Calculator inputs
The calculator takes the following inputs, named as they appear in the formulas below:
- The asset or system name being assessed.
- Impact factors: Asset Value, Business Impact, Data Sensitivity.
- Threat factors: Threat Likelihood, Exposure Frequency.
- Weakness factors: Vulnerability Severity, Compliance Gap (a percentage, 0 to 100).
- Control strengths as percentages, 0 to 100: Coverage, Preventive, Detective, Corrective, Recovery, Monitoring.
- A risk appetite threshold that the residual score is compared against.
Example data table
This static example shows how the component scores vary across assets. Impact, Threat and Weakness are the three inputs to Inherent Risk; Inherent Risk itself and the Compliance Gap input are not shown, so the Residual Risk column cannot be fully recomputed from a row alone. The Level label (Moderate, Elevated) is assigned by the calculator from the residual score; the band boundaries are not part of the formulas listed below.
| Asset | Impact | Threat | Weakness | Control Effectiveness | Residual Risk | Level |
|---|---|---|---|---|---|---|
| Customer Portal | 80.00 | 72.00 | 44.00 | 63.26 | 28.80 | Moderate |
| Payment API | 95.00 | 84.00 | 58.00 | 51.00 | 47.55 | Elevated |
| HR Records Store | 87.50 | 58.00 | 42.00 | 71.50 | 25.48 | Moderate |
| Endpoint Fleet | 68.50 | 70.00 | 56.00 | 55.40 | 35.96 | Moderate |
Formula used
Impact = (Asset Value × 3.5) + (Business Impact × 4.0) + (Data Sensitivity × 5.0)
Threat = (Threat Likelihood × 6.0) + ((Exposure Frequency ÷ 30) × 40)
Weakness = (Vulnerability Severity × 6.0) + (Compliance Gap × 0.4)
Inherent Risk = (Impact × 0.38) + (Threat × 0.32) + (Weakness × 0.30)
Control Effectiveness = (Coverage × 0.15) + (Preventive × 0.20) + (Detective × 0.18) + (Corrective × 0.15) + (Recovery × 0.15) + (Monitoring × 0.17)
Residual Risk = (Inherent Risk × (1 − Control Effectiveness ÷ 100)) + (Compliance Gap × 0.10)
Control Effectiveness is on a 0 to 100 scale (its weights sum to 1.00, as do the Inherent Risk weights), which is why it is divided by 100 before it scales Inherent Risk. Note that the Compliance Gap enters twice: once inside Weakness (× 0.4) and again as the final penalty (× 0.10). The penalty is added after the control reduction, so controls never reduce it; with no effective controls and a fully open gap, Residual Risk sits 10 points above Inherent Risk.
How to use this calculator
- Enter the asset or system name you want to assess.
- Score the business, asset, data, threat, and vulnerability factors honestly.
- Estimate current control performance using percentages (0 to 100) for coverage, preventive, detective, corrective, recovery, and monitoring strength.
- Set a risk appetite threshold that reflects your organization’s acceptable residual exposure.
- Click Calculate Residual Risk to show the result above the form.
- Review the component table, graph, and suggested actions.
- Export the result as CSV or PDF for reporting, governance reviews, or audit documentation.
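The formulas above and the steps just listed, carried through end to end as an added example. This is not the calculator's own code: the `RiskInputs` field names, the `assess` and `to_csv` helpers, and the sample numbers are assumptions for illustration; the weights and the percentage scales are the page's. It also recomputes Inherent Risk for the four rows of the example table, which the table omits.

```python
# Added example (not the page's calculator code): the "Formula used" section
# applied the way the "How to use" steps describe, with a risk appetite
# comparison and a CSV export. Field names and sample values are assumptions.
import csv
import io
from dataclasses import dataclass, replace


@dataclass
class RiskInputs:
    asset: str
    asset_value: float
    business_impact: float
    data_sensitivity: float
    threat_likelihood: float
    exposure_frequency: float       # the formula divides this by 30
    vulnerability_severity: float
    compliance_gap: float           # percent, 0-100
    coverage: float                 # control strengths, percent 0-100 (FAQ 4)
    preventive: float
    detective: float
    corrective: float
    recovery: float
    monitoring: float


PERCENT_FIELDS = ("compliance_gap", "coverage", "preventive", "detective",
                  "corrective", "recovery", "monitoring")


def is_valid(i: RiskInputs) -> bool:
    """Percentages must stay in 0-100: a 150% control would drive residual risk negative."""
    return all(0 <= getattr(i, name) <= 100 for name in PERCENT_FIELDS)


def impact(i: RiskInputs) -> float:
    return i.asset_value * 3.5 + i.business_impact * 4.0 + i.data_sensitivity * 5.0


def threat(i: RiskInputs) -> float:
    return i.threat_likelihood * 6.0 + (i.exposure_frequency / 30) * 40


def weakness(i: RiskInputs) -> float:
    return i.vulnerability_severity * 6.0 + i.compliance_gap * 0.4


def inherent_risk(imp: float, thr: float, weak: float) -> float:
    return imp * 0.38 + thr * 0.32 + weak * 0.30


def control_effectiveness(i: RiskInputs) -> float:
    return (i.coverage * 0.15 + i.preventive * 0.20 + i.detective * 0.18
            + i.corrective * 0.15 + i.recovery * 0.15 + i.monitoring * 0.17)


def residual_risk(inherent: float, ce: float, compliance_gap: float) -> float:
    # The gap penalty is added after the control reduction, so controls never offset it.
    return inherent * (1 - ce / 100) + compliance_gap * 0.10


def assess(i: RiskInputs, risk_appetite: float) -> dict:
    """Run the whole pipeline; components rounded to 2 dp like the page's table."""
    if not is_valid(i):
        raise ValueError("percentage inputs must be between 0 and 100")
    imp, thr, weak = impact(i), threat(i), weakness(i)
    inh = inherent_risk(imp, thr, weak)
    ce = control_effectiveness(i)
    res = residual_risk(inh, ce, i.compliance_gap)
    return {
        "asset": i.asset,
        "impact": round(imp, 2), "threat": round(thr, 2), "weakness": round(weak, 2),
        "inherent_risk": round(inh, 2), "control_effectiveness": round(ce, 2),
        "residual_risk": round(res, 2), "risk_appetite": risk_appetite,
        # Above the appetite threshold means treat, escalate or formally accept (FAQ 7).
        "treatment_required": res > risk_appetite,
    }


def to_csv(results: list) -> str:
    """Serialise assessment rows for the CSV export step."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(results[0].keys()))
    writer.writeheader()
    writer.writerows(results)
    return buf.getvalue()


# Impact, Threat and Weakness columns copied from the page's example table;
# Inherent Risk follows from those three alone.
TABLE_ROWS = {
    "Customer Portal": (80.00, 72.00, 44.00),
    "Payment API": (95.00, 84.00, 58.00),
    "HR Records Store": (87.50, 58.00, 42.00),
    "Endpoint Fleet": (68.50, 70.00, 56.00),
}


def inherent_for_table() -> dict:
    return {name: round(inherent_risk(*row), 2) for name, row in TABLE_ROWS.items()}


# Constructed sample inputs (not taken from the page).
SAMPLE = RiskInputs(
    asset="Internal Wiki", asset_value=6, business_impact=7, data_sensitivity=5,
    threat_likelihood=7, exposure_frequency=15, vulnerability_severity=6,
    compliance_gap=40, coverage=70, preventive=60, detective=50,
    corrective=40, recovery=50, monitoring=60,
)
SAMPLE_INVALID = replace(SAMPLE, preventive=150)   # rejected by is_valid

if __name__ == "__main__":
    result = assess(SAMPLE, risk_appetite=30)
    print(result)
    print(inherent_for_table())
    print(to_csv([result]))
```

With the sample inputs, Impact is 74, Threat 62, Weakness 52, Inherent Risk 63.56 and Control Effectiveness 55.2, giving a Residual Risk of 32.47; against an appetite threshold of 30 that flags the asset for treatment, against 40 it does not. The percentage check matters because the formula never clamps: a control score above 100 would push the residual below zero rather than signal a data-entry error.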
FAQs
1) What is residual risk?
Residual risk is the exposure that still remains after current controls are considered. It helps teams understand whether existing safeguards reduce risk enough for business acceptance.
2) Why is inherent risk different from residual risk?
Inherent risk measures exposure before safeguards are applied. Residual risk shows what remains after control effectiveness and compliance gaps are factored into the assessment.
3) Why include a compliance gap penalty?
A compliance gap can mean key safeguards are missing, weak, or not evidenced. The penalty stops teams from understating residual exposure when governance obligations remain open.
4) What scale should I use for percentage controls?
Use 0 for absent or ineffective controls and 100 for highly effective, validated controls. Be consistent across assessments so trend analysis remains useful.
5) Can this calculator support board or audit reporting?
Yes. The score, status, graph, and downloadable files make it useful for governance reporting, treatment planning, and control review discussions.
6) How often should residual risk be reassessed?
Reassess after major changes, high-severity findings, control failures, material incidents, or meaningful threat shifts. Quarterly reviews are also common for important systems.
7) What does the risk appetite threshold do?
It marks the level of residual risk your organization is willing to tolerate. Scores above that threshold usually need treatment, escalation, or formal acceptance.
8) Is this score a replacement for a full risk program?
No. It is a structured decision aid. Mature programs still need asset inventories, threat intelligence, testing, governance, and documented treatment workflows.