A 5×5 risk matrix (likelihood × impact) is one of the most common tools in enterprise risk management. Used well, it prioritizes risks and supports consistent decisions. Used poorly, everything ends up red—or everything green. This guide covers best practices for building and using a 5×5 matrix.
Why Use a Risk Matrix?
- Consistency: Everyone assesses likelihood and impact on the same scale.
- Prioritization: Higher scores get more attention and resources.
- Communication: Boards and executives understand a simple grid better than raw numbers.
- Traceability: You can link each risk to controls and treatment plans.
| L \ I | I5 | I4 | I3 | I2 | I1 |
|---|---|---|---|---|---|
| L1 | 5 | 4 | 3 | 2 | 1 |
| L2 | 10 | 8 | 6 | 4 | 2 |
| L3 | 15 | 12 | 9 | 6 | 3 |
| L4 | 20 | 16 | 12 | 8 | 4 |
| L5 | 25 | 20 | 15 | 10 | 5 |
Green: low · Yellow: medium · Orange: high · Red: extreme. Calibrate scales to your risk appetite.
Defining Likelihood and Impact
Likelihood (1–5 or 1–4)
Define what each level means in your context. For example:
| Level | Meaning (example) |
|---|---|
| 1 | Rare: has not occurred in the industry in recent memory |
| 2 | Unlikely: could occur but not expected in the short term |
| 3 | Possible: has occurred in similar organizations |
| 4 | Likely: expected to occur at least once in the planning horizon |
| 5 | Almost certain: will occur or is already occurring |
Calibrate against your industry and your own incident history. Avoid vague terms; use a frequency or probability range for each level where you can.
Impact (1–5 or 1–4)
Define impact in terms that matter to your organization: financial loss, reputational damage, regulatory sanction, safety, strategic delay. For example:
| Level | Meaning (example) |
|---|---|
| 1 | Negligible: minimal effect on objectives |
| 2 | Minor: localized impact, easily contained |
| 3 | Moderate: significant impact on one function or project |
| 4 | Major: serious impact on strategy or multiple functions |
| 5 | Severe: existential or regulatory/critical failure |
Use the same scale for inherent risk (before controls) and residual risk (after controls) so you can show risk reduction.
Calibrating to Risk Appetite
Your risk appetite defines how much risk you're willing to accept. Use it to set the thresholds for your matrix:
- Green: Within appetite; monitor.
- Yellow/Amber: Requires review; may need treatment or acceptance with explicit approval.
- Red: Beyond appetite; must be reduced or escalated.
If everything is red, your scales may be too harsh or your appetite too low. If everything is green, you may be under-assessing or your scale may be too loose. Revisit definitions and appetite with the board and risk owners.
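The scoring, banding, inherent-versus-residual comparison and calibration check described above, as an added worked example (not code from the page or from ActiveERM). The band cut-offs on the 1..25 score and the sample risk register are assumptions for illustration; the point of the text is that you set the cut-offs from your own appetite.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Band cut-offs on the 1..25 product score. An assumed example calibration only;
# the page says to set these from your own risk appetite.
BANDS = (("green", 1, 4), ("yellow", 5, 9), ("orange", 10, 15), ("red", 16, 25))

def score(likelihood: int, impact: int) -> int:
    """Cell value of the 5x5 matrix: likelihood x impact, each on 1..5."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers in 1..5")
    return likelihood * impact

def band(value: int, bands=BANDS) -> str:
    """Map a matrix score to its colour band."""
    for name, lo, hi in bands:
        if lo <= value <= hi:
            return name
    raise ValueError(f"score {value} is outside every band")

@dataclass
class Risk:
    name: str
    inherent: Tuple[int, int]  # (likelihood, impact) before controls
    residual: Tuple[int, int]  # (likelihood, impact) after controls

    def reduction(self) -> int:
        """Risk reduction the matrix shows: inherent minus residual score."""
        return score(*self.inherent) - score(*self.residual)

def heat_map(risks: Iterable[Risk], residual: bool = True, bands=BANDS) -> Dict[str, int]:
    """Count risks per band on the residual (default) or inherent view."""
    counts = Counter(band(score(*(r.residual if residual else r.inherent)), bands) for r in risks)
    return {name: counts.get(name, 0) for name, _, _ in bands}

def calibration_warning(distribution: Dict[str, int], share: float = 0.8) -> Optional[str]:
    """Flag the 'everything red / everything green' symptom the text warns about."""
    total = sum(distribution.values())
    for name, n in distribution.items():
        if total and n / total >= share:
            return f"{n}/{total} risks sit in {name}: revisit scale definitions or appetite"
    return None

SAMPLE_RISKS = [  # constructed sample register, not real data: inherent, then residual
    Risk("Ransomware on file servers", (4, 5), (2, 5)),
    Risk("Phishing credential theft", (5, 4), (3, 3)),
    Risk("Vendor SLA breach", (3, 3), (2, 3)),
    Risk("Office power outage", (2, 2), (1, 2)),
]
```

Running `heat_map(SAMPLE_RISKS, residual=False)` against `heat_map(SAMPLE_RISKS)` shows the two red inherent risks dropping to orange and yellow once controls are scored, which is the risk-reduction view the text asks for.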
Linking to Treatment and Ownership
A matrix is only useful if it drives action:
- Treat: Reduce likelihood or impact with controls; reassess residual risk.
- Tolerate: Accept within appetite; document and monitor.
- Transfer: Insure or contractually shift risk.
- Terminate: Stop the activity or exit the risk.
Assign an owner and a review date to each risk. In a risk platform like ActiveERM, the matrix is live: when you add controls or incidents, you can update residual risk and see the heat map change. That keeps your view current and supports key risk indicators (KRIs) and reporting.
For more on risk assessment and ERM, see our Risk OS and GRC Cloud pages.