
Risk Matrix: A Practical Guide to Prioritising Risk by Likelihood and Impact

A risk matrix is a practical risk management tool used to assess and prioritise risks by considering two main factors:

  1. Likelihood
  2. Impact

At its simplest, a risk matrix asks:

How likely is this risk to happen, how serious would it be if it did happen, and how much attention does it need?

That makes it useful for business planning, project management, charity governance, health and safety, cyber security, public sector reporting, property management, construction, service delivery, audit preparation and board oversight.

A risk matrix does not remove risk. It does not predict the future. It helps people make better judgements about which risks need the most attention.

Used properly, a risk matrix helps organisations move from a long list of risks to a clear view of priorities.

What is a risk matrix?

A risk matrix is a visual tool that plots risks according to their likelihood and impact.

Likelihood means how probable the risk is.

Impact means how serious the consequences would be if the risk occurred.

The result is usually shown as a grid. The grid may be three by three, four by four or five by five.

A simple five by five matrix might use:

Likelihood

  1. Rare
  2. Unlikely
  3. Possible
  4. Likely
  5. Almost certain

Impact

  1. Minor
  2. Moderate
  3. Significant
  4. Major
  5. Severe

The risk score is often calculated as:

Likelihood x Impact = Risk Score

For example:

A risk with likelihood 4 and impact 5 would have a score of 20.

That would normally be treated as a high risk.

A risk with likelihood 2 and impact 2 would have a score of 4.

That would normally be treated as a low risk.

The purpose is not mathematical perfection. The purpose is to support judgement, prioritisation and action.

Risk matrix and risk register

A risk matrix and a risk register are closely connected, but they are not the same.

A risk register records the risks, controls, owners, actions, deadlines and review dates.

A risk matrix helps assess and prioritise those risks.

In simple terms:

The risk register records the risk.

The risk matrix helps judge how serious it is.

A risk register without a scoring method can become a flat list. A risk matrix gives structure to the assessment.

However, a risk matrix on its own is not enough. It should usually feed into a risk register so that risks are owned, controlled and reviewed.

History and development of risk matrices

Risk matrices developed as part of wider risk management practice.

As organisations became more formal in their approach to governance, projects, safety, quality, audit and compliance, they needed a simple way to assess and compare risks.

The matrix became popular because it is visual, easy to understand and adaptable. It can be used by boards, trustees, project teams, managers, auditors, health and safety officers and operational teams.

Risk matrices are now widely used across:

  1. Project management
  2. Health and safety
  3. Engineering
  4. Public sector governance
  5. Internal audit
  6. Financial control
  7. Charity management
  8. Cyber security
  9. Construction
  10. Business continuity
  11. Compliance
  12. Enterprise risk management

The strength of the risk matrix is its simplicity.

The weakness is also its simplicity.

It can help prioritise risks, but it should not be treated as a precise scientific instrument. It depends on judgement, definitions, evidence and consistency.

The two axes of a risk matrix

1. Likelihood

Likelihood is the probability that the risk will occur.

A common five point scale is:

  1. Rare
    The risk is not expected to occur, but it is possible.
  2. Unlikely
    The risk could occur, but it is not expected in normal circumstances.
  3. Possible
    The risk may occur at some point.
  4. Likely
    The risk is expected to occur in many circumstances.
  5. Almost certain
    The risk is expected to occur frequently or soon.

Likelihood should be assessed using evidence where possible.

Useful evidence may include:

  1. Past incidents
  2. Near misses
  3. Audit findings
  4. Industry experience
  5. Staff feedback
  6. Customer complaints
  7. External events
  8. Supplier performance
  9. Financial trends
  10. Project history
  11. System reports
  12. Professional judgement

Likelihood should not be guessed casually. It should be discussed and challenged.

2. Impact

Impact is the seriousness of the consequences if the risk occurs.

A common five point scale is:

  1. Minor
    Limited effect, easily managed.
  2. Moderate
    Noticeable effect, manageable with some intervention.
  3. Significant
    Serious effect requiring management action.
  4. Major
    Substantial disruption, cost, harm or reputational damage.
  5. Severe
    Critical impact on safety, finances, operations, compliance, reputation or strategic objectives.

Impact should be considered across several areas.

These may include:

  1. Financial impact
  2. Operational impact
  3. Legal impact
  4. Compliance impact
  5. Safety impact
  6. Safeguarding impact
  7. Reputational impact
  8. Service delivery impact
  9. Customer impact
  10. Staff impact
  11. Environmental impact
  12. Strategic impact

The same risk may have different types of impact.

For example, a cyber incident may create financial cost, service disruption, legal reporting duties, reputational damage and customer concern.

Risk scoring

The most common method is:

Likelihood x Impact = Risk Score

For example:

Likelihood   Impact   Score
2            3        6
3            4        12
4            5        20
5            5        25

Scores are usually grouped into bands.

For example:

Score      Rating      Typical response
1 to 4     Low         Monitor
5 to 9     Medium      Manage through normal controls
10 to 16   High        Action required
17 to 25   Very high   Urgent action or escalation

These bands should be tailored to the organisation.

A care provider, charity, public body or regulated business may have a very low appetite for some risks, even if the numerical score is not the highest.

Colour coding and heat maps

Risk matrices are often shown as heat maps.

Typical colours are:

  1. Green for low risk
  2. Amber or yellow for medium risk
  3. Orange for high risk
  4. Red for very high risk

Colour coding helps decision makers see priorities quickly.

However, colour should support judgement, not replace it.

A risk should not be ignored simply because it falls into amber rather than red. Equally, a red risk should not automatically trigger panic. It should trigger proper review, challenge and action.

The colour is a prompt for discussion.

Inherent risk and residual risk

A good risk matrix can be used at two stages.

Inherent risk

Inherent risk is the level of risk before controls are considered.

For example:

A business that holds sensitive customer data has a high inherent cyber risk.

A charity relying on one major funder has a high inherent funding risk.

A construction project with uncertain ground conditions has a high inherent cost and delay risk.

Inherent risk helps the organisation understand the natural level of exposure.

Residual risk

Residual risk is the level of risk after controls are considered.

For example:

Cyber risk may be reduced by:

  1. Multi factor authentication
  2. Staff training
  3. Backups
  4. Patch management
  5. Incident response planning
  6. Cyber insurance
  7. Access controls
  8. Supplier due diligence

The residual risk is what remains after those controls.

This is often the most important risk rating for management.

However, both inherent and residual risk are useful. Inherent risk shows the scale of exposure. Residual risk shows what still needs attention.

Types of risk matrix

Three by three matrix

A three by three matrix is simple.

It may use:

Likelihood

  1. Low
  2. Medium
  3. High

Impact

  1. Low
  2. Medium
  3. High

This is useful for small organisations, simple projects or early discussions.

The disadvantage is that it can be too crude. Many risks end up in the middle.

Four by four matrix

A four by four matrix gives more detail than a three by three matrix but avoids the complexity of a five by five version.

It may use four levels of likelihood and four levels of impact.

This can be useful for teams that want more nuance but still want a simple tool.

Five by five matrix

A five by five matrix is very common.

It gives more gradation and allows risks to be scored from 1 to 25.

This is useful for organisations with a reasonable level of risk maturity.

The disadvantage is that people may treat the scoring as more precise than it really is.

Custom matrix

Some organisations design custom matrices.

For example, a health and safety matrix may define impact in terms of injury severity. A financial matrix may define impact using monetary thresholds. A charity matrix may include safeguarding, funding and reputational thresholds. A public body may include statutory duty, service impact and public confidence.

A custom matrix is often better than a generic one, provided it remains clear and usable.

Why risk matrices matter

Risk matrices matter because organisations usually face more risks than they can address at once.

A long risk list can be overwhelming.

A risk matrix helps answer:

  1. Which risks need urgent attention?
  2. Which risks can be monitored?
  3. Which risks are within appetite?
  4. Which risks need more controls?
  5. Which risks need board or trustee review?
  6. Which risks are increasing?
  7. Which risks should be escalated?
  8. Which risks need resources?

The risk matrix helps turn risk discussion into prioritisation.

It is especially useful where management attention, money, staff time and board capacity are limited.

When to use a risk matrix

A risk matrix is useful whenever risks need to be assessed and prioritised.

Common uses include:

  1. Risk registers
  2. Board reporting
  3. Trustee reporting
  4. Project management
  5. Health and safety
  6. Business continuity
  7. Cyber security
  8. Financial control
  9. Audit planning
  10. Compliance review
  11. Procurement
  12. Contract management
  13. Property management
  14. Construction projects
  15. Event planning
  16. Change management
  17. Safeguarding
  18. Service redesign
  19. Strategy implementation
  20. Scenario planning

It is especially useful when a group needs a shared view of risk.

It is less useful if treated as a tick box exercise or used without clear definitions.

Risk matrices in different industries

SMEs and owner managed businesses

For SMEs, a risk matrix should be simple and practical.

Typical SME risks include:

  1. Cash flow pressure
  2. Loss of a major customer
  3. Late customer payment
  4. Supplier failure
  5. Owner dependency
  6. Key staff loss
  7. Cyber attack
  8. Tax non compliance
  9. Rising costs
  10. Weak management information
  11. Loss of premises
  12. Reputational damage

A small business may not need a complicated risk framework. It needs a clear view of what could hurt the business most.

For SMEs, the risk matrix should help answer:

  1. What could threaten cash?
  2. What could stop delivery?
  3. What could damage reputation?
  4. What are we too dependent on?
  5. Which risks should we act on this month?

Manufacturing

Manufacturing businesses face operational, safety, quality and supply chain risks.

Typical risks include:

  1. Machinery breakdown
  2. Production delay
  3. Supplier failure
  4. Quality defects
  5. Health and safety incidents
  6. Energy cost increases
  7. Product recall
  8. Stock shortages
  9. Labour shortages
  10. Environmental compliance failure
  11. Customer concentration
  12. Logistics disruption

A manufacturing risk matrix should use evidence such as downtime data, defect rates, maintenance reports, near misses, supplier performance and customer complaints.

Impact should include cost, quality, safety, delivery and customer confidence.

Retail and ecommerce

Retail and ecommerce risks often involve stock, customer demand, technology, fulfilment and reputation.

Typical risks include:

  1. Stock obsolescence
  2. Weak consumer demand
  3. Website outage
  4. Payment failure
  5. Cyber incident
  6. High return rates
  7. Poor reviews
  8. Supplier delays
  9. Delivery failure
  10. Margin erosion
  11. Platform dependency
  12. Seasonal demand shocks

The risk matrix should help retailers avoid focusing only on sales.

A product may sell well but create risk through poor margin, high return rates or unreliable supply.

Professional services

Professional services firms face risks around quality, deadlines, regulation, professional liability and reputation.

Typical risks include:

  1. Missed filing deadlines
  2. Professional negligence
  3. Poor engagement letters
  4. Weak file review
  5. Cyber breach
  6. Client concentration
  7. Staff turnover
  8. Conflicts of interest
  9. Regulatory non compliance
  10. Poor billing discipline
  11. Loss of key staff
  12. Reputational damage

For accountants, solicitors, consultants, architects and advisers, a risk matrix should consider both financial impact and professional consequences.

Some risks may have a modest immediate cost but severe reputational or regulatory impact.

Charities and voluntary organisations

For charities, a risk matrix is especially useful for trustee oversight.

Typical risks include:

  1. Loss of major funding
  2. Safeguarding failure
  3. Volunteer shortages
  4. Staff burnout
  5. Weak reserves
  6. Service demand exceeding capacity
  7. Poor impact reporting
  8. Regulatory non compliance
  9. Reputational damage
  10. Trustee vacancies
  11. Data protection breach
  12. Poor financial controls

For charities, impact should not be measured only in money.

Safeguarding, beneficiary wellbeing, service continuity, public trust and mission impact may be more important.

Public sector and local government

Public bodies use risk matrices to support governance, service delivery and accountability.

Typical risks include:

  1. Budget overspend
  2. Failure to meet statutory duties
  3. Demand exceeding capacity
  4. Legal challenge
  5. Contractor failure
  6. Cyber incident
  7. Workforce shortages
  8. Poor procurement
  9. Public dissatisfaction
  10. Service disruption
  11. Data quality weakness
  12. Policy change

In public sector settings, risk impact should include statutory duties, residents, service users, equality, public confidence and value for money.

Property and construction

Property and construction risks can be high value and time sensitive.

Typical risks include:

  1. Planning refusal
  2. Cost inflation
  3. Contractor failure
  4. Ground conditions
  5. Utilities delays
  6. Health and safety incidents
  7. Legal title issues
  8. Funding withdrawal
  9. Interest rate increases
  10. Tenant default
  11. Market demand weakness
  12. Programme delay

A risk matrix in property and construction should be linked to viability appraisal, programme management, cost planning, funding, planning strategy, legal advice and contingency.

Some risks may have a low likelihood but severe impact, such as major structural failure or contractor insolvency.

Technology and software

Technology risks can change quickly.

Typical risks include:

  1. Cyber attack
  2. Data breach
  3. System outage
  4. Technical debt
  5. Platform dependency
  6. Poor product market fit
  7. Customer churn
  8. Skills shortage
  9. AI disruption
  10. Integration failure
  11. Regulatory change
  12. Supplier failure

For technology businesses, a risk matrix should be reviewed frequently.

A risk that was amber last quarter may become red quickly if customer expectations, cyber threats or regulation change.

Healthcare and social care

Healthcare and care organisations need careful risk assessment because safety, dignity and safeguarding are central.

Typical risks include:

  1. Safeguarding failure
  2. Medication errors
  3. Staff shortages
  4. Poor care quality
  5. Inspection failure
  6. Infection control issues
  7. Data breach
  8. Service continuity failure
  9. Poor handovers
  10. Family communication failures
  11. Staff fatigue
  12. Funding pressure

In this sector, the risk matrix must support professional judgement.

A simple numerical score should never override safety concerns.

Education and training

Education providers face risks around safeguarding, learner outcomes, funding, staffing and compliance.

Typical risks include:

  1. Safeguarding concerns
  2. Poor learner outcomes
  3. Low enrolment
  4. Funding changes
  5. Staff shortages
  6. Inspection findings
  7. Poor attendance
  8. Weak employer engagement
  9. Digital platform failure
  10. Curriculum relevance
  11. Estate safety issues
  12. Data protection breach

A risk matrix in education should consider learners, staff, safeguarding, quality, funding and reputation.

How to create a risk matrix properly

1. Define the purpose

Start by deciding what the risk matrix is for.

Is it for:

  1. A project?
  2. A whole organisation?
  3. A charity?
  4. A property portfolio?
  5. A construction project?
  6. A department?
  7. A service?
  8. A system implementation?
  9. An event?
  10. A board risk review?

The purpose affects the scoring.

A matrix for cyber risk may need different impact definitions from a matrix for a community event.

2. Define the scoring scale

Do not use vague scoring.

Define what each likelihood and impact score means.

For example, for likelihood:

  1. Rare: may occur only in exceptional circumstances
  2. Unlikely: could occur but not expected
  3. Possible: may occur at some point
  4. Likely: expected to occur
  5. Almost certain: expected to occur frequently or soon

For impact, define categories that fit the organisation.

For example:

  1. Minor
  2. Moderate
  3. Significant
  4. Major
  5. Severe

Then explain what those mean in practical terms.

3. Define impact categories

Impact should be more than financial.

Possible impact categories include:

  1. Finance
  2. Operations
  3. Customers
  4. Staff
  5. Safety
  6. Safeguarding
  7. Reputation
  8. Legal compliance
  9. Service users
  10. Environment
  11. Strategic objectives
  12. Governance

For example, a charity might define severe impact as a safeguarding failure, loss of major funding or serious reputational damage.

A manufacturer might define severe impact as a major injury, prolonged production shutdown or product recall.

4. Identify risks clearly

The matrix is only useful if the risks are well written.

Avoid vague labels such as:

  1. Financial risk
  2. Staff risk
  3. IT risk
  4. Compliance risk
  5. Supplier risk

Use clear risk statements instead.

For example:

Because the organisation depends on one supplier for critical materials, there is a risk that supplier failure could stop production, leading to customer delays, lost income and reputational damage.

That is much easier to score and manage.

5. Score likelihood

Assess how likely the risk is to occur.

Use evidence where possible.

Ask:

  1. Has this happened before?
  2. Has it nearly happened?
  3. Is it happening elsewhere in the sector?
  4. Are conditions making it more likely?
  5. Are controls reducing the likelihood?
  6. Are we relying on assumptions?
  7. Is the risk increasing or decreasing?

The score should be discussed and challenged.

6. Score impact

Assess the seriousness of the consequence.

Ask:

  1. What would the financial impact be?
  2. What would happen to operations?
  3. Would customers or service users be affected?
  4. Would staff be affected?
  5. Would there be legal consequences?
  6. Would reputation suffer?
  7. Would safety or safeguarding be affected?
  8. Would strategy be delayed or damaged?

If a risk has several types of impact, the organisation should usually score based on the most serious credible impact.

7. Plot the risk on the matrix

Once likelihood and impact have been scored, plot the risk on the grid.

This gives a visual rating.

The matrix can then show:

  1. Low risks
  2. Medium risks
  3. High risks
  4. Very high risks

This helps management see clusters and priorities.

8. Identify controls

Do not stop at scoring.

For each risk, identify existing controls.

Ask:

  1. What controls already exist?
  2. Are they documented?
  3. Are they working?
  4. When were they last tested?
  5. Who owns them?
  6. Are there gaps?
  7. Are controls proportionate?

Controls should then be reflected in the residual score.

9. Decide action and ownership

A risk matrix should lead to action.

For each significant risk, decide:

  1. What action is needed?
  2. Who owns the risk?
  3. Who owns the action?
  4. What is the deadline?
  5. What resources are required?
  6. What will success look like?
  7. When will it be reviewed?

A risk matrix without action is only a picture.

10. Review regularly

Risk ratings change.

A risk may become more likely. Controls may improve. A low impact issue may become more serious. A new external factor may change the assessment.

Review the matrix when:

  1. Strategy changes
  2. A project milestone is reached
  3. A risk becomes an issue
  4. A control fails
  5. A new risk emerges
  6. External conditions change
  7. An incident occurs
  8. A board or trustee review is due

Common mistakes in using risk matrices

Mistake 1: Using vague definitions

If likelihood and impact are not clearly defined, different people will score risks inconsistently.

A score of 4 may mean one thing to one person and something different to another.

Mistake 2: Treating the score as exact science

Risk scoring is judgement based.

A score of 15 is not scientifically precise.

The score should support discussion, not end it.

Mistake 3: Ignoring low likelihood, high impact risks

Some severe risks may be unlikely but still need serious attention.

Examples include major cyber attacks, serious safeguarding failures, fire, contractor insolvency, data loss or health and safety incidents.

Do not ignore severe impact simply because likelihood appears low.

Mistake 4: Scoring everything as high

If every risk is red, the matrix does not help prioritise.

High scoring should be reserved for genuinely serious risks.

Mistake 5: Scoring based on fear rather than evidence

Some risks feel alarming but are well controlled. Others feel routine but are poorly managed.

Evidence and challenge matter.

Mistake 6: Ignoring controls

A risk matrix should distinguish between inherent and residual risk.

If controls are ignored, the assessment may overstate or understate the real position.

Mistake 7: Not considering different impact types

A risk may have modest financial impact but severe reputational or safeguarding impact.

Impact should be assessed broadly.

Mistake 8: Using the same matrix for every context

A generic matrix may not fit every organisation.

A care provider, construction project, charity, software company and retailer may need different impact definitions.

Mistake 9: No link to action

The matrix should lead to decisions.

If nothing changes after the matrix is reviewed, it is not being used properly.

Mistake 10: Not updating the matrix

A risk matrix can become outdated quickly.

Old scores can create false confidence.

Limitations and weaknesses of risk matrices

Risk matrices are useful, but they have limits.

They can oversimplify risk

A risk matrix reduces complex uncertainty into two scores.

That is useful, but it can hide detail.

Some risks have multiple causes, multiple consequences and changing conditions.

They depend on subjective judgement

Likelihood and impact are often estimated.

Different people may score the same risk differently.

A good process should include challenge and evidence.

They can create false precision

A risk score of 16 may not be meaningfully different from a risk score of 15.

The exact number should not be over interpreted.

They may hide risk velocity

Risk velocity means how quickly a risk could affect the organisation.

A cyber attack, safeguarding incident or financial crisis may escalate quickly.

Two risks with the same score may need different responses if one develops much faster.

They may not show interdependencies

Risks are often connected.

For example, staff shortages may increase service quality risk. Poor service quality may increase reputational risk. Reputational risk may affect funding or sales.

A simple matrix may not show these links.

They can be gamed

People may score risks lower to avoid escalation or higher to secure resources.

That is why governance, review and challenge are important.

They do not replace judgement

A matrix supports decision making.

It does not make decisions by itself.

Boards, trustees and managers still need to interpret the results carefully.

Risk matrix compared with other tools

Risk matrix and risk register

The risk matrix scores and prioritises risks.

The risk register records the full management response.

Use the matrix to assess risk.

Use the register to manage it.

Risk matrix and issue log

A risk is something that may happen.

An issue is something that has already happened.

A risk matrix is for uncertainty. An issue log is for active problems.

Risk matrix and SWOT

SWOT identifies strengths, weaknesses, opportunities and threats.

A risk matrix helps assess specific threats in terms of likelihood and impact.

Use SWOT for broad diagnosis. Use a risk matrix for prioritisation.

Risk matrix and PESTLE

PESTLE identifies external factors.

Some PESTLE findings become risks.

For example, a legal change identified in PESTLE may be scored in the risk matrix as a compliance risk.

Risk matrix and scenario planning

Scenario planning explores different futures.

A risk matrix assesses specific risks.

Scenario planning can reveal emerging risks that should be added to the matrix.

Risk matrix and business continuity planning

A risk matrix may identify disruption risks.

A business continuity plan explains how the organisation would respond if disruption occurs.

The matrix helps prioritise. The continuity plan prepares the response.

Risk matrix and internal audit

Internal audit tests controls.

A risk matrix helps identify where audit attention may be needed.

High residual risks may justify audit review.

Alternatives and complementary frameworks

Risk register

Use a risk register to record risks, controls, owners, actions and review dates.

The matrix should usually feed into the register.

Bow tie analysis

Bow tie analysis maps causes, controls and consequences.

Use it for complex risks, especially safety, operational, compliance and cyber risks.

Scenario planning

Use scenario planning where uncertainty is broad and future conditions may change significantly.

Sensitivity analysis

Use sensitivity analysis when financial assumptions need testing.

For example, interest rates, sales volume, wage costs or build costs.

Stress testing

Use stress testing to examine how an organisation would perform under severe but plausible conditions.

Fault tree analysis

Use fault tree analysis for technical or engineering risks where root causes need detailed analysis.

Failure Mode and Effects Analysis

Use Failure Mode and Effects Analysis for process, product, engineering or quality risks.

It examines possible failure modes, effects and controls.

Business continuity plan

Use a business continuity plan for response planning after disruption.

Internal audit review

Use internal audit to test whether controls are actually working.

A practical risk matrix template

A useful risk matrix template should include:

  1. Risk reference
  2. Risk description
  3. Risk category
  4. Cause
  5. Potential impact
  6. Likelihood score
  7. Impact score
  8. Overall score
  9. Risk rating
  10. Existing controls
  11. Residual likelihood
  12. Residual impact
  13. Residual score
  14. Required action
  15. Risk owner
  16. Action owner
  17. Deadline
  18. Review date
  19. Status
  20. Commentary

Example:

Risk reference: R001

Risk description: Because the organisation relies on one major customer for 40% of income, there is a risk that loss of that customer would significantly reduce cash flow and profitability.

Likelihood: 3, Possible

Impact: 5, Severe

Inherent score: 15, High

Existing controls: Regular account management, service review meetings and contract monitoring.

Residual score: 12, High

Action: Develop new customer pipeline and reduce dependency to below 30% within 12 months.

Risk owner: Managing Director

Review date: Monthly
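The scoring method described earlier (Likelihood x Impact, grouped into the 1 to 4, 5 to 9, 10 to 16 and 17 to 25 bands) and the R001 record above, worked through in a short Python implementation. This is an added example, not code from the article. The scales, band table and R001 values are taken from the text; the split of R001's residual score of 12 into likelihood 3 and impact 4, the R002 and R003 entries, the severe-but-unlikely flag and the ordering used by prioritise() are assumptions made here to show how a register might apply the scheme consistently.

```python
"""Likelihood x Impact scoring, banding and inherent/residual rating.

Added illustration, not code from the original article. The scales, the
band table (1 to 4 Low, 5 to 9 Medium, 10 to 16 High, 17 to 25 Very high)
and the R001 record come from the article; the split of R001's residual
score of 12 into likelihood 3 and impact 4, the R002/R003 entries and the
severe-but-unlikely flag are assumptions made here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Minor", 2: "Moderate", 3: "Significant", 4: "Major", 5: "Severe"}

# (inclusive upper bound, rating, typical response), as in the article's band table.
# An organisation with a low appetite for some risks would pass its own bands instead.
DEFAULT_BANDS = (
    (4, "Low", "Monitor"),
    (9, "Medium", "Manage through normal controls"),
    (16, "High", "Action required"),
    (25, "Very high", "Urgent action or escalation"),
)


def score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact, rejecting values outside the five point scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be whole numbers from 1 to 5")
    return likelihood * impact


def rating(risk_score: int, bands=DEFAULT_BANDS) -> tuple[str, str]:
    """Map a score to (rating, typical response) using inclusive upper bounds."""
    for upper, name, response in bands:
        if risk_score <= upper:
            return name, response
    raise ValueError(f"score {risk_score} is outside the matrix")


def heat_map(bands=DEFAULT_BANDS) -> dict[tuple[int, int], str]:
    """Rating for every (likelihood, impact) cell of the five by five grid."""
    return {(lk, im): rating(lk * im, bands)[0] for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int
    impact: int
    controls: list[str] = field(default_factory=list)
    # Residual values default to the inherent ones when no control changes them.
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def inherent(self) -> tuple[int, str]:
        """Score and rating before controls are considered."""
        s = score(self.likelihood, self.impact)
        return s, rating(s)[0]

    def residual(self) -> tuple[int, str]:
        """Score and rating after controls are considered."""
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        s = score(lk, im)
        return s, rating(s)[0]

    def severe_but_unlikely(self) -> bool:
        """Mistake 3 in the article: a low likelihood must not hide a severe impact."""
        return self.impact >= 4 and self.likelihood <= 2


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Highest residual score first; ties broken by impact so severe risks surface."""
    return sorted(risks, key=lambda r: (r.residual()[0], r.impact), reverse=True)


# Constructed register entries. R001 is the article's worked example (residual
# split assumed); R002 and R003 are made up here to show banding and the flag.
REGISTER = [
    Risk("R001", "Loss of the customer providing 40% of income", 3, 5,
         ["Regular account management", "Service review meetings", "Contract monitoring"],
         residual_likelihood=3, residual_impact=4),
    Risk("R002", "Late customer payment", 4, 2, ["Credit control"], residual_likelihood=3),
    Risk("R003", "Cyber incident affecting the finance system", 2, 5,
         ["Offline backups", "Patch management", "Multi factor authentication"],
         residual_impact=3),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        inh, res = r.inherent(), r.residual()
        flag = "  <- severe but unlikely" if r.severe_but_unlikely() else ""
        print(f"{r.ref}: inherent {inh[0]} {inh[1]}, residual {res[0]} {res[1]}{flag}")
```

Running it lists R001 first (inherent 15 High, residual 12 High, as in the article), then R003 ahead of R002 even though both have a residual score of 6, because the tie is broken on impact; R003 is also flagged as severe but unlikely, which is the kind of prompt the colour alone would not give.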

Questions to ask when using a risk matrix

Likelihood questions

  1. How likely is the risk to happen?
  2. Has it happened before?
  3. Has it nearly happened?
  4. Is it happening in similar organisations?
  5. Are conditions making it more likely?
  6. Are controls reducing the likelihood?
  7. Is likelihood increasing or decreasing?
  8. What evidence supports the score?
  9. Are we being too optimistic?
  10. Are we being too cautious?

Impact questions

  1. What would happen if the risk occurred?
  2. What would the financial impact be?
  3. What would the operational impact be?
  4. Would customers or service users be affected?
  5. Would staff be affected?
  6. Would there be legal or regulatory consequences?
  7. Would reputation be damaged?
  8. Would safety or safeguarding be affected?
  9. Would the strategy be delayed or damaged?
  10. What is the worst credible impact?

Control questions

  1. What controls already exist?
  2. Are controls documented?
  3. Are controls working?
  4. When were they last tested?
  5. Who owns the controls?
  6. Are controls proportionate?
  7. Are there gaps?
  8. Could controls fail?
  9. Is residual risk still too high?
  10. What further action is needed?

Prioritisation questions

  1. Which risks are highest rated?
  2. Which risks are outside appetite?
  3. Which risks need urgent action?
  4. Which risks need board or trustee review?
  5. Which risks can be monitored?
  6. Which risks need more evidence?
  7. Which risks are increasing?
  8. Which risks are linked?
  9. Which risks need resources?
  10. Which risk should be discussed first?

Governance questions

  1. Who approves the scoring method?
  2. Who reviews the matrix?
  3. How often is it updated?
  4. Who challenges the scores?
  5. How are risks escalated?
  6. How are actions tracked?
  7. Does the matrix link to the risk register?
  8. Does it inform board reporting?
  9. Does it inform audit planning?
  10. Is it being used for real decisions?

The best way to think about a risk matrix

A risk matrix is not a prediction tool.

It is a prioritisation tool.

A good risk matrix should be:

  1. Clear
  2. Simple
  3. Evidence informed
  4. Consistent
  5. Linked to objectives
  6. Linked to controls
  7. Connected to action
  8. Regularly reviewed
  9. Challenged properly
  10. Used in decision making

A weak risk matrix says:

“This risk is red, this risk is amber, this risk is green.”

A strong risk matrix asks:

“What does this rating tell us about priority, control, ownership, escalation and action?”

The key question is not simply:

What score should this risk have?

The better question is:

What does the score tell us about what we should do next?

Conclusion: a risk matrix turns risk assessment into clear priorities

A risk matrix remains useful because organisations need a simple way to assess and compare risks.

It helps managers, trustees, boards and project teams understand which risks are most likely, which would have the greatest impact, and which need urgent attention.

Used badly, a risk matrix becomes a colourful box ticking exercise.

Used properly, it becomes a practical management tool. It supports prioritisation, challenge, governance and action.

The real value is not in the colours or the score.

The real value is in the decisions that follow.

A strong risk matrix helps an organisation move from saying, “We have identified the risks,” to asking, “Which risks matter most, are they properly controlled, and what action is needed now?”
