What is a Risk Matrix, and what are they used for?

A risk matrix is a chart that displays the likelihoods and consequences associated with risk. The matrix can vary in size from a simple 1×1 chart to more complex matrices with many axes.


They help you decide how to mitigate the risks identified within your processes.

In this blog post, we’ll discuss:


What is a risk matrix?

Below, you can see an example of a simple 3×3 risk matrix taken from the Agility System’s risk control feature. As you can see the horizontal axis shows the probability of an event occurring. The vertical axis then shows the impact if it occurs.


The cells show where different combinations of probabilities and effects would fall on this scale (e.g., high impact but low probability events).


This analysis helps you understand which risks are more important than others, ‌manage risk, and perform a risk assessment.


An example of a 3x3 risk matrix
Example of a 3x3 risk matrix

Why is a risk matrix important?

The importance of using a risk matrix is that it helps you make better decisions on how to handle risk. Almost all risk matrices will include the following information: 


  • The impact of the risk and its mitigation
  • The probability of occurrence (e.g., what is the chance that this will happen)
  • The likelihood that your organisation could prevent an event from happening

When used within a risk matrix, this information shows where is best to focus resources. These resources mitigate risks that may have become more severe or costly problems.

How do you create a risk matrix?

We can create a risk matrix using many methods. The most common way is using a software tool that auto-generates a risk matrix based on the inputs provided by the user. This section will focus on how someone would create a 5×5 risk matrix using the Agility System’s risk control module.


To begin, we need to organise our risk matrix into two columns with rows. Each row represents a risk, and each column represents a category of information about the risk. The cells in the matrix contain scores for each category, which can be ‌numerical or descriptive. We can assign numerical scores based on how well an item matches its description (if something is ‘highly likely’, it would get a score of 5).

An example of a 5x5 Risk Matrix created in the Agility System

The scores are weighted so that certain categories are more important than others when deciding how to deal with risks. For example, we might see the spillage of hazardous substances in the workplace as something that has both a ‘possible’ probability of happening and a ‘moderate’ level of consequence.


It’s at this point it’s important to define a risk rating key for your matrix. This key will allow your workforce to always follow the correct ‌protocol to mitigate the risk.

After creating and defining the risk matrix and its ratings, the organisation can now use it for any related environmental risks. It will also give the workforce clear guidance on how to mitigate these types of risks.


Note: If you’d like to learn about our risk control software and how it can apply to your business, our business analysts can explain everything we do and give you a personalised demo of our software.

What are the different types of risk matrices?

Since the number of rows does not have to equal the number of columns, we can create a variety of different risk matrices. We’ve already seen an example of a 5×5 and 3×3 risk matrix. Other common types include:

1x1 risk matrix

The 1×1 risk matrix is a risk matrix that is only one column wide. It is used to evaluate the risk of a single decision or action.

10x10, 20x20 and 100x100 risk matrices

  • 10×10 risk matrix has 10 rows and 10 columns
  • 20×20 risk matrix has 20 rows and 20 columns
  • 100×100 risk matrix has 100 rows and 100 columns

You can also create rectangular matrices, which are simply those with over one row (horizontal) or column (vertical).

The next steps

Risk matrices are a useful tool to help you manage your business risks. You can use them to analyse the risks you have identified and then turn them into action.


ISO 9001:2015 indicates that risk-based thinking needs to be considered within any management system. This means taking preventive action inherent to planning, operation, analysis and evaluation activities


The Agility System can help with this. Our system allows you to create a risk matrix and apply it to your processes. This ensures that risk-based thinking is always taken into consideration by your workforce.


Request an online demo today and one of our experienced business analysts will contact you to discuss your business needs and show you how the Agility System can support your people and processes.

Revisit a section

Peter Shields
Peter Shields

With extensive experience of Quality Management, Risk & Compliance in the Energy, Nuclear & Defence industries since 1979, Peter formed BusinessPort in 1996 to specialise in Process-based Management Systems delivering both Performance and Compliance.

More insights