📊Business
Risk Matrix Generator
A risk matrix is one of the most widely used tools in enterprise risk management, ISO 27001 risk assessments, and project management. It maps the likelihood of a risk occurring against its potential impact, producing a risk score that guides prioritisation and treatment decisions. This free risk matrix generator lets you add multiple risks, visualise them on a professional 5×5 matrix, and see colour-coded risk ratings that follow standard risk management conventions.
Risk Matrix (likelihood down the rows, impact across the columns; each cell is likelihood × impact; bracketed entries are the register's risks plotted in their cell)

Likelihood \ Impact    Negligible (1)   Minor (2)   Moderate (3)                Major (4)                            Critical (5)
Almost Certain (5)      5               10          15                          20                                   25
Likely (4)              4                8          12                          16                                   20
Possible (3)            3                6           9                          12 [Phishing / credential theft]     15
Unlikely (2)            2                4           6 [Key staff departure]     8                                   10
Rare (1)                1                2           3                           4                                    5

Legend: Low (1–4), Medium (5–9), High (10–16), Critical (17–25)
Risk Register (2 risks)

Score   Risk                          Likelihood × Impact   Owner   Rating
12      Phishing / credential theft   L:3 × I:4             CISO    High
6       Key staff departure           L:2 × I:3             HR      Medium
5×5 risk matrix in the style commonly used for ISO 31000 and ISO 27001 risk assessments (neither standard mandates a particular scale or threshold set; those are defined in your own risk criteria). Use Ctrl+P / Cmd+P to print or save as PDF.
Frequently Asked Questions
What is a risk matrix?
A risk matrix (also called a probability-impact matrix or risk assessment matrix) is a visual tool that plots risks based on their likelihood of occurring and their potential impact if they do. The intersection of these two dimensions produces a risk score, enabling organisations to prioritise risks consistently. Note that the scores are ordinal rankings, not measurements: a score of 12 is not "twice as bad" as a score of 6, and two risks with the same score (for example 5 × 2 and 2 × 5) can have very different profiles.
How do I score likelihood and impact?
On a 1–5 scale: Likelihood 1 = Rare (may occur in exceptional circumstances), 2 = Unlikely (could occur but improbable), 3 = Possible (might occur at some point), 4 = Likely (will probably occur), 5 = Almost Certain (expected to occur regularly). Impact 1 = Negligible, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Critical/Catastrophic.
What do the colour zones mean in a risk matrix?
A common convention: Green (1–4) = Low risk, acceptable with monitoring. Yellow (5–9) = Medium risk, manage and mitigate. Orange (10–16) = High risk, immediate action and treatment plans required. Red (17–25) = Critical risk, escalate immediately and prioritise treatment. The thresholds vary between organisations and should be set from your own risk acceptance criteria; whatever bands you choose, check that they cover every possible score from 1 to 25 exactly once so no risk falls between bands.
How is a risk matrix used in ISO 27001?
ISO 27001 requires organisations to define risk acceptance criteria and a risk assessment process that produces consistent, valid and comparable results on repeated application. A risk matrix with documented likelihood and impact definitions is one common way to meet that requirement. The standard also requires each risk to have an identified owner, to be analysed and evaluated, and to be treated, with the residual risk after treatment accepted by the risk owner against the organisation's risk acceptance criteria.
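As an added worked example (not the generator's own code), the following Python implements the scoring scale, the colour bands and the residual-risk acceptance check described in the three answers above. The two register entries are the ones shown on the page; the residual likelihood/impact values after treatment and the acceptance threshold of 4 are assumptions made for the demonstration.

```python
"""Risk matrix scoring, banding, rendering and residual-risk acceptance.

Added example, not code from the risk matrix generator. Implements the
5x5 likelihood x impact scheme: score = L x I, bands Low 1-4, Medium 5-9,
High 10-16, Critical 17-25. Residual values and the acceptance threshold
used at the bottom are assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}

# (lower bound, upper bound, rating); together they must cover 1..25 exactly once.
BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Critical")]


def validate_bands(bands=BANDS) -> bool:
    """Check that the bands partition the scores 1..25 with no gaps or overlaps.
    Returns True, or raises ValueError naming the first offending score."""
    for s in range(1, 26):
        hits = [label for lo, hi, label in bands if lo <= s <= hi]
        if len(hits) != 1:
            raise ValueError(f"score {s} matches {len(hits)} bands: {hits}")
    return True


def risk_score(likelihood: int, impact: int) -> int:
    """Risk score on the 5x5 matrix: likelihood x impact, both integers in 1..5."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must each be an integer from 1 to 5")
    return likelihood * impact


def risk_rating(s: int) -> str:
    """Map a score to its colour band label."""
    for lo, hi, label in BANDS:
        if lo <= s <= hi:
            return label
    raise ValueError(f"score {s} is outside 1..25")


@dataclass
class Risk:
    name: str
    owner: str
    likelihood: int
    impact: int
    residual_likelihood: Optional[int] = None  # expected after planned treatment
    residual_impact: Optional[int] = None

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def rating(self) -> str:
        return risk_rating(self.score)

    def residual_score(self) -> int:
        """Score after treatment; equals the inherent score when no treatment is planned."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.score
        return risk_score(self.residual_likelihood, self.residual_impact)


def within_acceptance(risk: Risk, max_acceptable_score: int) -> bool:
    """ISO 27001-style check: the residual score must not exceed the acceptance
    threshold (assumed here to be expressed as a plain matrix score)."""
    return risk.residual_score() <= max_acceptable_score


def render_matrix(risks) -> str:
    """Plain-text 5x5 grid, likelihood 5 at the top, impact 1..5 left to right.
    Each cell shows score and band, plus any risks plotted in that cell."""
    placed = {}
    for r in risks:
        placed.setdefault((r.likelihood, r.impact), []).append(r.name)
    corner = "Likelihood \\ Impact"
    lines = [f"{corner:<20}" + "".join(f"{IMPACT[i]:<40}" for i in range(1, 6))]
    for l in range(5, 0, -1):
        row = f"{LIKELIHOOD[l]:<20}"
        for i in range(1, 6):
            cell = f"{l * i} {risk_rating(l * i)}"
            if (l, i) in placed:
                cell += " [" + "; ".join(placed[(l, i)]) + "]"
            row += f"{cell:<40}"
        lines.append(row.rstrip())
    return "\n".join(lines)


# Constructed register: the two risks on the page; residual values are assumed.
REGISTER = [
    Risk("Phishing / credential theft", "CISO", 3, 4, residual_likelihood=2, residual_impact=3),
    Risk("Key staff departure", "HR", 2, 3),
]

if __name__ == "__main__":
    validate_bands()
    print(render_matrix(REGISTER))
    for r in REGISTER:
        verdict = "accepted" if within_acceptance(r, 4) else "needs further treatment"
        print(f"{r.name}: L:{r.likelihood} x I:{r.impact} = {r.score} ({r.rating}); "
              f"residual {r.residual_score()} -> {verdict}")
```

Running the script prints the grid with both register risks placed in their cells and then, for each risk, its inherent score and band followed by the residual score compared against the assumed threshold; with the assumed values, phishing drops from 12 (High) to 6 after treatment, which is still above a threshold of 4, so it stays on the treatment list. `validate_bands` is worth keeping in any real tool: changing one threshold without the matching neighbour silently leaves scores with no band.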
Can I export my risk matrix?
This tool allows you to print or save the risk matrix as a PDF using your browser's built-in print function (Ctrl+P / Cmd+P, then select "Save as PDF"). For full editable exports in Excel or PowerPoint format, consider our downloadable risk register templates (coming soon).
Related Tools
GDPR Fine Estimator (Cybersecurity): Estimate your maximum GDPR fine exposure based on violation type and annual global turnover.
Breach Cost Calculator (Cybersecurity): Estimate the total financial impact of a data breach based on industry, size, and scope.
Meeting Cost (Business): Calculate the real cost of a meeting based on attendees, seniority, and duration.