A risk matrix is a visual tool that helps organisations identify, score, and prioritise risks based on two variables: the likelihood of a risk occurring and the severity of its impact if it does. The result is a grid — typically 3×3 or 5×5 — that categorises each risk as low, medium, or high priority.
Most risk matrices fail before they are ever used. Not because the methodology is wrong — because the team that built them skipped the three steps that make a matrix actually useful and jumped straight to the spreadsheet.
If you are building your first risk matrix, or rebuilding one that nobody looks at, this is the guide you need.
A risk matrix plots risks on a grid based on two axes: likelihood (how probable the risk is to materialise, from rare to almost certain) and impact (how severe the consequences would be, from minor to critical). Each risk lands in a cell that determines its priority — and therefore how much attention and resources it deserves.
Simple in concept. Surprisingly easy to get wrong in practice.
According to Pirani's Risk Management Study 2026: Africa Chapter, 62% of organisations cite risk management culture as their primary challenge — a gap that often starts with how the risk matrix is built, not with the risks themselves.
| | 3×3 Matrix | 5×5 Matrix |
|---|---|---|
| Complexity | Low — faster to build and maintain | Medium — more granular and precise |
| Best for | Small teams, early-stage frameworks | Mid-to-large institutions, regulatory requirements |
| Risk differentiation | 3 levels (low, medium, high) | 5 levels — finer prioritisation |
| Regulatory fit | Acceptable for basic compliance | Expected by CBN, BoG, and Prudential Authority |
| Recommended when | Starting from scratch | Framework is established or maturing |
Most financial institutions in West Africa and South Africa use 5×5 matrices aligned with Basel III and local regulatory expectations. If you are just starting, a 3×3 is a legitimate first step — build the habit first, add granularity later.
The most common mistake is opening a spreadsheet and immediately asking "what are our risks?" before the team has agreed on what the organisation is trying to protect, what its objectives are, and what level of risk is acceptable.
A financial institution may tolerate moderate operational risks but have zero tolerance for regulatory compliance failures. That distinction — your risk appetite (the level of risk your organisation is willing to accept in pursuit of its objectives) — needs to be defined before you score anything. Without it, two people will look at the same risk and call it "high" and "medium" respectively, and your matrix will reflect opinions, not analysis.
Before you build: document your scope (which processes, units, or objectives are covered), your risk categories (operational, compliance, financial, reputational), and your risk appetite by category. One page is enough.
A 5×5 matrix has five levels of likelihood (how probable a risk is to occur) and five levels of impact (how severe the consequences would be). The mistake most teams make is labelling them — "rare, unlikely, possible, likely, almost certain" — without defining what each label means in concrete terms for their organisation.
Define each level specifically. For likelihood: "Rare = less than once in five years. Unlikely = once every two to five years. Possible = once per year." For impact: "Minor = no regulatory consequence, operational disruption under 4 hours. Moderate = potential regulatory notification required, disruption 4–24 hours."
The definitions will feel tedious to write. They are the most important part of the matrix.
When teams sit in a room and brainstorm "what are our risks?", they produce a list of categories — fraud risk, credit risk, operational risk — not actual risks. A risk is not a category. A risk is a specific event that could prevent a specific objective from being achieved.
Work process by process instead. For each key process in scope, ask: what could go wrong here? What internal failure, external event, or control weakness could cause this process to fail? This produces specific, actionable risks — "failure of core banking system during end-of-day settlement" rather than "technology risk."
Ready to start right now? Download Pirani's free Risk Matrix template in Excel — it includes a process register and risk register section built for exactly this approach. Or skip the spreadsheet entirely and build your matrix directly in Pirani's free account — with owners, controls, and board-ready reporting included from day one.
With your scales defined and your risks identified, scoring is straightforward: assign a likelihood score and an impact score to each risk, multiply them to get a risk rating, and plot each risk on the matrix.
Labelling too many risks as high can dilute focus, create panic, and undermine prioritisation. If everything is red, nothing is. A useful matrix has a realistic distribution — most risks in the medium range, a small number genuinely high, and a handful low enough to monitor but not act on immediately.
Every risk that lands in the medium-to-high zone needs an owner — a named person responsible for the control that mitigates it. Without ownership, a risk matrix is a document. With ownership, it becomes a management tool.
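The scales, scoring, appetite and ownership steps above, worked through as an added example (not Pirani's template or code). Levels Rare, Unlikely and Possible, and Minor and Moderate, use the thresholds the article gives; the remaining levels, the low/medium/high bands on the 1–25 scale, the per-category appetite and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass

BANDS = ["low", "medium", "high"]
APPETITE = {"operational": "medium", "compliance": "low"}  # constructed: highest tolerated band

def likelihood_level(events_per_year: float) -> int:
    """Estimated frequency -> 1..5 (Rare/Unlikely/Possible per the article; 4 and 5 assumed)."""
    if events_per_year < 0.2:      # Rare: less than once in five years
        return 1
    if events_per_year <= 0.5:     # Unlikely: once every two to five years
        return 2
    if events_per_year <= 1:       # Possible: once per year
        return 3
    return 4 if events_per_year <= 12 else 5   # Likely (up to monthly) / Almost certain

def impact_level(disruption_hours: float, regulatory: str) -> int:
    """Consequence -> 1..5; regulatory is 'none', 'notification' or 'breach' (constructed)."""
    if regulatory == "breach":     # Critical: an actual regulatory breach (assumed)
        return 5
    if regulatory == "none" and disruption_hours < 4:   # Minor, per the article
        return 1
    if disruption_hours <= 24:     # Moderate: notification may be required, 4-24 h
        return 2
    return 3 if disruption_hours <= 72 else 4   # Major / Severe (assumed thresholds)

@dataclass
class Risk:
    name: str                      # a specific event, never a category
    category: str
    events_per_year: float
    disruption_hours: float
    regulatory: str
    owner: str = ""                # named person responsible for the mitigating control

def rating(r: Risk) -> int:
    return likelihood_level(r.events_per_year) * impact_level(r.disruption_hours, r.regulatory)

def band(score: int) -> str:
    return "low" if score <= 4 else "medium" if score <= 12 else "high"  # assumed bands on 1..25

def needs_action(r: Risk) -> bool:
    b = band(rating(r))
    over_appetite = BANDS.index(b) > BANDS.index(APPETITE.get(r.category, "medium"))
    return over_appetite or (b != "low" and not r.owner)   # medium-to-high risks need an owner

SAMPLE = [  # constructed risks, phrased as specific events the way step 3 recommends
    Risk("Core banking outage during end-of-day settlement", "operational", 1, 6, "notification", "Head of IT"),
    Risk("Missed regulatory return filing deadline", "compliance", 1, 2, "notification"),
    Risk("Branch power failure exceeding UPS runtime", "operational", 3, 2, "none"),
]
```

Two people scoring the same risk now reach the same cell because the scale is defined in hours and frequencies, not adjectives; the compliance risk is flagged even at "medium" because its category's appetite is lower.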
A quarterly 60-minute review is enough for most organisations. The questions are simple: which risks materialised? Which controls underperformed? What new risks have emerged? Has our risk appetite changed?
Document the review. That documentation is what regulators — including the Bank of Ghana, the CBN, and the South African Prudential Authority — increasingly ask to see as evidence of an active, maintained risk management framework.
It is not the methodology. It is not the software. It is whether the people who own the risks actually use it.
A matrix built in a workshop, validated with department heads, and reviewed quarterly becomes part of how the organisation makes decisions. A matrix built by the risk team alone and sent to leadership as a PDF becomes a file nobody opens.
Build it with the people who will use it. Start simple — ISO 31000 recommends exactly this: proportionate, iterative, embedded in real processes.
Want to learn how to build and use a risk matrix with a live example? Join the next session of the Pirani Risk Management School — this month's topic is exactly this. Free, every third Wednesday.
What is a risk matrix? A risk matrix is a tool that plots risks on a grid based on their likelihood of occurring and the severity of their potential impact. It helps organisations visualise, prioritise, and communicate risks — and is a core component of any operational risk management framework aligned with ISO 31000 or COSO ERM.
What is the difference between a 3×3 and a 5×5 risk matrix? A 3×3 matrix uses three levels of likelihood and three levels of impact — simpler and faster to complete, but less precise. A 5×5 matrix offers finer granularity and is better suited for organisations with a more complex risk profile or stronger regulatory requirements. Most financial institutions in West Africa and South Africa use 5×5 matrices aligned with Basel III and local regulatory expectations.
How often should a risk matrix be reviewed? At minimum, quarterly. A 60-minute review covering materialised risks, control performance, new risks, and risk appetite validity is sufficient for most organisations. Reviews should also be triggered by significant events — regulatory changes, new products, market entry, or major operational incidents. The Bank of Ghana's Risk Management Directive and the CBN's ERM guidelines both reference periodic review as a core requirement.
Who should own the risk matrix? The CRO or Risk Manager typically owns the methodology and process. But individual risks should be owned by the managers of the processes they affect — not centralised in the risk team. Distributed ownership is what makes a risk matrix a management tool rather than a compliance document.
Is a risk matrix the same as a risk register? No, but they are closely related. A risk register is the full inventory of identified risks, with causes, controls, owners, and ratings. A risk matrix is the visual representation of those risks plotted by likelihood and impact. In practice, the register feeds the matrix — you cannot have a meaningful matrix without a well-maintained risk register.
Where can I download a free risk matrix template? Pirani's free Risk Matrix template in Excel includes a process register, risk register, and rating section — ready to use immediately. If you want to go beyond a static spreadsheet, you can also build your matrix directly in Pirani for free.