Calculator
Example data table
| Scenario | Area | L | I | Controls | Mode | Residual | Level |
|---|---|---|---|---|---|---|---|
| Vendor due diligence gaps | Procurement | 4 | 4 | 45% | EXTENDED | 7.269 | Medium |
| Late privacy notices | Data Privacy | 3 | 3 | 70% | STANDARD | 2.700 | Low |
| Sanctions screening drift | Sanctions | 2 | 5 | 55% | EXTENDED | 2.997 | Low |
| Safety training overdue | Health & Safety | 4 | 3 | 50% | STANDARD | 6.000 | Medium |
| Unreconciled journal entries | Financial Reporting | 3 | 5 | 60% | EXTENDED | 4.095 | Low |
Formula used
Inherent score is calculated as:
Inherent = Likelihood × Impact
Residual score depends on the chosen mode:
- Standard: Residual = Inherent × (1 − Control%/100)
- Extended: Residual = Inherent × Modifier × (1 − Control%/100) × (1 − Detection%/200)
Modifier adds context while staying close to 1.0 (with all four drivers at the midpoint of 3 it equals exactly 1.0):
Modifier = 1 + 0.05(Penalty−3) + 0.05(Reputation−3) + 0.04(Velocity−3) + 0.04(Frequency−3)
Risk level is assigned by comparing the residual score with your thresholds: Low if Residual ≤ t_low, Medium if Residual ≤ t_med, High if Residual ≤ t_high, otherwise Critical.
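The scoring rules above, implemented end to end as an added example (this is not the calculator's own code). It reproduces the two STANDARD rows of the example table, scores one EXTENDED scenario whose detection percentage and context drivers are constructed here because the page does not list them, and validates inputs: ratings must be 1–5, percentages 0–100, and the Low/Medium/High thresholds strictly increasing, as FAQ 6 requires. The threshold values are an assumption chosen to be consistent with the table (6.000 is Medium, 4.095 is Low); the page does not state them.

```python
"""Compliance risk matrix scoring: inherent, residual (standard/extended), level.

Added example. Function names, the threshold values and the EXTENDED-mode
inputs used in SCENARIOS are assumptions, not values taken from the page.
"""

RATING_SCALE = range(1, 6)  # likelihood, impact and context drivers use 1-5

# Assumed thresholds (t_low, t_med, t_high); consistent with the page's table.
ASSUMED_THRESHOLDS = (5.0, 10.0, 15.0)


def _check_rating(name: str, value: int) -> None:
    if not isinstance(value, int) or value not in RATING_SCALE:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def _check_percent(name: str, value: float) -> None:
    if not 0 <= value <= 100:
        raise ValueError(f"{name} must be between 0 and 100, got {value!r}")


def inherent(likelihood: int, impact: int) -> float:
    """Inherent = Likelihood x Impact (assumes no controls exist)."""
    _check_rating("likelihood", likelihood)
    _check_rating("impact", impact)
    return float(likelihood * impact)


def modifier(penalty: int, reputation: int, velocity: int, frequency: int) -> float:
    """Context modifier from the page's formula; all drivers at 3 give 1.0."""
    for name, value in (("penalty", penalty), ("reputation", reputation),
                        ("velocity", velocity), ("frequency", frequency)):
        _check_rating(name, value)
    return (1 + 0.05 * (penalty - 3) + 0.05 * (reputation - 3)
            + 0.04 * (velocity - 3) + 0.04 * (frequency - 3))


def residual_standard(likelihood: int, impact: int, control_pct: float) -> float:
    """Standard mode: Residual = Inherent x (1 - Control%/100)."""
    _check_percent("control_pct", control_pct)
    return inherent(likelihood, impact) * (1 - control_pct / 100)


def residual_extended(likelihood: int, impact: int, control_pct: float,
                      detection_pct: float, drivers: tuple) -> float:
    """Extended mode: Inherent x Modifier x (1 - Control%/100) x (1 - Detection%/200).

    Detection is divided by 200, so even 100% detection only halves the score:
    finding a breach after the fact counts for less than preventing it.
    """
    _check_percent("control_pct", control_pct)
    _check_percent("detection_pct", detection_pct)
    return (inherent(likelihood, impact) * modifier(*drivers)
            * (1 - control_pct / 100) * (1 - detection_pct / 200))


def thresholds_valid(t_low: float, t_med: float, t_high: float) -> bool:
    """Bands only make sense when the maximums strictly increase."""
    return t_low < t_med < t_high


def risk_level(score: float, t_low: float, t_med: float, t_high: float) -> str:
    """Low <= t_low, Medium <= t_med, High <= t_high, else Critical."""
    if not thresholds_valid(t_low, t_med, t_high):
        raise ValueError("thresholds must satisfy t_low < t_med < t_high")
    if score <= t_low:
        return "Low"
    if score <= t_med:
        return "Medium"
    if score <= t_high:
        return "High"
    return "Critical"


# Two STANDARD rows from the page's table, plus one EXTENDED scenario whose
# detection % and (penalty, reputation, velocity, frequency) are constructed.
SCENARIOS = [
    # (name, L, I, control %, mode, detection %, drivers)
    ("Late privacy notices", 3, 3, 70, "STANDARD", None, None),
    ("Safety training overdue", 4, 3, 50, "STANDARD", None, None),
    ("Constructed: access recertification lapses", 4, 4, 45, "EXTENDED", 40, (4, 3, 3, 4)),
]


def score_scenario(row: tuple, thresholds: tuple = ASSUMED_THRESHOLDS) -> dict:
    """Score one table row; rejects unknown modes instead of guessing."""
    name, likelihood, impact, control_pct, mode, detection_pct, drivers = row
    if mode == "STANDARD":
        score = residual_standard(likelihood, impact, control_pct)
    elif mode == "EXTENDED":
        score = residual_extended(likelihood, impact, control_pct, detection_pct, drivers)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"scenario": name, "inherent": inherent(likelihood, impact),
            "residual": round(score, 3), "level": risk_level(score, *thresholds)}


def score_table(rows=SCENARIOS) -> list:
    return [score_scenario(row) for row in rows]


if __name__ == "__main__":
    for result in score_table():
        print(f"{result['scenario']:<45} inherent={result['inherent']:>5} "
              f"residual={result['residual']:>6} level={result['level']}")
```

The constructed EXTENDED row works out as 16 × 1.09 × 0.55 × 0.80 = 7.674, which the assumed thresholds band as Medium. Keep the threshold check in the scoring path rather than only in the UI: an exported CSV whose thresholds were not increasing cannot be used to reproduce the decision later.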
How to use this calculator
- Enter a scenario name and select the compliance area.
- Pick likelihood and impact using the 1–5 descriptions.
- Move the control slider to reflect current effectiveness.
- Use extended mode to include detection and context drivers.
- Set thresholds to match your risk appetite statement.
- Click calculate, then download CSV or PDF for records.
FAQs
1) What is a compliance risk matrix?
It is a grid that combines likelihood and impact to rank compliance issues. It helps teams prioritize monitoring, remediation, and escalation using consistent scoring rules.
2) What is the difference between inherent and residual risk?
Inherent risk assumes no controls exist. Residual risk estimates what remains after controls and detection activities reduce exposure. Residual scores are usually used for action planning.
3) How should I choose likelihood and impact?
Use evidence such as prior incidents, audit findings, control testing, transaction volume, and regulatory history. Define scoring criteria in policy so different assessors rate scenarios consistently.
4) What does control effectiveness mean here?
It is an estimate of how well preventive and detective controls reduce the chance or consequence of non-compliance. Use control testing results, exception rates, and design reviews to set a realistic percentage.
5) Why does extended mode include a modifier?
Some scenarios are riskier due to penalty severity, reputational impact, speed of escalation, or how often the activity happens. The modifier nudges the score without overpowering the base matrix.
6) Can I align thresholds with my organization’s risk appetite?
Yes. Adjust the Low, Medium, and High maximum thresholds to match your governance rules. Keep them increasing so the categories remain consistent and easy to interpret.
7) How should I use the PDF and CSV exports?
Use CSV for tracking and dashboards, and PDF for audit or committee packets. Exported results capture inputs, scores, and thresholds so you can reproduce decisions later.
8) What if my organization uses a 1–10 scale?
You can approximate by mapping 1–10 into 1–5 bands, or adjust thresholds to reflect the larger range. Keep definitions stable so comparisons remain meaningful across periods.