Probability/Impact Matrix
How can probability/impact matrix support strategic choice or positioning?
Contents
The probability/impact matrix is used to determine the overall priority of each risk in the risk register to the program. It also serves as way to.
A probability/impact matrix helps a programme prioritise uncertain events by combining the likelihood of occurrence with the magnitude of effect on objectives. It also gives stakeholders a shared visual language—often red, amber and green—for discussing escalation and response. The colour or label is an aid to judgment, not the risk itself.
When to use it
- Prioritise risks recorded in a programme risk register.
- Align teams on probability, impact and escalation thresholds.
- Communicate a portfolio of risks to governance bodies.
- Reassess exposure after responses, new evidence or changing stakeholder tolerance.
Context
This artefact supports programme risk management and must be tailored to the organisation’s objectives, governance, stakeholders, delivery lifecycle and risk appetite. Define scales and thresholds before scoring live risks so that participants do not move the rules to obtain a preferred colour.
What it is
Risk probability describes uncertainty about whether an event will occur. Impact describes the consequence for agreed objectives if it does. A matrix maps the two assessments to a priority band.
Probability/Impact Matrix
Probability
Impact Very High High Medium Low Very Low
Catastrophic Very High High Moderate Moderate Very Low
Critical High High Moderate Very Low Very Low
Marginal Moderate Moderate Very Low Very Low None
Negligible Moderate Low Very Low None None
Before assigning priority, consider:
The time the risk is expected to occur
The programme phase in which exposure exists
Whether probability or impact is expected to change
The date after which the risk no longer affects the programme
The ease of managing or controlling the risk
The completeness and clarity of the risk description
The programme’s vulnerability if the event occurs
Whether the cause sits within the programme or elsewhere
Review the matrix as responses are implemented, risks close and new risks enter
the register. Record the resulting priority and rationale in the risk register.
The matrix can be qualitative or linked to defined quantitative ranges. Impact may need separate dimensions for benefits, cost, schedule, safety, compliance, reputation and stakeholders. Combining them into one band can hide a catastrophic consequence, so specify escalation overrides.
How to use it
Define the risk as an uncertain event with a cause and an effect on objectives. Agree probability and impact scales with observable anchors, the time horizon, appetite, tolerance and who may approve each band.
Estimate inherent exposure before responses and residual exposure after current controls. Record evidence, assumptions and disagreement rather than manufacturing consensus. Where an event can affect several objectives, score each dimension and apply the organisation’s escalation rule.
Add factors the matrix cannot express well: proximity, velocity, duration, detectability, interconnectedness and controllability. A low-probability catastrophic risk may require action regardless of its calculated cell. Likewise, several individually modest risks can combine into material programme exposure.
Assign an owner, response, trigger, due date and review cadence. Re-score only when evidence or controls change, retaining the prior assessment for audit. Report changes in rationale as well as colour.
Top practical tip
Define probability and impact anchors, escalation overrides and decision rights before the workshop. Record the evidence and rationale beside every score.
Top pitfall
Do not treat colour multiplication as objective truth. Ordinal categories, hidden uncertainty and combined risks can make a neat matrix materially misleading.
Further reading
- Project Management Institute (twenty nineteen). The Standard for Risk Management in Portfolios, Programs, and Projects. Project Management Institute.
- Cox, L.A. (two thousand and eight). “What’s Wrong with Risk Matrices?” Risk Analysis.