Risk Assessment Matrix Calculator
Build a configurable 3×3, 4×4, or 5×5 risk matrix, score your risks by likelihood and impact, and instantly see color‑coded risk ratings.
1. Configure your matrix
Use 5×5 for more granularity, 3×3 for quick, high‑level assessments.
Scores above High are treated as Critical.
2. Interactive risk matrix
Click a cell to add a risk with that likelihood and impact.
3. Risk register
| # | Risk | Owner | Likelihood | Impact | Score | Rating | Notes | Actions |
|---|---|---|---|---|---|---|---|---|
How the risk assessment matrix works
A risk assessment matrix is a simple but powerful way to prioritize risks by combining how likely they are to happen with how severe their impact would be. This calculator lets you:
- Choose a 3×3, 4×4, or 5×5 matrix.
- Define your own likelihood and impact scales.
- Set thresholds for Low, Medium, High, and Critical risk.
- Maintain a risk register with owners and notes.
- Export your risks to CSV for reporting.
Risk score formula
Risk score = Likelihood × Impact
Each likelihood and impact level is mapped to a numeric value (1 to N). For example, in a 5×5 matrix:
- Likelihood: 1 = Rare, 5 = Almost certain
- Impact: 1 = Insignificant, 5 = Catastrophic
If a risk has Likelihood = 4 and Impact = 5, then the score is 4 × 5 = 20. The calculator then compares 20 to your thresholds to assign a rating.
Default rating bands
You can adjust these in the tool, but a common configuration for a 5×5 matrix is:
- Low: 1–4
- Medium: 5–9
- High: 10–16
- Critical: 17–25
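The scoring and banding described above, as an added Python example (not the calculator's own code). The function names, the dictionary layout and the sample register are assumptions; the band limits are the 5×5 defaults listed above, treated as inclusive upper bounds, with anything above the High bound rated Critical.

```python
import csv
import io

# Inclusive upper bounds per band for a 5x5 matrix (the defaults listed above).
# Any score above the High bound is rated Critical.
DEFAULT_BANDS_5X5 = {"Low": 4, "Medium": 9, "High": 16}


def rate(likelihood, impact, size=5, bands=DEFAULT_BANDS_5X5):
    """Return (score, rating) for one risk on a size x size matrix."""
    for name, level in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(level, int) or not 1 <= level <= size:
            raise ValueError(f"{name} must be an integer from 1 to {size}")
    low, medium, high = bands["Low"], bands["Medium"], bands["High"]
    if not 0 < low < medium < high < size * size:
        raise ValueError("band bounds must increase and leave room for Critical")
    score = likelihood * impact
    for rating, upper in (("Low", low), ("Medium", medium), ("High", high)):
        if score <= upper:
            return score, rating
    return score, "Critical"


def build_matrix(size=5, bands=DEFAULT_BANDS_5X5):
    """Grid of ratings: rows are likelihood 1..size, columns are impact 1..size."""
    return [[rate(lk, im, size, bands)[1] for im in range(1, size + 1)]
            for lk in range(1, size + 1)]


def register_to_csv(risks, size=5, bands=DEFAULT_BANDS_5X5):
    """Score every risk, sort highest score first, and return CSV text."""
    rows = []
    for r in risks:
        score, rating = rate(r["likelihood"], r["impact"], size, bands)
        rows.append({**r, "score": score, "rating": rating})
    rows.sort(key=lambda row: row["score"], reverse=True)
    out = io.StringIO()
    fields = ["risk", "owner", "likelihood", "impact", "score", "rating"]
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample register (hypothetical risks, not from the page).
SAMPLE = [
    {"risk": "Laptop theft", "owner": "IT", "likelihood": 3, "impact": 2},
    {"risk": "Unpatched VPN gateway", "owner": "NetOps", "likelihood": 4, "impact": 5},
]
```

For a 3×3 or 4×4 matrix, pass `size` together with bands that fit below `size * size`; the 5×5 defaults are rejected for smaller grids because they would leave no Critical range.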
Best practices for using a risk matrix
1. Define clear scales
Ambiguous labels like “likely” or “major” lead to inconsistent scoring. Instead, define each level with concrete criteria, such as:
- Likelihood: frequency per year, probability range, or number of occurrences per project.
- Impact: financial loss ranges, downtime duration, safety consequences, or regulatory effects.
2. Separate inherent and residual risk
Many organizations score risks twice:
- Inherent risk: before considering existing controls.
- Residual risk: after considering controls and mitigations.
You can capture this by adding two entries per risk or by using the notes field to document control effectiveness.
3. Use the matrix to drive action
The goal is not just to color cells, but to decide what to do:
- Critical: immediate mitigation, contingency plans, and executive visibility.
- High: prioritized mitigation with clear owners and deadlines.
- Medium: monitor and mitigate where cost‑effective.
- Low: accept and review periodically.
4. Understand limitations
Risk matrices are qualitative and can be subjective. For high‑stakes decisions (e.g., safety, major investments), complement the matrix with:
- Quantitative risk analysis (expected loss, Monte Carlo simulations).
- Scenario analysis and stress testing.
- Expert judgment and cross‑functional reviews.
FAQ
What is a risk assessment matrix?
A risk assessment matrix is a grid that maps the likelihood of a risk event against its potential impact. Each cell in the grid corresponds to a risk score and rating (Low, Medium, High, Critical), helping teams quickly see which risks require the most attention.
Which matrix size should I use: 3×3, 4×4, or 5×5?
- 3×3: good for small projects or when you need a very simple view.
- 4×4: a balance between simplicity and nuance.
- 5×5: common in enterprise risk management, safety, and compliance programs where more granularity is needed.
Can I customize likelihood and impact labels?
Yes. While this tool focuses on the numeric engine and visualization, you can define your own labels and criteria in your policy or risk register. Many teams use labels like Rare, Unlikely, Possible, Likely, Almost Certain for likelihood and Minor, Moderate, Major, Severe, Catastrophic for impact.
How often should I update my risk matrix?
Update your matrix whenever there is a significant change in your environment, such as new projects, regulations, systems, or incidents. Many organizations review key risks at least quarterly and after major changes or incidents.
Can I export and share the results?
Yes. Use the Export CSV button above the risk register to download your current risks. You can then import the file into Excel, Google Sheets, or your GRC tool, or attach it to audit and board reports.