Inputs
Choose a scale, define thresholds, then add risks. Submit to generate the matrix, ranking, and chart.
Example Data Table
Use this sample to understand expected inputs and how the ranking behaves.
| Risk | Likelihood | Impact | Owner | Due date | Notes |
|---|---|---|---|---|---|
| Vendor delay | 4 | 3 | Ops | 2026-04-22 | Backup supplier and buffer stock. |
| Scope creep | 3 | 4 | PMO | 2026-04-15 | Change control with weekly approvals. |
| Compliance gap | 2 | 5 | Legal | 2026-04-11 | Audit checklist and evidence repository. |
Formula Used
The matrix assigns a numerical priority score to each risk using:
Categories are derived from your thresholds. This supports consistent prioritization and helps justify mitigation focus across teams.
How to Use This Calculator
- Pick a scale maximum that matches your policy.
- Set thresholds so categories align with risk appetite.
- Rename likelihood and impact labels to match your wording.
- Add risks with an owner, due date, and mitigation notes.
- Press Submit to generate the matrix and ranked table.
- Use the download buttons to export CSV or PDF reports.
Scale definitions that reduce debate
Use a single ordinal scale for likelihood and impact so estimates stay comparable across teams. For example, map likelihood to frequency bands such as rare once in five years, unlikely yearly, possible quarterly, likely monthly, and almost certain weekly. Map impact to measurable consequences such as cost, schedule slip, safety exposure, or regulatory severity. Clear definitions cut meeting time and improve auditability.
Thresholds aligned to risk appetite
Convert the score into decision bands using thresholds that match appetite. On a 1–5 matrix the maximum score is 25, so common cut points are 4, 9, and 16. Low items can be accepted or monitored, Medium items should have owners and mitigations, High items require management review, and Extreme items trigger immediate escalation. Adjust boundaries to reflect criticality and available resources.
Reading equal scores with different drivers
Multiplying likelihood by impact creates a useful spread, but identical scores can hide nuance. A score of 12 could be 4×3 or 3×4. The first indicates frequent friction with moderate damage; the second suggests rarer events with heavier consequences. Use the scatter plot to see whether prevention, detection, or contingency planning will reduce exposure fastest.
Prioritization for action and governance
After scoring, rank risks and assign accountability. Sorting by score highlights the few drivers of overall exposure, while adding owner and due date turns analysis into delivery. Keep mitigation notes brief and specific, with a leading action verb and measurable completion criteria. Re-score after controls land so governance focuses on trend, not static snapshots.
Reporting discipline with exports
Exports support consistent reporting. A CSV file feeds registers, dashboards, and portfolio rollups, while a PDF snapshot preserves context for gate approvals and audits. Include the scale, thresholds, and timestamp in every export so comparisons remain valid. When stakeholders change, exports prevent re-litigating why a risk was prioritized and what was agreed.
Calibration using evidence and feedback
Improve scoring quality through calibration. Review the top risks quarterly, compare ratings to incidents and near misses, and refine definitions where levels overlap. Capture examples for each level, then run short calibration sessions so new participants align quickly. Over time the matrix becomes a dependable decision tool, not a subjective worksheet. For faster, clearer decisions.
FAQs
What scale should I use for likelihood and impact?
Use 1–5 for most teams because it’s simple and comparable. Use 1–7 when you need finer granularity or stricter governance thresholds.
Why multiply likelihood and impact instead of adding?
Multiplication creates a wider spread of priorities and highlights high-severity combinations. It also matches common risk registers and matrix conventions.
How do I set thresholds for Low, Medium, High, and Extreme?
Start with Low≤4, Medium≤9, High≤16 for a 1–5 scale. Adjust downward for tighter risk appetite or upward for fewer escalations.
How many risks should I enter at one time?
Enter the top 10–30 active risks for practical reviews. For large programs, create separate registers by workstream and consolidate the highest scores.
How can I reduce bias in scoring?
Define each level with concrete criteria and examples. Calibrate using past incidents, review disagreements openly, and re-score periodically as evidence changes.
Can I use this for cyber, compliance, or operational risks?
Yes. The method is domain-neutral. Update impact labels to match your outcomes, such as downtime, financial loss, safety harm, or regulatory exposure.