Working with projects, programs, and portfolios generates a lot of data. For example, in project management you have data such as planned start, planned cost, planned story points, total number of risks, etc. That said, data on its own doesn’t give you or a stakeholder any real value. The real value comes when you analyze the data and extract intelligence out of it. This, in turn, becomes valuable information. I’m referring to things such as start variance, cost variance, and the number of high priority vs number of low priority risks.
Even so, information on its own is also insufficient. It has to be communicated in the right way and in the right format. Management practitioners call this information reports, which, in turn, facilitate effective communication.
In this article, we will learn about one particular report, the Risk Matrix Report. This is widely used by risk management practitioners across projects, programs and portfolios.
I’ll first outline the foundational blocks of creating the risk matrix, followed by building a risk matrix scoring scheme (instrumental in plotting the risk matrix). Next, I’ll show how to generate pre- and post-mitigated risk matrix reports. And finally, I’ll share a few advanced concepts such as using other risk assessment parameters or generating a butterfly risk matrix report. In many places, I’ll be using the Primavera Risk Analysis tool to create these risk matrix reports. You can just as easily use MS Word and/or MS Excel to create such reports.
Before we proceed, let’s look at the definition of an individual risk. As per Project Management Institute (PMI):
“A risk is an uncertain event or condition that, if it occurs, will have a positive or negative impact on one or more objectives of the project.”
As you can see, a risk has two key elements: an element of uncertainty or probability, and an element of impact or consequence. Based on this, we can consider a few foundational concepts next, which will help us to build the risk matrix.
The Probability Scales
Probability of a risk is the evaluated chance that an event will occur given existing conditions. You could also say probability is the chance or likelihood of occurrence. The estimated probability of an individual risk is tied to a well-defined risk event or condition.
The probability of risk occurrence is decided in the risk management planning process, and it’s applicable for both threats (negative risks) and opportunities (positive risks). The probability scale can be numeric, textual, or a combination of both. Sample probability scales with associated textual values are shown in the below table.
As you can see, the probability of risk occurrence is considered to be “Very High” if there is more than an 80% chance of the risk occurring, whereas probability will be “Very Low” if the risk has a 1% to 10% chance of occurrence.
The Impact Scales
Another arm of individual risk is the impact of the risk to the project, program, or portfolio if the risk occurs and is fully realized. Risk impact is measured as a deviation from the project’s scope, schedule, cost, and performance baselines or objectives. You could say risk impact is the consequence or effect of the risk, if and when the risk happens.
While developing impact scales, you have to consider the impact type. This is likely defined in terms of scope, cost, quality, etc., whereas impact scales can be numeric, textual, or in ranges based on impact types. Every impact scale is clearly defined with deviations from the expected baseline data.
Like probability scales, impact scales are also defined in the risk management planning process. They are applicable to both threats and opportunities, too. An example impact scale with associated numeric and textual values is shown in the below table.
Notice that the schedule impact for a risk is considered to be “Very High” if the schedule is delayed by more than 30 days, whereas the impact is “Very Low” if the schedule is delayed by 1 to 5 days. Similarly, other impact types with associated scales are defined in the above table.
The Appetite or Tolerance Scales
Another scale to look at when building a risk matrix is the risk appetite scale or tolerance scale. Risk appetite is the degree of uncertainty a stakeholder is willing to accept in anticipation of a reward, whereas risk tolerance is the degree of uncertainty a stakeholder will withstand. This is typically expressed in ranges. The latter is less frequently used now, compared to the former. However, I’ll use appetite and tolerance interchangeably.
It is wise to determine appetite levels before getting too far into building a risk matrix. This is because they drive color coding for the risks. The color coding used will be dependent on the risk score, which is the multiplication of probability and impact values of a risk. This calculation and subsequent color assignment, in turn, will enable prioritizing of risks in the risk matrix. For example, the higher the risk score, the higher the risk priority. A sample for tolerance/appetite scales with associated risk scores and color coding is shown in the below table.
Building Risk Matrix with a Scoring Scheme
Now that we have looked at the foundational blocks available for creating a Risk Matrix, let’s go ahead and create one. A risk matrix can be in a 5×4, 5×3, or 3×4 grid format. For the sake of example, we will create a 5×5 probability and impact grid. This risk matrix is also known as risk assessment matrix or probability-impact (PI) matrix.
A 5×5 risk matrix is shown in the below figure. The probability and impact scoring values in the risk matrix are calculated as follows:
- Probability factors from VL to VH as 1, 3, 5, 7, and 9, respectively.
- Impact factors from VL to VH as 0.5, 1, 2, 4 and 8, respectively.
- The numbers generated by multiplying the probability and impact factors are rounded up to the nearest whole number.
One can take a simple linear scale for both probability and impact scoring values, such as 1, 2, 3, 4, and 5. However, as seen in various situations in the real world, it’s usually better represented with exponential values, particularly for the impact, just as I have shown here with 0.5, 1, 2, 4, and 8 (numbers are exponentially increasing at a 2x rate).
The risk score is calculated by multiplying probability and impact factors in the above table. For a risk with a “High %” probability and “Medium” impact, the score is figured as shown below:
Probability (High %) × Impact (Medium)
= 7 × 2
Now, I’ll demonstrate how to apply the color coding scheme based on the Risk Appetite or Tolerance Scales, which we have already discussed. These results are shown in the below table.
Now we have a Risk Matrix Scoring Scheme with three zones for prioritization of risks. The three zones are as follows:
- High priority zones (in red)
- Medium priority zones (in yellow)
- Low priority zones (in green)
Using the risk analysis tool, the risk matrix scoring scheme will appear as shown below.
A key thing to note in the above figure is this: going forward, the risk score will be based on the “Highest Impact” value. For example, if there are three different impacts for scope, schedule, and cost as High (H), Very High (VH), and Medium (M), respectively, then the overall impact of the risk will be Very High (VH). This is because the schedule has the highest impact (Very High) across all the impact types.
Generating a Pre-mitigated Risk Matrix Report
Finally, it’s time to generate the risk matrix reports. To generate these, I take the actual data and information from the Risk Register. The risk register is a repository where the details of individual project risks are recorded along with all their respective fields.
In our case, the risk register is shown below using the risk analysis tool. At this stage, the risks are not mitigated, and therefore, you could say the register is a pre-mitigated risk register.
Our risk register has a total of 7 risks (from Risk 001 to Risk 007), with various fields populated such as risk ID, risk type, risk title, risk probability, impacts, and risk score. Risk type denotes the risk as a threat (T) or an opportunity (O). Let’s take one risk to understand how the risk score is calculated. Do note that based on the risk score, the risk will be plotted in the risk matrix.
For Risk 001 (Title – Poor understanding of design specification):
- Probability = Medium (M)
- Schedule impact = High (H)
- Cost impact = Medium (M)
- Performance impact = Very High (VH)
- Scope impact = High (H)
- Quality impact = High (H)
Hence, the overall impact of Risk 001 is Very High (VH), as we are considering the “Highest Impact” value for the risk score.
The pre-mitigated risk score for Risk 001 will be as follows:
= Probability × Impact
= Medium (M) × Very High (VH)
= 5 * 8
Similarly, risk scores have been calculated for the rest of the six individual project risks.
When this data from the above risk register is compiled and the pre-mitigated risk matrix report is generated, we will get the following matrix:
As shown above, Risk 004, Risk 001, and Risk 005 are the top three high priority risks, followed by Risk 007, Risk 002, and Risk 006, respectively. Risk 003 is of the least priority. In other words, as I’ve noted earlier, a risk matrix helps with risk prioritization and visually shows prioritized risks or risk levels.
Generating a Post-mitigated Risk Matrix Report
The risk register, after its creation during risk identification, passes through many risk management processes: risk qualification, risk quantification, risk response planning, and risk response implementation. The fields in the risk register are updated accordingly, as well.
As you implement risk responses and take action to mitigate probability and/or impact of a risk, the score of each risk is hopefully brought down.
This, in turn, creates the post-mitigated risk register, which is shown below.
Here, we have brought down the risk score for the risks in the register. As you can see, Risk 001’s risk score is now “4” (earlier it was “40”), the risk score for Risk 005 is now “2” (earlier it was “56”), and so on. The score calculation follows the same process I outlined above while discussing the pre-mitigated risk register.
For example, post mitigation, the data for Risk 001 (Title – Poor understanding of design specification) is as follows:
- Probability = Very Low (VL)
- Schedule impact = High (H)
- Cost impact = Medium (M)
- Performance impact = Very Low (VL)
- Scope impact = Medium (M)
- Quality impact = Medium (M)
Hence, the overall impact is High (H), as we are considering the “Highest Impact” value for the risk score.
The post-mitigated risk score for Risk 001 will be:
= Probability × Impact
= Very Low (VL) × High (H)
= 1 * 4
As we take data from the register and generate the post-mitigated risk matrix report, it will show as below.
Risk scores for the three high priority risks (Risk 004, Risk 001, and Risk 005) are now brought significantly down. Similarly, the same has occurred for Risk 007 and Risk 002.
Using Additional Risk Parameters
Risk management has a number of additions and changes in the latest edition of the PMBOK Guide. You, as a risk management practitioner, can now include additional risk assessment parameters such as risk manageability, risk urgency, risk propinquity, etc.
Let’s consider one such parameter, risk manageability, which indicates the ease with which the risk can be managed. In other words, if the risk is easily manageable, the risk manageability score will be higher. Risk manageability is only scaled with weighting factors, a sample of which is shown below.
Here, a risk considered “difficult” to manage will have a lower weighting factor as compared to a risk considered “very easy” to manage. Correspondingly, this risk manageability value will impact the score of the risk being considered.
Let’s look at one risk from our pre-mitigated risk register to understand. For Risk 001, risk manageability is valued as “difficult.” As you apply the risk manageability factor to this risk, the risk score will change from “40” to “32.”
For Risk 001 (Title – Poor understanding of design specification), the calculation is determined as shown below:
- Earlier pre-mitigated score = 40.
- Risk manageability value is “difficult,” so the weighting factor = 0.8
- New pre-mitigated score = 40 × 0.8 = 32
This is depicted in the pre-mitigated risk register as shown below.
For Risk 001, the pre-mitigated score is now 32. Earlier the risk score was 40. And for Risk 006, which is an opportunity, the pre-mitigated risk score has gone up to 8, from an earlier value of 7. Did you notice? At this stage it is worth noting that risk management is fundamentally about minimizing individual project threats and maximizing the individual project opportunities.
If you are using other risk assessment parameters such as risk urgency, risk proximity, etc., you can model these parameters in the risk register, calculate the pre-mitigated risk scores, and then proceed with risk response implementation to calculate the final, post-mitigated risk scores.
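The scoring steps described in this article (the probability and impact factors, rounding up, the “Highest Impact” rule, and the manageability weighting), worked through for Risk 001 as an added Python example. It is not part of the original article or of the risk analysis tool; the function names are hypothetical, and rounding the weighted score to the nearest whole number is an assumption.

```python
import math

LEVELS = ["VL", "L", "M", "H", "VH"]                  # Very Low .. Very High
PROBABILITY = dict(zip(LEVELS, [1, 3, 5, 7, 9]))      # factors from the article
IMPACT = dict(zip(LEVELS, [0.5, 1, 2, 4, 8]))         # factors from the article


def cell_score(probability, impact):
    """Probability factor x impact factor, rounded up to a whole number."""
    return math.ceil(PROBABILITY[probability] * IMPACT[impact])


def scoring_grid():
    """The 5x5 scoring scheme as grid[probability][impact]."""
    return {p: {i: cell_score(p, i) for i in LEVELS} for p in LEVELS}


def overall_impact(impacts):
    """'Highest Impact' rule: the highest level across all impact types."""
    return max(impacts.values(), key=LEVELS.index)


def risk_score(probability, impacts, manageability_weight=1.0):
    """Score one register entry, optionally weighted by manageability."""
    base = cell_score(probability, overall_impact(impacts))
    # Assumption: the weighted score is rounded to the nearest whole number.
    return round(base * manageability_weight)


# Risk 001 as listed in the article, before and after mitigation.
RISK_001_PRE = {"probability": "M", "impacts": {
    "schedule": "H", "cost": "M", "performance": "VH", "scope": "H", "quality": "H"}}
RISK_001_POST = {"probability": "VL", "impacts": {
    "schedule": "H", "cost": "M", "performance": "VL", "scope": "M", "quality": "M"}}

if __name__ == "__main__":
    grid = scoring_grid()
    print("P\\I " + "".join(f"{i:>4}" for i in LEVELS))
    for p in reversed(LEVELS):                        # Very High row on top
        print(f"{p:<4}" + "".join(f"{grid[p][i]:>4}" for i in LEVELS))
    pre = risk_score(RISK_001_PRE["probability"], RISK_001_PRE["impacts"])
    post = risk_score(RISK_001_POST["probability"], RISK_001_POST["impacts"])
    weighted = risk_score(RISK_001_PRE["probability"], RISK_001_PRE["impacts"], 0.8)
    print("Risk 001 pre:", pre, "post:", post, "pre with manageability 0.8:", weighted)
```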
Butterfly Risk Matrix Report
Many times, stakeholders want to see both the threats and opportunities in a single risk matrix report. In such cases, a butterfly risk matrix report can be used. It is called a butterfly matrix because of its shape (the two wings on either side resemble a butterfly).
The below pre-mitigation butterfly matrix is generated from the pre-mitigated risk register’s data with the help of a risk analysis tool.
Let’s understand how the above butterfly risk matrix can be read and interpreted.
- The matrix is divided into two wings—the left wing is for opportunities or positive risks, whereas the right wing is for threats or negative risks.
- For both wings, on the X-axis, we have the impact, whereas on the Y-axis, we have the probability.
- In our case, Risk 006 is an opportunity as shown in the pre-mitigated risk register. Hence, it’s plotted on the left wing.
- Again, in our example, Risk 005, Risk 004, Risk 001, Risk 007, Risk 002, and Risk 003 are all threats. Hence, they are plotted on the right wing.
- The prioritization of risk along with the color-coded highlighting and counts are shown on both sides of the butterfly matrix.
Like a pre-mitigation butterfly matrix report, you can also create a post-mitigation butterfly matrix.
Irrespective of the number of processes, practices, and principles that you follow for risk management in your organization, risk matrix reports are likely to be useful in managing and monitoring risks. Additionally, if you are an aspiring Risk Management Professional (RMP), you will need to understand how risk matrix reports are interpreted. In fact, on the RMP exam, you should expect situational as well as graphical questions on this topic.
 Online Course: Practical Risk Management Professional (RMP) with Primavera Risk Analysis, by Satya Narayan Dash
 Book: I Want To Be A RMP: The Plain and Simple Way To Be A RMP, 2nd Edition, by Satya Narayan Dash
 Project Management Body of Knowledge (PMBOK) Guide, 6th Edition, by Project Management Institute (PMI)
 The Standard for Risk Management in Portfolios, Programs, and Projects, by Project Management Institute (PMI).