A Risk Matrix is a 2D matrix that calculates the risk score for a given risk. A risk is an uncertain event that will impact the project. Project managers try to mitigate negative risks, or threats, and enhance positive risks, or opportunities.

The risk matrix is an important tool for the project team because it helps establish common definitions for risk severity and probability.

The Risk Score of a risk is severity times probability. This is the formula used during the Qualitative Risk Analysis process to determine whether a risk is High, Medium, or Low priority. Only the high priority risks will move on to the Quantitative Risk Analysis process, where the project team will assess the amount of contingency reserve that can be set aside.

Risk Score = Severity * Probability

To create your own Risk Matrix as you follow along with this guide, download this free Excel template.

Components of the Risk Matrix

Risk Classification

1. External Risks: Risks from third party vendors, service providers, alliances, external market, political, social, cultural, and environmental factors

2. Technological Risks: Risks arising from unstable technology

3. Stakeholder Risks: Lack of support, management failure, organizational structure

4. Regulatory Risks: Noncompliance with rules, regulations, and policies

5. Project Execution Risks: Risks arising due to lack of resources, poorly managed project scope, non-commitment of management

6. Legal Risks: Noncompliance with applicable laws and ethical standards

7. Release Risks: Risks arising due to failure in delivery of products and services

8. Reputation Risks: Risks to the organization's reputation in the market from negative customer experience, feedback, and perception

Risk Description

Provide the risk elements associated with the specific risk classification.

Impact Severity

Provide the impact severity from 1 – 5, with 5 being the highest impact and 1 the smallest impact:

1. Little or no impact

2. Minor impact

3. Moderate impact

4. Significantly impacted

5. Highest impact

Note: The risk severity categories can vary depending on your organization. You can consult your PMO or look through lessons learned databases to find examples for risk matrix from previous projects. For example, some projects use ‘Negligible’, ‘Marginal’, ‘Critical’, and ‘Catastrophic’ as their risk severity instead.

Risk Probability

Determine the probability the risk will occur. Provide the probability 1 – 5 with 5 being the highest and 1 the smallest probability:

1. <= 10%

2. >= 10%

3. > 25%

4. > 50%

5. > 75%

Again, like the risk severity, the risk probability categories can change depending on your organization’s rules or project circumstances.

Risk Score

The risk score is equal to impact severity times probability.

Response Plan

Plan the risk response based on the risk score. Frame each plan as a Correction Plan, a Prevention Plan, or a Warning Plan.


Person responsible for implementing the response plan


Timeline for implementing the response plan

Common definition

Meet with your team to establish common definitions for severity and probability levels. Ensure that your project team is aware of and contributing to the Risk Matrix.

Different team members will be responsible for looking after different risks on your project. Without common definitions, one team member may rate a risk as High priority, while another might rate a similar risk as Low priority.

The definitions can be included in the same document as the Risk Matrix or in a separate file.

Risk Scores

The last step is to fill in your Risk Scores. For example, a high probability and high severity risk will receive a High priority risk score. A low probability and low severity risk will receive a Low priority risk score.

You and your team need to fill in every cell in the Risk Register. Each cell represents the risk score of the intersecting risk severity and probability.

Here is an example of a Risk Matrix:

[Figure: risk matrix example]

Problems with the Risk Matrix

Although the Risk Matrix is an important project tool, it does have a few flaws.

Even with risk definitions, risk severity and probability are still both subjective.
Mistakes occur. A low priority risk can be assigned high priority. Hence, more resources will be allocated to this risk than necessary.

Despite its drawbacks, the Risk Matrix is still critical in risk management. It is archived at the end of the project. It also helps the project team complete the Risk Register.
