How to Score Risk Simply – the Risk Matrix

The 25 cell “Impact vs Likelihood” Risk Matrix is a great way to communicate Risk Scores.

There are many ways to measure and communicate risk – this is just one that we have found useful, and easy to communicate.

The 25 cell “Impact vs Likelihood” Risk Matrix is a popular format used to communicate Risk Scores. It helps you summarise your risks for project reporting.

The Risk Score Heatmap Matrix

This 5 x 5 (25 cell) matrix gives an easy way to associate a “Severity Score” with a Risk. NB you will see a lot of variations on this – so this is just one approach of many that Project Managers can take.

Risk Matrix used in the RAID Log
Risk Matrix used in the RAID Log

Each cell in the matrix is a combination of impact and likelihood.

This allows you to group your risks, based on a score, into some Risk Severity groups:

Risk severity scoring
Risk severity scoring

This Risk Scoring approach is used in our RAID LOG template.

An approach to assigning Impact and Likelihood scores

Project Managers use a list of score definitions, to help one another assign and understand the scores for each risk.

Here is an example approach:

ScoreTitleLikelihood% Chance
1RareRare. A very unlikely event. It could happen, but probably never will.Below 5%
2UnlikelyNot expected. Slight possibility.
An improbable sequence of events.
5% – 25%
3PossibleModerate likelihood. Foreseeable. May have occurred in projects like this before.25% – 50%
4LikelyStrong possibility. High likelihood.
An easily foreseeable event.
50% – 75%
5Almost CertainVery likely.
Almost certain without any intervention.
Above 75%
ScoreTitleOutcome / Impact / ConsequenceCost / Time / Scope
1InsignificantThe project will have to make some minor changes to scope. Resolvable by management team.Can be managed. Acceptible.
2MinorSome changes to deliverables.
Outside of Project Tollerances or Contingency.
Adjustment to scope with some impact.
3ModerateOne or more areas likely not to deliver as planned. Descoping required.Significant impact.
4HighSignificant descoping required.Major Impact.
5ExtremeSerious failure of project objectives.Disastrous Impact.

Example Guidance for Project Managers according to Risk Severity

ExtremeEscalate immediately to project authorities.
Include recommendations.
Actively control.
HighManage immediately.
Inform project authorities.
Act on mitigation and ensure you have response plans ready.
ModerateManage risk and escalate in normal reporting.
Watch carefully for change in exposure.
LowManage risk.

Problems with Scoring Risks with a Matrix

There are many ways to allocate weighting to risks, and to group severity, with no right or wrong answer. The allocation of severity groupings helps you give summaries to your colleagues, but the groupings you choose will need to vary depending on the project type, size and environment.

See more here on Wikipedia about the problems with Risk Matrices.

Project Managers manage their Risks in a “RAID Log”.

RAID Logs are used by project managers and programme managers to track and manage project risks.

Many projects have 10s and sometimes 100s of Risks to manage, and so it is essential to keep track of severity, status, next steps, and who owns each risk.

RAID is an acronym that stands for

  1. Risks
  2. Assumptions
  3. Issues
  4. Dependencies

Created : 2011-12-08 22:07:16
Modified : 2020-06-15 07:59:41