Risk Matrix: Templates, Examples, and the 5x5 Method (2026)


A risk matrix is the grid that turns a vague worry into a ranked decision. You take each risk, judge how likely it is, judge how hard it would hit, and plot it where those two answers meet. The cell it lands in is colored green, yellow, orange, or red, and that color tells the team what to do next. It is the most widely used risk tool in project management, and it fits on a single page.

It is also one of the most criticized tools in the field. The researchers who study risk scoring have a warning. A careless matrix can rank a smaller risk above a larger one, and send the team chasing the wrong fire. This guide does both halves honestly. It shows you how to build a matrix that works. You get an interactive builder, a worked agency example, and templates for the 3x3, 4x4, and 5x5 sizes. Then it shows you exactly where the matrix misleads, so you use it as a conversation starter rather than a verdict.

Quick answer: what a risk matrix is

A risk matrix is a grid that scores each risk on two axes: likelihood, the chance it happens, and impact, the damage if it does. You rate both on a scale, usually 1 to 5, and multiply them. The product is the risk score, and it places the risk in a colored cell that signals priority. Green means accept, yellow means monitor, orange means mitigate, and red means act now.

The point of the grid is to force a comparison. Without it, every risk feels urgent and the loudest voice wins. With it, a team can see that a low-likelihood, high-impact risk and a high-likelihood, low-impact risk are different problems that deserve different responses. The matrix does not predict the future. It organizes a conversation about what could go wrong and what the team will do about each item.

Build your risk matrix

Add the risks you are tracking, set the likelihood and impact for each, and the builder scores them and drops them into the grid. Switch between 3x3, 4x4, and 5x5 to see how the size changes the picture. Two example agency risks are loaded so you can see the shape before you start.


The builder runs the same arithmetic you would do by hand: likelihood times impact, then a color band by where the score falls. The number is only as good as the two judgments behind it. That is the theme this guide returns to below.


What is a risk matrix?

A risk matrix, also called a risk assessment matrix or a probability and impact matrix, is a visual tool for rating and ranking risks. It has two axes. One axis is likelihood, the chance that a risk event happens. The other axis is impact, the size of the damage if it does. Each axis is divided into levels, and the grid of cells those levels create is the matrix.

You assess a risk by choosing one level on each axis. A risk that is almost certain to happen and would be severe lands in the top corner and is colored red. A risk that is rare and minor lands in the opposite corner and is colored green. The score is usually likelihood multiplied by impact, so a 4 for likelihood and a 3 for impact gives a score of 12. That score, and the color of the cell, set the priority.

The matrix is qualitative by design. The levels are labels like "rare" and "severe," not measured probabilities and dollar figures. That is its strength and its weakness at once. It is fast and anyone on the team can use it, which is why it appears in nearly every risk management plan. It also depends entirely on the judgment of whoever assigns the levels, which is where its critics focus. David Hillson, the consultant known as the Risk Doctor, keeps the definition grounded.

"A risk is an uncertainty that matters. It could affect achievement of one or more objectives, which is why it is worth the effort to assess." - David Hillson, risk-doctor.com

Risk matrices show up far beyond project work. Safety teams use them for hazard assessment, security teams use them for threat ranking, and finance teams use them for operational risk. This guide stays in the project and delivery lane, where the risks are missed deadlines, scope changes, dependency failures, and people leaving mid-project. The mechanics are the same everywhere; only the examples change. For broader strategy work, a matrix pairs naturally with a SWOT analysis on the internal side and a PESTEL analysis on the external side.

3x3 vs 4x4 vs 5x5: which size to use

The size of a risk matrix is the number of levels on each axis. A 3x3 has three levels of likelihood and three of impact. A 5x5 has five of each. Bigger is not better. The right size is the one that matches how much you actually know about your risks. More cells imply more precision than a qualitative judgment can usually support.

| Size | Levels per axis | Best for | Watch out for |
|---|---|---|---|
| 3x3 | Low, medium, high | Quick triage, small projects, a first pass when the team is new to risk work | Too coarse to separate a real priority from a near miss; most risks cluster in the middle |
| 4x4 | Four levels, no middle | Teams that want to force a choice; the missing center stops everyone defaulting to "medium" | Even-sized grids feel unnatural to rate and are the least common, so templates are scarcer |
| 5x5 | Five levels each | The default for project and delivery work; enough range to rank without false precision | Tempts teams to treat a score of 12 as meaningfully different from 11 when the inputs are guesses |

For most agency and product teams, the 5x5 is the right starting point. It gives enough room to separate the genuine priorities from the noise, and it is the size most templates and stakeholders expect. If your team is new to risk reviews, start with a 3x3 for the first few sessions. The smaller grid keeps the conversation moving. It stops people arguing over whether a risk is a 3 or a 4 before they even have the habit of reviewing risks.

How to build a risk matrix in five steps

Building the matrix is the easy part. The work is identifying real risks and rating them honestly. These five steps produce a matrix the team will actually use, not one that gets built once and forgotten.

  1. Identify the risks. Run a short session with the people doing the work and list what could go wrong. Pull from past projects, the project plan, and known dependencies. Write each risk as a cause and effect, not a vague worry. "Client is slow to approve designs, which pushes the launch date" beats "client problems." A good pre-mortem session, where the team imagines the project has already failed and works backward, surfaces risks a checklist misses.
  2. Set your likelihood and impact scales. Define what each level means before you rate anything. For a 5x5, write a one-line definition for each likelihood level (rare, unlikely, possible, likely, almost certain) and each impact level (negligible, minor, moderate, major, severe). Anchor impact to something concrete: days of delay, percent of budget, or effect on the client relationship. Shared definitions are what stop two people scoring the same risk differently.
  3. Rate each risk on both axes. For every risk, agree on a likelihood level and an impact level. Do this with the team, not alone, because the disagreement is the valuable part. If two people rate a risk 2 and 5 on impact, the gap means they understand the risk differently, and the conversation that resolves it is worth more than the final number.
  4. Plot and score. Place each risk in the cell where its likelihood and impact meet, and record the score, which is the two numbers multiplied. The cell color sorts the list into priorities. This is the step the builder above automates, but a whiteboard grid and sticky notes work just as well for a live session.
  5. Assign owners and responses. A matrix with no owners is a poster. For each risk above your action threshold, name one person responsible and decide the response: avoid it, reduce its likelihood or impact, transfer it, or accept it and monitor. Capture all of this in a RACI matrix or a risk register so the responses outlive the meeting, and revisit the matrix at each project checkpoint.

Risk matrix example: an agency website project

Here is the matrix filled in for a realistic engagement: a fixed-fee website build for a client, run by a small agency over ten weeks. The team listed six risks, rated each on a 5x5 scale, and sorted them by score. The result tells them where to spend their limited risk attention.

| Risk | Likelihood | Impact | Score | Level | Response |
|---|---|---|---|---|---|
| Client slow to approve designs | 4 | 3 | 12 | High | Build approval deadlines into the contract |
| Scope creep on the fixed bid | 4 | 4 | 16 | High | Write a change-order clause; log every request |
| Lead designer leaves mid-project | 2 | 5 | 10 | Medium | Document work weekly; cross-train a second person |
| Third-party API integration fails | 3 | 3 | 9 | Medium | Spike the integration in week one, not week eight |
| Client delays final payment | 3 | 4 | 12 | High | Invoice in milestones; pause work on overdue stages |
| Minor browser bugs at launch | 4 | 1 | 4 | Low | Accept; fix in the post-launch support window |

The ranking is the payoff. Scope creep tops the list at 16, so it gets the firmest contract language and the closest tracking. Minor browser bugs score a 4 and get accepted, because spending scarce attention there would steal it from the risks that can actually sink the project. Notice that the lead designer leaving scores lower than scope creep, even though it feels scarier. That is the matrix doing its job: separating what is dramatic from what is likely. It is also exactly where the matrix can mislead, which the next sections cover.

A risk matrix is one tool in a project manager's kit. It works best alongside a project plan, a clear scope, and a regular review rhythm.

Risk matrices for agency teams

Most risk matrix guides use examples from construction, manufacturing, or enterprise IT. Agency and client-service work has its own risk profile, and the matrix is more useful when it is tuned to it. The risks that hurt a small agency are rarely technical. They are commercial and relational: the client who goes quiet, the scope that grows without a budget change, the one specialist whose departure stalls three projects.

Two adjustments make the matrix fit client work. First, define impact in terms the agency feels. For a fifty-person enterprise team, impact might be measured in millions. For a small agency, define impact in days of delay, percent of the fixed fee at risk, and damage to a referral-driving relationship. A risk that threatens a referral source can outweigh one that costs a few billable hours, even if the dollar figure looks smaller.

Second, run a matrix per client, not one for the whole agency. Each client engagement has different risks, a different relationship, and a different contract. Combining them into one grid hides the client-specific patterns that matter. Teams that keep a project charter per engagement already have the right unit; the risk matrix lives alongside it. The key-person risk in particular, one freelancer or lead carrying critical knowledge, is the single most underrated risk on small teams and belongs on every agency matrix.

The discipline that makes any of this work is cadence. A matrix built at kickoff and never reopened is worthless by week four, because the risks have changed. Pull it up at every milestone or sprint planning session and ask three questions: which risks have closed, which have grown, and what new ones appeared. Five minutes at a standing meeting keeps the matrix honest.

When the risk matrix lies

This is the section the other guides skip. The risk matrix is popular because it is simple, and it is dangerous for the same reason. A body of research, led by Tony Cox and Douglas Hubbard, has shown that the matrix can produce rankings that are not just imprecise but actively wrong. Using it well means knowing where it breaks.

The most cited critique is Louis Anthony "Tony" Cox's 2008 paper in the journal Risk Analysis. Cox showed mathematically that a typical matrix can correctly rank only a small fraction of risk pairs. Under some conditions, it even ranks a smaller risk above a larger one. His conclusion is blunt.

"Risk matrices can mistakenly assign higher qualitative ratings to quantitatively smaller risks. For risks with negatively correlated frequencies and severities, they can be worse than useless." - Louis Anthony Cox Jr., "What's Wrong with Risk Matrices?", Risk Analysis (2008)

Douglas Hubbard makes the practical case in The Failure of Risk Management. He devotes a chapter, titled "Worse Than Useless," to a single argument. The arbitrary boundaries between cells, and the habit of multiplying ordinal scores, add error rather than removing it. A risk scored 3 is not three times a risk scored 1, because the levels are labels, not measurements. Multiplying them produces a number that looks like math but rests on guesses.
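The rank reversal described above can be reproduced in a few lines. This is an added example, not code from the article or from Cox's paper; the equal-width bins, the $100,000 loss scale, the use of probability times loss as the quantitative risk, and every sample value are assumptions constructed for illustration.

```python
from itertools import combinations

LEVELS = 5
MAX_LOSS = 100_000  # assumed worst-case loss in dollars (constructed scale)


def to_level(fraction):
    """Map a value in [0, 1] to an ordinal level 1..5 using equal-width bins (assumed)."""
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("fraction must be within [0, 1]")
    return min(LEVELS, int(fraction * LEVELS) + 1)


def matrix_score(probability, loss):
    """Ordinal score as the page computes it: likelihood level times impact level."""
    return to_level(probability) * to_level(loss / MAX_LOSS)


def expected_loss(probability, loss):
    """Quantitative risk (assumed measure) that the ordinal score stands in for."""
    return probability * loss


def is_reversed(a, b):
    """True when the matrix ranks the pair in the opposite order to expected loss."""
    score_gap = matrix_score(*a) - matrix_score(*b)
    loss_gap = expected_loss(*a) - expected_loss(*b)
    return score_gap * loss_gap < 0


def reversal_rate(risks):
    """Fraction of pairs whose matrix ranking inverts the expected-loss ranking."""
    pairs = list(combinations(risks, 2))
    return sum(is_reversed(a, b) for a, b in pairs) / len(pairs)


# Constructed pair sitting on either side of a likelihood cell boundary.
RISK_A = (0.61, 21_000)  # likelihood level 4, impact level 2
RISK_B = (0.59, 39_000)  # likelihood level 3, impact level 2

# Constructed sweep: every combination of these probabilities and losses.
GRID = [(p / 20, loss) for p in range(1, 20)
        for loss in range(5_000, 100_000, 10_000)]

if __name__ == "__main__":
    for name, risk in (("A", RISK_A), ("B", RISK_B)):
        print(name, "score", matrix_score(*risk),
              "expected loss", round(expected_loss(*risk)))
    print("reversed:", is_reversed(RISK_A, RISK_B))
    print("reversal rate over sweep: {:.1%}".format(reversal_rate(GRID)))
```

Risk A outranks risk B on the grid while carrying roughly half the expected loss, because a two-point difference in probability crosses a cell boundary and an 18,000-dollar difference in loss does not.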

None of this means you should throw the matrix away. It means you should use it for what it is good at and stop trusting it where it fails. Three habits keep it honest:

Treat the cell as a prompt, not a verdict. A risk landing in orange is a signal to discuss the risk, not a final ranking to act on blindly. The value is the conversation the color triggers, not the precision of the score.

Never compare scores across categories as if they were equal. A 12 for a schedule risk and a 12 for a reputation risk are not interchangeable. The matrix sorts within a conversation; it does not give you a single league table of every risk in the business.

Escalate the high-impact, low-likelihood corner by hand. The matrix systematically underweights rare catastrophes, because a low likelihood drags the score down. The lead designer leaving, a data breach, a client going bankrupt: these deserve a human second look even when the math says medium. Where a risk could end the project, judgment overrides the grid.
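The scoring from the agency example combined with the manual escalation habit above, as an added example rather than code from Rock's builder. The band cut-offs (4, 10, 19, 25), the "Critical" label, and the escalation rule (impact 5 with likelihood 2 or lower) are assumptions; the page gives colors and example levels but no numeric thresholds.

```python
from dataclasses import dataclass

# Assumed band cut-offs for a 5x5 grid: (highest score, level, response).
# They agree with the levels shown for the six risks in the article's table.
BANDS = [(4, "Low", "accept"), (10, "Medium", "monitor"),
         (19, "High", "mitigate"), (25, "Critical", "act now")]


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        # Reject ratings outside the 5x5 scale instead of scoring them silently.
        for rating in (self.likelihood, self.impact):
            if rating not in range(1, 6):
                raise ValueError(f"{self.name}: ratings must be integers 1..5")

    @property
    def score(self):
        return self.likelihood * self.impact

    @property
    def level(self):
        return next(label for top, label, _ in BANDS if self.score <= top)

    @property
    def response(self):
        return next(action for top, _, action in BANDS if self.score <= top)

    @property
    def needs_manual_review(self):
        # Assumed rule for the rare-catastrophe corner: top impact, low likelihood.
        return self.impact == 5 and self.likelihood <= 2


# The six risks from the agency website example, with the article's ratings.
REGISTER = [
    Risk("Client slow to approve designs", 4, 3),
    Risk("Scope creep on the fixed bid", 4, 4),
    Risk("Lead designer leaves mid-project", 2, 5),
    Risk("Third-party API integration fails", 3, 3),
    Risk("Client delays final payment", 3, 4),
    Risk("Minor browser bugs at launch", 4, 1),
]


def triage(register):
    """Rank by score, then list separately the risks the score underweights."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    escalated = [r for r in ranked if r.needs_manual_review]
    return ranked, escalated


if __name__ == "__main__":
    ranked, escalated = triage(REGISTER)
    for r in ranked:
        flag = "  <- review by hand" if r in escalated else ""
        print(f"{r.score:>2}  {r.level:<8} {r.response:<9} {r.name}{flag}")
```

The lead designer risk stays at Medium in the ranked list but is returned a second time in the escalation list, so the score orders the discussion and the flag forces the second look.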

Common risk matrix mistakes

Beyond the structural limits, most teams trip on a handful of practical mistakes. Each one is easy to avoid once you have seen it.

  1. Building it once and never reopening it. A risk matrix is a living document. The risks at kickoff are not the risks at week six. A matrix that is built for a proposal and then filed is theater. Review it at every milestone, or it tells you about a project that no longer exists.
  2. Rating risks alone. When one person assigns all the scores, the matrix records that person's blind spots. The disagreement between two raters is the most useful output. Rate as a team and treat every gap in scores as a question to resolve, not an error to average away.
  3. Letting everything pile into the middle. On a 5x5, teams that are unsure default to scoring most risks a 3. The matrix fills its center and tells you nothing. Force the spread: if everything is medium, the scales are not defined sharply enough, or the team is avoiding the hard calls.
  4. Treating the score as precise. A score of 12 is not measurably worse than an 11. The inputs are qualitative judgments, so the output is a rough band, not a decimal. Act on the color and the order, not on small differences between numbers that look exact but are not.
  5. Forgetting owners and responses. A ranked list of risks with no one assigned to them changes nothing. Every risk above the action threshold needs a named owner and a decided response. The matrix points; the owner and the response are what actually reduce the risk.
  6. Ignoring the rare catastrophe. The matrix pushes low-likelihood, high-impact risks into the middle, where they are easy to dismiss. A one-in-twenty chance of a project-ending event is not a medium concern. Pull those risks out for a separate, human-judgment review.

What we recommend at Rock

Rock is not a dedicated risk management tool, and a risk matrix does not need one. The pattern we see among teams who use Rock is simple. They keep the risk register where the work lives. Risks then get reviewed in the same rhythm as tasks, not in a spreadsheet nobody opens.

In practice that looks like a list or board in the project space with one card per risk. Each card carries the likelihood, the impact, the score, the owner, and the response. A simple label or column groups cards by level, which gives the same red-orange-yellow-green read as the grid without a separate file. Because the risks sit next to the tasks they threaten, the weekly review covers them without anyone scheduling a separate risk meeting. That cadence is the whole game; a matrix only protects a project if the team keeps looking at it.

Teams running several client projects in parallel should give each client its own space and risk board. The reason is the same one that says build the matrix per client. The work types, the contracts, and the relationships differ, so the risks do too. Pair the board with a project management framework and the risk review becomes one more checkpoint in a routine the team already runs.

A risk register works as a board or list in the project space, with one card per risk carrying its score, owner, and response.
Free resource: the Project Management template gives you a space with boards ready to hold tasks and a risk register side by side.

Frequently asked questions

What is a risk matrix in simple terms?

A risk matrix is a grid that ranks risks by two questions: how likely is it, and how bad would it be. You rate each risk on both, plot it where the answers meet, and the color of the cell tells you whether to accept, monitor, mitigate, or act now. It turns a list of worries into a ranked set of priorities.

How do you calculate a risk matrix score?

Multiply the likelihood rating by the impact rating. On a 5x5 matrix, a risk rated 4 for likelihood and 3 for impact scores 12. The score sorts risks into bands, usually colored green, yellow, orange, and red, that signal the response. Remember the score is a rough band, not a precise measurement, because the inputs are judgments.

What is a 5x5 risk matrix?

A 5x5 risk matrix uses five levels of likelihood and five levels of impact, creating a grid of twenty-five cells. It is the most common size for project work because it gives enough range to separate priorities without implying more precision than qualitative ratings can support. Scores run from 1 in the safe corner to 25 in the critical corner.

What is the difference between a 3x3 and a 5x5 risk matrix?

A 3x3 has three levels per axis and is faster but coarser, so most risks bunch in the middle. A 5x5 has five levels per axis and gives finer ranking, which suits ongoing project work. Use a 3x3 for quick triage or when a team is new to risk reviews, and a 5x5 once the habit is established.

What are the four risk responses?

The four standard responses to a negative risk are avoid (remove the cause), mitigate (reduce the likelihood or impact), transfer (shift it to a third party, such as through insurance or a contract clause), and accept (acknowledge it and monitor). The matrix score guides which response fits: high scores call for avoid or mitigate, low scores for accept.

Are risk matrices reliable?

They are reliable as a tool for organizing discussion, and unreliable as a precise ranking. Research by Tony Cox and Douglas Hubbard shows a matrix can rank a smaller risk above a larger one, especially in the rare-but-catastrophic corner. Use it to prompt the right conversations, compare risks only within a category, and review high-impact risks by hand rather than trusting the score alone.

A risk matrix is a fast way to rank what could go wrong and decide what to do next. Just treat the score as a prompt, not a prophecy. Build it with the team, review it on a cadence, and pull the rare catastrophes out for a closer look. Rock keeps chat, tasks, and your risk register in one workspace. One flat price, unlimited users. Get started for free.
