Risk Assessment Matrix: What It Is and How to Use It


Share this Article:

Our content and product recommendations are editorially independent. We may make money when you click links to our partners. Learn more in our Editorial & Advertising Policy.

Key Takeaways

  • A risk assessment matrix is a visual chart that prioritizes and tracks project risks.
  • Of more than a dozen different categories of risk, the four most important for a project manager to account for are management, organizational, technical, and external risks.
  • Building a risk assessment matrix should be a core element of your overall approach to project planning.

Featured Partners

What is a Risk Assessment Matrix?

A risk assessment matrix is a chart used for prioritizing and tracking project risks. It’s a visual aid that provides a complete overview of the risks involved and the likelihood that each one will occur, and it is vital when creating a risk management strategy.

Generally speaking, most projects present several different types of risk. Some common risks include:

  • Operational risks: This includes risks that result from poor project implementation. Depending on the project, this could include issues with production, resource allocation, procurement, distribution, and more.
  • Technological risks: Risks that affect software and hardware systems include cyber attacks, device failures, virus infections, and any sort of technological failure.
  • Performance risks: These risks describe how likely—or unlikely—it is that the project will create the desired results.
  • Scheduling risks: Anything that has the potential to disrupt the project timeline is considered a scheduling risk.
  • Cost risks: Generally the result of poor project planning or scope creep, these risks either increase project budgets or result in unfinished or incomplete projects.
  • Governance risks: These are risks that could affect the company’s reputation, their community, or their ethics, and they generally fall on the shoulders of executive board members and senior managerial staff.
  • Scope creep risks: Do your project requirements often expand beyond the initial project scope? If so, you’re probably experiencing scope creep. While it can be controlled, failure to do so could result in complete failure of the project at hand.
  • Legal risks: Most projects contain several legal risks, such as contractual and regulatory requirements, that must be followed at all times.

While other risks may exist, specific risks are often grouped into one of four categories or buckets. These buckets include:

  • Project management risks: These risks involve your project team members and how they could affect the overall success of the project at hand. Examples include project planning, communications, and project controls.
  • Organizational risks: Organizational risks refer to your ability to allocate resources, prioritize tasks, and make key decisions regarding the project.
  • Technical risks: This category includes technological risks such as issues with software or hardware. It also includes risks involved in requirements gathering, process documentation, and performance analysis.
  • External risks: Risks that are beyond the control of the PM or project team members are considered external risks. This could include weather-related risks, governmental risks, regulatory risks, societal risks, supplier-related risks, and others.

Depending on the project and the exact risks involved, some additional risk categories may need to be established.

Why is a Risk Assessment Matrix Important?

The average project is fraught with risk. Not only are there legal risks, like regulatory and contractual responsibilities, but there are financial concerns, technical and technological risks, external risks, and many more. If ignored, such risks could spell disaster for even the most skilled project managers. When properly analyzed and addressed by a veteran PM, however, many of these risks are easily mitigated.

How to Create a Risk Assessment Matrix

When creating your risk assessment matrix, the very first step involves identifying and isolating any issues that pose a threat to overall project success. For best results, review the above lists and work on identifying risks with your team. Including all project stakeholders in this manner will ensure that all of the potential threats are fully uncovered and identified.

Before the identified risks can be added to your risk assessment matrix, you’ll need to establish your risk criteria. This essentially means organizing all risks according to their likelihood and severity. However, the criteria you ultimately use depends on the exact sizing of your risk matrix.

Creating a 5×5 Risk Matrix

One of the most common examples of a risk assessment matrix is the 5×5 risk matrix. In this case, you’ll use five different likelihood ratings. From least likely to most likely, these include:

  • Improbable
  • Remote
  • Occasional
  • Probable
  • Frequent

Additionally, each likelihood rating corresponds with a numerical value. Risks that are “improbable” are given a value of one, while those identified to be “frequent” are given the maximum value of five. These likelihood ratings comprise the left side of the risk matrix.

Next, you’ll establish five different severity ratings. From least severe to most severe, these include:

  • Negligible
  • Marginal
  • Moderate
  • Critical
  • Catastrophic

Severity ratings are listed across the top of the matrix. Similar to likelihood ratings, each severity rating is assigned with a numerical equivalent. The least severe “negligible” rating, for example, has a numerical value of one. On the other end of the scale, the “catastrophic” rating has a numerical value of five.

A 5×5 risk matrix then results in one of four different risk impact ratings: low, medium, high, or extreme. Those with the lowest likelihood to occur and the lowest severity rating will be on the low end of the matrix, while risks with the highest likelihood and highest severity will appear on the extreme end of the matrix.

Creating a 4×4 Risk Matrix

The 4×4 risk matrix is very similar to the 5×5 risk matrix, except instead of resulting in a grid that contains 25 squares (5 x 5), it creates a grid with 16 (4 x 4) total squares. While it is functionally identical to the 5×5 risk matrix, the 4×4 matrix has only four different ratings of risk likelihood and severity. From least likely to most likely, the likelihood ratings in a 4×4 risk matrix are:

  • Improbable
  • Remote
  • Probable
  • Frequent

Conversely, the four severity ratings are:

  • Negligible
  • Marginal
  • Critical
  • Catastrophic

Although a 4×4 risk matrix has fewer grid squares than a 5×5 risk matrix, there are still four different risk impact ratings, which are low, medium, high, and extreme.

Creating a 3×3 Risk Matrix

Best suited for smaller projects, the 3×3 risk matrix only comprises a total of nine grid squares. Likelihood ratings for a 3×3 risk matrix include:

  • Improbable
  • Occasional
  • Probable

Listed in order from least severe to most severe, the severity ratings for a 3×3 risk matrix include:

  • Marginal
  • Moderate
  • Critical

Unlike the 5×5 and 4×4 risk matrices, the 3×3 risk matrix only produces three different risk impact ratings: low, medium, and high.

How to Use Your Risk Assessment Matrix

Now that you’ve brainstormed potential project risks and created your risk matrix, it’s time to begin measuring each risk according to the ratings indicated above. Remember that many of the risks and their respective ratings are highly subjective. Not only do they vary between industries and professions, but they can also vary between projects.

Using a 5×5 Risk Matrix

One of the most common sizes used, most project managers agree that the 5×5 risk matrix offers the perfect mixture of risk detail and clarity. However, it is generally reserved for larger projects. Most small projects can be completed using a 4×4 or 3×3 risk matrix.

When using a risk matrix, regardless of size, it’s important to remember the numerical values assigned to each likelihood and severity rating. This makes it easy to calculate a numerical value for each one of the project’s risks as you simply need to multiply the likelihood that it is to occur by the severity of its impact.

For example, a risk that would have a negligible impact on the project’s success and is considered “improbable” or unlikely to happen would have a risk impact rating of 1 (1 x 1). Any risk that would have a moderate impact and might happen “occasionally” results in an impact rating of 9 (3 x 3). On the highest end of the scale, a risk that would have a “catastrophic” impact on the project and occurs “frequently” ends up with a risk impact rating of 25 (5 x 5).

After you’ve determined the numerical risk impact rating for any given risk, compare it to the list below to determine whether it poses a low, medium, high, or extreme threat to project success.

  • Low: 1–3
  • Medium: 4–9
  • High: 10–16
  • Extreme: 15–25

You will notice a bit of crossover between the “high” and “extreme” impact ratings. This is because a risk with “critical” impact (4) that is considered “probable” (4) to happen will have an impact rating of 16 (high), but a risk with “catastrophic” (5) consequences that has a “moderate” (3) chance of occurring will have an impact rating of 15 (extreme).

Using a 4×4 Risk Matrix

Another common sizing, the 4×4 risk matrix is for large projects that don’t require the level of granular detail that the 5×5 risk matrix provides. Depending on its usage, however, the 4×4 risk matrix could result in too many risks falling into a “medium” impact rating. In cases like this, it’s rather easy for risks to be mislabeled, and as such, some mitigation strategies might fall to the wayside.

Other than that, the 4×4 risk matrix functions identically to the 5×5 risk matrix. Once a risk has been placed onto the matrix, its risk impact rating is determined by multiplying the likelihood and severity ratings. Then compare the final sum to the list below to separate risks into the “low,” “medium,” “high,” and “extreme” categories.

  • Low: 1–2
  • Medium: 3–4
  • High: 6–9
  • Extreme: 12–16

Using a 3×3 Risk Matrix

Many smaller projects can be completed with a 3×3 risk matrix. While it lacks the specificity of the 5×5 or 4×4 risk matrices, its basic design and straightforward process make it a great solution for novice PMs.

But the biggest drawback of the 3×3 risk matrix also lies in its simplicity. With only three likelihood and severity ratings, it can be difficult to accurately rank certain risks. That’s why large or complex projects often need a 4×4 or 5×5 risk matrix.

After you’ve multiplied the numerical values of the likelihood and severity ratings for each risk, compare the result against the list below in order to further categorize each project risk.

  • Low: 1–2
  • Medium: 3–4
  • High: 6–9

Risk Assessment Matrix Templates

There are a plethora of risk assessment matrix templates available online. While some of these are geared toward one particular industry or toward a specific project type, they all provide a great starting point for novice PMs and project teams who are trying to get started with the risk assessment matrix.

Someka Risk Assessment Matrix Template

Created by the team at Someka, this risk assessment matrix template is available in two different formats: Microsoft Excel and Google Sheets. Referred to as a Hazard Identification & Risk Assessment (HIRA), the document is ideal for tracking cyber threats, internal corruption, and other issues. It consists of three separate parts:

  1. Risk report: Provides a systematic examination of workplace risks, how to assess personal injuries on the job, and the likelihood of reducing risks.
  2. Risk list: This section lets the user list specific hazards, including the people who are at risk, the person responsible for overseeing the risk, and any recommended actions.
  3. Risk matrix: The last section comprises a 4×4 risk matrix for tracking the likelihood and severity of personal injuries in the workplace.

Smartsheet Risk Assessment Matrix Template

The development team at Smartsheet offers a variety of free risk matrix templates that are compatible with Smartsheet, Microsoft Excel, Microsoft Word, and Adobe software (PDF). Moreover, they provide risk matrices in several different sizes including 3×3, 3×4, and 5×5. They also provide more insight into the usage and application of risk assessment matrices in general.

TeamGantt Risk Assessment Matrix Template

Users who need a highly customizable, 3×3 risk assessment matrix template can find a basic version from TeamGantt. Available exclusively for Microsoft Excel, their simplified chart includes three different elements:

  1. Risk Assessment Matrix: This 3×3 risk matrix is simple to use and easy to customize as needed.
  2. Risk Assessment List: A pre-formatted list of all potential risks, the areas that are affected by these risks, the severity of each risk, the likelihood of each risk, the total risk impact rating, and any recommended actions
  3. Lists: A master list with all of the available severity, likelihood, and impact ratings

Risk Assessment Matrix FAQs

While risk assessment matrices tend to be highly accessible and straightforward, some users might have some remaining questions surrounding their usage or application.

Risk severity levels provide a quantifiable measurement of the threat posed by any given risk. In a 5×5 risk matrix, there are five different severity levels (negligible, marginal, moderate, critical, and catastrophic). A 4×4 risk matrix has four different severity levels (negligible, marginal, critical, catastrophic), while a 3×3 risk matrix has three different severity levels (marginal, moderate, and critical).

Classifying risks in this manner makes it easy to see which risks need to be addressed immediately and which ones can be delayed to a later date (if at all).

While risk matrices should be updated over the course of time, there is no right or wrong answer regarding the frequency of these updates. It is worth noting, however, that regular updates give you the opportunity to remove any resolved risks and add any new risks that have been uncovered since the project began. Moreover, updating the risk matrix at regular intervals is a great way to give novice PMs and new project teammates more experience with the entire process.

Absolutely! Risk matrices aren’t limited to one specific industry, field, or profession. In fact, they are often customized in order to meet the user’s exact needs. Feel free to customize your risk assessment matrix by adding more risk categories, modifying the scoring criteria, or by using a different sized matrix altogether. The most important thing to remember here is that the risk matrix needs to work for you and your team. If it doesn’t or if it’s confusing to your project teammates, then it’s time to make a change.

Yes and no. Generally speaking, smaller risk matrices work better for smaller projects. However, depending on the size and scope of the project, any matrix size should do. Most professionals don’t recommend going any larger than 5×5, however, as this often results in more complexity than it’s worth. For best results, stick to a 3×3, 4×4, or 5×5 risk assessment matrix.

Making the Most of Your Risk Assessment Matrix

In the hands of a skilled PM, a risk assessment matrix helps clarify risks and forecast their potential impact on the project as a whole. Most risk management strategies begin by prioritizing each risk on the matrix and allocating the resources needed to tackle the most impactful ones. Since it is virtually impossible to overcome every single risk, expert PMs need to know how to pick their battles and mitigate those that pose the most threat to overall project success.

Sign up for our emails and be the first to see helpful how-tos, insider tips & tricks, and a collection of templates & tools. Subscribe Now

Featured Partners

Subscribe to Project Management Insider for best practices, reviews and resources.

J.R. Johnivan Avatar

Get the Newsletter

Subscribe to Project Management Insider for best practices, reviews and resources.