Risk Matrix Calibration: What is it and why is it important?


What is Risk Matrix Calibration?

Risk matrix calibration is the process of assigning specific, measurable criteria to each level of likelihood and impact on a risk matrix, so that risk scores are consistent and comparable across an organisation.

Calibration is not a one-time setup task. It must be repeated when an organisation changes its risk tolerance, adds new risk categories, or onboards staff who were not part of the original calibration exercise. Every business and organisation is unique, and therefore so are the risk reference values appropriate to it.

Risk categories classify risks according to a business’s activities and provide a defined overview of the underlying and potential risks the company faces. The most commonly used risk categories are financial, schedule, performance, reputation, health, safety and environment.

Key Takeaways

  • Risk matrix calibration means assigning specific, agreed criteria to each level of likelihood and impact, so that risk scores are consistent across your organisation
  • Without calibration, two people assessing the same risk may score it differently, making it impossible to compare or prioritise risks reliably
  • Calibration must be tailored to each organisation: a “major” financial loss means a very different amount to a small business than to a large enterprise
  • The most commonly calibrated risk categories are financial, schedule, performance, reputation, health, safety, and environmental
  • Calibration criteria should be validated with stakeholders and reviewed whenever the organisation changes significantly — and at minimum once a year

What is a Risk Matrix?

A risk matrix (sometimes called a risk assessment matrix) is used during the risk assessment stage of the risk management process. It captures the likelihood (probability) of each risk event and evaluates the potential impact (consequences) of that event.

Risk Evaluation

When the risk analysis is complete, it’s necessary to compare the estimated risks against the risk criteria of the organisation.

Risk criteria may include, for example, cost, health, safety, environmental standards, legal requirements, socioeconomic factors, and the concerns of stakeholders.

Risk evaluation supports decisions regarding the significance of a risk to the organisation and whether a specific risk should be accepted, controlled, or mitigated.

How to Calibrate a Risk Matrix

Calibrating a risk matrix is not a one-size-fits-all exercise. The steps below provide a structured approach that can be adapted to any organisation, sector, or project type.

Identify Your Risk Categories

Begin by listing every risk category relevant to your organisation’s activities. Common categories include financial, schedule, performance, reputation, health, safety, and environmental. Include only the categories that are meaningful to your operations — not every organisation needs every category.

Example: a construction firm may prioritise safety and environmental categories, while a software company may focus on schedule and performance.

Define Your Likelihood Scale

Agree on what each likelihood level means in concrete, observable terms. A five-level scale — remote, unlikely, possible, probable, highly probable — is standard, but each label must be given a specific definition that anyone in your organisation can apply consistently.

Example: “Possible” might mean the event has occurred previously within the same country, while “Probable” means it has occurred within your sector.

Define Your Impact Criteria for Each Category

For every risk category, assign a specific threshold to each impact level (insignificant through to extreme). These thresholds must reflect your organisation’s size and risk appetite — a financial loss that is minor for a large enterprise could be catastrophic for a small business.

Example: for financial impact, “Minor” might be a loss under £100k for one organisation and under £10m for another.

Validate Criteria With Stakeholders

Share the draft calibration criteria with key stakeholders across departments — project managers, finance leads, health and safety officers, and senior leadership. Calibration only works if the people using the matrix agree that the criteria reflect operational reality. Adjust based on their input before finalising.

Example: your finance team may confirm that a £500k loss qualifies as “Moderate”, while operations may argue it would be “Major” given their budget constraints.

Test the Calibration Against Known Risks

Apply the calibration criteria to a set of historical or well-understood risks and score them using the new matrix. Check that the resulting scores feel proportionate and consistent. If a known high-impact event scores as “moderate”, the criteria need adjusting.

Example: score three or four past risk events your organisation has experienced and confirm the calibrated matrix would have flagged them at the appropriate level.

Document and Communicate the Calibrated Matrix

Record the agreed calibration criteria in a formal risk management document and distribute it to everyone involved in risk assessment. Consistent use depends on everyone working from the same reference point. Revisit and update the calibration whenever there is a significant change to the organisation’s size, structure, or risk appetite.

Example: publish the calibrated matrix in your risk register template and include it in onboarding materials for new project managers.
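The testing step above can be automated. The following is an added example, not part of the original article: it applies the financial thresholds from the article's example table to a set of known events and reports any event whose calibrated level differs from the level stakeholders agreed. The small-business thresholds, the event list and all function names are constructed for illustration.

```python
from bisect import bisect_right

LEVELS = ["Insignificant", "Minor", "Moderate", "Major", "Extreme"]

# Exclusive upper bounds for the four lower levels, from the article's example
# financial table (<$10k, <$100k, <$1m, <$10m). Anything at or above the last
# bound is rated Extreme; the table's $100m ceiling is not enforced here.
PAGE_EXAMPLE = [10_000, 100_000, 1_000_000, 10_000_000]
# Constructed calibration for a hypothetical small business.
SMALL_BUSINESS = [500, 5_000, 25_000, 100_000]


def validate(bounds):
    """Reject calibrations that cannot produce five distinct, ordered levels."""
    if len(bounds) != len(LEVELS) - 1:
        raise ValueError("need one bound per level except the highest")
    if bounds[0] <= 0 or any(a >= b for a, b in zip(bounds, bounds[1:])):
        raise ValueError("bounds must be positive and strictly increasing")


def impact_level(loss, bounds):
    """Map a financial loss to an impact level; a loss equal to a bound
    belongs to the next level up, because the criteria are 'less than'."""
    validate(bounds)
    if loss < 0:
        raise ValueError("loss cannot be negative")
    return LEVELS[bisect_right(bounds, loss)]


def backtest(bounds, known_events):
    """Score known events and return those whose calibrated level differs
    from the level stakeholders agreed the event deserved."""
    mismatches = []
    for name, loss, agreed in known_events:
        scored = impact_level(loss, bounds)
        if scored != agreed:
            mismatches.append((name, scored, agreed))
    return mismatches


# Constructed historical events: (name, loss in USD, level agreed in review).
KNOWN_EVENTS = [
    ("supplier default", 90_000, "Minor"),
    ("site shutdown", 750_000, "Major"),
    ("data-centre outage", 12_000_000, "Extreme"),
]

if __name__ == "__main__":
    for name, scored, agreed in backtest(PAGE_EXAMPLE, KNOWN_EVENTS):
        print(f"{name}: matrix says {scored}, stakeholders say {agreed}")
```

A non-empty result from `backtest` means the thresholds need adjusting before the matrix is published.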

Risk Likelihood

Risk Likelihood is the probability of a risk event occurrence. The likelihood of risk has five qualitative ranges [Ref: The Institute of Risk Management]:

  • Remote
  • Unlikely
  • Possible
  • Probable
  • Highly Probable

Risk Impact

The Risk Impact considers the consequence if the risk event occurred and has five levels [Ref: The Institute of Risk Management]:

  • Insignificant
  • Minor
  • Moderate
  • Major
  • Extreme

The risk event is then assigned a risk value, obtained as a function of Likelihood and Impact.

Examples of Risk Matrix Calibration

Likelihood

| Likelihood | Example Criteria |
|---|---|
| Remote | Not known to have happened anywhere |
| Unlikely | Has happened previously somewhere |
| Possible | Has happened previously in the local country |
| Probable | Has happened previously in the sector |
| Highly Probable | Has happened previously in the organisation |

Qualitative Likelihood/Probability

Impact

Financial

| Impact | Example Criteria |
|---|---|
| Insignificant | A financial loss of <$10k |
| Minor | A financial loss of <$100k |
| Moderate | A financial loss of <$1m |
| Major | A financial loss of <$10m |
| Extreme | A financial loss of <$100m |

Financial Impact

Schedule

| Impact | Example Criteria |
|---|---|
| Insignificant | A schedule loss of 1 day |
| Minor | A schedule loss of 4 days |
| Moderate | A schedule loss of 1 week |
| Major | A schedule loss of 1 month |
| Extreme | A schedule loss of 1 year |

Schedule Impact

Reputation

| Impact | Example Criteria |
|---|---|
| Insignificant | Attention within the organisation only. Insignificant organisational impact. |
| Minor | Local media attention. Minor organisational impact. |
| Moderate | National media attention and possible public inquiry. Moderate organisational impact. |
| Major | International media attention and public inquiry. Major organisational impact. |
| Extreme | International media attention and public inquiry. Organisation closes down. |

Reputation Impact

Performance

| Impact | Example Criteria |
|---|---|
| Insignificant | Requires minor trade-offs to achieve the target. No impact on organisation. |
| Minor | Performance below target but acceptable. No changes. No organisational impact. |
| Moderate | Performance below target. Moderate changes are required. Limited organisational impact. |
| Major | Performance is unacceptable. Major changes are required. Major organisational impact. |
| Extreme | Performance is unacceptable. |

Performance Impact

Health

| Impact | Example Criteria |
|---|---|
| Insignificant | No harm to people |
| Minor | A few people suffer from diseases |
| Moderate | Some people suffer from grave diseases |
| Major | Possible deaths and/or many people suffering from grave diseases |
| Extreme | Likely deaths |

Health Impact

Safety

| Impact | Example Criteria |
|---|---|
| Insignificant | Minor injury or no harm to people |
| Minor | A few minor injuries |
| Moderate | Some serious injuries |
| Major | Possible deaths and serious injuries |
| Extreme | Likely deaths |

Safety Impact

Environmental

| Impact | Example Criteria |
|---|---|
| Insignificant | Minor release |
| Minor | Small release |
| Moderate | Significant release |
| Major | Large release |
| Extreme | Large uncontrolled release |

Environmental Impact

Frequently Asked Questions

What Is Risk Matrix Calibration?
Risk matrix calibration is the process of defining specific, measurable criteria for each level of likelihood and impact on a risk matrix. Without calibration, two people assessing the same risk may score it differently. Calibration ensures that ratings like “moderate” or “probable” mean the same thing across your entire organisation.

Why Is Calibrating a Risk Matrix Important?
A risk matrix is only as useful as the consistency of the scores it produces. Calibration removes subjectivity from the assessment process, making it possible to compare risks across projects, departments, or time periods. It also helps decision-makers prioritise and allocate resources based on like-for-like risk scores.

How Do You Calibrate a 5×5 Risk Matrix?
To calibrate a 5×5 risk matrix, define concrete criteria for each of the five likelihood levels (from remote to highly probable) and each of the five impact levels (from insignificant to extreme) across every risk category your organisation uses — such as financial, schedule, reputation, health, safety, and environmental. The criteria should reflect your organisation’s size, sector, and risk appetite, since a “major” financial loss will mean different amounts to different businesses.

What Is the Difference Between Risk Likelihood and Risk Impact?
Risk likelihood refers to the probability that a risk event will occur — for example, whether something has happened before in the sector or the organisation. Risk impact refers to the consequence if that event does occur — for example, the financial cost, schedule delay, or harm to people. A risk score is calculated by combining both dimensions.

What Are the Five Levels of Risk Impact?
As defined by the Institute of Risk Management, the five standard levels of risk impact are: insignificant, minor, moderate, major, and extreme. What each level means in practice, in terms of financial loss, injuries, schedule delay, or reputational damage, must be defined through calibration and will vary between organisations.

Can the Same Risk Matrix Be Used Across Different Organisations?
The structure of a risk matrix (its likelihood and impact levels) can be standardised, but the calibration criteria must be tailored to each organisation. A financial loss of £100,000 may be insignificant for a large corporation but catastrophic for a small business. Calibration exists precisely to account for these differences.

How Often Should a Risk Matrix Be Recalibrated?
A risk matrix should be recalibrated whenever there is a significant change in the organisation — such as growth in revenue, entry into a new sector, a merger, or a change in regulatory requirements. As a minimum, it is good practice to review calibration criteria annually to ensure they still reflect the organisation’s risk appetite and operating environment.

What Risk Categories Are Commonly Used in a Risk Matrix?
The most commonly used risk categories include financial, schedule (delivery timeline), performance, reputation, health, safety, and environmental. Organisations may add or remove categories depending on their industry and activities; for example, a construction firm may place greater weight on safety, while a financial services firm may prioritise regulatory and reputational risk categories.

Final Thoughts


Before evaluating a risk event, the risk categories must be calibrated.

Each business and organisation is unique. Therefore, so are the risk reference values. For example, a loss of $100k could have a minor impact on one company but become the final closure factor for another.
