A risk matrix analyzes project risks based on likelihood and severity. Once you map your risks, you can calculate overall impact and prioritize risks accordingly. In this piece, you’ll learn how to create a risk matrix template and how to use the information from this analysis tool to develop a comprehensive risk management plan.
Risks are a part of any project, and there’s no surefire way to know which ones will occur and when. Sometimes, you'll get through an entire project without experiencing a single hiccup. Other times, you’ll feel like all the odds are against you. Without the help of a crystal ball, the only way to prevent project risks is to proactively prepare for them.
A risk matrix helps you analyze risk by assigning each event as high, medium, or low impact on a scale of one through 25. Once you assess the severity and likelihood of each risk, you’ll prioritize your risks and prepare for them accordingly. In this article, we’ll explain how to create a risk matrix template and offer helpful tools for turning your results into action.
Watch a live demo and Q&A session to help you streamline goal-setting, accelerate annual planning, and automate how teams intake strategic work.
A risk matrix is a risk analysis tool to assess risk likelihood and severity during the project planning process. Once you assess the likelihood and severity of each risk, you can chart them along the matrix to calculate risk impact ratings. These ratings will help your team prioritize project risks and effectively manage them.
As part of the process, you’ll need to brainstorm a list of risks to chart in your risk matrix. The risks you may face will likely fall into these categories:
Strategic risk: Strategic risks involve performance or decision errors, such as choosing the wrong vendor or software for a project.
Operational risk: Operational risks are process errors or procedural mistakes, like poor planning or a lack of communication among teams.
Financial risk: Financial risk can involve various events that cause a loss of company profit, including market changes, lawsuits, or competitors.
Technical risk: Technical risk may include anything related to company technology, such as a security breach, power outage, loss of internet, or damage to property.
External risk: External risks are out of your control, like floods, fires, natural disasters, or pandemics.
There are other risk categories to consider depending on your work industry. For example, if you have government clients, then you also want to brainstorm legal risks. If your company sells a physical product, you may have to think about manufacturing risks.
When creating your risk matrix template, you’ll first identify your scale of severity, which you’ll place in the columns of your matrix. The scale of severity measures how severe the consequences will be for each risk. In a five-by-five matrix, there are five levels in your scale of severity.
Negligible (1): The risk will have little consequences if it occurs.
Minor (2): The consequences of the risk will be easy to manage.
Moderate (3): The consequences of the risk will take time to mitigate.
Major (4): The consequences of this risk will be significant and may cause long-term damage.
Catastrophic (5): The consequences of this risk will be detrimental and may be hard to recover from.
You’ll then identify your scale of likelihood, which you’ll place in the rows of your risk matrix template. The scale of likelihood identifies the probability of each risk occurring.
Very likely (5): You can be pretty sure this risk will occur at some point in time.
Probable (4): There’s a good chance this risk will occur.
Possible (3): This risk could happen, but it might not. This risk has split odds.
Not likely (2): There’s a good chance this risk won’t occur.
Very unlikely (1): It’s a long shot that this risk will occur.
When you place a risk in your matrix based on its likelihood and severity, you’ll find the level of risk impact. The risk impact is both color-coded from green to red and rated on a one through 25 scale.
Low (1-6): Low-risk events likely won’t happen, and if they do, they won’t cause significant consequences for your project or company. You can label these as low priority in your risk management plan.
Medium (7-12): Medium-risk events are a nuisance and can cause project hiccups, but if you take action during project planning to prevent and mitigate these risks, you’ll set yourself up for project success. You shouldn’t ignore these risks, but they also don’t need to be a top priority.
High (13-25): High-risk events can derail your project if you don’t keep them top of mind during project planning. Because these risks are likely to happen and have serious consequences, these are most important in your risk management plan.
You don’t have to stick to the labels above for your risk matrix template if they don’t feel right for your company or project. You can customize the size and terminology of your matrix to your needs.
Once you’ve created a risk matrix, you can use it as a comprehensive analysis tool. The best part about a risk matrix template is that you don’t need to change it for every project. Once you have one, you can reuse it and share it with others.
You’ll need a list of potential risks to make use of your risk matrix. In this step, you’ll determine what risks may affect the specific project you’re working on.
To come up with relevant risks for your project, you’ll need to understand your project scope and objectives. This includes the project’s:
Using your project scope as a guide, think of risky situations that might affect your project. If you’re not sure where to start, try brainstorming techniques like mind mapping or starbursting to list as many risks as you can under each risk type.
When you created your risk matrix, you defined the criteria for your risk severity and likelihood. Now that you have a list of project risks, categorize them using the matrix criteria. Start with the scale of severity and go through each risk you’ve listed. Consider the following questions:
What is the most negative outcome that could come from this risk?
What are the worst damages that could occur from this risk?
How hard will it be to recover from this risk?
Which of the five severity levels most closely matches this risk?
You may not always have the perspective you need to know how severe the consequences of a risk are. In that case, work with other project stakeholders to determine the potential risk impact.
Once you’ve defined the severity of each risk, you’ve completed half of the risk analysis equation. Next, identify the likelihood of each risk. To do this, consider the following questions:
Has this risk occurred before and, if so, how often?
Are there risks similar to this one that have occurred?
Can this risk occur, and if so, how likely is it to occur?
Team collaboration is also crucial in this step because you may not have a good idea of similar risks that have occurred in past projects. Make sure to reference past projects and analyze the probability of each risk with your team in order to create a more accurate mitigation plan.
Read: How to capture lessons learned in project managementThe last part of your risk analysis equation is to calculate risk impact. The equation you’ll use is:
Likelihood x severity = risk impact
Place each risk in your matrix based on its likelihood and severity, then multiply the numbers in the row and column where it lands to find the level of risk impact. For example, if you think the risk of a data breach is of major severity (4) and probable likelihood (4), you’d multiply four by four to get a risk impact of 16. This is considered a high-risk impact.
You should now have a risk impact level on a scale of 1–25 for each risk you’ve identified. With these number values, it’s easier to determine which risks are of top priority. When you have risks with the same risk impact score, it will be up to you and your team to determine which risk to prioritize. Risks with equal risk impact may require equal attention as you create your action plan.
Your risk response plan should include steps to prevent risk and ways to mitigate risk if unfortunate events occur. Because so much goes into project planning, the best strategy when tackling risks may be to divide and conquer.
Read: How to create an action plan that drives resultsThe size of your risk matrix template determines how closely you can analyze your project risks. A larger risk matrix template offers more room on the risk impact spectrum, while a smaller risk matrix template keeps your risk impact rating simpler and less subjective.
Each square in your matrix represents a risk level of likelihood and severity, so you shouldn’t make your risk matrix smaller than three squares in length and width.
A five-by-five risk matrix is ideal so you can further analyze each risk. Once you chart your risks along your finished risk matrix template, this matrix creates a larger color spectrum to see the impact of each risk as high, medium, or low.
The example below shows a five by five risk matrix template.
You can download a free risk matrix template using the link below. Use this template to chart your project risks and determine their overall level of risk impact.
You can use the same risk matrix template when measuring risk across multiple projects. However, it’s important to remember that the risks you face will evolve. The environment changes, technology becomes smarter, and the workplace grows. Every project faces unique risks, and you must reevaluate these risks year after year.
When you pair your risk matrix template with work management software, you can use past data to inform current processes. Asana helps you share the results of your risk matrix with stakeholders so you can collaborate on a risk management plan. Once you have a solid plan in place, you can monitor your team in real-time as they take action.
Create a risk management plan template