GovernStack
Compliance27 May 2026·6 min read

What is a Risk Matrix? A Practical Guide for ISO 27001 and Business Risk

A risk matrix maps likelihood against impact to score and prioritise risks. This guide explains how to build one, what the colour zones mean, and how it fits into ISO 27001 and ISO 31000.

A risk matrix is one of the most widely used tools in enterprise risk management, project management, and information security. It provides a simple, visual way to assess and prioritise risks by mapping two dimensions — the likelihood of a risk occurring and the impact if it does. The resulting score guides decisions about which risks need immediate action, which can be monitored, and which are acceptable.

How a risk matrix works

In a standard 5×5 risk matrix, each dimension is scored on a scale of 1 to 5. Likelihood and impact are multiplied together to produce a risk score from 1 (lowest) to 25 (highest). The matrix is colour-coded into risk zones:

Score rangeRisk levelTypical response
1–4Low (Green)Accept and monitor
5–9Medium (Yellow)Manage and mitigate
10–16High (Orange)Immediate action required
17–25Critical (Red)Escalate immediately

Scoring likelihood

The likelihood scale reflects how probable it is that the risk will materialise. Standard definitions for a 1–5 scale:

  • 1 — Rare: May occur only in exceptional circumstances. Less than once in 10 years.
  • 2 — Unlikely: Could occur but not expected. Once in 5–10 years.
  • 3 — Possible: Might occur at some point. Once in 2–5 years.
  • 4 — Likely: Will probably occur in most circumstances. At least once a year.
  • 5 — Almost certain: Expected to occur regularly. Multiple times per year.

Scoring impact

Impact measures the consequence if the risk does occur. Definitions vary by organisation but typically follow this pattern:

  • 1 — Negligible: Minimal disruption, no financial loss, resolved in hours.
  • 2 — Minor: Small financial loss, brief disruption, managed at operational level.
  • 3 — Moderate: Noticeable financial loss, temporary service degradation, management attention required.
  • 4 — Major: Significant financial loss, extended disruption, reputational damage, senior management involvement.
  • 5 — Critical/Catastrophic: Severe financial loss, potential insolvency, regulatory action, long-term reputational damage.

Risk matrix in ISO 27001

ISO 27001 — the international standard for information security management systems — requires organisations to conduct a systematic information security risk assessment. A risk matrix satisfies this requirement by providing a consistent, documented, and repeatable scoring methodology.

Under ISO 27001:2022, the risk assessment must:

  • Identify information security risks associated with the loss of confidentiality, integrity, and availability
  • Assign owners to each identified risk
  • Assess the likelihood and consequences of each risk
  • Determine risk levels and prioritise them against a defined risk appetite
  • Document the process so it can be reproduced consistently

The output of the risk assessment feeds directly into the Risk Treatment Plan — where you document what you will do about each risk: accept, avoid, transfer (e.g. through insurance), or mitigate (implementing controls from Annex A).

Residual risk and risk appetite

Inherent risk is the raw score before any controls are applied. Residual risk is the score after controls are in place. Most organisations aim to bring residual risk below a defined threshold — this threshold is the risk appetite.

For example, a ransomware attack might have an inherent score of 4 (Likely) × 5 (Critical) = 20. After implementing endpoint detection, offline backups, and incident response planning, the residual likelihood might fall to 2, giving a residual score of 10 — within an acceptable appetite of 12.

Common mistakes when building a risk matrix

  • Scoring by committee — when everyone scores independently and results are averaged, outliers are hidden. Discuss scores openly and reach a consensus.
  • Inconsistent impact definitions — "major" means different things to a startup and a FTSE 100 company. Define impact in financial terms your organisation can anchor to.
  • Treating the matrix as a one-time exercise — risk registers go stale. Review and update quarterly or after significant changes to your environment.
  • Ignoring low-probability, high-impact risks — a 1×5 = 5 risk (medium) might represent a catastrophic but rare event. Low scores don't mean low priority for tail risks.
Build and visualise your risk register with the GovernStack Risk Matrix Generator — a 5×5 colour-coded matrix following ISO 31000 and ISO 27001 conventions, with a live risk register sorted by score.