Enter Assessment Inputs
Use the fields below to score likelihood, impact, controls, and thresholds. The calculator supports weighted scoring for advanced IT risk reviews.
Example Data Table
| Risk | Likelihood | Impact | Inherent Risk | Control Effectiveness | Residual Risk | Level |
|---|---|---|---|---|---|---|
| Ransomware on support platform | 4.45 | 4.10 | 18.25 | 58% | 7.40 | Moderate |
| Privileged access misuse | 3.60 | 4.35 | 15.66 | 42% | 8.96 | Moderate |
| Cloud misconfiguration | 4.10 | 3.75 | 15.38 | 35% | 9.80 | Moderate |
Formula Used
Likelihood Score = ((Base Likelihood × Weight) + (Threat Exposure × Weight) + (Vulnerability × Weight) + (Asset Criticality × Weight)) ÷ Total Likelihood Weights
Impact Score = ((Confidentiality × Weight) + (Integrity × Weight) + (Availability × Weight) + (Financial × Weight) + (Compliance × Weight) + (Reputation × Weight)) ÷ Total Impact Weights
Inherent Risk = Likelihood Score × Impact Score
Control Power = min(85%, (55% × Control Effectiveness) + (20% × Detection Maturity Factor))
Residual Likelihood = max(1, Likelihood Score × (1 - Control Power))
Residual Impact = max(1, Impact Score × (1 - Impact Mitigation))
Residual Risk = Residual Likelihood × Residual Impact
Risk Reduction % = ((Inherent Risk - Residual Risk) ÷ Inherent Risk) × 100
Gap to Appetite = Residual Risk - Risk Appetite
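The formulas above carried through in plain Python, as an added example rather than the calculator's own code. It assumes factor scores on the 1 to 5 scale and expresses control effectiveness, detection maturity and impact mitigation as fractions between 0 and 1; the sample inputs and the 6/12 rating thresholds are constructed.

```python
# Added worked example, not part of the calculator: the page's weighted scoring
# and residual-risk formulas in plain Python. Assumptions: factor scores are 1-5,
# control effectiveness, detection maturity and impact mitigation are fractions 0-1.

def weighted_score(scores, weights):
    """sum(score x weight) / sum(weights) over the 1-5 factor scores."""
    if len(scores) != len(weights) or sum(weights) <= 0:
        raise ValueError("need equal-length lists and positive total weight")
    return sum(s * w for s, w in zip(scores, weights)) / sum(weights)


def control_power(control_effectiveness, detection_maturity):
    """min(85%, 55% x Control Effectiveness + 20% x Detection Maturity Factor)."""
    return min(0.85, 0.55 * control_effectiveness + 0.20 * detection_maturity)


def rate(residual, low_max, moderate_max):
    """Low / Moderate / High against caller-supplied threshold boundaries."""
    if residual <= low_max:
        return "Low"
    return "Moderate" if residual <= moderate_max else "High"


def assess(lik_scores, lik_weights, imp_scores, imp_weights,
           control_effectiveness, detection_maturity, impact_mitigation,
           risk_appetite, low_max, moderate_max):
    likelihood = weighted_score(lik_scores, lik_weights)
    impact = weighted_score(imp_scores, imp_weights)
    inherent = likelihood * impact
    cp = control_power(control_effectiveness, detection_maturity)
    # Floors at 1: controls cannot push a factor below the bottom of the scale.
    residual_likelihood = max(1.0, likelihood * (1 - cp))
    residual_impact = max(1.0, impact * (1 - impact_mitigation))
    residual = residual_likelihood * residual_impact
    return {
        "likelihood": likelihood, "impact": impact, "inherent_risk": inherent,
        "control_power": cp, "residual_risk": residual,
        "risk_reduction_pct": (inherent - residual) / inherent * 100,
        "gap_to_appetite": residual - risk_appetite,  # > 0 means still above appetite
        "level": rate(residual, low_max, moderate_max),
    }


if __name__ == "__main__":
    # Constructed inputs: four likelihood factors, six impact dimensions, 6/12 thresholds.
    r = assess([4, 5, 4, 4], [3, 2, 2, 1], [4, 4, 5, 3, 4, 3], [2, 2, 3, 2, 1, 1],
               control_effectiveness=0.58, detection_maturity=0.60,
               impact_mitigation=0.30, risk_appetite=5.0, low_max=6.0, moderate_max=12.0)
    for key, value in r.items():
        print(f"{key:>20}: {value:.2f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

With these inputs the weighted likelihood is 4.25 and the weighted impact 4.00, so inherent risk is 17.00; a control power of 0.439 and 30% impact mitigation leave a residual of about 6.68, a 60.7% reduction that still sits 1.68 above the appetite of 5.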
How to Use This Calculator
- Enter a clear IT risk title, owner, and affected asset.
- Score likelihood, threat exposure, vulnerability, and asset criticality from 1 to 5.
- Score impact dimensions from 1 to 5 across business and security areas.
- Adjust the weights to reflect your organization’s assessment model.
- Enter existing control effectiveness and current detection maturity.
- Set rating thresholds and the risk appetite target.
- Submit the form to generate inherent and residual risk results.
- Review the matrix chart, result table, and recommended treatment action.
- Use the CSV or PDF buttons to save outputs for governance records.
FAQs
1. What does inherent risk mean?
Inherent risk is the raw exposure before control strength and detection maturity are applied. It helps show the natural severity of a threat scenario.
2. What does residual risk mean?
Residual risk is the remaining exposure after current controls reduce likelihood and impact. It shows whether the risk is still above tolerance.
3. Why use weighted scoring?
Weighted scoring lets your team emphasize the factors that matter most. For example, availability may matter more than reputation for some services.
4. Can I change the matrix thresholds?
Yes. The calculator lets you set custom boundaries for low, moderate, and high ratings, plus a separate appetite target for governance decisions.
5. How should I score control effectiveness?
Use a realistic percentage based on preventive, corrective, and compensating controls. Strong documentation and tested controls usually justify higher values.
6. What is detection maturity?
Detection maturity reflects how quickly and reliably the organization can discover suspicious activity. Better monitoring usually lowers the remaining likelihood score.
7. Is this calculator suitable for audits?
Yes. It provides structured inputs, consistent formulas, exportable results, and a documented method that supports risk reviews and audit preparation.
8. Can I use this for third-party risks?
Yes. Replace the asset with the relevant supplier service, score the impact categories, and adjust weights to reflect vendor-specific exposures.