5x5 risk matrix: the practical guide

The 5x5 risk matrix is the most widely used tool in risk management, and the most misunderstood. Here's a step-by-step guide with examples, and an interactive matrix you can use right on the page.

What is a 5x5 risk matrix?

A 5x5 risk matrix is a visualisation tool where each risk is placed in a grid based on two dimensions: **likelihood** (how probable it is that the risk occurs) and **consequence** (how serious it is if it does). Each is rated on a 1–5 scale.

The product of the two (L × C) gives a **risk score between 1 and 25**. The score maps to a severity level (low, medium, high, or critical), usually shown as colours from green to red.

The matrix is a standard component of ISO 31000-based risk management, ISO 27005 (information security), project risk analysis per PMBOK, and many other frameworks.

Try the matrix directly

Below is the full scoring grid with four example risks placed in it, so you can see how the matrix works in practice.

| Likelihood ↓ \ Consequence → | 1 Negligible | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
|---|---|---|---|---|---|
| 5 Almost certain | 5 | 10 | 15 | 20 | 25 |
| 4 Likely | 4 | 8 | 12 * | 16 | 20 |
| 3 Possible | 3 | 6 | 9 | 12 * | 15 * |
| 2 Unlikely | 2 | 4 | 6 | 8 | 10 * |
| 1 Rare | 1 | 2 | 3 | 4 | 5 |

Cells marked * each hold one of the four example risks:

  • 15 · Unauthorised access to customer data (Likelihood 3 × Consequence 5) · Critical
  • 12 · Key person leaves (Likelihood 3 × Consequence 4) · High
  • 10 · Ransomware attack (Likelihood 2 × Consequence 5) · High
  • 12 · Delayed vendor (Likelihood 4 × Consequence 3) · High

The likelihood scale (1–5)

  • 1. Rare

    Could occur but unlikely within the assessment period. E.g. once per 10 years.

  • 2. Unlikely

    May occur but rarely. E.g. once per 5 years.

  • 3. Possible

    Has happened before or can be expected. E.g. once per 2–3 years.

  • 4. Likely

    Occurs recurrently. E.g. once per year.

  • 5. Almost certain

    Occurs regularly or is imminent. E.g. multiple times per year.

The consequence scale (1–5)

  • 1. Negligible

    Marginal impact. Handled within normal operations. No or very small cost.

  • 2. Minor

    Noticeable but limited. Requires action but not executive intervention. Small cost.

  • 3. Moderate

    Clear negative impact. Requires executive intervention. Significant cost or time loss.

  • 4. Major

    Large impact on the business. Public trust may be damaged. Large costs.

  • 5. Catastrophic

    Existential threat. Regulatory sanction, legal risk, extensive financial damage.

How the score is interpreted

  • Low (1–3): acceptable

    Document and monitor. No immediate action required.

  • Medium (4–7): watch-listed

    Consider action. Could become a problem if nothing is done.

  • High (8–14): action required

    A structured action plan is needed. Review regularly.

  • Critical (15–25): immediate action

    Top priority. Often board-level reporting or escalation to executive leadership.

Using the matrix in practice

  • 1. Identify risks

    Brainstorm with key people. Complement with AI suggestions from RiskNote or similar.

  • 2. Assess likelihood (1–5)

    Use the scale consistently. Have definitions available for everyone assessing.

  • 3. Assess consequence (1–5)

    Think worst-case without exaggeration. Consequences can be financial, operational, reputational, or regulatory.

  • 4. Place in the matrix

    Automatic in tools like RiskNote. Manual in Excel, where the conditional formatting has to be maintained.

  • 5. Prioritise actions

    Critical risks first. Document actions per risk.

  • 6. Review regularly

    Quarterly is standard. Risks move in the matrix as actions are implemented.

Common pitfalls with the 5x5 matrix

  • All risks end up in the middle

    A sign the scale isn't well defined. Make sure assessors have clear criteria for each level.

  • The matrix never gets updated

    Matrices produced once and filed away are worthless. Set a review cadence.

  • Only one person assesses

    Risk is subjective. Assess in pairs or groups, otherwise you get one person's view, not the organisation's.

  • Ignoring black swans

    Low-likelihood but catastrophic risks (L=1, C=5) score only 5 and land in the green-yellow zone, yet they can be existential. Apply qualitative judgement, not just the score.

  • The matrix as end, not means

    The matrix is a tool for communication and prioritisation. Actual risk management happens in the action plans, not in the matrix.
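As an added example (not code from the page or from RiskNote), the following Python puts the guide's scoring and interpretation rules, the prioritisation step, the placement in the matrix and the black-swan check into a small risk register. The four risks are the ones shown in the guide's matrix; the fifth entry, the action texts, the `is_black_swan` rule and every function name are constructed for this example.

```python
from dataclasses import dataclass, field

# Severity bands exactly as the guide defines them (score = likelihood x consequence).
SEVERITY_BANDS = [
    (1, 3, "Low"),
    (4, 7, "Medium"),
    (8, 14, "High"),
    (15, 25, "Critical"),
]
PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def risk_score(likelihood: int, consequence: int) -> int:
    """Multiplicative score (1-25); rejects ratings that are off the 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("consequence", consequence)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value!r}")
    return likelihood * consequence


def severity(score: int) -> str:
    """Map a 1-25 score onto the guide's Low / Medium / High / Critical bands."""
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside 1-25")


@dataclass
class Risk:
    title: str
    likelihood: int
    consequence: int
    actions: list = field(default_factory=list)  # step 5: document actions per risk

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.consequence)

    @property
    def severity(self) -> str:
        return severity(self.score)

    @property
    def is_black_swan(self) -> bool:
        # Catastrophic consequence whose rare likelihood keeps the score out of
        # the High/Critical bands. The guide says to apply qualitative judgement
        # here; flagging rather than auto-escalating is this example's choice.
        return self.consequence == 5 and self.severity in ("Low", "Medium")


def prioritise(register):
    """Order for action: Critical first, then by score, then worst consequence first."""
    return sorted(register, key=lambda r: (PRIORITY[r.severity], -r.score, -r.consequence))


def matrix_cells(register):
    """Group risk titles by their (likelihood, consequence) cell, as a tool does when plotting."""
    cells = {}
    for r in register:
        cells.setdefault((r.likelihood, r.consequence), []).append(r.title)
    return cells


def render_matrix(register) -> str:
    """Text grid: likelihood 5..1 top to bottom, consequence 1..5 left to right.
    A cell shows its score and, in brackets, how many risks sit in it."""
    cells = matrix_cells(register)
    lines = ["L\\C" + "".join(f"{c:>7}" for c in range(1, 6))]
    for l in range(5, 0, -1):
        row = [f"{l:<3}"]
        for c in range(1, 6):
            n = len(cells.get((l, c), []))
            cell = f"{l * c}({n})" if n else str(l * c)
            row.append(f"{cell:>7}")
        lines.append("".join(row))
    return "\n".join(lines)


# The four example risks from the guide's matrix, plus one constructed
# black-swan entry (L=1, C=5) to exercise the qualitative-review flag.
# Action texts are constructed for the example.
SAMPLE_REGISTER = [
    Risk("Unauthorised access to customer data", 3, 5, ["Enforce MFA", "Quarterly access review"]),
    Risk("Key person leaves", 3, 4, ["Document key processes"]),
    Risk("Ransomware attack", 2, 5, ["Offline backups", "Tested restore"]),
    Risk("Delayed vendor", 4, 3),
    Risk("Primary data centre destroyed (constructed example)", 1, 5),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        flag = "  <- black swan, review qualitatively" if r.is_black_swan else ""
        print(f"{r.score:>2} {r.severity:<8} {r.title}{flag}")
    print(render_matrix(SAMPLE_REGISTER))
```

Running it lists the register in action order (the Critical customer-data risk first, the two 12-point risks next with the worse consequence ahead) and prints the grid with occupied cells marked, which is the same placement the guide's matrix shows. The constructed L=1, C=5 entry scores only 5 and sorts last, which is exactly why it is flagged for qualitative review instead of being left to the score.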

Frequently asked questions about the 5x5 matrix

Why 5x5 and not 3x3?

3x3 is too coarse. You only get 9 combinations and lose the nuance needed to separate “important” from “very important”. 5x5 is the most common choice.

Should L and C be multiplied or added?

Practice is multiplication. It ensures that a genuinely low rating on one dimension results in a low total. Addition can give the same score to qualitatively different risks (e.g. L=5 + C=1 = 6 = L=3 + C=3), so avoid it.
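To make the FAQ answer concrete, here is an added Python check (not from the page) that scores all 25 cells of the grid under both rules and compares them. The function names (`multiply`, `add`, `anti_diagonal`, `ceiling_fraction` and so on) are chosen for this example; the severity bands are the guide's and are meant for the multiplicative score.

```python
from itertools import product

SCALE = range(1, 6)
# Severity bands as the guide defines them for the multiplicative score.
SEVERITY_BANDS = [(1, 3, "Low"), (4, 7, "Medium"), (8, 14, "High"), (15, 25, "Critical")]


def multiply(likelihood, consequence):
    return likelihood * consequence


def add(likelihood, consequence):
    return likelihood + consequence


def severity(score):
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside 1-25")


def distinct_scores(combine):
    """How many different score values the rule produces across the 25 cells."""
    return len({combine(l, c) for l, c in product(SCALE, SCALE)})


def anti_diagonal(total):
    """Cells with L + C == total: exactly the risks that addition cannot tell apart."""
    return [(l, c) for l, c in product(SCALE, SCALE) if l + c == total]


def scores_on(cells, combine):
    """Score each given cell under a rule, keyed by (L, C)."""
    return {cell: combine(*cell) for cell in cells}


def bands_on(cells, combine):
    """Set of severity bands the given cells fall into under a rule."""
    return {severity(s) for s in scores_on(cells, combine).values()}


def ceiling_fraction(combine):
    """Highest score reachable with likelihood 1, as a fraction of the rule's maximum.
    Shows how far a 'rare' risk can climb the scale under each rule."""
    top = max(combine(l, c) for l, c in product(SCALE, SCALE))
    return max(combine(1, c) for c in SCALE) / top


if __name__ == "__main__":
    cells = anti_diagonal(6)  # (1,5) (2,4) (3,3) (4,2) (5,1); includes the FAQ's example pair
    for name, rule in (("addition", add), ("multiplication", multiply)):
        print(f"{name}: {distinct_scores(rule)} distinct scores; "
              f"L+C=6 cells -> {scores_on(cells, rule)}; "
              f"rare-likelihood ceiling {ceiling_fraction(rule):.0%} of the maximum")
    print("bands on L+C=6 under multiplication:", sorted(bands_on(cells, multiply)))
```

Addition yields only 9 distinct values and gives every cell on the L+C=6 diagonal the same 6, so a rare catastrophe, a moderate/moderate risk and an almost-certain nuisance are indistinguishable. Multiplication spreads those same cells over 5, 8 and 9 (Medium and High) and caps a likelihood-1 risk at 20% of the scale, against 60% under addition.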

How do we define risk tolerance?

Risk tolerance is the organisation's statement of what risks are acceptable. Define score thresholds (e.g. “risks above 12 require board decision”), and tie them to the organisation's strategy and capacity to handle risk.

How often should the matrix be updated?

At least annually for strategic risks. Quarterly for operational risks. Per sprint or steering meeting for project risks. Always on major change (new vendor, system switch, regulatory change).

Can we have different matrices for different risk types?

Yes. Many organisations have separate matrices for strategic, operational, financial, and compliance risks. But the same 5x5 framework can apply to all.

Build your living risk register

The 5x5 matrix is just a visualisation layer. The risk management itself needs a register that lives: one that is updated, shared and tracked. Try RiskNote for free.