risk-matrices

star 5

Visual probability-impact assessment tool that categorizes risks on a grid by likelihood and severity to prioritize mitigation efforts

lev-os By lev-os schedule Updated 3/7/2026
play_arrow Run Skill in Manus View GitHub

name: risk-matrices description: Visual probability-impact assessment tool that categorizes risks on a grid by likelihood and severity to prioritize mitigation efforts

Risk Matrices

One-Liner

Visual probability-impact assessment tool that categorizes risks on a grid (typically 5x5) by likelihood and severity to prioritize mitigation efforts and enable consistent organizational risk evaluation.

Core Concept

Risk matrices, also called Decision Matrix Risk Assessment (DMRA), provide a systematic visual method for comparing threats and determining which risks require immediate attention. By plotting likelihood (probability of occurrence) on one axis and impact (severity of consequences) on the other, organizations create a heat map where risks in the high-likelihood/high-impact quadrant demand priority action.

Key Insight: The matrix transforms subjective risk perception into standardized categories, enabling cross-functional teams and leadership to discuss risks using common language and criteria.

Foundation: Codified in ISO 31000 international risk management standard, which emphasizes that risk matrices are most effective when integrated into organizational processes with consistent assessment criteria, continuous monitoring, and cultural support.

When To Use It

TRIGGER: When facing multiple competing risks requiring prioritization, resource allocation to mitigation efforts, or standardized risk communication across teams.

CIRCUMSTANCES:

  • Project planning requiring proactive risk identification
  • Enterprise risk management (ERM) needing board-level visibility
  • Incident response determining which threats to address first
  • Compliance requirements (ISO 31000, industry regulations)
  • Cross-functional teams with different risk perception
  • Resource constraints forcing prioritization of mitigation spending
  • Audit/governance requiring documented risk assessment process

PARTICULARLY EFFECTIVE FOR:

  • Risk prioritization: Which threats need immediate attention?
  • Portfolio management: Where are we most vulnerable?
  • Communication: How do we explain risk to non-experts?
  • Consistency: How do we standardize risk evaluation across units?

How To Execute It

Step 1: Establish Risk Assessment Team

Form cross-functional team with:

  • Subject matter expertise across relevant domains
  • Authority to define risk criteria
  • Responsibility for risk ownership
  • Consistency in applying assessment methodology

Critical: Single team should assess all risks to ensure uniform criteria application, avoiding departmental bias.

Output: Designated risk assessment team with clear mandate.

Step 2: Define Likelihood Scale

Create organization-specific probability categories (typically 5 levels):

Example Scale:

  • Rare (1): <5% probability, may occur only in exceptional circumstances
  • Unlikely (2): 5-25% probability, could occur at some time
  • Possible (3): 25-50% probability, might occur occasionally
  • Likely (4): 50-75% probability, will probably occur
  • Almost Certain (5): >75% probability, expected in most circumstances

Customization: Adapt categories to industry/context (cybersecurity: daily/weekly/monthly attacks; construction: per-project probability).

Output: Documented likelihood definitions with numerical or qualitative thresholds.

Step 3: Define Impact Scale

Create consequence severity categories (typically 5 levels across relevant dimensions):

Example Scale:

  • Insignificant (1): Minimal impact, managed within normal operations
  • Minor (2): Noticeable impact, requires management attention
  • Moderate (3): Significant impact, requires dedicated resources
  • Major (4): Critical impact, threatens organizational objectives
  • Catastrophic (5): Severe impact, threatens organizational survival

Multi-Dimensional Impact: Define impact across financial loss, operational disruption, safety/health, reputation, compliance, and strategic objectives.

Output: Documented impact definitions with specific thresholds (e.g., "Major: $1M-$10M loss, 30-90 day disruption").

Step 4: Construct Risk Matrix

Build grid (typically 5x5 but can be 4x5, 3x3):

  • Y-axis: Likelihood (Rare to Almost Certain)
  • X-axis: Impact (Insignificant to Catastrophic)
  • Color Coding: Green (low), Yellow (medium), Orange (high), Red (extreme)

Risk Score Calculation: Likelihood × Impact = Risk Rating

  • Example: Likely (4) × Major (4) = Risk Score 16 (High Risk)

Heat Map Zones:

  • Green (1-6): Monitor, standard controls
  • Yellow (7-12): Active management, enhanced controls
  • Orange (13-19): Senior leadership attention, mitigation plans required
  • Red (20-25): Immediate action, executive-level escalation

Output: Standardized matrix template with scoring zones.

Step 5: Assess and Plot Risks

For each identified risk:

  1. Describe Risk Event: What specific threat/opportunity?
  2. Assess Likelihood: Which probability category?
  3. Assess Impact: Which severity category across dimensions?
  4. Calculate Risk Score: Likelihood × Impact
  5. Plot on Matrix: Position risk in appropriate cell
  6. Assign Risk Owner: Who is accountable for monitoring/mitigation?

Consistency Requirement: Use data and expert judgment, not gut feel. Reference historical data, industry benchmarks, and subject matter expertise.

Output: Populated risk matrix with all identified risks plotted and scored.

Step 6: Prioritize Mitigation Actions

Focus resources on high-risk quadrants:

Extreme Risk (Red Zone):

  • Immediate action required
  • Senior leadership/board involvement
  • Dedicated mitigation budget
  • Weekly monitoring

High Risk (Orange Zone):

  • Mitigation plans within 30-90 days
  • Management ownership
  • Monthly review

Medium Risk (Yellow Zone):

  • Standard risk management processes
  • Departmental responsibility
  • Quarterly review

Low Risk (Green Zone):

  • Monitor for changes
  • Routine controls
  • Annual review

Output: Prioritized action plan with owners, timelines, and budgets aligned to risk scores.

Step 7: Monitor and Update Dynamically

Establish continuous risk management:

  • Regular Reviews: Reassess likelihood/impact as conditions change
  • Emerging Risks: Add new threats as identified
  • Mitigation Effectiveness: Track whether controls reduce risk scores
  • Risk Appetite Changes: Adjust heat map zones as organizational tolerance evolves

Critical: ISO 31000 emphasizes monitoring and review as core components—risk landscapes shift constantly.

Output: Living risk register with quarterly (minimum) updates and ad-hoc reviews for material changes.

Real-World Applications

Cybersecurity Risk Management: CISO plots ransomware (Likely × Catastrophic = Extreme), phishing (Almost Certain × Moderate = High), DDoS (Possible × Minor = Medium). Prioritizes ransomware mitigation (backups, segmentation, incident response) over DDoS defense.

Project Management: Construction project assesses risks—weather delays (Likely × Minor = Medium), design changes (Possible × Major = High), labor strikes (Unlikely × Catastrophic = High). Focuses contingency planning on design change management and strike prevention.

Pharmaceutical R&D: Drug development evaluates clinical trial failure (Possible × Catastrophic = Extreme), regulatory delays (Likely × Major = High), manufacturing scale-up (Unlikely × Moderate = Medium). Allocates resources to de-risking clinical trial design and regulatory strategy.

Mental Model Connections

Related Frameworks:

  • Expected Value Calculation: Risk matrices provide qualitative prioritization; EV adds financial quantification
  • Scenario Planning: Risk matrices assess individual threats; scenarios explore combined risk events
  • Sensitivity Analysis: Identifies which variables most impact outcomes; risk matrices prioritize mitigation
  • Monte Carlo Simulation: Quantitative probabilistic modeling; risk matrices provide qualitative heat maps

Contrasts:

  • Base Rate Analysis: Focuses on statistical priors; risk matrices allow subjective expert judgment
  • SWOT: Strategic positioning tool; risk matrices are operational risk prioritization
  • Bayes' Theorem: Updates probability with new evidence; risk matrices use static likelihood categories

Common Pitfalls

1. Oversimplification of Complex Risks: Treating multi-dimensional risks as single likelihood/impact score loses nuance—cybersecurity may be low financial impact but catastrophic reputational.

2. Inconsistent Assessment Criteria: Different teams applying different likelihood thresholds creates false precision—"Likely" means different things to different assessors.

3. Static Assessment in Dynamic Environment: Creating matrix once annually while risks evolve daily—leading to outdated prioritization and false confidence.

4. Confusing Inherent vs. Residual Risk: Plotting inherent risk (pre-mitigation) without reassessing residual risk (post-controls) leads to over-investment in already-managed risks.

5. False Precision from Multiplication: Likelihood (4) × Impact (4) = 16 suggests mathematical rigor but underlying categories are subjective—beware spurious accuracy.

6. Neglecting Soft Elements: Focusing only on quantifiable risks (financial, operational) while ignoring culture, morale, reputation, which lack clear metrics.

7. Risk Matrix as Compliance Theater: Creating matrices to satisfy auditors without genuine integration into decision-making—checkbox exercise lacking cultural buy-in.

Validation Checks

BEFORE USING:

  • Do you have multiple risks requiring prioritization?
  • Can you form cross-functional assessment team with relevant expertise?
  • Are likelihood and impact categories definable with organizational specificity?
  • Do you have mandate to allocate resources based on risk prioritization?
  • Is leadership committed to reviewing and acting on risk matrix outputs?

SUCCESS INDICATORS:

  • Defined organization-specific likelihood and impact scales with clear thresholds
  • Constructed matrix with color-coded heat map zones
  • Assessed risks using consistent criteria with supporting data/rationale
  • Prioritized mitigation actions aligned to high-risk quadrants
  • Assigned risk owners with accountability for monitoring/mitigation
  • Established review cadence (quarterly minimum) for dynamic updating
  • Integrated risk matrix into decision-making (not compliance theater)

RED FLAGS:

  • Likelihood/impact categories lack clear definitions (e.g., "low/medium/high" with no thresholds)
  • Single person assessing all risks without cross-functional validation
  • Creating matrix once and never updating (static snapshot)
  • Risk scores driving no resource allocation or mitigation actions
  • Treating all risks as independent (ignoring cascading/correlated risks)
  • Using matrix to justify pre-determined conclusions (confirmation bias)
  • Excessive grid granularity (7x7, 10x10) creating false precision

Sources & Attribution

Origin: Evolved from safety/reliability engineering in aerospace and nuclear industries (1950s-1970s) Standardized: ISO 31000 Risk Management Guidelines (2009, updated 2018) Decision Matrix Risk Assessment (DMRA): Formalized methodology for systematic risk evaluation Key Organizations: International Organization for Standardization (ISO), Project Management Institute (PMI), National Institute of Standards and Technology (NIST) Core Innovation: Visual heat map enabling intuitive risk comparison and prioritization across diverse organizational contexts

Practitioner Note: Risk matrices are most valuable when they force uncomfortable conversations, not when they validate existing beliefs. If your matrix isn't changing resource allocation or mitigation priorities, you're doing compliance theater, not risk management.

Install via CLI
npx skills add https://github.com/lev-os/agents --skill risk-matrices
Repository Details
star Stars 5
call_split Forks 0
navigation Branch main
article Path SKILL.md
Occupations
Financial Risk Specialists
More from Creator
lev-os
lev-os Explore all skills →