A risk assessment matrix is one of the most practical tools in risk management. It provides a visual, standardized way to evaluate and prioritize risks based on their likelihood and impact — helping your organization focus resources where they matter most.
What Is a Risk Assessment Matrix?
A risk assessment matrix (also called a risk heat map or probability-impact matrix) is a grid that plots risks along two axes:
- Likelihood (horizontal axis) — How probable is the risk?
- Impact (vertical axis) — How severe would the consequences be?
Each risk is placed in a cell based on its ratings, with the resulting position determining its overall risk level — typically categorized as low, medium, high, or critical.
The 5x5 Risk Matrix
The most common format is a 5x5 matrix:
| Impact \ Likelihood | Rare (1) | Unlikely (2) | Possible (3) | Likely (4) | Almost Certain (5) |
|---|---|---|---|---|---|
| Catastrophic (5) | Medium | High | High | Critical | Critical |
| Major (4) | Medium | Medium | High | High | Critical |
| Moderate (3) | Low | Medium | Medium | High | High |
| Minor (2) | Low | Low | Medium | Medium | Medium |
| Insignificant (1) | Low | Low | Low | Low | Medium |
How to Build a Risk Assessment Matrix
Step 1: Define Your Scales
Before plotting risks, establish clear definitions for each level. Ambiguity is the enemy of consistent risk assessment.
Likelihood scale example:
| Level | Rating | Description |
|---|---|---|
| Rare | 1 | Could occur only in exceptional circumstances (<5% per year) |
| Unlikely | 2 | Not expected but possible (5-20%) |
| Possible | 3 | Could occur at some point (20-50%) |
| Likely | 4 | Will probably occur in most circumstances (50-80%) |
| Almost Certain | 5 | Expected to occur regularly (>80%) |
Impact scale example:
| Level | Rating | Financial Impact | Operational Impact |
|---|---|---|---|
| Insignificant | 1 | <€10K | No disruption to operations |
| Minor | 2 | €10K–€50K | Brief disruption, easily managed |
| Moderate | 3 | €50K–€250K | Noticeable disruption, requires response |
| Major | 4 | €250K–€1M | Significant disruption, recovery takes days |
| Catastrophic | 5 | >€1M | Severe disruption, threatens business survival |
Step 2: Identify and Assess Risks
For each identified risk, assign a likelihood and impact rating based on your defined scales. Use workshops, interviews, and historical data to inform your assessments.
Step 3: Plot and Prioritize
Place each risk on the matrix. The position determines the risk level:
- Critical risks — Require immediate action and executive attention
- High risks — Need active mitigation plans and regular monitoring
- Medium risks — Should be monitored with contingency plans ready
- Low risks — Accept and monitor periodically
Step 4: Determine Risk Treatment
For each risk, decide on a treatment strategy:
- Avoid — Eliminate the activity that creates the risk
- Mitigate — Reduce the likelihood or impact through controls
- Transfer — Share the risk through insurance or outsourcing
- Accept — Acknowledge the risk and prepare to manage consequences
Common Risk Assessment Mistakes
- Not defining scales clearly — Without specific criteria, people interpret "likely" and "major" differently
- Clustering all risks in the middle — If everything is "medium," you're not actually prioritizing
- Assessing risks in isolation — Risks interact; one risk materializing can increase the likelihood of others
- Only considering financial impact — Reputation, compliance, and operational impacts matter too
- Not reassessing regularly — The risk landscape changes; your matrix should be a living document
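Steps 1 to 4 above, plus the "clustering in the middle" check from the mistakes list, as an added Python example (not code from the original article or from Sohvo). It encodes the page's 5x5 matrix cell by cell rather than multiplying the ratings, maps annual probabilities and euro losses onto the page's scales, and ranks a constructed sample register; the boundary handling (a value exactly on a band edge goes to the upper band) and the 60% clustering threshold are assumptions.

```python
from collections import Counter
# The page's 5x5 matrix: MATRIX[impact][likelihood - 1] -> level (rows impact 5..1, columns likelihood 1..5).
MATRIX = {
    5: ["Medium", "High", "High", "Critical", "Critical"],
    4: ["Medium", "Medium", "High", "High", "Critical"],
    3: ["Low", "Medium", "Medium", "High", "High"],
    2: ["Low", "Low", "Medium", "Medium", "Medium"],
    1: ["Low", "Low", "Low", "Low", "Medium"],
}
ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}  # sort order, most urgent first

def likelihood_rating(annual_probability: float) -> int:
    """Annual probability (0..1) -> 1..5 using the page's likelihood bands.
    Assumption: a value exactly on a band boundary falls into the upper band."""
    for rating, upper in ((1, 0.05), (2, 0.20), (3, 0.50), (4, 0.80)):
        if annual_probability < upper:
            return rating
    return 5

def impact_rating(loss_eur: float) -> int:
    """Estimated loss in euros -> 1..5 using the page's financial impact bands."""
    for rating, upper in ((1, 10_000), (2, 50_000), (3, 250_000), (4, 1_000_000)):
        if loss_eur < upper:
            return rating
    return 5

def risk_level(likelihood: int, impact: int) -> str:
    """Look up the matrix cell; note the result is NOT simply likelihood * impact."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be integers 1..5")
    return MATRIX[impact][likelihood - 1]

def prioritise(register):
    """Score (name, probability, loss) tuples -> (name, L, I, level), Critical first."""
    scored = []
    for name, probability, loss in register:
        lik, imp = likelihood_rating(probability), impact_rating(loss)
        scored.append((name, lik, imp, risk_level(lik, imp)))
    return sorted(scored, key=lambda r: (ORDER[r[3]], -r[1] * r[2]))

def clustered_in_middle(scored, threshold=0.6) -> bool:
    """Flag the 'everything is medium' mistake: True if > threshold of risks are Medium."""
    return Counter(r[3] for r in scored)["Medium"] / len(scored) > threshold
# Constructed sample register: (name, annual probability, estimated loss in EUR).
SAMPLE = [
    ("Ransomware on file servers", 0.30, 600_000),
    ("Lost unencrypted laptop", 0.85, 30_000),
    ("Data centre flood", 0.02, 2_000_000),
    ("Phishing credential theft", 0.60, 120_000),
]
```

Running `prioritise(SAMPLE)` ranks the two High risks first and places both the near-certain laptop loss and the rare but catastrophic flood in Medium, which is exactly where the table (rather than a product score) puts them.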
Risk Assessment with Sohvo
Sohvo's risk register lets you assess each risk by likelihood and impact, automatically calculating a risk score. Risks are linked to specific resources and processes, so you can see exactly what's at stake. The platform shows you which critical processes have unmitigated risks, where backup resources are missing, and how your overall risk posture is trending over time.
