The wonderful risk matrix

What is a Risk Matrix, and how do we use it?

A Risk Matrix is a tool used to rate a risk according to likelihood and consequence/impact. Your organisation have to identify what the specific impact means to them and when a risk is likely to happen. This tool is used in association with a Scenario Analysis and usually you make to different Risk Matrices; one before mitigative measures and one after mitigative measures.

A likelihood scale will most times look like this: 1) highly unlikely, 2) Unlikely, 3) Possible, 4) Likely and 5) Very likely. With this likelihood scale your organisation must define, according to your operational standards, what each step means. It is often measured and defined by frequency in which an accident or emergency is present but, it can also be defined by chance or quantitatively by percentages e.g., probability.

A Consequence/Impact scale is very similar to the likelihood scale, except it is measured in impact. Impact in this case, once again, have to be defined by the individual organisation. Some of the impact or consequence descriptors could be: People, Information, Reputation, Economic etc. Each descriptor then has 5 different levels of severity as given in the example below. But you can, and should, of course define you own according to the specific risk scenario.

An example will be given: 

An example of a risk matrix created for travel safety - before ane mitigative measures.

The risk matrix is divided into colours REDYELLOW and GREEN which depicts the level of seriousness the threat poses. A red risk is clearly bad and should never be allowed to remain. A yellow risk is a bit more nuanced; this can be divided into top yellow, middle yellow and bottom yellow.

-- The top part of the yellow area (consequence 4) needs a more detailed assessment of other factors such as; people and their skills. Have they worked on this type of project before, are there any new guys? Then conditions such as weather. Are there optimal conditions to perform these tasks if not, then maybe you should wait. Try doing a more detailed Scenario Analysis at this point, maybe do multiple, whit different factors turned up or down.

-- The middle part of the yellow (consequence 3) is not as serious but still needs assessments. These are still serious threats to whatever descriptor you decide to put there, and therefore still needs significant work in order to reduce.

-- The bottom part of the yellow (consequence 1 & 2) is somewhat safe to have further along in the project but beware of the high likelihood! The consequence of these risks is rated as fairly low and therefore don’t necessarily need significant work.

All of this is to say that: RED boxes is very bad and should be handled immediately! But YELLOW boxes are also bad and should in most cases be where the bulk of the mitigative measures are placed. But it can, with the right assessments, be acceptable. GREEN should be the main goal for every risk scenario, but that is often not a realistic accomplishment. And again, beware of top green.


  1. Risk manager Julian Talbot has a great article about using a risk matrix.
  2. He also has an article stating what is right with Risk Matrices.
  3. The Danish Emergency Management Agency also did some great work on risk matrices in their Handbook for Risk Based Dimensioning in Danish municipalities (Danish only!).
  4. Furthermore CGE Risk has a great Wiki-like page on Risk Matrices.

About the Author

Mikkel K. Nyegaard

Aspiring risk manager studying Disaster & Risk management at University College Copenhagen. Currently at an intern position at RoC Consult ApS.

Other articles:

Risk and culture
Risk and culture This post helps you to understand why different people and social groups fear different risks...
Risk Management
The FIRM Scorecard
Within the field of Risk Management, there are various ways of identifying risks. Depending on the way in which you wish to realize these risks, there are certain risk classification systems to choose from. One of these is the FIRM scorecard, which at some points serves the same purpose as the Business Impact Model. Both …
Risk Management
Risk Strategy. Safety Risk Management
This article describes how safety risk management is a key component of any safety management system and involves identifying safety hazards to your operations and assessing the risks of mitigation. To successfully identify hazards you should think laterally and be unencumbered by past ideas and experience    Introduction The term “safe” Those involved in disaster  management …



Feel free to contact us

for more information

+45 28 60 49 50

Our core business is rehearsing

excellence in your project

RoC Drill is used by:

RoC Consult ApS - All rights reserved.

We use cookies to allow us to better understand how the site is used. By continuing to use this site, you consent to this policy. Click to learn more