Free Risk Matrix Template: A 5x5 Template You Can Adapt in Minutes
Use this free risk matrix template to score likelihood and impact, define risk levels, and standardize risk assessments. Includes a 5x5 template, sample thresholds, and practical setup guidance.
Most teams searching for a risk matrix template do not actually need a prettier spreadsheet. They need a template that makes risk scoring consistent.
That means the template has to do four jobs:
- Define the scoring model
- Show how scores map to risk levels
- Make prioritization visual
- Trigger the right follow-up action
If you have not built the underlying methodology yet, start with our full guide to the risk matrix. If you already know the method and just need a practical starting point, use the template below.
Integrated Risk Matrix Template
Use the embedded template below to review starter risks, add your own directly on the matrix, and export a CSV built from the template pack.
Interactive Template
Free 5x5 risk matrix template
Start with a preloaded template pack, adjust the matrix, and export a working CSV.
Template Risks
5
Preloaded and editable directly on the matrix.
High Or Critical
2
Useful for spotting where escalation rules should start.
Next Step
Click any cell
Review starter risks, add your own, then export the CSV.
Start with the preloaded template pack
Click any cell to review starter risks, add your own, and shape the CSV before you download it.
Tracking 5 template risks across the matrix
Use the template pack to get aligned quickly, then export the CSV when it looks close to your environment.
1 to 5
Low
Monitor or accept
6 to 12
Medium
Create treatment plan
15 to 20
High
Actively mitigate
21 to 25
Critical
Escalate immediately
The Core 5x5 Risk Matrix Template
This is a common starting format for most organizations using qualitative risk scoring:
| Likelihood \ Impact | 1 - Negligible | 2 - Minor | 3 - Moderate | 4 - Major | 5 - Catastrophic |
|---|---|---|---|---|---|
| 5 - Almost Certain | 5 | 10 | 15 | 20 | 25 |
| 4 - Likely | 4 | 8 | 12 | 16 | 20 |
| 3 - Possible | 3 | 6 | 9 | 12 | 15 |
| 2 - Unlikely | 2 | 4 | 6 | 8 | 10 |
| 1 - Rare | 1 | 2 | 3 | 4 | 5 |
Use the score to assign a level:
- 1-5: Low
- 6-12: Medium
- 15-20: High
- 21-25: Critical
If you want the reasoning behind those breakpoints, see the threshold section in Risk Matrix Explained. If you want to test scores interactively, use the risk matrix calculator.
This template is intentionally illustrative. It should be calibrated to your organization's context, risk appetite, and regulatory environment rather than copied unchanged.
Likelihood Scale Template
The grid is only useful when each level is clearly defined. A strong template gives assessors language they can apply consistently.
| Level | Label | Probability | Time-Based Definition |
|---|---|---|---|
| 1 | Rare | Less than 5% | Not expected in the next 5 years |
| 2 | Unlikely | 5-20% | Could occur once in 2-5 years |
| 3 | Possible | 20-50% | Could occur once in the next 1-2 years |
| 4 | Likely | 50-80% | Expected at least once this year |
| 5 | Almost Certain | Greater than 80% | Expected multiple times this year |
Impact Scale Template
Use impact dimensions that fit your organization. The table below is a general-purpose starting point.
| Level | Label | Financial | Operational | Regulatory |
|---|---|---|---|---|
| 1 | Negligible | Less than $10K | Less than 1 hour disruption | No regulator interest |
| 2 | Minor | $10K-$100K | Hours of disruption | Minor finding |
| 3 | Moderate | $100K-$500K | Days of disruption | Inquiry or warning |
| 4 | Major | $500K-$2M | Weeks of disruption | Formal investigation |
| 5 | Catastrophic | More than $2M | Months of disruption | Major fine or license risk |
Smaller companies should lower these thresholds. Larger enterprises may need higher values or additional impact dimensions.
Risk Level Response Template
This is the part most templates miss. Scores should drive decisions.
| Score Range | Level | Typical Response | Review Cadence |
|---|---|---|---|
| 1-5 | Low | Monitor or accept | Semi-annually |
| 6-12 | Medium | Create treatment plan | Quarterly |
| 15-20 | High | Actively mitigate and escalate | Monthly |
| 21-25 | Critical | Immediate action and executive escalation | Continuous or monthly |
Without response rules, your matrix is just a visual. With them, it becomes an operating tool.
Template Fields to Add Beside the Matrix
The matrix alone is not enough. In your risk register, each risk should also capture:
- Risk title
- Description in cause-event-consequence form
- Category
- Inherent likelihood
- Inherent impact
- Inherent risk score
- Risk owner
- Treatment decision
- Controls linked to the risk
- Residual likelihood
- Residual impact
- Residual risk score
- Next review date
If you need the surrounding structure, our risk register guide walks through the full artifact.
How to Adapt the Template for Different Use Cases
Cybersecurity risk matrix template
Keep the 5x5 grid, but tune impact around data loss, service outage, customer impact, and regulatory exposure. Examples are available in our risk matrix examples article.
Project risk matrix template
Use impact dimensions like budget overrun, schedule delay, dependency failure, and stakeholder confidence. The same scoring structure still works.
Vendor risk matrix template
Impact definitions should reflect data access, operational dependency, and concentration risk. This pairs well with a third-party risk management workflow.
Common Template Mistakes
Using labels without definitions
"High likelihood" means different things to different people unless the template provides probability or time-based anchors.
Copying thresholds from another company without adjusting appetite
The template should reflect your organization's tolerance for loss, disruption, or compliance exposure.
Scoring only residual risk
If you skip inherent scoring, you cannot show the value of controls or explain why a risk still matters. This is why mature programs capture both inherent risk and residual risk.
Start Simple, Then Calibrate
The best template is not the most sophisticated one. It is the one your assessors can use consistently.
Start with a 5x5 model, define each level clearly, and review a few example risks as a team. Once people score the same scenarios the same way, the template is ready to scale.
Sources and Standards
This template is informed by common qualitative risk-assessment practice and should be adapted to fit your environment. The references below support the underlying process of identifying, assessing, evaluating, treating, and monitoring risk; they do not mandate this exact template layout or threshold table.
Frequently Asked Questions
- What should a risk matrix template include?
- A practical risk matrix template includes the matrix grid itself, definitions for each likelihood and impact level, score thresholds for low-medium-high-critical, and guidance on what action each level triggers. Without those definitions, the template becomes subjective and inconsistent.
- What is the best size for a risk matrix template?
- For most organizations, a 5x5 matrix is the best default. It gives enough detail to distinguish risks without creating false precision. A 3x3 matrix can work for quick screening, but it often compresses too many risks into the middle.
- Should a template include inherent and residual risk?
- Yes. A strong risk matrix template captures both inherent risk, which is the exposure before controls, and residual risk, which is the exposure after controls. The difference between them shows whether your controls are actually reducing risk.
- Can I use the same risk matrix template for cyber, operational, and compliance risks?
- Yes, as long as you adapt the impact definitions to cover the dimensions that matter to your organization, such as financial loss, operational disruption, customer impact, or regulatory exposure. The grid structure stays the same even when examples differ by domain.
Related Articles
Risk Matrix Explained: How to Build and Use a 5x5 Risk Matrix
A complete guide to risk matrices, including how to build a 5x5 risk matrix, define likelihood and impact scales, set risk level thresholds, and use heat maps for risk visualization. Includes templates and practical examples.
7 min read
Risk Matrix Calculator: Score Likelihood and Impact on a 5x5 Matrix
Use this risk matrix calculator to score likelihood and impact on a 5x5 matrix, understand risk levels, and interpret the results. Includes an interactive matrix and guidance on using the scores consistently.
4 min read
Risk Matrix Examples: 7 Practical Examples Across Cyber, Compliance, and Operations
See practical risk matrix examples across cybersecurity, compliance, vendor, and operational risk. Learn how to score likelihood and impact and how to interpret matrix positions in real situations.
5 min read