What is a Risk Matrix?

Risk ranking is based on a matrix with axes for likelihood and impact. There are several types of risk matrices, at TeamSuccess we use the qualitative 5 x 5 matrix. The combination of the likelihood and impact gives us a risk rank.

Risk = Impact * Likelihood

There are both benefits and challenges to using a Risk Matrix. Risk matrices are simple to use, however they sometimes give a false sense of security.

risk matrix 5x5

The example matrix above categorizes risks into 3 levels; low, medium and high. The risks in the green area are low risk and low likelihood. Risks in the red area are high impact and high likelihood.

It's important to be very careful with low likelihood, high impact events. Gordon Graham explains High-Risk, Low-Frequency Incidents in an entertaining way. We highly recommend watching his video on the topic:

The assessment of risk's likelihood and impact is an estimate only, doesn't include an assessment of timeframes (for example when the risk might materialize), and is often biased.

Sometimes assigning a risk rating can oversimplify the complexity, and doesn't take into account how risks interact with each other.

However, a qualitative approach of rating risks makes it easier to understand and observe the level of risk. It's a simple method to implement, and introduce to a team not yet familiar with risk management. It promotes discussion, makes the analysis process faster, and helps to evaluate the most important areas of risk.

References and resources

  • ISO 31000:2018, (2018) Risk management – Guidelines, provides principles, framework and a process for managing risk. Source
  • Deloitte & Touche LLP. (2012). Risk assessment in practice. Deloitte. Source
  • Boyle, T. (2002). Health and safety: risk management. England: IOSH Services Limited.
  • Altenbach, T (1995). “A comparison of risk assessment Techniques from qualitative to quantitative”, Honolulu HI.