What a risk matrix is
A risk matrix is a table in which each risk is rated on two scales: probability (how likely the event is) and impact (how much it hurts if it happens). The product of the two ratings is the priority, and the priority places the risk in a zone: red, act now; yellow, keep under control; green, accept.
How to build one in an hour
- List 10–15 risks (cyberattack, IT outage, loss of a supplier, loss of a key person, etc.).
- Rate the probability of each on a 1–3 scale (low/medium/high).
- Rate the impact of each on a 1–3 scale (low/medium/high).
- Multiply the two ratings to get a priority from 1 to 9 (with 3-point scales only the values 1, 2, 3, 4, 6 and 9 can occur).
- Start with the risks scoring 6 to 9 (red zone): they need mitigation measures and a plan. A score of 4 is yellow; 1 to 3 is green.
| Risk | Probability | Impact | Priority |
|---|---|---|---|
| Cyberattack / ransomware | 3 | 3 | 9 (red) |
| Loss of a key supplier | 2 | 3 | 6 (red) |
| Equipment failure | 2 | 2 | 4 (yellow) |
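As an added example (not code from the original article), the following Python function applies the steps above to a risk register: it validates that every rating is within the chosen scale, computes priority = probability × impact, assigns the zone using the thresholds from the article (6 to 9 red, 4 yellow, 1 to 3 green) and returns the register sorted so the red zone comes first. The sample register reuses the three rows of the table above plus two constructed entries; the tie-breaking rule (higher impact first among equal priorities) is an assumption, not something the article prescribes.

```python
"""Score a small risk register the way the article describes (added example)."""
from dataclasses import dataclass

# Zone thresholds from the article for 1-3 scales: 6-9 red, 4 yellow, 1-3 green.
RED_MIN = 6
YELLOW_MIN = 4


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int
    impact: int


@dataclass(frozen=True)
class ScoredRisk:
    name: str
    probability: int
    impact: int
    priority: int
    zone: str


def is_valid_rating(value, scale_max: int = 3) -> bool:
    """A rating must be an integer between 1 and the top of the scale (3 by default)."""
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= scale_max


def zone_for(priority: int, red_min: int = RED_MIN, yellow_min: int = YELLOW_MIN) -> str:
    """Map a priority score to the red / yellow / green zone."""
    if priority >= red_min:
        return "red"
    if priority >= yellow_min:
        return "yellow"
    return "green"


def score_risks(risks, scale_max: int = 3, red_min: int = RED_MIN, yellow_min: int = YELLOW_MIN):
    """Validate ratings, compute priority = probability * impact, assign zones, sort red first.

    scale_max and the thresholds are parameters so the same code can be reused with a
    5-point scale; the thresholds for that variant are not given by the article and are
    the reader's own assumption.
    """
    scored = []
    for r in risks:
        for label, value in (("probability", r.probability), ("impact", r.impact)):
            if not is_valid_rating(value, scale_max):
                raise ValueError(f"{r.name}: {label} must be an integer in 1..{scale_max}, got {value!r}")
        priority = r.probability * r.impact
        scored.append(ScoredRisk(r.name, r.probability, r.impact, priority,
                                 zone_for(priority, red_min, yellow_min)))
    # Highest priority first. Tie-break by impact (assumption: a high-impact risk needs a
    # continuity plan before an equally scored high-probability one), then by name.
    scored.sort(key=lambda s: (-s.priority, -s.impact, s.name))
    return scored


def red_zone(scored):
    """The risks that need mitigation measures and a plan right now."""
    return [s for s in scored if s.zone == "red"]


def render_table(scored) -> str:
    """Render the scored register as a Markdown table like the one in the article."""
    lines = ["| Risk | Probability | Impact | Priority |", "|---|---|---|---|"]
    for s in scored:
        lines.append(f"| {s.name} | {s.probability} | {s.impact} | {s.priority} ({s.zone}) |")
    return "\n".join(lines)


# Constructed sample register: the three rows from the article's table plus two made-up entries.
SAMPLE_REGISTER = [
    Risk("Cyberattack / ransomware", 3, 3),
    Risk("Loss of a key supplier", 2, 3),
    Risk("Equipment failure", 2, 2),
    Risk("Key person loss", 1, 3),
    Risk("Office flooding", 1, 1),
]

if __name__ == "__main__":
    print(render_table(score_risks(SAMPLE_REGISTER)))
```

Running the script prints the sorted table; the two red-zone rows come out on top and the 1×3 "key person loss" entry lands in green, which is the kind of result worth questioning: a 3-point scale cannot distinguish "very unlikely but catastrophic" from "likely but minor", so for a small register it pays to review the green rows with impact 3 by hand.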
What to do with the result
For the red zone, reduce the probability with preventive and protective controls, and reduce the impact by preparing for the case where the risk materialises anyway (a business continuity plan, BCP). The matrix is the entry point to risk management; for individual processes, criticality is assessed in more depth with a business impact analysis (BIA).
FAQ
Which scale to choose — 3 or 5 points?
For small and mid-sized businesses a 1–3 scale for both probability and impact is enough. A 5-point scale is worth the extra effort only when a large number of risks needs finer prioritisation.
How is a risk matrix different from a BIA?
The matrix prioritises risks by probability and impact. The BIA assesses the consequences of downtime for specific processes and sets their recovery time objectives. They are used together: the matrix says which risks to address first, the BIA says which processes must be restored first.