The wonderful risk matrix

What is a Risk Matrix, and how do we use it?

A Risk Matrix is a tool used to rate a risk according to likelihood and consequence/impact. Your organisation have to identify what the specific impact means to them and when a risk is likely to happen. This tool is used in association with a Scenario Analysis and usually you make to different Risk Matrices; one before mitigative measures and one after mitigative measures.

A likelihood scale will most times look like this: 1) highly unlikely, 2) Unlikely, 3) Possible, 4) Likely and 5) Very likely. With this likelihood scale your organisation must define, according to your operational standards, what each step means. It is often measured and defined by frequency in which an accident or emergency is present but, it can also be defined by chance or quantitatively by percentages e.g., probability.

A Consequence/Impact scale is very similar to the likelihood scale, except it is measured in impact. Impact in this case, once again, have to be defined by the individual organisation. Some of the impact or consequence descriptors could be: People, Information, Reputation, Economic etc. Each descriptor then has 5 different levels of severity as given in the example below. But you can, and should, of course define you own according to the specific risk scenario.

An example will be given: 

An example of a risk matrix created for travel safety – before ane mitigative measures.

The risk matrix is divided into colours REDYELLOW and GREEN which depicts the level of seriousness the threat poses. A red risk is clearly bad and should never be allowed to remain. A yellow risk is a bit more nuanced; this can be divided into top yellow, middle yellow and bottom yellow.

— The top part of the yellow area (consequence 4) needs a more detailed assessment of other factors such as; people and their skills. Have they worked on this type of project before, are there any new guys? Then conditions such as weather. Are there optimal conditions to perform these tasks if not, then maybe you should wait. Try doing a more detailed Scenario Analysis at this point, maybe do multiple, whit different factors turned up or down.

— The middle part of the yellow (consequence 3) is not as serious but still needs assessments. These are still serious threats to whatever descriptor you decide to put there, and therefore still needs significant work in order to reduce.

— The bottom part of the yellow (consequence 1 & 2) is somewhat safe to have further along in the project but beware of the high likelihood! The consequence of these risks is rated as fairly low and therefore don’t necessarily need significant work.

All of this is to say that: RED boxes is very bad and should be handled immediately! But YELLOW boxes are also bad and should in most cases be where the bulk of the mitigative measures are placed. But it can, with the right assessments, be acceptable. GREEN should be the main goal for every risk scenario, but that is often not a realistic accomplishment. And again, beware of top green.


  1. Risk manager Julian Talbot has a great article about using a risk matrix.
  2. He also has an article stating what is right with Risk Matrices.
  3. The Danish Emergency Management Agency also did some great work on risk matrices in their Handbook for Risk Based Dimensioning in Danish municipalities (Danish only!).
  4. Furthermore CGE Risk has a great Wiki-like page on Risk Matrices.

About the author

Mikkel K. Nyegaard

Aspiring risk manager studying Disaster & Risk management at University College Copenhagen. Currently at an intern position at RoC Consult ApS.


Other articles:

Risk strategies: Risk likelihood Reduction and Consequence Reduction 

Risk management strategies Risk likelihood and consequence reduction are two different ways to manage risk. Click here to learn more..

Controls to Reduce Risk & Pitfalls to Avoid 

Introduction There are numerous controls to avoid and reduce the risks to your project or organization. Though the risk is not always avoidable, there are ways to alter it. Below are proven controls used to alter risk. Controls – Engineering Controls: these are controls that reduce risk using engineering methods. This can include: 1. How …

Risk Management

The Perception of Risk 

Introduction Paul Slovic is an American professor of psychology at the university of Oregon. Slovic mainly studies human judgement, decision making and risk perception. He has released a large amount of research papers on the before-mentioned subjects and is considered one of the leading theorists within the risk perception field. One of Paul Slovic’s most …

Subscribe to our newsletter

Stay updated on Risk In Complex Operations