The wonderful risk matrix

What is a Risk Matrix, and how do we use it?

A Risk Matrix is a tool used to rate a risk according to likelihood and consequence/impact. Your organisation have to identify what the specific impact means to them and when a risk is likely to happen. This tool is used in association with a Scenario Analysis and usually you make to different Risk Matrices; one before mitigative measures and one after mitigative measures.

A likelihood scale will most times look like this: 1) highly unlikely, 2) Unlikely, 3) Possible, 4) Likely and 5) Very likely. With this likelihood scale your organisation must define, according to your operational standards, what each step means. It is often measured and defined by frequency in which an accident or emergency is present but, it can also be defined by chance or quantitatively by percentages e.g., probability.

A Consequence/Impact scale is very similar to the likelihood scale, except it is measured in impact. Impact in this case, once again, have to be defined by the individual organisation. Some of the impact or consequence descriptors could be: People, Information, Reputation, Economic etc. Each descriptor then has 5 different levels of severity as given in the example below. But you can, and should, of course define you own according to the specific risk scenario.

An example will be given: 

An example of a risk matrix created for travel safety – before ane mitigative measures.

The risk matrix is divided into colours REDYELLOW and GREEN which depicts the level of seriousness the threat poses. A red risk is clearly bad and should never be allowed to remain. A yellow risk is a bit more nuanced; this can be divided into top yellow, middle yellow and bottom yellow.

— The top part of the yellow area (consequence 4) needs a more detailed assessment of other factors such as; people and their skills. Have they worked on this type of project before, are there any new guys? Then conditions such as weather. Are there optimal conditions to perform these tasks if not, then maybe you should wait. Try doing a more detailed Scenario Analysis at this point, maybe do multiple, whit different factors turned up or down.

— The middle part of the yellow (consequence 3) is not as serious but still needs assessments. These are still serious threats to whatever descriptor you decide to put there, and therefore still needs significant work in order to reduce.

— The bottom part of the yellow (consequence 1 & 2) is somewhat safe to have further along in the project but beware of the high likelihood! The consequence of these risks is rated as fairly low and therefore don’t necessarily need significant work.

All of this is to say that: RED boxes is very bad and should be handled immediately! But YELLOW boxes are also bad and should in most cases be where the bulk of the mitigative measures are placed. But it can, with the right assessments, be acceptable. GREEN should be the main goal for every risk scenario, but that is often not a realistic accomplishment. And again, beware of top green.


  1. Risk manager Julian Talbot has a great article about using a risk matrix.
  2. He also has an article stating what is right with Risk Matrices.
  3. The Danish Emergency Management Agency also did some great work on risk matrices in their Handbook for Risk Based Dimensioning in Danish municipalities (Danish only!).
  4. Furthermore CGE Risk has a great Wiki-like page on Risk Matrices.

About the author

Mikkel K. Nyegaard

Aspiring risk manager studying Disaster & Risk management at University College Copenhagen. Currently at an intern position at RoC Consult ApS.


Other articles:

Risk Management

Fault Tree Analysis (FTA) 

Introduction The fault tree analysis, also known as FTA, is a model used to understand how systems or processes fail. Furthermore, it helps with identifying the best way to reduce risk and to determine the probability of an event occurring. The FTA shares many of the same aspects as the BowTie Analysis (BTA). The model …

Does your company have a Contingency Plan? 

Does your company have a Contingency Plan? This post guides you through how and why to make a CP. Click here to learn more..

What Can Go Wrong Will Go Wrong 

Managing a large-scale construction project is no small task. There are many moving parts, stakeholders with which to communicate, supplies to order, funding to obtain, permits to acquire, and safety to consider. With this understanding, it may not be a surprise to hear that time delays are quite common within construction projects. However, recent reports …

Subscribe to our newsletter

Stay updated on Risk In Complex Operations