Risk Input Form
Score every factor on a 1 to 5 scale. Enter control effectiveness as a percentage from 0 to 100.
Formula Used
Impact Average
(Confidentiality + Integrity + Availability) ÷ 3
Inherent Risk Score
((0.12×Asset Value) + (0.10×Data Sensitivity) + (0.18×Threat Likelihood) + (0.15×Vulnerability Severity) + (0.18×Impact Average) + (0.10×Compliance Impact) + (0.10×Internet Exposure) + (0.07×Third-Party Dependency)) × 20
Control Modifier
1 - ((Control Effectiveness ÷ 100) × 0.45)
Operational Modifier
1 - ((((Detection Capability + Recovery Readiness) - 2) ÷ 8) × 0.25)
Residual Risk Score
Inherent Risk × Control Modifier × Operational Modifier
The eight inherent-risk weights sum to 1.00, so the weighted sum lies between 1 and 5 and the inherent score between 20 and 100. Higher control effectiveness and stronger detection and recovery scores lower the residual score, but each modifier has a floor: control effectiveness removes at most 45 percent and detection plus recovery at most a further 25 percent, so residual risk never falls below 0.55 × 0.75 = 41.25 percent of the inherent score. Priority is assigned from the residual score, while the heat band comes from the likelihood-impact matrix.
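The formulas above carried through in code. This is an added worked example, not the calculator's own source; the field names are assumptions, and the sample scores are a constructed set that reproduces the 78.60 inherent score shown for the Customer Portal row (detection and recovery are assumed at 3 and 3, since the table does not list them). It validates the input scales, computes each intermediate modifier, and shows the floor and ceiling of the residual score.

```python
"""Worked implementation of the published risk formulas.

Added example, not the calculator's own code. Field names and the sample
inputs are assumptions; weights and modifiers are copied from the page.
"""
from dataclasses import dataclass

# Weights from the Inherent Risk Score formula. They sum to 1.00, so the
# weighted sum lies in [1, 5] and the x20 scaling maps it to [20, 100].
WEIGHTS = {
    "asset_value": 0.12,
    "data_sensitivity": 0.10,
    "threat_likelihood": 0.18,
    "vulnerability_severity": 0.15,
    "impact_average": 0.18,
    "compliance_impact": 0.10,
    "internet_exposure": 0.10,
    "third_party_dependency": 0.07,
}
CONTROL_MAX_REDUCTION = 0.45      # control modifier floor is 1 - 0.45 = 0.55
OPERATIONAL_MAX_REDUCTION = 0.25  # operational modifier floor is 0.75


@dataclass(frozen=True)
class RiskInput:
    asset_value: int
    data_sensitivity: int
    threat_likelihood: int
    vulnerability_severity: int
    confidentiality: int
    integrity: int
    availability: int
    compliance_impact: int
    internet_exposure: int
    third_party_dependency: int
    control_effectiveness: float   # percentage, 0-100
    detection_capability: int
    recovery_readiness: int

    def __post_init__(self) -> None:
        # Reject out-of-scale input instead of silently producing a score
        # outside the 20-100 band the formulas assume.
        for name, value in self.__dict__.items():
            if name == "control_effectiveness":
                if not 0 <= value <= 100:
                    raise ValueError(f"{name} must be 0-100, got {value}")
            elif not (isinstance(value, int) and 1 <= value <= 5):
                raise ValueError(f"{name} must be an integer 1-5, got {value}")


def impact_average(r: RiskInput) -> float:
    return (r.confidentiality + r.integrity + r.availability) / 3


def inherent_risk(r: RiskInput) -> float:
    factors = {k: getattr(r, k) for k in WEIGHTS if k != "impact_average"}
    factors["impact_average"] = impact_average(r)
    return sum(WEIGHTS[k] * factors[k] for k in WEIGHTS) * 20


def control_modifier(control_effectiveness: float) -> float:
    return 1 - (control_effectiveness / 100) * CONTROL_MAX_REDUCTION


def operational_modifier(detection: int, recovery: int) -> float:
    # (D + R) ranges 2..10; (D + R - 2) / 8 normalises it to 0..1.
    return 1 - ((detection + recovery - 2) / 8) * OPERATIONAL_MAX_REDUCTION


def residual_risk(r: RiskInput) -> float:
    return (inherent_risk(r)
            * control_modifier(r.control_effectiveness)
            * operational_modifier(r.detection_capability, r.recovery_readiness))


def matrix_score(r: RiskInput) -> int:
    # Likelihood x rounded impact, 1..25. A sum of three integers divided by 3
    # never ends in .5, so round() has no tie to break here.
    return r.threat_likelihood * round(impact_average(r))


def assess(r: RiskInput) -> dict:
    return {
        "impact_average": round(impact_average(r), 2),
        "inherent_risk": round(inherent_risk(r), 2),
        "control_modifier": round(control_modifier(r.control_effectiveness), 4),
        "operational_modifier": round(
            operational_modifier(r.detection_capability, r.recovery_readiness), 4),
        "residual_risk": round(residual_risk(r), 2),
        "matrix_score": matrix_score(r),
    }


# Constructed sample: one set of 1-5 scores that reproduces the 78.60 inherent
# score of the Customer Portal row. Detection/recovery are assumed at 3/3.
CUSTOMER_PORTAL = RiskInput(
    asset_value=3, data_sensitivity=5, threat_likelihood=4,
    vulnerability_severity=4, confidentiality=4, integrity=4, availability=5,
    compliance_impact=5, internet_exposure=4, third_party_dependency=1,
    control_effectiveness=55, detection_capability=3, recovery_readiness=3,
)

if __name__ == "__main__":
    for key, value in assess(CUSTOMER_PORTAL).items():
        print(f"{key:>20}: {value}")
```

For the sample input the control modifier is 0.7525, the operational modifier 0.875, and the residual score 51.75. Scoring every factor at 5 with 100 percent control effectiveness and 5/5 detection and recovery gives the floor of 41.25; scoring everything at 1 with no controls gives 20 for both inherent and residual.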
How to Use This Calculator
- Enter the asset name, owner, assessment date, and risk category.
- Score each 1 to 5 factor honestly using current conditions.
- Enter control effectiveness as a percentage based on evidence.
- Add notes for controls, assumptions, dependencies, and known gaps.
- Click Calculate Risk to show the result above the form.
- Review inherent risk, residual risk, heat band, and treatment.
- Export the assessment as CSV or PDF for reporting.
Example Data Table
| Asset | Category | Likelihood | Impact Avg | Control % | Inherent Risk | Residual Risk | Priority |
|---|---|---|---|---|---|---|---|
| Customer Portal | Application | 4 | 4.33 | 55 | 78.60 | 55.78 | Moderate |
| Payroll Database | Data | 3 | 4.67 | 72 | 74.60 | 46.28 | Moderate |
| Remote Access VPN | Network | 5 | 4.00 | 40 | 83.40 | 64.24 | High |

Values are illustrative. The table omits the other 1 to 5 factors that feed the inherent score and the detection and recovery scores that feed the residual score, so the rows cannot be recomputed from the columns shown.
FAQs
1. What does inherent risk mean?
Inherent risk is the score before considering current controls, monitoring strength, or recovery readiness. It shows the raw exposure tied to the asset and threat environment.
2. What does residual risk mean?
Residual risk is the remaining exposure after current controls, detection capability, and recovery readiness reduce the initial score. It is often the main value used for action planning.
3. Why is control effectiveness a percentage?
A percentage lets you reflect audit evidence, testing results, or control coverage more precisely than a simple five-point score. It also improves comparison across different assets.
4. How should I score likelihood and impact?
Use recent incidents, threat intelligence, known weaknesses, business criticality, and data classification. Apply the same scoring guidance across teams to keep assessments consistent.
5. Can this support vendor or third-party risk reviews?
Yes. Use the third-party dependency field, internet exposure, and notes sections to reflect outsourced systems, suppliers, or shared service arrangements.
6. What is the matrix score used for?
The matrix score multiplies threat likelihood (1 to 5) by the impact average rounded to the nearest whole number, giving a value from 1 to 25. It provides a familiar heat-map style view that complements the weighted numerical risk score.
7. How often should I reassess an asset?
Critical risks should be reviewed weekly, high risks monthly, moderate risks quarterly, and low risks semiannually. Reassess sooner after major changes or incidents.
8. Can I use this for compliance reporting?
Yes. The calculator includes compliance impact, treatment guidance, notes, and export options, which help create consistent evidence for internal reviews and stakeholder reporting.