Risk Scoring with Likelihood and Consequence Matrices

Likelihood and Consequence in Brief

  • 3 by 3 likelihood/consequence matrix is the standard structure
  • Consistent scoring scales applied across the organisation
  • Residual risk after controls is what drives further action

Risk assessment - likelihood and consequence scoring

Once a risk has been identified, the next step is to assess it. A widely used approach is a 3 by 3 matrix that crosses likelihood with consequence to give a risk rating of Tolerable, Moderate or Substantial. The matrix itself is simple. The work is in defining what each likelihood and consequence level actually means for the organisation, then applying the scoring consistently.

Most organisations using ISO standards inherit the matrix from a template. That is the easy part. The harder and more important part is consistency: making sure that "Likely" means the same thing to every person who scores a risk, and that "Very Harmful" is recognised consistently across the team. Without that, two assessors looking at the same risk can score it very differently and the register becomes inconsistent.

The 3 by 3 matrix

The matrix produces nine combinations and three rating bands.

Likelihood is scored on three levels: Very Unlikely, Unlikely and Likely. Consequence is also scored on three levels: Slightly Harmful, Harmful and Very Harmful. For business continuity assessments the consequence axis is rephrased as disruption to activities (Little Impact, Some Impact, Major Impact) but the bands map across.

The combinations resolve as follows:

  • Tolerable - Very Unlikely with any consequence below Very Harmful, or Unlikely with Slightly Harmful only
  • Moderate - Very Unlikely with Very Harmful, Unlikely with Harmful, or Likely with Slightly Harmful
  • Substantial - Unlikely with Very Harmful, Likely with Harmful, or Likely with Very Harmful

The bands then translate into actions. Tolerable means the risk is acceptable - monitor and add controls if needed. Moderate means monitor and reduce if possible. Substantial means a risk mitigation strategy and additional controls are required, with anything still rated Substantial after controls being raised on the issues and actions register for further treatment.
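The matrix and bands above, with the inherent-then-residual workflow the text describes, as an added Python example (not from the article or the alphaZ registers; the sample risk entry is constructed):

```python
from dataclasses import dataclass

CONSEQUENCE = ("Slightly Harmful", "Harmful", "Very Harmful")
# The article's 3 by 3 matrix: rows are likelihood, columns are consequence.
MATRIX = {
    "Very Unlikely": ("Tolerable", "Tolerable", "Moderate"),
    "Unlikely":      ("Tolerable", "Moderate", "Substantial"),
    "Likely":        ("Moderate", "Substantial", "Substantial"),
}
ACTION = {
    "Tolerable": "Acceptable: monitor, add controls if needed",
    "Moderate": "Monitor and reduce if possible",
    "Substantial": "Mitigation strategy and additional controls required",
}

def rate(likelihood: str, consequence: str) -> str:
    """Band for one likelihood/consequence pair; unknown labels are rejected
    rather than silently scored, so a mis-typed level cannot hide in a register."""
    if likelihood not in MATRIX or consequence not in CONSEQUENCE:
        raise ValueError(f"unknown level: {likelihood!r} / {consequence!r}")
    return MATRIX[likelihood][CONSEQUENCE.index(consequence)]

@dataclass
class RiskEntry:
    risk: str
    likelihood: str            # inherent: before any controls
    consequence: str
    residual_likelihood: str   # after the controls currently in place
    residual_consequence: str

def assess(entry: RiskEntry) -> dict:
    """Inherent and residual ratings, the action the residual band calls for,
    and whether the entry goes to the issues and actions register."""
    inherent = rate(entry.likelihood, entry.consequence)
    residual = rate(entry.residual_likelihood, entry.residual_consequence)
    return {
        "risk": entry.risk,
        "inherent": inherent,
        "residual": residual,
        "action": ACTION[residual],
        "raise_on_issues_register": residual == "Substantial",
    }

if __name__ == "__main__":
    # Constructed sample: controls cut likelihood, consequence unchanged.
    sample = RiskEntry("Loss of key supplier", "Likely", "Very Harmful",
                       "Unlikely", "Very Harmful")
    print(assess(sample))
```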

Defining likelihood for your business

The labels alone are not enough. "Likely" without context means different things to different people. The way to make scoring consistent is to anchor each likelihood level to something specific - either a frequency or a probability that the team can recognise.

A common approach for general business risks is to anchor likelihood to time periods:

  • Very Unlikely - would be expected to occur less than once in five years
  • Unlikely - could occur once every one to five years
  • Likely - could occur within the next year, or has occurred before in the recent past

For workplace hazards, the anchor is usually exposure frequency rather than calendar time:

  • Very Unlikely - rarely happens; would require an unusual combination of factors
  • Unlikely - could happen occasionally under particular conditions
  • Likely - happens regularly during normal operations or could reasonably be expected to occur

For information security risks, the anchor is typically threat occurrence frequency in the wider environment plus the organisation's exposure level. For business continuity, it is the probability of disruption events affecting the organisation in any given year.

Whichever framing the organisation chooses, it should be written down. It can be a short note in the management system manual, the relevant register or a separate procedure; what matters is that a new assessor can find it. This makes scoring repeatable and gives auditors something to point to when they ask how the team is calibrated.

Defining consequence for your business

Consequence is more variable than likelihood because it depends on what is at stake. For different risk types, the consequence axis means different things, and the levels need to be defined accordingly.

For strategic and operational business risks, consequence usually combines several factors:

  • Slightly Harmful - minor financial loss, short-term disruption, reputation impact within a single customer or stakeholder
  • Harmful - significant financial loss, sustained disruption, reputation impact in the wider market or with regulators
  • Very Harmful - business-threatening financial loss, regulatory action, loss of certification, major reputation damage, or impact on the organisation's ability to operate

For workplace hazards, consequence is normally framed in terms of harm to people:

  • Slightly Harmful - minor injury, first aid, no time off work
  • Harmful - injury or illness causing time off work, reportable under RIDDOR
  • Very Harmful - major injury, fatality, multiple casualties or permanent disability

For information security, consequence reflects impact on confidentiality, integrity and availability:

  • Slightly Harmful - minor inconvenience, easily recoverable, no notifiable breach
  • Harmful - significant operational disruption, contained data exposure, regulatory notification required
  • Very Harmful - widespread data breach, systems unavailable for extended period, regulatory penalty, contractual breach with customers

For business continuity, the equivalent is disruption to activities - the impact on the organisation's ability to deliver:

  • Little Impact - workarounds available, no perceptible impact on customers
  • Some Impact - service degraded for a recoverable period, some customer impact
  • Major Impact - critical services suspended, customer obligations breached, recovery requires significant effort

The principle is the same across all of them: each level should describe the actual impact in language the team would recognise for that discipline, with concrete thresholds where possible.

Why generic matrices fail

A copied-in matrix that has not been adapted to the organisation does not work. Two specific patterns are common.

The first is mismatched scale. A matrix where "Very Harmful" means a fatality is appropriate for a construction site but does not work for an office-based services firm whose worst-case scenarios are different. Without recalibration to what is actually at stake, the matrix produces ratings that do not reflect the real exposure - usually a register where everything looks Tolerable because the worst case has been defined too high.

The second is split interpretation. Different team members score the same risk differently because no one has agreed what the levels mean. One person scores a particular risk as Likely / Harmful, another scores it as Unlikely / Very Harmful, both arrive at Substantial but for different reasons. When the underlying scoring is not shared, the register loses its value as a comparison tool.

The fix in both cases is to invest a small amount of time at the start defining the levels explicitly, writing them down, and referring back to them when scoring. This is one of the most useful things a quality or SHEQ manager can do during management system setup or rework, and it pays back over the lifetime of the system.

Consistency across the team

Once the levels are defined, the next step is making sure everyone applies them the same way. The simplest way is a calibration session: the team that will be doing the scoring works through five to ten example risks together, scoring them independently first and then discussing differences. This reveals where the definitions need clarifying and gets everyone on the same page.

For larger organisations or where scoring is distributed, a short reference document or examples list can do the same job. The aim is that two people scoring the same risk independently arrive at similar ratings - not necessarily identical, but close enough that the register tells a coherent story.

Calibration also matters when the team changes. New people picking up the register need access to the definitions and ideally a few worked examples to anchor their scoring.

When auditing risk assessment I look for evidence that the scoring is calibrated. I will pick three or four entries on the register, ask why each was scored that way, and listen to whether the explanation matches the definitions. If the assessor cannot explain why something is Likely rather than Unlikely beyond saying it feels right, the calibration is weak.

I also look at the spread. A register where every entry is Moderate is a flag - either the assessor is anchoring to the middle to avoid making harder calls, or the levels have been defined so narrowly that nothing reaches Substantial or stays Tolerable. Either way the scoring is not doing useful work.
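Two of the checks described above (agreement between assessors in a calibration session, and the spread of bands across a register) as an added Python example, not part of the article; the session scores are constructed and the 0.8 "anchored to the middle" threshold is an assumption:

```python
from collections import Counter

CONSEQUENCE = ("Slightly Harmful", "Harmful", "Very Harmful")
MATRIX = {  # the article's 3 by 3 matrix: rows likelihood, columns consequence
    "Very Unlikely": ("Tolerable", "Tolerable", "Moderate"),
    "Unlikely":      ("Tolerable", "Moderate", "Substantial"),
    "Likely":        ("Moderate", "Substantial", "Substantial"),
}

def rate(likelihood, consequence):
    return MATRIX[likelihood][CONSEQUENCE.index(consequence)]

def calibration_report(scores):
    """scores: {risk: {assessor: (likelihood, consequence)}}.
    Per risk: do assessors agree on the level labels, on the band, or do they
    reach the same band for different reasons (the split-interpretation case)?"""
    report = {}
    for risk, by_assessor in scores.items():
        levels = set(by_assessor.values())
        bands = {rate(lik, con) for lik, con in levels}
        report[risk] = {
            "levels_agree": len(levels) == 1,
            "bands_agree": len(bands) == 1,
            "split_interpretation": len(bands) == 1 and len(levels) > 1,
        }
    return report

def spread_flags(bands, middle_share=0.8):
    """Flags the register patterns the text warns about: every entry in one band,
    or a register anchored to Moderate. The 0.8 share is an assumed threshold."""
    if not bands:
        return []
    counts = Counter(bands)
    flags = []
    if len(counts) == 1:
        flags.append(f"every entry is {bands[0]}")
    elif counts["Moderate"] / len(bands) >= middle_share:
        flags.append("register anchored to Moderate")
    return flags

# Constructed calibration-session scores: three example risks, two assessors.
SESSION = {
    "Loss of key supplier": {"A": ("Likely", "Harmful"), "B": ("Unlikely", "Very Harmful")},
    "Office fire": {"A": ("Very Unlikely", "Very Harmful"), "B": ("Unlikely", "Very Harmful")},
    "Laptop theft": {"A": ("Unlikely", "Harmful"), "B": ("Unlikely", "Harmful")},
}

if __name__ == "__main__":
    for risk, result in calibration_report(SESSION).items():
        print(risk, result)
    print(spread_flags(["Moderate"] * 6))
```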

For workplace hazards the consequence axis matters more than people often realise. It is not just whether someone could be hurt - it is what the realistic worst case looks like. If a hazard could cause a fatality but could equally cause a minor cut, you score for the realistic worst case, not the average and not the absolute extreme.

The other point on H&S risks is that controls already in place change the assessment. Inherent rating tells you the underlying exposure. Residual rating tells you whether further action is needed.

The 3 by 3 matrix is fine. Larger matrices - 5 by 5, 7 by 7 - look more sophisticated but in practice they make scoring harder, not better. Three levels of likelihood and three levels of consequence force you to make a judgement and produce a clear answer.

Practical Compliance Guidance

The IMS1 Manual Section 2.5 sets out the risk assessment methodology at the management system level. The 3 by 3 matrix and the Tolerable / Moderate / Substantial bands are described there along with guidance on how to apply them across the family of registers.

The alphaZ documents below all use the unified scoring approach. The matrix itself is built into each register, so the work is in defining the levels for the organisation and applying them consistently rather than designing the methodology from scratch.

alphaZ document - How to use it

  • ISO 9001/14001/45001 IMS Toolkit - Integrated toolkit including IMS1 and the registers that use the unified scoring methodology across multiple disciplines.
  • ISO 9001 Management System Toolkit - Quality-only toolkit including F-IMS23 with the built-in risk rating matrix.
  • F-IMS23 Opportunities and Risks Register - The strategic register with risk rating columns built in, using the Tolerable / Moderate / Substantial bands. Apply the methodology described in this article when scoring entries.
  • ER14 Hazard and Risk Assessment Register - Workplace hazard register using the same 3 by 3 matrix with consequence framed as harm to people. Includes an Instructions sheet showing the matrix structure.
  • ER15 Information Security Risks Register - Information security register applying the matrix to confidentiality, integrity and availability impact, with treatment options (avoid, reduce, transfer, accept).
  • ER16 Business Continuity Risk Register - Business continuity register applying the matrix with the consequence axis rephrased as disruption to activities. Includes a continuity priority rating that adds importance and recovery urgency.
  • ER24 Consumer Vulnerability Risks Register - Consumer vulnerability register using the same Tolerable / Moderate / Substantial bands applied to vulnerability risk factors.
  • ER1 Issues and Actions Register - Where any risk that scores Substantial after controls is raised for further treatment and tracked through to closure.
  • F-HS20 Risk Assessment Template - General risk assessment template for logging risks, initial risk ratings, adding controls and residual risk ratings.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

A 3 by 3 matrix forces a clearer judgement and is easier to calibrate. Larger matrices give the appearance of precision but in practice the middle levels become a default that softens scoring decisions. The standards do not specify a matrix size - 3 by 3 is widely used because it works and it is consistent across most strategic and specialised registers.

Both have a place. Inherent risk - the rating before any controls are applied - shows the underlying exposure. Residual risk - the rating after current controls - shows what is left to manage. Strategic risk registers typically capture both: a Risk Rating column for the inherent score and a Residual Risk Rating column for the position after controls. Where the residual stays Substantial, further action is required.

Score for the realistic worst case. Not the absolute worst that could ever happen and not the most common outcome - the worst case that is reasonably foreseeable given how the risk normally manifests. Where a risk has two distinct consequence types (a workplace hazard that could cause both injury and equipment damage, for example), it can be helpful to record them as separate entries with their own scoring.

Opportunities can be scored using a similar matrix where likelihood becomes the chance of capturing the opportunity and consequence becomes the positive impact if captured. The Tolerable / Moderate / Substantial bands reframe as low priority, worth pursuing, and high priority. Some organisations score opportunities qualitatively rather than using the same matrix, which is also acceptable - what matters is that opportunities are assessed as well as identified.

Existing scores should be reviewed whenever the underlying risk changes - new controls added or removed, a change in business circumstances, an incident that demonstrates the rating was wrong - and at the formal management review. A risk register where scores have not changed since it was first populated is usually a sign that scoring is not being actively maintained.

UK Legislation relevant to risk assessment

UK law requires organisations to assess specific categories of risk in defined ways. The 3 by 3 matrix is consistent with HSE guidance for general risk assessment under H&S legislation and meets the requirement for a suitable and sufficient assessment, though some specific assessment types (COSHH, fire, DSE) have their own structured approaches alongside the general matrix. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
