The output should make the tradeoff visible enough for someone else to inspect, challenge, and act on.
risk, governance, compliance & technology framework
Classify risks by likelihood and impact/severity.
quick answer
Risk Matrix is a risk heatmap for Risk assessment. It turns the decision into named fields, evidence, and a visible risk matrix worksheet / visual.
The output should make the tradeoff visible enough for someone else to inspect, challenge, and act on.
Classify risks by likelihood and impact/severity.
Use COSO ERM Framework when its output is closer to the conversation you need: Structure governance, strategy, performance, review and information around risk.
worked example
A filled example is easier to understand than a blank template. Use it to see the shape before applying the framework to your own case.
The heatmap combines likelihood and impact so mitigation effort follows exposure rather than anxiety.
The heatmap combines likelihood and impact so mitigation effort follows exposure rather than anxiety.
generate yours
Start Ask PL with the framework, required inputs, and your context. It will ask for missing details, render the risk heatmap, and explain what decision the output should change.
Apply Risk Matrix to my situation. Context: [Decision, audience, options, evidence, and constraints.] Use the Risk Matrix structure: - Likelihood axis: - impact/severity axis: - cells with risk ratings: Ask only for missing inputs that would change the output. Then render the risk heatmap and name the decision it should change.
how to use it
Use the framework to change a decision, not to fill a worksheet. Start narrow, add evidence, then inspect what the risk matrix worksheet / visual makes clearer.
Write the concrete risk assessment choice, tradeoff, or conversation the framework should change.
Fill the important slots: Likelihood axis, impact/severity axis, cells with risk ratings.
Mark what is measured, what comes from customers, and what is still judgment.
End with the next move, the riskiest assumption, or the evidence that would change the risk matrix worksheet / visual.
quality check
Use this check after the artifact is filled. Blank fields are not failure; they are the next research question. Look for concrete evidence, missing constraints, and assumptions that would change the next move.
The framework needs a concrete decision. Broad intent turns it into a worksheet, not a decision aid.
Good framework output makes assumptions visible enough for someone else to challenge.
The diagram is useful only if it changes the next product conversation.
common mistakes
Do not use Risk Matrix as a worksheet. Name the choice, conversation, or tradeoff the output should change.
Separate measured facts, customer evidence, and leadership judgment so weak assumptions stay visible.
If the diagram does not match the decision, switch frameworks instead of stretching the boxes.
The framework should clarify the next move. It should not replace strategy, sequencing, or judgment.
use something else when
Structure governance, strategy, performance, review and information around risk.
Assess control environment, risk assessment, control activities, information/communication and monitoring.
Apply risk communication, context, assessment, treatment, monitoring and recording.
faq
Classify risks by likelihood and impact/severity.
Business context; objectives; available evidence; stakeholder judgment
Risk Matrix worksheet / visual
Use Risk Matrix when the decision matches this job: Classify risks by likelihood and impact/severity.
Avoid it when you need COSO ERM Framework's output instead: Structure governance, strategy, performance, review and information around risk.
It is both: a structure for thinking and a visible risk heatmap that makes the decision easier to inspect.
A good input names the real decision, uses concrete evidence, and separates facts from assumptions.
Use the risk matrix worksheet / visual to choose the next move, name the riskiest assumption, or decide what evidence would change the call.
Use COSO ERM Framework when the real output you need is closer to: Structure governance, strategy, performance, review and information around risk.
Yes. Describe your context and Ask PL can ask for missing inputs, render the risk heatmap, and explain what decision it should change.