Your risk matrix should serve as the cornerstone for understanding when your business should do something about a risk and who should be informed should it materialize.

What is an Impact and Likelihood Risk Matrix?

An impact and likelihood risk matrix is the fundamental tool used to assess your risks.  A risk is any event that can introduce uncertainty in your ability to meet your business objectives.

risk matrix

Your matrix helps you think about a risk from two perspectives: the likelihood of it occurring and the impact should it occur.

A well thought out impact and likelihood risk matrix can make your risk management process simpler in the long run.  But it does take some time and effort to get it right before you can realize its benefits.


Why is a Risk Matrix important?

Your risk matrix serves many purposes, including:

  1. Aiding in the setting of your personalized risk and appetite levels
  1. Assessing the risk level of potential and actual risks, and
  1. Assessing what mitigation steps could be taken

For this reason, it is essential that you take the time to fully consider the factors that drive the building of this matrix.

Considering Your Impact Categories

When you are defining your impact categories, consider the various types of impacts a risk could have on your organization. 

Ask the ‘so what’ question to articulate why you would care about a risk event materializing.

  • The most common impact is a monetary loss. This is the direct loss sustained from the risk event.
  • You may also have a regulatory compliance aspect – where the risk event could result in you not complying with rules and regulations.
  • Also, consider the groups of people who could affect your business if their perception of your business deteriorated due to a risk event. 

These could be your customers, business suppliers, and employees, for example.

You can probably think a several other ‘so whats’ relevant for your organization. Try to be as comprehensive as you can.

Considering Your Impact Thresholds

Even though a risk has materialized, its impact may not be meaningful for your organization.  Therefore, it is important to understand your impact pain points – that is, when do you start to care and take action on the risk. 


This is totally unique to your organization.  It helps to think about it in terms of who you would notify when a risk event happened and at what point.

Start from the extremes, that is, the point when no one cares to the other end of the spectrum when everyone cares – such as a crisis situation! Then define the escalation points in between.  This could be registering the event in a risk register or informing the CEO or the Board. It is ideal if you can identify at least 3 to 6 escalation thresholds.

risk matrix

Using the impact categories identified, define the scenarios that would align with each escalation threshold. 

For example, a risk event that led to a certain monetary loss value would require that the event be registered in a risk event register. If it exceeded that amount, it would require escalation to the CEO, and so on.

What are your likelihood scales?

The other dimension of your risk matrix is your likelihood scales.  This is when you think about the frequencies likely for a risk to occur in your organization. This could be daily, weekly, monthly, quarterly, and so on.

It can be tricky to narrow the likelihood scales identified to a reasonable number.  Most of the identification points should occur within the current year because that is the time period you are making risk management decisions about the risk. 

risk matrix

However, you do want to identify likelihood frequencies beyond a year as well to capture those risks that are very unlikely to occur but would have a high impact if they did.  Before the corona virus, most organizations considered a pandemic as such a risk. If they had a good risk matrix, they were able to use their matrix to monitor and manage this risk and similar risks on an ongoing basis.

Creating the Risk Matrix

This is where the fun begins! 

Once you have identified your impact escalation points and your likelihood frequencies, you can build your risk matrix by plotting the impact and likelihood points on the x and y axis.  It doesn’t matter which axis you use for the impact and likelihood thresholds – just be consistent.  Doing this will create a multifaceted grid with all the impact and likelihood combinations you have identified.


Consider each combination and determine what type of risk that represents to you – high, medium, low, etc. It is helpful to use a color coding system to visualize the grid.

risk assessment matrix

It is common practice to use shades of red, amber, green to visually classify your risks but that is not important. 

Using the red, amber, green scale is simple but it can also be associated with bad, medium, and good messages and you may not want to convey that a high risk is necessarily bad. 

Actually, for some risks you might want to take on a high risk level based on the reward trade-off and it may not be appropriate to signal that this is a bad thing.  For this reason, you might want to consider using shades of blue, grey, etc., for example.

And there you have it. Once you have color coded the combinations, you have defined your risk levels and appetite levels. 

Congratulations! Start managing your risks better.

risk matrix

Visit our YouTube Channel

You can also view this video for more guidance:

Learn more about Optimized Risk Management.