3×3 Matrix

What is a Risk Matrix?

A risk matrix is a tool used during the risk assessment stage of risk management. It identifies and captures the likelihood of risks and evaluates the potential damage caused by those risks. 

A risk matrix provides a visual illustration of the risk analysis and neatly categorizes risks based on their level of probability and severity. A risk matrix tool is an effective way to get a clear understanding of risks.

Risk matrices come in different shapes and sizes. Choosing the appropriate template for a risk assessment often results in heated debates between risk management professionals. 5×5 risk matrices can be used, as well as 4×4 and 3×3. The first step is to find a system that works best for your team. Remember that a smaller number of rows and columns provides less granularity.

When is a Risk Matrix Used?

When conducting a cyber risk assessment, you need to quantify the risk levels of various scenarios taking place. An organization must first define and identify its assets, then prioritize those assets, and only then conduct an assessment.

There are various tools an organization can use to conduct a risk assessment, which can also aid in quantifying and visualizing the data.

One of those tools is a risk assessment risk analysis matrix that produces a risk score through the combination of two parameters:

  1. The impact of this risk scenario taking place
  2. The probability and frequency of this risk scenario occurring

What is a RACM?

A risk and control matrix (RACM)  is a useful tool that can help a business in ranking risks and implementing controls to reduce risks. A risk control matrix a graph  of potential risks and the protective measures taken to lower those risks. Simply expressed, by comparing the risks to the official measures taken to lower the chance of negative outcomes, a RACM paints a picture of an organization’s risk profile.

Inherent risks are built-in risks just by the nature of how those assets function. Lowering those risks can be achieved by placing controls and safeguards in place to protect the organization from those risks materializing to their full capacity. The outcome of these actions will be a new score called residual risk.

The new residual risk score will be a function of how much we have lowered the impact and probability of that risk materializing, hence what is called control effectiveness. This control effectiveness acts as a weight and will impact how low the residual risk is.

A more advanced approach can attribute the effectiveness to the impact or probability independently, which would help lead to a more accurate residual risk score, though this practice is often left for more mature security practices.

Why Is a Risk Matrix Important?

All risks aren’t equal. A risk matrix allows you to prioritize the most severe risks your company faces. While it may be tempting to address every risk, resources are always limited. At the end of the day, every organization will need to take on some level of acceptable risk to succeed.

By categorizing degrees of risk according to a traffic light color scheme on a matrix, it’s easy to identify the most pressing threats and focus on them. 

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Learn more about 3×3 Matrix

What is a 3×3 Risk Matrix?

A risk matrix contains a set of values for a risk’s probability and severity. A 3×3 risk matrix has 3 levels of probability and 3 levels of severity.

For example, a standard 3×3 risk matrix contains the following values:


  1. Low: The hazard may either be controlled or would commonly result in less than minor, illness, injury, or system damage.
  2. Moderate: The hazard may commonly cause severe injury or illness or major system damage, requiring immediate corrective action.
  3. Critical: The hazard may commonly cause death or major system loss, requiring immediate cessation of the unsafe activity or operation.


  1. Improbable: Unlikely but possible to occur during standard operations
  2. Occasional: Likely to occur sometime during standard operations
  3. Probable: Likely to occur often during standard operations

By multiplying the risk probability by its severity, you can calculate the level of acceptability of its risk. 

Benefits and Drawbacks of a 3×3 Risk Matrix

A 3×3 risk matrix is a very basic risk assessment matrix. When a risk matrix is easily understood, it’s more likely to encourage an informed discussion of how severe hazardous scenarios can be. 

Due to its straightforward design, a 3×3 matrix is prone to errors. Its simplicity can make it difficult to truly determine where the boundary between acceptable and unacceptable risk lies. In addition, with a 3×3 matrix, there are only three categories of risks. For more complex risks, a 4×4 or 5×5 matrix may be more appropriate, as they allow for more nuanced and granular risk assessments.

How Does Centraleyes Integrate a Business Risk Assessment Matrix?

Visualizing risk is not a simple task. This is why we’ve spent years developing the Centraleyes platform dashboards with state-of-the-art metrics. Data from risk assessments are fed into visually represented graphs and metrics that can be consumed by decision-makers to support smart business strategies.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Want to talk to Centraleyes about 3×3 Matrix?

Related Content

Authorization to Operate (ATO)

Authorization to Operate (ATO)

What is an ATO? An ATO is a hallmark of approval that endorses an information system…


What is StateRAMP? In 2011, the Federal Risk and Authorization Management Program (FedRAMP) laid the groundwork…
Segregation of Duties

Segregation of Duties

What is the Segregation of Duties? Segregation of duties (SoD) is like a game of checks…
Skip to content