1. Home
  2. Smartpedia
  3. Risk Matrix

What is a Risk Matrix?

Smartpedia: A risk matrix displays a number of risks depending on their probability of occurrence and potential impact. It represents the risk situation and is an instrument of risk communication.

Risk Matrix Definition

A risk matrix visualises a number of risks, usually in relation to their probability of occurrence and potential impact. It is a graphical representation of the identified risk situation. The positioning of the risks enables a comparison of the risks and is the basis for the definition of measures to minimise the main risks.

The risk matrix (and its synonyms risk diagram, risk graph, risk map, risk portfolio and risk profile) is often described as the result of risk analysis. However, this is not completely correct, because a risk analysis is not a one-time but an ongoing activity in a project. The extent of damage and the probability of occurrence often change over the course of the project. In addition, new risks emerge that were not present at the beginning of the project or were overlooked. Thus, the risk matrix is a working tool that documents the status of the risk analysis and serves as a basis for the definition of risk minimising measures.

Risk Matrix - risks in relation of the probability of occurrence and impact

Variants of the Visualisation

Due to the simplicity of the representation with the colour ranges green for acceptable, yellow for tolerable and red for inacceptable, a risk matrix can be understood without prior knowledge. The colours of the fields symbolise the priority with which countermeasures for risks should be taken. What exactly a risk matrix looks like is not standardised: 

  • The names of the axes in the diagram can vary.
  • The number and naming of the gradations in the extent of damage can vary: e.g. with three levels “1, 2, 3” or “low, medium, high” or five levels from “low to critical” or with percentages from 0-20% to 81-100%).
  • And the number and naming of probabilities of occurrence can also vary: e.g. with three levels “low, medium, high”, with four levels “very low, low, medium, high” or with five levels “impossible, unlikely, possible, probable, very probable”.
  • Effects such as the level of image loss, the loss of market share or the degree of employee satisfaction can be represented.


Risk Matrix in Practice

From Risk Identification to Risk Matrix

Before you can evaluate a risk and illustrate it in the risk matrix, you must first identify it. Risk identification is a process for systematically identifying and collecting potential risks that may affect a company, a project, a venture or a development. The aim of risk identification is to record internal and external sources of risk as completely and continuously as possible.

The following help in identifying risks

  • experience from previous projects,
  • an exchange between management, project leadership and the project team,
  • the questioning of external experts or knowledgeable staff,
  • and, if necessary, orientation on existing risk assessments.

Of course, risk diagrams from previous projects should never be used one-to-one without checking and revising them, but they too can be a good source for identifying risks.

The ALARP Principle

ALARP is an acronym and means “As Low As Reasonably Practicable”. Freely interpreted, ALARP is a principle of risk reduction. According to this principle, the extent of damage and the probability of a risk occurring should be reduced, taking into account a reasonable financial and technical effort, in such a way that the maximum degree of safety is guaranteed. Risks that lie within the unacceptable range of the risk matrix must be brought into the ALARP area by means of risk-reducing measures. Risks that lie within the ALARP range are often considered tolerable. Risks that lie within the acceptable range of the risk matrix are usually only observed.

Questions on the Design of the Risk Matrix

To design a risk matrix you have to answer various questions.

  • Do you use a quantitative or qualitative classification? If you have sufficient data to make a quantitative assessment of the probability of occurrence, you should choose a quantitative classification. If you only have imprecise, quantitative data, you should prefer a qualitative classification.
  • How many levels do you use per criterion and how do you name these levels?
  • Do you use units as reference values (e.g. probability of occurrence per time unit, use case, patient)?

Of course, you can also correct your decisions based on new considerations during the course of a project, but this may also lead to a reassessment of the risks.

Advantages of the Risk Matrix

The use of risk diagrams offers a number of advantages:

  • They are ideal for visualising and communicating risk assessments.
  • They give a good impression of the number and criticality of risks.
  • They promote a common understanding of risk in the organisation and increase both transparency in dealing with risks and risk sensitivity.
  • They are flexibly adaptable, so that different contexts in the evaluation of risks – e.g. probability of occurrence and potential damage to the company’s image – can be presented.
  • They are suitable for both quantitative statements (e.g. monetary levels of a potential loss) and qualitative statements (e.g. “serious” and “existence-threatening”).


Disadvantages of the Risk Matrix

There are also a number of disadvantages in the use of risk graphs:

  • It is not possible to derive an overall risk from the presentation, but it can be significant for the implementation of a project.
  • Qualitative and quantitative statements are limited because many risks with low probabilities and low impact can have the same effect as a risk with high probability and high impact.
  • In practice, a risk map is only suitable for displaying a limited number of risks, otherwise the clarity would be lost. In this case, it is advisable either to visualise only selected risks (e.g. top ten risks) or to work with several risk diagrams.
  • Changes in the assessment of risks cannot be traced because the illustration is a snapshot.


Challenges in Companies

The Flexible Use of the Risk Matrix

A risk matrix is a tool that facilitates the communication of risk assessments. It does not contain statements on an organisation’s risk appetite, nor does it visualise an overall risk or support the tracking of risks. Operational risk management often requires the calculation of key risk figures, the categorisation of risk causes and the structured work with sorted risk lists. However, since risk diagrams are not standardised, they can also be adapted flexibly. Simply visualize where your organisation’s risk appetite runs with a red line in the chart. Supplement risks with additional key figures or note down measures to minimise the probability of occurrence. You have the freedom to do this. Use your risk matrix in such a way that it gives you the best possible benefit.

Impulse to discuss:

Does it show the company’s willingness to take risks?


Here you can find a German video tutorial on how to create a risk matrix with Excel.

Here you will find additional information from our blog:

t2informatik Blog: The Principle of Effectuation

The Principle of Effectuation

t2informatik Blog: From "Dismissed" to Error Culture

From “Dismissed” to Error Culture

t2informatik Blog: Strategic Scope Management

Strategic Scope Management