Risk Matrix

The risk matrix is a graphical representation of an organisation's risk appetite. The risk associated with an item is calculated from the values of associated risk variables which form the axes of the matrix. The severity of a risk is determined by comparing risk variable values against the risk matrix.

Classic Risk Matrix

Using the example matrix above, a likelihood of 3 and impact of 2 determines the severity of the risk to be yellow (low).

It is important to note that the value of the likelihood or impact may not be an integer. This can cause risk scores that are numerically higher to be classed as a lower severity. For example, take the above matrix and assume that the right or top edge of each table cell is the number indicated on the scale (this setting can be customised). If the likelihood has a score of 4 and the impact a score of 4 then, through multiplication, the risk score is 16 and the matrix classifies this risk as red (high). Alternatively suppose that the likelihood is 3.9 and that the impact is 4.9 - the risk score is now 19.11 but the severity of the risk is only orange (medium). This is expected behaviour.

Linear Risk Matrix

The linear risk matrix is an alternative way to classify risks in which the severity of risks directly correlates to the calculated risk score. The usage of the matrix is the same but the scale is continuous rather than discrete.