ISO 31000 Risk Matrix: Likelihood × Consequence
A practical, colour-coded 5×5 risk matrix aligned to the ISO 31000 risk management framework. Use it to prioritise risks, communicate risk levels to stakeholders, and drive treatment decisions.
What Is an ISO 31000 Risk Matrix?
A risk matrix is a visual tool that maps the likelihood of a risk event occurring against the consequence (impact) if it does occur. The intersection of these two dimensions produces a risk rating that helps organisations prioritise which risks require immediate treatment and which can be accepted or monitored.
ISO 31000:2018 describes a six-step risk management process that includes risk identification, risk analysis, and risk evaluation. A risk matrix is one of the most widely used tools for the analysis and evaluation steps. It translates qualitative or semi-quantitative assessments into a visual format that boards, executives, and operational teams can act on.
The matrix below uses a standard 5×5 format — five likelihood levels and five consequence levels — which is the most common configuration in Australian organisations and aligns with guidance in AS/NZS ISO 31000:2018 and the international standard IEC 31010 (risk assessment techniques).
5×5 Risk Matrix: Likelihood vs Consequence
| Likelihood ↓ Consequence → | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | Medium | High | High | Extreme | Extreme |
| Likely | Medium | Medium | High | High | Extreme |
| Possible | Low | Medium | Medium | High | High |
| Unlikely | Low | Low | Medium | Medium | High |
| Rare | Low | Low | Low | Medium | Medium |
Risk Level Definitions
Low
Accept and monitor. No specific treatment plan required. Review during routine risk assessments.
Medium
Manage with standard controls. Assign an owner and monitor regularly. Escalate if conditions change.
High
Requires senior management attention. Develop a treatment plan with defined actions, owners, and deadlines.
Extreme
Requires immediate executive action. Halt or modify the activity until the risk is reduced to an acceptable level.
How to Build Your Risk Matrix — Step by Step
Follow these six steps to create a risk matrix calibrated to your organisation's context, as described in the ISO 31000 framework.
Define your risk criteria
Establish the criteria your organisation will use to evaluate risk significance. ISO 31000 clause 6.4 requires that criteria reflect your objectives, stakeholder expectations, and risk appetite. Document what "unacceptable" looks like before you start assessing.
Set your likelihood scale
Define five levels of likelihood with clear, measurable descriptions. Use frequency-based definitions (e.g., "Expected to occur more than once per year") rather than vague terms. See the likelihood scale table below.
Set your consequence scale
Define five levels of consequence across the impact dimensions relevant to your organisation — financial, operational, reputational, safety, regulatory. Each level should have a specific threshold, not just a label.
Map existing risks onto the matrix
For each identified risk, assess its likelihood and consequence using the scales you defined. Plot the risk in the corresponding cell. Consider both inherent risk (before controls) and residual risk (after existing controls).
Assign risk ratings and priorities
Each cell produces a risk rating (Low, Medium, High, Extreme). Use these ratings to prioritise treatment actions. Extreme and High risks typically require a formal treatment plan with defined owners and deadlines.
Review and update regularly
Risk is dynamic. Review your matrix quarterly at a minimum, and after any significant incident, organisational change, or regulatory update. ISO 31000 emphasises that monitoring and review runs continuously throughout the process.
Defining Your Scales
The most common reason risk matrices fail is vague scale definitions. Each level must be specific enough that two different assessors would assign the same rating to the same risk. Below are example scales that you can adapt to your organisation's context.
Likelihood Scale
| Level | Rating | Description | Example Frequency |
|---|---|---|---|
| 5 | Almost Certain | Expected to occur in most circumstances | More than once per year |
| 4 | Likely | Will probably occur in most circumstances | Once per year |
| 3 | Possible | Could occur at some time | Once every 1–3 years |
| 2 | Unlikely | Not expected but possible | Once every 3–10 years |
| 1 | Rare | May occur only in exceptional circumstances | Less than once in 10 years |
Consequence Scale
| Level | Rating | Financial Impact | Operational Impact |
|---|---|---|---|
| 5 | Catastrophic | Threatens organisational survival | Complete loss of critical operations for >1 month |
| 4 | Major | Significant financial loss requiring board attention | Major disruption to operations for >1 week |
| 3 | Moderate | Material financial loss manageable within budget | Disruption to some operations for >1 day |
| 2 | Minor | Small financial loss absorbed within normal operations | Minor disruption, quickly resolved |
| 1 | Insignificant | Negligible financial impact | No meaningful operational impact |
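To make the build steps above concrete, here is an added example (not part of the page or its template) that encodes the page's 5×5 matrix and scales, checks that the matrix is consistently calibrated, and rates a small constructed risk register against it. The `Risk` fields, the register entries and the ratings chosen for them are assumptions for illustration only.

```python
from dataclasses import dataclass

RATINGS = ["Low", "Medium", "High", "Extreme"]  # ascending severity
RANK = {name: i for i, name in enumerate(RATINGS)}
# The page's 5x5 matrix: rows Rare -> Almost Certain (likelihood 1..5), columns
# Insignificant -> Catastrophic (consequence 1..5); MATRIX[l - 1][c - 1] is the rating.
MATRIX = [
    ["Low", "Low", "Low", "Medium", "Medium"],         # Rare
    ["Low", "Low", "Medium", "Medium", "High"],        # Unlikely
    ["Low", "Medium", "Medium", "High", "High"],       # Possible
    ["Medium", "Medium", "High", "High", "Extreme"],   # Likely
    ["Medium", "High", "High", "Extreme", "Extreme"],  # Almost Certain
]

def validate_matrix(matrix):
    """Calibration check: a rating must never fall as likelihood or consequence rises."""
    for li in range(5):
        for ci in range(5):
            here = RANK[matrix[li][ci]]
            if ci > 0 and RANK[matrix[li][ci - 1]] > here:
                return False
            if li > 0 and RANK[matrix[li - 1][ci]] > here:
                return False
    return True

def rate(likelihood, consequence):
    """Map a (1..5, 1..5) assessment from the scale tables to Low/Medium/High/Extreme."""
    return MATRIX[likelihood - 1][consequence - 1]

@dataclass
class Risk:  # assumed register fields, mirroring the page's template columns
    description: str
    owner: str
    inherent: tuple   # (likelihood, consequence) before controls
    residual: tuple   # (likelihood, consequence) after existing controls

def assess(register):
    """Rate each risk; highest residual rating first; High/Extreme need a treatment plan."""
    rows = []
    for r in register:
        inh, res = rate(*r.inherent), rate(*r.residual)
        rows.append((r.description, r.owner, inh, res, res in ("High", "Extreme")))
    return sorted(rows, key=lambda row: RANK[row[3]], reverse=True)

# Constructed sample register (illustrative values, not real assessments).
REGISTER = [
    Risk("Ransomware on file servers", "CISO", (4, 5), (2, 4)),
    Risk("Phishing credential theft", "IT Ops", (5, 3), (4, 3)),
    Risk("Office power outage", "Facilities", (3, 1), (3, 1)),
]
```

Running `validate_matrix` on your own calibrated grid catches the cell-ordering errors that produce the inconsistent ratings described under Mistake 1.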
Common Risk Matrix Mistakes
A risk matrix is only as useful as the thinking behind it. Avoid these common pitfalls:
Mistake 1
Using vague scale definitions. If "Likely" means different things to different people, your risk ratings will be inconsistent. Define each level with measurable thresholds — frequencies, dollar amounts, or operational timeframes.
Mistake 2
Not calibrating to your organisation's context. A $50,000 loss is "Catastrophic" for a startup and "Insignificant" for a bank. Your consequence scale must reflect your organisation's size, risk appetite, and operating environment.
Mistake 3
Treating the matrix as the entire risk assessment. A risk matrix is one output of risk analysis — not a replacement for the full ISO 31000 process. It should be supported by risk registers, treatment plans, and monitoring activities.
Mistake 4
Not reviewing after incidents. A risk matrix is a living document. If a "Rare" event occurs, your likelihood rating was wrong — update it. Trigger-based reviews are as important as scheduled reviews.
Mistake 5
Using a single matrix for all risk types. Cyber risks, safety risks, and financial risks may need different consequence scales. Consider domain-specific matrices that roll up into an enterprise-level view.
Download: Free ISO 31000 Risk Matrix Template
Get a ready-to-use 5×5 risk matrix template that includes:
- Pre-defined likelihood and consequence scales with measurable thresholds
- Colour-coded risk rating grid (Low, Medium, High, Extreme)
- Example risk register with columns for risk description, owner, inherent rating, controls, and residual rating
- Guidance notes for adapting the template to your organisation's context
The template aligns with AS/NZS ISO 31000:2018 and is used by Australian organisations across government, finance, healthcare, and critical infrastructure.
Resources
Continue building your risk management knowledge:
- ISO 31000 Overview — The hub page covering ISO 31000 fundamentals and Australian adoption.
- ISO 31000 Risk Management Guide — Deep dive into the principles, framework, and six-step process.
- PECB ISO 31000 Risk Manager — Self-paced eLearning with exam voucher ($599 AUD).
- ISO 27001 Certification Guide — The information security management system that uses ISO 31000 risk methodology.
- ControlStack — Browse ISO 27001, Essential Eight, and ISM controls alongside risk management guidance.
- Free Resources — Download templates, checklists, and implementation guides.
Frequently Asked Questions
Common questions about ISO 31000 risk matrices.
What is a 5×5 risk matrix?
A 5×5 risk matrix is a grid that maps five levels of likelihood (Rare to Almost Certain) against five levels of consequence (Insignificant to Catastrophic) to produce 25 possible risk ratings. Each cell is classified as Low, Medium, High, or Extreme, giving organisations a visual tool to prioritise which risks need immediate treatment and which can be monitored.
How do you calculate risk in ISO 31000?
ISO 31000 does not prescribe a single formula. In practice, most organisations use Risk = Likelihood × Consequence as a starting point. The standard emphasises that risk analysis should consider the sources of risk, their positive and negative consequences, the likelihood of those consequences, existing controls, and the level of confidence in the analysis. A risk matrix is one tool for visualising the output of this analysis.
What are the 5 levels of risk?
A typical 5-level risk scale includes: (1) Low — accept and monitor, (2) Medium — manage with standard controls, (3) High — requires senior management attention and a treatment plan, (4) Extreme — requires immediate executive action, and (5) Critical — used in some frameworks for risks that threaten organisational survival. ISO 31000 does not mandate specific levels; organisations define them based on their own risk appetite and context.
What is the difference between a risk matrix and a heat map?
A risk matrix is a structured grid with defined likelihood and consequence scales used during risk analysis. A heat map is a colour-coded visual representation often used to communicate risk assessment results to stakeholders. In practice, the terms are used interchangeably, but a heat map is typically a presentation layer on top of the underlying risk matrix data.
Is a risk matrix mandatory in ISO 31000?
No. ISO 31000 is a guidelines standard, not a requirements standard, so nothing in it is mandatory. The standard describes the risk management process — including risk identification, analysis, and evaluation — but does not prescribe specific tools. A risk matrix is one of the most common tools organisations use to implement the analysis and evaluation steps, but alternatives such as bow-tie analysis, Monte Carlo simulation, and fault tree analysis are equally valid.
How often should a risk matrix be reviewed?
ISO 31000 recommends that risk management be iterative and dynamic. In practice, most organisations review their risk matrix quarterly at a minimum, with additional reviews triggered by significant incidents, changes in business context, new regulatory requirements, or the completion of risk treatment actions. The review frequency should be proportionate to the rate of change in your operating environment.
Master Risk Management with ISO 31000
The PECB ISO 31000 Risk Manager credential validates your ability to build risk frameworks, facilitate risk assessments, and apply the matrix methodology in practice — from enterprise risk registers to board-level reporting.