Friday, October 17, 2008

Risk Matrix: 5x5 or 3x3?

NIST (The National Institute of Standards and Technology) recommends a 3x3 risk matrix for classifying risks, similar to this 3x3 matrix. In most cases you are weighting Likelihood x Impact; usually the ratings are HIGH, MEDIUM and LOW (as is the case with NIST), but 1, 2 and 3 are just as justified (and equally relative to the rater or reader without further definition).

I prefer a 5x5 approach, which offers more detail and clarity. Some might argue that a 5x5 matrix is too much information and too much work for smaller projects. I think that's not the case. Either a smaller project is simpler than a larger one and therefore has fewer risks (so the burden of 5x5 is not great), or the project (regardless of size) is full of risks and needs that greater detail.
One of the things I like about the 5x5 matrix is that it allows you to mark the extremes; insignificant risks in particular are good to be able to break out, rather than lumping them in with somewhat greater risks under the classification of 'LOW'. Should you bother with documenting insignificant risks? I think you need to classify all possible events that fall under the definition of risk that you have settled on and the definition of insignificant. If you identify risks that are within your measurement extremes, you should include them.
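To show the point about the extremes, here is an added example (not code from the original post) that scores the same constructed risk register on both a 3x3 and a 5x5 Likelihood x Impact matrix. The band cut-offs, the 5-to-3 rating mapping and the sample risks are all assumptions for illustration, not NIST's definitions.

```python
# Added example: the same constructed risk register scored on a 3x3 and a
# 5x5 Likelihood x Impact matrix. Band cut-offs and the 5-to-3 mapping are
# assumptions chosen for illustration, not NIST's or the post author's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # rated 1..5 on the fine (5x5) scale
    impact: int      # rated 1..5 on the fine (5x5) scale


def band_3x3(score: int) -> str:
    # Assumed bands for a 3x3 matrix, score = likelihood * impact in 1..9.
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def band_5x5(score: int) -> str:
    # Assumed bands for a 5x5 matrix, score = likelihood * impact in 1..25.
    if score >= 20:
        return "CRITICAL"
    if score >= 12:
        return "HIGH"
    if score >= 6:
        return "MEDIUM"
    if score >= 3:
        return "LOW"
    return "INSIGNIFICANT"


def to_3_point(value: int) -> int:
    # Assumed collapse of a 1..5 rating onto 1..3: {1,2}->1, {3}->2, {4,5}->3.
    return {1: 1, 2: 1, 3: 2, 4: 3, 5: 3}[value]


def classify(risk: Risk) -> dict:
    fine = risk.likelihood * risk.impact
    coarse = to_3_point(risk.likelihood) * to_3_point(risk.impact)
    return {"name": risk.name, "3x3": band_3x3(coarse), "5x5": band_5x5(fine)}


# Constructed sample register: two small risks and one serious one.
REGISTER = [
    Risk("Typo in internal wiki page", 1, 1),
    Risk("Expired test certificate on staging", 2, 2),
    Risk("Unpatched internet-facing web server", 4, 5),
]


def classify_all(register=REGISTER) -> list:
    # The first two risks both land in LOW on 3x3 but separate on 5x5.
    return [classify(r) for r in register]
```

Running `classify_all()` shows the first two risks sharing the 'LOW' band on the 3x3 matrix while the 5x5 matrix separates INSIGNIFICANT from LOW.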
