
April 1, 2026 • 26 min read
Risk assessment matrix: Overview and guide

Vice Vicente
Key Takeaway: A risk assessment matrix plots likelihood against impact to rank risks as low, moderate, or high. In 2026, practitioners are extending matrices to cover AI, third-party, and ICT risk under NIST CSF 2.0, DORA, and the new COSO generative AI guidance. Quarterly refreshes — or continuous monitoring for high-velocity risks — are now the practitioner standard.
Risk assessment matrices remain the workhorse of qualitative risk prioritization across cybersecurity risk management, fraud risk, and operational resilience programs. What has changed over the past couple years is the scope: NIST CSF 2.0 added a "Govern" function in February 2024, DORA's ICT third-party register became mandatory in January 2025, and the February 2026 COSO guidance on generative AI pushes teams from point-in-time scoring to continuous monitoring. This guide walks through how to build, score, and maintain a matrix that holds up to current framework and regulator expectations.
What is a risk assessment matrix?
A risk assessment matrix — also called a probability and severity or likelihood and impact matrix — is a visual tool that ranks potential risks by plotting two intersecting factors: the likelihood a risk event will occur and the potential impact if it does. The grid converts subjective judgment into a defensible, color-coded ranking auditors and management can act on.
Depending on likelihood and severity, risks are categorized as high, moderate, or low. As part of the risk management process, companies use risk matrices to prioritize risks and develop an appropriate mitigation strategy. Matrices work at both the project level and the enterprise level.
Take COVID-19 as a worked example. Supply-chain disruption was a high-level enterprise risk — high probability of occurring and significant business impact. At the project level, COVID-19 created "key person" and timeline risk if a critical team member was out for an extended period. The likelihood and impact may differ at each level, but the matrix logic is the same.
Even unusual risk events can carry severe consequences. A fatal workplace injury is rare in most industries but is high-impact and reportable to OSHA. That is why building an accurate picture of the full risk landscape — rare events included — is foundational to any credible risk management plan.
Hazard vs. risk: a quick terminology note
In safety, operational, and compliance contexts, a hazard is the source or condition that could cause harm (an unpatched server, an unvetted vendor, a loose contract clause), while a risk is the combination of likelihood and impact if that hazard is realized. Matrices evaluate risks, not hazards — hazard identification is step one of the assessment process.
How does a risk matrix work?
Risks come in many forms: strategic, operational, financial, and external. A risk assessment matrix presents these risks on a chart, color-coded by severity — high in red, moderate in yellow, low in green. Every matrix has two axes: one for likelihood of occurrence and one for impact.
Likely risk events may have a 61% to 90% chance of occurring, while highly unlikely events are extremely rare, with a less than 10% chance of occurring. Depending on the business and its risk appetite, an insignificant impact may cause negligible damage — such as a loss of less than $1K — while a catastrophic impact might create losses of $1M or more.
By grading the risk event's likelihood and impact, the matrix provides a quick snapshot of the threat landscape. With that picture in front of them, audit, risk, and compliance professionals can foresee and plan around the events most likely to disrupt business objectives.
Why is a risk matrix important?
A risk matrix gives organizations a structured view of their risk environment so they can mitigate exposures before they materialize. The magnitude and complexity of business risks continues to grow. The European Banking Authority's December 2025 Risk Assessment Report identifies elevated operational risks for financial institutions, driven by cyber/ICT threats, fraud, and legal exposures — a pattern that mirrors what enterprises across sectors are now contending with:

Image: KPMG 2024 Key Risk Areas
The matrix is critical to risk management for three reasons:
1. Easy prioritization of risks
Not all risks are equal. A matrix lets you rank the most severe risks your company faces, so resources track to exposure. Every company must accept some level of risk to operate, but calibrated, analysis-backed risk-taking is what separates a defensible program from a reactive one.
Some operational risks — reputational damage from a data breach, or a sharp rise in operating costs after a natural catastrophe — must be prioritized ahead of lower-tier exposures. Rating and color-coding these risks lets audit, risk, and compliance teams identify the most pressing threats and plan accordingly.
2. Targeted strategy for managing risks
Just as risks differ in likelihood, they differ in impact. A matrix concentrates attention and resources on the highest-impact events — the ones that can erase the most value. From a project management perspective, a brief workflow bottleneck creates little impact if there is float built into the schedule. A cost risk that materially escalates the project budget, by contrast, requires a targeted mitigation plan.
Murphy's law applies: what can go wrong will go wrong. Planning for cost risk from factors like scope creep keeps projects on track, and the matrix is what makes that planning systematic rather than ad hoc.
3. Real-time view of the evolving risk environment
Risks are emergent and recurring. The matrix lets you identify specific risks, score their probability and severity, and maintain a current view of the environment.
While emergent risks are unknowable by definition, organizations can spot areas of strategic vulnerability by strengthening their enterprise risk management processes. Watching for early warning signs and trigger events helps maintain business continuity in an increasingly dynamic risk landscape.
Strategic risk assessment tools like the matrix also let companies track patterns of risk — threats that are likely to recur and therefore demand a year-over-year mitigation strategy.
How to build a risk assessment matrix
Creating a matrix does not require specialized software. A spreadsheet in Google Sheets or Microsoft Excel will do, and many teams start with a template before graduating to a GRC platform. There are four core steps, with a fifth (monitoring) covered under maintaining the matrix later in this guide.

Step 1: Identify the risk landscape
Develop a comprehensive picture of the total risk landscape. Project risks differ in category and remediation strategy from enterprise-level or macro-level risks. Project teams should tailor their focus based on the scope of their assessment.
Hold brainstorming sessions with key stakeholders to mine insights and generate the list of risks that becomes the foundation of the matrix. Risk analysis is subjective by nature, so broad stakeholder input minimizes the chance of missing something material.
Categorize risks across these four buckets:
- Strategic risk: risks tied to failed business decisions.
- Operational risk: risks tied to breakdowns in internal processes or procedures.
- Financial risk: risks tied to financial loss.
- External risk: risks tied to uncontrollable sources.
Increasingly, programs add a fifth category for technology and AI risk — covering cyber, model risk, third-party AI, and "shadow AI" (uncontrolled, undocumented AI adoption). The February 2026 COSO generative AI guidance recommends maintaining an ongoing GenAI use-case inventory with named owners as a baseline practice.
Begin with the highest-level risks tied to business functions, then narrow to specific processes within those functions, such as supplier management. Carry forward prior risks that have already been identified.
Step 2: Determine the risk criteria
After brainstorming, define the criteria you will use to evaluate risks. Matrices typically use two intersecting criteria:
- Likelihood: the level of probability (x-axis) that the risk will be realized.
- Impact: the level of severity (y-axis) if the risk is realized.
Consensus on the criteria matters. It shapes the math behind the matrix and the mitigation conversations that follow. Accurate measurement is the foundation of credible risk management.
Step 3: Assess the risks
Score each risk against the criteria using a predefined qualitative scale, anchored to a recognized standard such as ISO/IEC 27005:2024 for information security risk. The simplest version is a three-tier scale:
- High risk
- Moderate/Medium risk
- Low risk
A 5×5 scale is also common, with 1 representing extremely low risk and 5 representing extremely high risk. The added granularity helps differentiate "moderate" risks that would otherwise collapse into the same cell and supports more precise resource allocation.
Organizations can adopt a 3×3 or 5×5 template, or build their own. Best practice requires at least three categories for both probability and impact.

Calculating a risk score
Many teams derive a composite risk score by multiplying the likelihood score by the impact score (Likelihood × Impact = Risk Score). On a 5×5 matrix, scores range from 1 to 25, with cutoffs typically set at 1–6 (low/green), 7–14 (moderate/yellow), and 15–25 (high/red).
For example, a data breach assessed at Likelihood = 3 (Possible) and Impact = 4 (Major) yields a score of 12. Under the cutoffs above that is the top of the moderate/yellow band, not the red zone; the same breach reassessed as Likely (4) scores 16 and crosses into high. Scores within one step of a cutoff are exactly where calibration disputes arise, so record the cutoffs the program uses and apply them mechanically rather than promoting a risk by judgment after it has been scored.
Some organizations apply weighting to elevate certain risk categories — for instance, weighting cyber or third-party risks more heavily for a project where those exposures dominate. Any weighting methodology, score cutoff, or change in approach should be documented in policy and procedure so the matrix remains auditable.
Step 4: Prioritize the risks
Compare the risk rankings (high, medium, low) against the criteria (likelihood and impact). Prioritize risks with the highest combined likelihood and impact, and build a risk assessment plan to mitigate them.
The risk landscape is constantly evolving, so the matrix should be refreshed multiple times a year — at least annually under most frameworks, with quarterly reviews the practitioner standard. Failing to update the risk assessment strategy means missing the emerging risks most likely to disrupt continuity.
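The four steps above, carried through end to end. The following Python is an added example, not code from the page or from any GRC product. It applies the article's five-level scales and the 1–6 / 7–14 / 15–25 cutoffs, checks that the cutoffs are contiguous (a gap or overlap in the bands is the usual reason two reviewers disagree about whether a 12 is "high"), and then adds two things the text mentions but does not show: category weighting (an assumed weight of 1.5 on a technology/AI category) and a severity floor (an assumed policy rule that never lets an Impact = 5 risk rank below moderate, which is how rare-but-fatal events stay on the mitigation plan). The register rows are constructed for illustration.

```python
"""Qualitative risk register scoring: Likelihood x Impact, banding,
optional category weighting, a severity floor, and a ranked output.

Added example. The register rows, the category weights and the
severity-floor rule are assumptions for illustration, not the article's data.
"""
from dataclasses import dataclass

# Five-level scales from the article (1..5 per axis).
LIKELIHOOD = {"Highly unlikely": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Highly likely": 5}
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5}
MAX_SCORE = 5 * 5
# Inclusive (low, high, label) cutoffs over 1..25, as given in the article.
BANDS = [(1, 6, "Low"), (7, 14, "Moderate"), (15, 25, "High")]


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    likelihood: str
    impact: str


def validate_bands(bands, max_score=MAX_SCORE):
    """True only if the bands are contiguous, non-overlapping and cover 1..max_score."""
    expected_low = 1
    for low, high, _label in sorted(bands):
        if low != expected_low or high < low:
            return False
        expected_low = high + 1
    return expected_low == max_score + 1


def band_for(score, bands=BANDS):
    for low, high, label in bands:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} falls outside every band")


def score_risk(risk, weights=None, severe_floor="Moderate"):
    """Return (raw, weighted, band).

    weighted = raw * category weight, rounded and capped at MAX_SCORE so the
    same bands still apply. severe_floor (assumed policy rule) never lets an
    Impact = 5 risk land in a band below the floor, whatever its likelihood.
    """
    weights = weights or {}
    raw = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    weighted = min(MAX_SCORE, round(raw * weights.get(risk.category, 1.0)))
    band = band_for(weighted)
    if severe_floor and IMPACT[risk.impact] == 5:
        order = [label for _, _, label in sorted(BANDS)]
        if order.index(band) < order.index(severe_floor):
            band = severe_floor
    return raw, weighted, band


def prioritize(register, weights=None):
    """Rank the register: highest weighted score first, ties broken by impact,
    because equal-score risks with the higher impact are the ones a matrix
    tends to underweight."""
    if not validate_bands(BANDS):
        raise ValueError("band cutoffs must be contiguous and cover 1..25")
    rows = []
    for r in register:
        raw, weighted, band = score_risk(r, weights)
        rows.append({"name": r.name, "category": r.category, "impact": IMPACT[r.impact],
                     "raw": raw, "weighted": weighted, "band": band})
    rows.sort(key=lambda row: (row["weighted"], row["impact"]), reverse=True)
    return rows


# Constructed register; the category weight below is an assumption.
REGISTER = [
    Risk("Customer data breach", "Technology/AI", "Possible", "Major"),
    Risk("Key supplier insolvency", "External", "Likely", "Moderate"),
    Risk("Fatal workplace injury", "Operational", "Highly unlikely", "Severe"),
    Risk("Scope creep on migration project", "Strategic", "Likely", "Minor"),
    Risk("Minor invoice coding errors", "Financial", "Highly likely", "Negligible"),
]
WEIGHTS = {"Technology/AI": 1.5}

if __name__ == "__main__":
    for row in prioritize(REGISTER, WEIGHTS):
        print(f"{row['name']:<36} raw={row['raw']:>2} weighted={row['weighted']:>2} {row['band']}")
```

Note what the output shows: the data breach scores 12 raw, which is moderate under these cutoffs, and only the documented 1.5 category weight lifts it to 18 and into the high band; the fatal injury scores 5 and would sit in the low band without the severity floor.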
Choosing between a 3×3 and a 5×5 matrix
The two dominant scales under IEC 31010 and PMI guidance are 3×3 and 5×5. The right choice depends on program maturity and the precision your audit and risk decisions require.
- 3×3 matrix: nine likelihood/impact combinations. Best for smaller organizations, early-stage programs, or quick project-level triage where speed and stakeholder consensus matter more than granularity.
- 5×5 matrix: 25 combinations. Preferred for enterprise risk management, regulated industries, and any program that needs to differentiate between "moderate" risks that would look identical on a 3×3.
- 4×4 matrix: 16 combinations. Used by some teams specifically to force a decision by eliminating the neutral middle tier.
How to determine the likelihood of a risk occurring
Determining likelihood is essential — mis-score the probability and you forfeit the chance to prevent avoidable losses.
Most companies use the following five categories on a 5×5 matrix:
- Highly likely. Almost certain to occur. Typically risks with 91% or more likelihood.
- Likely. A 61%–90% chance of occurring. These risks need regular attention and a consistent mitigation strategy.
- Possible. A 41%–60% chance of occurring. Active monitoring required.
- Unlikely. An 11%–40% chance of occurring. Lower priority but still tracked.
- Highly unlikely. Under a 10% chance of occurring. Low probability, but high-impact instances (e.g., fatal workplace injury) still warrant a mitigation plan.
If the business is using a 3×3 matrix, three categories suffice:
- Unlikely. Relatively low chance of occurring.
- Likely. Predicted to occur and requires a mitigation strategy.
- Highly likely. Almost guaranteed to occur and requires a mitigation strategy.
The 5 levels of severity in a risk matrix
A standard 5×5 matrix pairs the likelihood scale above with five severity levels:
- Severe/Catastrophic (5). Existential threats — losses of $1M or more, regulatory action, or fatal incidents.
- Major (4). Significant damage to objectives, finances, or reputation.
- Moderate (3). Noticeable operational or financial disruption.
- Minor (2). Limited, recoverable damage.
- Negligible/Insignificant (1). Minimal impact, often under $1K in losses.
Worked example. Suppose an organization identifies a data breach risk. Assessment puts likelihood at "Possible" (3) and impact at "Major" (4), producing a risk score of 12. With the cutoffs used in this guide (7–14 moderate, 15–25 high), the risk plots at the top of the yellow band: it needs a named owner and a documented mitigation plan, and any evidence that moves likelihood to "Likely" (4) pushes the score to 16 and into the red zone, where mitigation should start immediately.
Limitations of qualitative risk matrices
Qualitative matrices are powerful but imperfect. The three most documented weaknesses are subjectivity in scoring, range compression (distinct risks collapsing into the same cell), and inconsistent calibration across assessors — criticisms now common in empirical risk matrix research and practitioner literature.
Address these weaknesses by:
- Anchoring each likelihood and impact level to quantitative thresholds (e.g., dollar bands, probability percentages).
- Running calibration workshops so assessors apply the scales consistently.
- Supplementing the matrix with quantitative methods — Monte Carlo simulation, FAIR for cyber — for high-impact risks where the cost of analysis is justified.
- Documenting scoring rationale to support audit defensibility.
The 2026 COSO generative AI guidance specifically pushes organizations toward probabilistic, continuous-monitoring approaches for risks where deterministic scoring breaks down — model drift being the canonical example.
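The range-compression weakness, made concrete. The Python below is an added example, not code from the article, COSO, or the FAIR standard. It takes two constructed cyber risks that both score Possible (3) × Major (4) = 12 on the article's scales and runs a small Monte Carlo model of annual loss (Bernoulli occurrence at the assessed probability, lognormal single-event loss), the kind of quantitative supplement the bullet list recommends for top-tier risks. The percent bands for likelihood come from the article; the interior dollar bands for impact are assumptions, since the article fixes only the under-$1K and $1M-plus endpoints. The risk names and parameters are constructed.

```python
"""Monte Carlo supplement for two risks that share one matrix cell.

Added example. Both risks land in the same Possible x Major cell (score 12),
yet their simulated expected annual loss differs by roughly 5x and their tail
losses by more. Risk names and parameters are constructed; the interior
impact dollar bands are assumptions.
"""
import math
import random


def likelihood_level(p):
    """Map an annual probability of occurrence to the article's 1..5 scale."""
    if p >= 0.91:
        return 5
    if p >= 0.61:
        return 4
    if p >= 0.41:
        return 3
    if p >= 0.11:
        return 2
    return 1


def impact_level(loss_usd):
    """Map a single-event loss to 1..5. Only <$1K (1) and >=$1M (5) come from
    the article; the $10K and $100K interior cutoffs are assumed."""
    for level, upper in ((1, 1_000), (2, 10_000), (3, 100_000), (4, 1_000_000)):
        if loss_usd < upper:
            return level
    return 5


def simulate_annual_loss(p_event, loss_median, loss_sigma, n=20_000, seed=1):
    """Annual loss = Bernoulli(p_event) occurrence * lognormal loss with the
    given median and log-space sigma. Seeded so results are reproducible.
    Returns the sample mean, p90 and p99, plus the closed-form expectation
    p * median * exp(sigma^2 / 2) for a sanity check against the sample."""
    rng = random.Random(seed)
    mu = math.log(loss_median)
    losses = []
    for _ in range(n):
        if rng.random() < p_event:
            losses.append(rng.lognormvariate(mu, loss_sigma))
        else:
            losses.append(0.0)
    losses.sort()
    return {
        "expected_loss": sum(losses) / n,
        "p90": losses[int(0.90 * n)],
        "p99": losses[int(0.99 * n)],
        "analytic_expected": p_event * loss_median * math.exp(loss_sigma ** 2 / 2),
    }


# Constructed inputs: same qualitative cell, very different loss profiles.
RISKS = {
    "Phishing-led mailbox compromise": dict(p_event=0.50, loss_median=100_000, loss_sigma=0.5),
    "Ransomware on production file server": dict(p_event=0.45, loss_median=400_000, loss_sigma=1.0),
}


def compare(risks=RISKS):
    """Qualitative cell and score for each risk next to its simulated stats."""
    out = {}
    for name, params in risks.items():
        cell = (likelihood_level(params["p_event"]), impact_level(params["loss_median"]))
        stats = simulate_annual_loss(**params)
        out[name] = {"cell": cell, "score": cell[0] * cell[1], **stats}
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: cell={r['cell']} score={r['score']} "
              f"E[loss]=${r['expected_loss']:,.0f} p90=${r['p90']:,.0f} p99=${r['p99']:,.0f}")
```

The matrix cannot tell these two apart; the simulation puts the ransomware risk's expected annual loss near $300K against roughly $57K for the mailbox compromise, which is the kind of difference that should decide where mitigation budget goes. The `analytic_expected` field is there so you can confirm the sampler is not silently wrong before trusting its tail percentiles.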
How to maintain your risk assessment matrix
The threat landscape is constantly changing, so the matrix needs regular attention. Whether you are building an enterprise risk management program, a cybersecurity risk management program, or strengthening internal controls to prevent fraud, both external and internal risks require recurring assessment.
Schedule periodic reviews — internal or external, including dedicated IT risk assessments — and roll the findings into the central matrix. Get management and leadership buy-in: an appropriate manager should review and sign off on the matrix every time it is updated. Aim for a quarterly cadence; annual is the floor under most frameworks.
High-velocity risk categories warrant a tighter loop. Cyber, third-party, AI/model risk, and geopolitical risks should be monitored continuously or on an event-driven basis, a shift codified in NIST CSF 2.0, the 2026 COSO generative AI guidance, and DORA's incident-reporting requirements. Trigger an off-cycle review whenever there is a material business change (M&A, new product, new jurisdiction), a regulatory update, a significant incident, or a near-miss.
Risk mitigation and action plans should be updated alongside the matrix. Risks shift in likelihood and impact over time, and yesterday's mitigations may not hold up against today's environment. Account for regulatory, economic, geopolitical, and technological changes that could materially affect your risk plan.
A current matrix is what lets you spot emerging threats early and allocate resources where they have the most leverage.
Aligning the matrix with 2025–2026 regulations
Recent regulatory activity has reshaped what a defensible matrix needs to cover:
- NIST CSF 2.0 (Feb 2024) added a sixth core function, "Govern," elevating governance, risk strategy, roles and responsibilities, and supply-chain risk as first-class categories. Add rows for governance gaps (undefined risk appetite, unclear AI ownership, inadequate third-party oversight) rather than focusing exclusively on technical control failures.
- DORA (effective Jan 17, 2025) makes ICT third-party registers and critical incident reporting mandatory for the EU financial sector. Add ICT third-party risk as a dedicated category and capture incident-reporting thresholds explicitly in your impact scale.
- ENISA NIS2 guidance (Jun 2025) specifies technical cybersecurity risk management measures. Reflect these in your cyber scoring criteria.
- PCAOB AS 2110 (effective Dec 15, 2026) broadens audit risk assessment to include non-financial performance measures (NFPMs). External auditors will expect to see NFPM coverage in your matrix.
Map each row to the relevant regulatory citation so external auditors and regulators can trace coverage end to end.
Ready to reduce the likelihood of risks?
A consistently maintained risk assessment matrix helps reduce both the likelihood of the risks your business faces and the magnitude of their impact, by directing mitigation effort to where exposure is highest. Effective risk management has always been critical, but the pace of regulatory change and AI adoption has raised the bar on cadence, granularity, and documentation. Pair the matrix with integrated risk management software that supports collaboration and real-time visibility across the program.
Frequently asked questions
What are the 5 steps of risk assessment?
The five-step process recognized across ISO 31000, NIST, and COSO ERM is: (1) identify the risks and hazards; (2) determine the risk criteria (likelihood and impact scales); (3) assess and score each risk; (4) prioritize risks and assign mitigation strategies; and (5) monitor, review, and update the matrix on a recurring cadence. The fifth step is increasingly emphasized in NIST CSF 2.0 and the 2026 COSO generative AI guidance, which call for continuous monitoring rather than point-in-time assurance.
What are the 5 levels of a risk matrix?
A 5×5 matrix uses five severity levels: (1) Negligible/Insignificant (minimal impact, often under $1K), (2) Minor (limited, recoverable damage), (3) Moderate (noticeable disruption), (4) Major (significant damage to objectives, finances, or reputation), and (5) Severe/Catastrophic (existential threats, losses of $1M+, regulatory action, or fatal incidents). These pair with five likelihood tiers from Highly Unlikely through Highly Likely to produce the risk score.
What is the difference between a 3×3 and a 5×5 risk matrix?
A 3×3 matrix offers nine likelihood/impact combinations and suits smaller organizations, early-stage programs, or quick project-level triage. A 5×5 matrix produces 25 combinations, enabling more granular prioritization and better resource allocation — making it the preferred choice for enterprise risk management and regulated industries that need to differentiate risks that would look identical on a 3×3. Both are recognized under IEC 31010 and PMI guidance.
How do you calculate a risk score using a risk assessment matrix?
Risk score is most commonly calculated by multiplying the likelihood rating by the impact rating (Likelihood × Impact = Risk Score). On a 5×5 matrix, scores range from 1 to 25, with cutoffs typically at 1–6 (low/green), 7–14 (moderate/yellow), and 15–25 (high/red). A data breach scored at Likelihood = 3 and Impact = 4 yields a 12, the top of the moderate band under those cutoffs; at Likelihood = 4 it scores 16 and becomes high. Document the cutoffs and any weighting methodology in policy so the math remains auditable.
What are the main limitations of qualitative risk matrices?
The main limitations are subjectivity in scoring, range compression (distinct risks collapsing into the same cell), and inconsistent calibration across assessors. Mitigate these by anchoring each level to quantitative thresholds (dollar bands, probability ranges), running calibration workshops, supplementing the matrix with quantitative methods like Monte Carlo or FAIR for top-tier risks, and documenting scoring rationale. The 2026 COSO generative AI guidance pushes organizations toward probabilistic, continuous-monitoring methods for risks where deterministic scoring breaks down.
How should you incorporate AI and "shadow AI" risks into your matrix?
Add AI and generative AI as a distinct risk category with sub-rows for model risk, data leakage, hallucination, third-party AI dependencies, and shadow AI (uncontrolled, undocumented adoption). The February 2026 COSO guidance recommends maintaining a continuously updated GenAI use-case inventory, assigning ownership for each use case, and right-sizing human oversight based on the risk profile — financially relevant outputs require higher assurance. Score these risks on continuous KPIs like model drift, override rates, and transaction volume rather than point-in-time ratings.
How often should you update your risk assessment matrix?
Refresh the enterprise matrix at least annually to satisfy most framework requirements (ISO 31000, COSO ERM), with quarterly reviews the practitioner standard for any moderately mature program. High-velocity categories — cyber, third-party, AI/model, geopolitical — now warrant continuous or event-driven monitoring under NIST CSF 2.0, the 2026 COSO generative AI guidance, and DORA. Trigger an off-cycle review for material business changes, regulatory updates, significant incidents, or near-misses, and document each refresh with management sign-off.
About the authors

Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.