simpler projects, a 3x3 matrix may be sufficient:
| Probability | Impact | ||
|---|---|---|---|
| Low | Medium | High | |
| High | Medium | High | Critical |
| Medium | Low | Medium | High |
| Low | Low | Low | Medium |
Worked Example
Consider a software project with these identified risks:
| Risk ID | Risk Description | P | I | Score | Zone |
|---|---|---|---|---|---|
| R001 | Key developer leaves | 3 | 4 | 12 | Amber |
| R002 | Third-party API changes | 2 | 5 | 10 | Amber |
| R003 | Requirements creep | 4 | 4 | 16 | Red |
| R004 | Server hardware failure | 1 | 5 | 5 | Amber |
| R005 | Testing delays | 3 | 3 | 9 | Amber |
| R006 | Budget approval delayed | 2 | 2 | 4 | Green |
Priority order: R003 (16) > R001 (12) > R002 (10) > R005 (9) > R004 (5) > R006 (4)
Best Practices
Do:
- Use consistent scales across all projects
- Involve the team in assessments
- Consider multiple impact dimensions
- Review and update regularly
- Document assumptions behind ratings
Don’t:
- Let one person assess all risks alone
- Use overly complex scales
- Ignore low-probability, high-impact risks
- Forget to reassess after changes
- Treat the matrix as static
Matrix Variations
Asymmetric Matrices
Some organisations weight impact more heavily than probability, creating asymmetric zones.
Multiple Impact Dimensions
Assess impact across several dimensions (cost, time, quality, reputation) and use the highest score.
Proximity Consideration
Add a third dimension for how soon the risk might occur (imminent risks may need faster response regardless of score).
Related Resources
- Probability & Impact Scoring - Detailed scoring guide
- Risk Response Strategies - How to respond to each zone
- Risk Register Best Practices - Recording matrix results
- Risk Register Template - Download RAID log