How to Score Risk Simply – the Risk Matrix

The 25 cell “Impact vs Likelihood” Risk Matrix is a great way to communicate Risk Scores.

There are many ways to measure and communicate risk – this is just one that we have found useful, and easy to communicate.

The 25 cell “Impact vs Likelihood” Risk Matrix is a popular format used to communicate Risk Scores. It helps you summarise your risks for project reporting.

The Risk Score Heatmap Matrix

This 5 x 5 (25 cell) matrix gives an easy way to associate a “Severity Score” with a Risk. NB you will see a lot of variations on this – so this is just one approach of many that Project Managers can take.

Risk Matrix used in the RAID Log
Risk Matrix used in the RAID Log

Each cell in the matrix is a combination of impact and likelihood.

This allows you to group your risks, based on a score, into some Risk Severity groups:

Risk severity scoring
Risk severity scoring

This Risk Scoring approach is used in our RAID LOG template.

An approach to assigning Impact and Likelihood scores

Project Managers use a list of score definitions, to help one another assign and understand the scores for each risk.

Here is an example approach:

ASSIGNING RISK LIKLEHOOD VALUES
Score Title Likelihood % Chance
1 Rare Rare. A very unlikely event. It could happen, but probably never will. Below 5%
2 Unlikely Not expected. Slight possibility.
An improbable sequence of events.
5% – 25%
3 Possible Moderate likelihood. Foreseeable. May have occurred in projects like this before. 25% – 50%
4 Likely Strong possibility. High likelihood.
An easily foreseeable event.
50% – 75%
5 Almost Certain Very likely.
Almost certain without any intervention.
Above 75%
ASSIGNING RISK IMPACT VALUES
Score Title Outcome / Impact / Consequence Cost / Time / Scope
Implications
1 Insignificant The project will have to make some minor changes to scope. Resolvable by management team. Can be managed. Acceptible.
2 Minor Some changes to deliverables.
Outside of Project Tollerances or Contingency.
Adjustment to scope with some impact.
3 Moderate One or more areas likely not to deliver as planned. Descoping required. Significant impact.
4 High Significant descoping required. Major Impact.
5 Extreme Serious failure of project objectives. Disastrous Impact.

Example Guidance for Project Managers according to Risk Severity

GENERAL GUIDANCE ON RISK MANAGEMENT
Extreme Escalate immediately to project authorities.
Include recommendations.
Actively control.
High Manage immediately.
Inform project authorities.
Act on mitigation and ensure you have response plans ready.
Moderate Manage risk and escalate in normal reporting.
Watch carefully for change in exposure.
Low Manage risk.

Problems with Scoring Risks with a Matrix

There are many ways to allocate weighting to risks, and to group severity, with no right or wrong answer. The allocation of severity groupings helps you give summaries to your colleagues, but the groupings you choose will need to vary depending on the project type, size and environment.

See more here on Wikipedia about the problems with Risk Matrices.

Project Managers manage their Risks in a “RAID Log”.

RAID Logs are used by project managers and programme managers to track and manage project risks.

Many projects have 10s and sometimes 100s of Risks to manage, and so it is essential to keep track of severity, status, next steps, and who owns each risk.

RAID is an acronym that stands for

  1. Risks
  2. Assumptions
  3. Issues
  4. Dependencies

Created : 2011-12-08 22:07:16
Modified : 2020-06-15 07:59:41