A risk assessment matrix — sometimes called a risk matrix or risk heat map — is the single most useful tool in any risk manager's kit. It lets you visualise the relative severity of risks at a glance, prioritise treatment actions, and communicate clearly with senior stakeholders. But building one that actually reflects your organisation's risk landscape takes more thought than most people give it. This guide covers everything from choosing your matrix size to calibrating your likelihood and impact scales.
Risk matrices come in three common sizes: 3×3, 4×4, and 5×5. Each has trade-offs.
3×3 matrix
Pros: Simple, easy to communicate
Cons: Not enough granularity for complex organisations
Best for: Small businesses, project-level assessments

4×4 matrix
Pros: Good balance of simplicity and nuance
Cons: Asymmetric — harder to anchor the scales clearly
Best for: Mid-size organisations with mixed risk profiles

5×5 matrix
Pros: Industry standard. Strong granularity.
Cons: Can feel complex if stakeholders are not risk-literate
Best for: Enterprise risk programmes, regulated industries
For most organisations doing enterprise risk management or internal audit risk assessments, the 5×5 matrix is the right default. It is the most widely used, best supported by reference frameworks (ISO 31000, COSO ERM), and gives you enough cells to differentiate clearly between risk levels.
There are three common ways to calculate a risk score from likelihood and impact ratings:
Multiplicative: L × I
The most widely used method. Multiplying likelihood by impact means a risk rated 5 × 5 = 25 scores significantly higher than 3 × 3 = 9. This amplification effect makes it easy to separate high-severity risks from moderate ones.
Recommended for most organisations. Used in ISO 31000 and COSO ERM templates.
Additive: L + I
Produces a narrower score range (2–10 for a 5×5). Treats likelihood and impact as equally important, which is sometimes appropriate. Less sensitive to high-scoring outliers.
Weighted: (L × w₁) + (I × w₂)
Allows you to weight likelihood and impact differently. Useful if your organisation is more sensitive to high-impact, low-likelihood events (e.g., catastrophic operational failures).
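To make the difference between the three methods concrete, the script below (an added example, not code from the original article or from RiskMatrix Pro) scores a constructed four-risk register with each method and ranks it. The register entries and the weights 1.0 for likelihood and 2.0 for impact are assumptions; zone boundaries are left to your own policy, so the example stops at ranking.

```python
from dataclasses import dataclass
from typing import Callable

Scorer = Callable[[int, int], float]

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # rating on the calibrated 1..5 likelihood scale
    impact: int      # rating on the calibrated 1..5 impact scale

def multiplicative(l: int, i: int) -> float:
    # L × I: amplifies high/high combinations (5×5 = 25 vs 3×3 = 9)
    return l * i

def additive(l: int, i: int) -> float:
    # L + I: narrower range (2..10 on a 5×5), no amplification
    return l + i

def weighted(w_likelihood: float, w_impact: float) -> Scorer:
    # (L × w1) + (I × w2): build a scorer carrying the organisation's chosen weights
    return lambda l, i: l * w_likelihood + i * w_impact

def score_range(scorer: Scorer, size: int = 5) -> tuple[float, float]:
    # Lowest and highest score reachable anywhere on a size×size matrix
    cells = [scorer(l, i) for l in range(1, size + 1) for i in range(1, size + 1)]
    return min(cells), max(cells)

def rank(risks: list[Risk], scorer: Scorer, size: int = 5) -> list[str]:
    # Risk names ordered by descending score; ties broken alphabetically
    for r in risks:
        # A rating off the matrix (e.g. 6 on a 5-point scale) is a data-entry error
        if not (1 <= r.likelihood <= size and 1 <= r.impact <= size):
            raise ValueError(f"{r.name}: rating outside 1..{size}")
    return [r.name for r in sorted(risks, key=lambda r: (-scorer(r.likelihood, r.impact), r.name))]

# Constructed register of four illustrative risks (not data from the original page)
REGISTER = [
    Risk("Regional data-centre fire", likelihood=1, impact=5),
    Risk("Vendor invoice fraud", likelihood=3, impact=2),
    Risk("Minor phishing click-through", likelihood=5, impact=1),
    Risk("Ransomware on file servers", likelihood=4, impact=4),
]

if __name__ == "__main__":
    # Assumed example weights: impact counts double, for an organisation sensitive to rare but severe events
    for label, scorer in [("L x I", multiplicative), ("L + I", additive),
                          ("weighted", weighted(1.0, 2.0))]:
        print(f"{label:9} range={score_range(scorer)} order={rank(REGISTER, scorer)}")
```

Run directly, it prints a different priority order for each method: multiplicative puts the likely-but-minor fraud above the rare fire, additive reverses them, and only the weighted method separates the high-impact fire from the high-likelihood phishing clicks, which is why the scoring method must be fixed before any zone boundaries are drawn.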
This is the step most people rush — and it is the most important. Your likelihood and impact scales need to be anchored to real, specific criteria that your assessors can apply consistently.
Likelihood scale example (5-point):
Impact scale example (financial focus):
For a multiplicative 5×5 matrix, scores range from 1 to 25. Standard zone definitions:
Immediate escalation to board/executive. Treatment required within 30 days.
Senior management attention. Treatment plan required within 90 days.
Management responsibility. Monitor and treat within 6 months.
Routine management. Review annually.
Accept. Monitor at regular intervals.
With your matrix configured, the next step is populating it with risks. Run structured risk identification workshops with process owners, reviewing both internal and external risk factors. For each risk, assess inherent likelihood and impact (before controls), then document existing controls and score residual risk. Assign an owner and a risk response strategy (Accept, Mitigate, Transfer, Avoid, or Exploit).
RiskMatrix Pro handles all of the above automatically — choose your size, scoring method, and scale labels, then start adding risks.