How to use a risk matrix without falling into its traps

Risk Companion

June 2, 2026

Key Takeaways

  • A risk matrix is only as reliable as the definitions behind it. When probability and impact scales lack written anchor examples, assessors are not scoring the same thing, and the resulting heat map reflects collective anxiety more than actual risk exposure.
  • Amber inflation is the most common sign that a risk matrix has stopped working. When risks sit in the same cell for months without moving, the register is recording risks rather than managing them, and the two are not the same thing.
  • Wide disagreement between assessors is not a problem to resolve by averaging the scores. It is a signal that someone has information the others do not, or that the risk is not defined precisely enough to score consistently.
  • A risk matrix shows where risks sit today but cannot show whether the situation is improving. Adding a target assessment alongside the current score, reflecting where the risk should land once measures are applied, turns a static snapshot into a tool that tracks real progress.
  • The risk matrix is a prioritisation tool. Its job is to direct attention toward the risks that matter most and prompt the conversations and follow-up analysis that turn a heat map into actual risk management.

A peer-reviewed study by Tony Cox, published in Risk Analysis in 2008, demonstrated that poorly designed risk matrices do not just produce imprecise rankings. For risks where frequency and severity are negatively correlated, they can produce decisions that are actively worse than random guessing.

This is not an argument for abandoning the risk matrix. Most organisations are not going to replace it, and for good reason. Used well, it is a fast, communicable way to direct attention to the risks that matter most. The problem is that most organisations are not using it well, and the gap between what the matrix promises and what it actually delivers is where risk management quietly breaks down.

This article is for teams that already use a risk matrix and want to get more from it. Rather than explaining what a 5x5 grid is, it names the most common traps specifically and gives you the guidance to avoid them.

The traps you are probably already in

Trap 1: Everyone has a different definition of '3'

Ask five people in your organisation what a probability score of 3 means and you will get five different answers. One person thinks it means roughly once a year, another thinks it means the organisation has seen it happen before, and a third is calibrating against their gut feeling about the current quarter.

This is the most fundamental problem with how most organisations use a risk matrix, and it is also the most fixable. Without written definitions for each score on your probability and impact scales, including real anchor examples, you are not getting consistent assessments but a vote on how anxious people feel about each risk on the day they scored it.

For each level on your probability scale, write a description and attach a concrete example from your own context. For example: 'Probability 3: has occurred at least once in the past three years in our organisation or sector. Example: supplier delivery failure in Q2 of last year.' Apply the same approach to your impact scale and make sure everyone scoring risks is working from the same document. Without that foundation, every risk score is an opinion dressed up as a number.

Trap 2: Everything is amber

Walk into a typical organisation and pull up the risk register. You will often find forty risks: thirty-two of them amber, three green, and five red, the red ones mostly covering things that went wrong once and were added at the time, with none of them updated in the past six months.

This is amber inflation, and it is more common than teams want to admit. Amber feels safe because it is neither alarmist nor dismissive, and marking something amber lets everyone feel like they have acknowledged a risk without committing to do anything about it. In practice, it is a way of recording a risk without actually managing it.

If your matrix is producing a uniform amber cluster, the scoring has not been challenged. A risk that has been amber for two years, with no measures in place and no change in context, should either be moving toward red because it is serious and requires action, or toward green because it is genuinely being managed. A risk that stays amber indefinitely is being recorded, not managed.

A practical rule: any risk that has been in the same cell for more than six months should be reviewed and either re-scored with justification or escalated.

Trap 3: The matrix is treated as an output, not a conversation starter

The risk matrix shows you where your risks cluster, and that is a useful starting point. But the matrix tells you nothing about what to do next, which risks are connected, what is causing them, or whether your existing measures are actually working.

Teams that use the matrix as an endpoint, scoring it, colouring it, and filing it, are treating a navigation tool as a destination. The visual is meant to generate questions, not answer them. Why are three separate risks sitting in the top-right corner? Are they related? Is there a single measure that would address all three, or are they completely independent? These are the questions someone in the room needs to ask, because the matrix cannot answer them.

If your risk review meetings consist of looking at the heat map and confirming that nothing has changed, you are looking at a picture of risk management rather than actually doing it.

Trap 4: Averaging scores instead of analysing disagreement

When a group of people scores a risk, the temptation is to average their scores or to let the loudest voice in the room set the number. Both approaches discard the most valuable information the exercise produces: the disagreement itself.

If one person scores a risk as probability 2 and another scores it as probability 5, averaging to 3.5 and rounding to 4 loses the fact that two people have fundamentally different understandings of how likely this event is. That disagreement is a signal that someone has information the others do not, or that the risk is not well enough defined, or that the probability scale definitions need more work.

When you get wide score variance, the right response is to slow down and understand why, not to average your way through it.

What good practice actually looks like

Define your scales before you score anything

Before your team scores a single risk, agree on what each level of probability and impact means in your context and write it down using real examples. If your organisation operates in logistics, your impact scale should reference delivery failures, regulatory penalties, and customer contract clauses, not generic descriptions like 'significant disruption'.

Defining your scales upfront is not bureaucracy. It is the difference between a score that means something and a score that merely looks like it does.

Use the matrix to prioritise, then do the analysis it cannot do for you

The risk matrix tells you where to focus your attention, and the top-right of your 5x5 grid is where your team's analytical energy should go. But the matrix cannot do the analysis for you. That analysis requires understanding the causes driving each high-scoring risk and the measures in place to address them.

Bow-tie diagrams are particularly useful at this stage. Once you have identified your high-priority risks from the matrix, a bow-tie forces you to map the causes driving each risk and the consequences if it materialises, giving your team the analytical depth that a colour-coded grid cannot provide on its own.

Next to the current assessment, also track the target

A risk matrix without target assessments shows you one data point: where a risk sits today. That is useful for a snapshot but insufficient for managing progress. Adding a target assessment, showing where you expect the risk to land once your measures are fully implemented, gives you something worth tracking over time.

Consider a construction company with twelve risks clustered in the amber zone, each with a range of measures listed against it. Nobody can say whether any of those measures are actually moving the risks because there are no target scores, no due dates, and no way to tell whether the picture is improving or static. The register looks complete. The risk management behind it is not visible at all.

When you can see the gap between where a risk sits now and where it should sit after your measures take effect, you have a basis for managing progress rather than simply recording it.
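The three checks described above, the six-month same-cell rule from Trap 2, reporting assessor spread instead of an average from Trap 4, and the gap between current and target assessment from this section, can be run mechanically over a register. The following is an added example written for this page, not Risk Companion's code or data model; the register, the field names, the 1-5 scales and the thresholds (183 days, a spread of more than 1 point) are constructed assumptions.

```python
"""Register health checks: stale cells, assessor disagreement, target gaps.

Added example for this page, not Risk Companion's code. The register below
is constructed sample data; field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

Cell = Tuple[int, int]  # (probability, impact), each on a 1-5 scale


@dataclass
class Assessment:
    reviewed_on: date
    cell: Cell


@dataclass
class Risk:
    risk_id: str
    title: str
    history: List[Assessment]      # agreed score at each review, oldest first
    votes: Dict[str, Cell]         # individual assessor scores from the latest session
    target: Optional[Cell] = None  # where the risk should land once measures are in place
    open_measures: int = 0


def in_cell_since(risk: Risk) -> date:
    """Date the risk entered its current cell: walk history back while the cell is unchanged."""
    current = risk.history[-1].cell
    since = risk.history[-1].reviewed_on
    for a in reversed(risk.history):
        if a.cell != current:
            break
        since = a.reviewed_on
    return since


def stale_cells(register: List[Risk], today: date, max_days: int = 183) -> List[Tuple[str, int]]:
    """Trap 2: risks whose cell has not changed for more than max_days (the six-month rule)."""
    return [(r.risk_id, (today - in_cell_since(r)).days)
            for r in register if (today - in_cell_since(r)).days > max_days]


def disagreements(register: List[Risk], max_spread: int = 1) -> List[Tuple[str, int, int]]:
    """Trap 4: report the spread of assessor scores instead of averaging it away.

    Returns (risk_id, probability_spread, impact_spread) for risks where either
    spread exceeds max_spread, so the disagreement survives into the review.
    """
    flagged = []
    for r in register:
        probs = [p for p, _ in r.votes.values()]
        imps = [i for _, i in r.votes.values()]
        p_spread, i_spread = max(probs) - min(probs), max(imps) - min(imps)
        if p_spread > max_spread or i_spread > max_spread:
            flagged.append((r.risk_id, p_spread, i_spread))
    return flagged


def target_gaps(register: List[Risk]) -> List[dict]:
    """Current vs target score (probability x impact) and whether measures exist to close the gap."""
    rows = []
    for r in register:
        p, i = r.history[-1].cell
        current = p * i
        if r.target is None:
            rows.append({"risk": r.risk_id, "current": current, "target": None,
                         "gap": None, "note": "no target: progress cannot be measured"})
            continue
        tp, ti = r.target
        gap = current - tp * ti
        if gap > 0 and r.open_measures == 0:
            note = "target set but no measures to reach it"
        elif gap <= 0:
            note = "at or below target"
        else:
            note = f"{r.open_measures} measure(s) open"
        rows.append({"risk": r.risk_id, "current": current, "target": tp * ti, "gap": gap, "note": note})
    return rows


# Constructed sample register (not real data).
REGISTER = [
    Risk("R1", "Supplier delivery failure",
         history=[Assessment(date(2025, 3, 1), (3, 3)), Assessment(date(2025, 9, 1), (3, 3)),
                  Assessment(date(2026, 3, 1), (3, 3))],
         votes={"ops": (3, 3), "finance": (3, 3), "procurement": (3, 3)},
         target=(2, 3), open_measures=0),
    Risk("R2", "Key-person dependency",
         history=[Assessment(date(2026, 1, 15), (4, 4)), Assessment(date(2026, 4, 15), (3, 4))],
         votes={"ops": (2, 4), "hr": (5, 4), "finance": (3, 4)},
         target=(2, 3), open_measures=2),
    Risk("R3", "Regulatory penalty",
         history=[Assessment(date(2026, 4, 15), (2, 5))],
         votes={"legal": (2, 5), "ops": (2, 4)}),
]
TODAY = date(2026, 6, 1)  # constructed review date

if __name__ == "__main__":
    print("stale:", stale_cells(REGISTER, TODAY))
    print("disagreement:", disagreements(REGISTER))
    for row in target_gaps(REGISTER):
        print(row)
```

On this sample, R1 has sat in the same cell since March 2025 and has a target with no measures behind it, so it is flagged twice; R2's agreed probability of 3 happens to equal the rounded mean of votes 2, 5 and 3, which is exactly how averaging hides a three-point disagreement, and the spread is what gets reported instead; R3 has no target, so nothing about its progress can be measured.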

Challenge both ends of your matrix, red and green, not just the middle

The natural instinct is to focus attention on the red risks and leave the green ones alone, but both ends of the matrix deserve more scrutiny than they typically receive.

Red risks that are high-priority but have well-established, effective measures in place may genuinely belong lower in the matrix. Not moving them creates noise and distracts attention from risks that have neither mitigation nor an owner. Equally, green risks that have been green for years are sometimes green because nobody has looked at them recently, not because they are genuinely well-managed.

Schedule a deliberate review of both ends of your matrix at least once a year. You will usually find at least one risk that has been miscategorised, either through optimism or neglect.

What software can and cannot do for your risk matrix

A tool like Risk Companion's risk matrix does not remove the need for the practices above, but it does remove the friction that makes good practice hard to sustain.

When your matrix lives in a spreadsheet, updating a score means opening a file, finding the right row, editing the cell, saving the file, and hoping nobody else has saved a different version in the meantime. When measures are managed in email threads and target assessments do not exist, you cannot show anyone whether the risk picture is improving or simply being maintained.

Risk Companion connects probability and impact scores directly to the measures assigned to each risk, with named owners and due dates. Overdue measures surface automatically. The gap between initial and target assessments is visible at a glance. And the risk matrix updates in real time as your team works, not when someone remembers to update the spreadsheet.

The judgement about what each score means, whether a risk has been correctly categorised, and what to do about the risks that matter most stays with your team. What the tool provides is clean, current data to support that judgement rather than a spreadsheet full of stale numbers nobody fully trusts.

The matrix is not the enemy

If your risk register disappeared tomorrow, would anything actually change about how your team operates?

For too many organisations, the honest answer is no, because the matrix has become a reporting artefact rather than a working tool, updated quarterly, presented to the board, and filed away until next time. The risks that actually derail projects and budgets are often not in the top-right of the heat map at all. They are the ones that never made it into the register, or the ones that have been amber so long that nobody looks at them anymore.

The risk matrix is a useful tool with real limitations, and those limitations become dangerous when teams forget they exist. The teams that get the most value from it are the ones that treat it as a starting point for a conversation rather than the conclusion of one, and that keep asking questions the matrix cannot answer for them.

Try it yourself

Risk Companion's free 14-day trial generates a demo project based on your organisation's profile, so you can see exactly how a structured risk matrix works in practice before you build your own. No credit card required.

Frequently Asked Questions

A risk matrix plots risks by probability and impact, giving teams a visual overview of which risks deserve the most attention. It is a prioritisation tool. The analysis needed to understand causes, consequences, and whether measures are working goes beyond what the matrix itself can provide.