What is a risk matrix and how is it used in physical security planning?

A risk matrix is a tool that combines the likelihood of a threat with the potential impact on assets to categorize risk levels and guide how to mitigate them. In physical security planning, you identify threats or vulnerabilities, rate their probability and the harm they could cause, and plot them on the matrix. This produces a risk rating (for example low, medium, high) that helps you prioritize which mitigations to implement first, allocating resources to the most significant risks, such as improving access control, surveillance, barriers, or incident response. It also provides a common language for communicating risk to stakeholders and measuring how new controls reduce overall risk over time. Choices that describe budgeting charts, building layout maps, or lists of personnel roles do not combine probability with impact to prioritize security actions, so they don’t serve the same function as a risk matrix.