What Is a Risk Assessment Matrix?

A risk assessment matrix is the basis for measuring potential risks based on two intersecting factors: the likelihood (or probability) of a security risk-based event occurring, and the consequence (or impact) to an entity if it did.

A risk assessment matrix completes the risk assessment template and is used to derive both current and mitigated risk levels.

Why Use a Risk Assessment Matrix?

As discussed in a previous post, the following data is expected to be documented within the risk assessment template:

  • context (external, internal and security risk);
  • assets and their criticality;
  • threats;
  • an account of the effectiveness of risk controls that currently protect assets from threats;
  • an assessment of individual risks (using the risk assessment matrix), which derives current risk ratings;
  • evaluation of whether these risk ratings are tolerable by the entity;
  • recommendation of mitigation measures if they are not;
  • re-assessment of individual risks (using the risk assessment matrix), which derives residual risk ratings; and
  • the risk owner, and timings for implementation of the controls.

The risk assessment matrix is thus a critical component of the risk assessment, because without it identified risks cannot be assessed or evaluated.

The matrix below shows two axes: the vertical axis represents the Likelihood, and the lateral axis shows the Consequence.


[Figure: Risk Assessment Matrix]


While this matrix, which is derived from the Security Risk Management Body of Knowledge (SRMBoK), presents measures of likelihood in qualitative and quantitative terms, it is not always necessary to do so. In truth, quantitative measures here can more realistically be referred to as semi-quantitative.

It is most common within the security industry, where incident reporting figures are not always available, to apply a qualitative descriptor and approach within the risk assessment matrix; it is not necessary to include both qualitative and quantitative, as has been done here.

Labels used here, which include Rare, Unlikely, Possible, Likely and Almost Certain, are also qualitative. These are very commonly used by practitioners and thus represent a mainstream approach.


Consequence criteria included within an assessment are not always as detailed as they are presented within the matrix above, but considering the impact of a risk across multiple areas of the business is a better practice approach.

In this manner security acts as a catalyst for other functional area managers to consider the potential impacts on their assets, and alerts them to the need for action.

Again, the labels used here, which include Insignificant, Negligible, Moderate, Extensive and Significant, are common, but a range of others are also commonly used by assessors.

Using the Matrix

In applying the risk assessment matrix, assessors decide, in their expert view, the likelihood that a defined risk will occur, then cross-reference this (in this matrix) with the worst-case consequence that may result. The point where these values intersect on the coloured/numbered area of the matrix is the risk level.

It should strike some then that the values/colours on this area of the matrix are key. When designing risk assessment matrices, assessors must ensure that this aspect of the matrix is very carefully considered.

Many assessors complete this instinctively, which can devalue the rigour of, and regard for, an assessment. That said, many risk assessment stakeholders are not necessarily attuned to this, meaning that inaccurate risk results may go unnoticed.

There are also scientific methods to design the elements of a risk assessment matrix, and https://riskmatrix.co/ is one tool that we look to.
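
As an added illustration (not code from this article or from SECTARA), the sketch below applies the cross-referencing step to a small register, deriving current and residual ratings, and first checks that the matrix never rates a risk lower when likelihood or consequence rises. The axis labels are the article's; the cell ratings, the rating names (Low to Extreme), the tolerance threshold, the register entries and the monotonicity check itself are assumptions made for the example.

```python
# Added example: axis labels come from the article; the cell ratings,
# rating names, tolerance threshold and register entries are constructed.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCE = ["Insignificant", "Negligible", "Moderate", "Extensive", "Significant"]
RATINGS = ["Low", "Medium", "High", "Extreme"]  # ordered lowest to highest

# Rows follow LIKELIHOOD, columns follow CONSEQUENCE; values index RATINGS.
MATRIX = [
    [0, 0, 0, 1, 2],  # Rare
    [0, 0, 1, 2, 2],  # Unlikely
    [0, 1, 1, 2, 3],  # Possible
    [0, 1, 2, 3, 3],  # Likely
    [1, 1, 2, 3, 3],  # Almost Certain
]

def design_faults(matrix):
    """Cells rated lower than the cell to their left or directly above them."""
    return [(LIKELIHOOD[r], CONSEQUENCE[c])
            for r, row in enumerate(matrix) for c, level in enumerate(row)
            if (c and row[c - 1] > level) or (r and matrix[r - 1][c] > level)]

def rate(likelihood, consequence, matrix=MATRIX):
    """Cross-reference likelihood with worst-case consequence to get the risk level."""
    return RATINGS[matrix[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]]

def assess(register, tolerable="Medium", matrix=MATRIX):
    """Derive current and residual ratings; flag risks above the tolerable level."""
    if design_faults(matrix):
        raise ValueError("matrix is not monotonic; review its design first")
    limit = RATINGS.index(tolerable)
    results = []
    for risk in register:
        current = rate(*risk["current"], matrix)
        residual = rate(*risk["residual"], matrix)
        results.append({"risk": risk["name"], "current": current, "residual": residual,
                        "needs_treatment": RATINGS.index(current) > limit,
                        "still_intolerable": RATINGS.index(residual) > limit})
    return results

# Constructed register: (likelihood, consequence) before and after mitigation.
REGISTER = [
    {"name": "Theft of laptops from reception",
     "current": ("Likely", "Moderate"), "residual": ("Unlikely", "Moderate")},
    {"name": "Unauthorised access to server room",
     "current": ("Possible", "Significant"), "residual": ("Rare", "Significant")},
]
```

Calling assess(REGISTER) returns one record per risk; a record with still_intolerable set means the recommended controls do not bring the residual rating within tolerance.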

How to get started with SECTARA

If you see the same great benefits that we do in SECTARA, there are several methods to get started:

As a valued subscriber, you will be comprehensively supported via our Ticketing System and Knowledge Base, and you can still always contact us direct when you need to. Best of all, all subscribers are entitled to a free copy of the Security Risk Management Aide-Memoire (SRMAM) when they register (applies to both free and paid plans). SRMAM was written by Julian Talbot, the original author of SRMBoK.

We look forward to seeing you on SECTARA!