| Risk | Likelihood (1–5) | Impact (1–5) | Control effectiveness (%) | Inherent score (L × I) | Residual score (Inherent × (1 − Eff/100)) | Typical level (inherent) |
|---|---|---|---|---|---|---|
| Supplier delivery delays | 4 | 3 | 20 | 12 | 9.6 | High |
| Minor scope changes | 3 | 2 | 30 | 6 | 4.2 | Medium |
| Critical security incident | 2 | 5 | 10 | 10 | 9.0 | Medium |
| Key staff unavailability | 3 | 4 | 15 | 12 | 10.2 | High |
| Regulatory compliance breach | 2 | 4 | 25 | 8 | 6.0 | Medium |
ImpactComposite = ImpactSingle (single-score method)
ImpactComposite = Σ(weightᵢ × scoreᵢ) ÷ Σ(weightᵢ) (weighted-dimensions method)
InherentScore = Likelihood × ImpactComposite
ResidualScore = InherentScore × (1 − ControlEffectiveness/100)
- Enter a short risk name and optional owner.
- Choose likelihood based on credible evidence or history.
- Select an impact method: single score or weighted dimensions.
- Adjust thresholds to match your organization’s appetite.
- Estimate control effectiveness to compute residual exposure.
- Review the highlighted matrix cell and suggested response.
- Download CSV or PDF, or save items to the register.
Likelihood and Impact Scales
Most teams use 1–5 scales to keep scoring consistent. Likelihood represents the probability (or expected frequency) of the event over a defined horizon, and every scorer must use the same horizon. For example, 1 can mean under 5% probability, 3 can mean 20–50%, and 5 can mean over 80%. Impact should be anchored to measurable bands such as cost variance, schedule slip in days, downtime hours, records exposed, or audit findings, so that two assessors scoring the same event land on the same number.
Interpreting Matrix Scores
The core score is Likelihood × Impact, producing values from 1 to 25. A risk scored 4×3 equals 12, which often lands in a “High” band under common thresholds. Use the score primarily for ranking, then add context like exposure duration, affected customers, and whether the trigger is already visible. When scores tie, compare leading indicators and control coverage.
Residual Risk and Control Effectiveness
Residual risk estimates the remaining exposure after controls. This calculator applies Residual = Inherent × (1 − Effectiveness/100), with effectiveness entered as a percentage. If inherent is 12 and effectiveness is 20%, residual becomes 12 × 0.8 = 9.6. A single multiplier does not distinguish controls that reduce likelihood (patching, MFA) from controls that reduce impact (backups, segmentation), so treat the residual score as a ranking aid rather than a precise measure. Calibrate effectiveness with evidence: control test pass rates, incident recurrence, patch latency, segregation-of-duties exceptions, and training completion. Re-estimate after major changes, not just annually.
Using Weighted Impact Dimensions
Multi-dimension scoring improves decisions when impacts differ by area. Composite Impact = Σ(weight × score) ÷ Σ(weight). If safety has weight 3 with score 5 and cost has weight 1 with score 2, the composite is (3×5 + 1×2) ÷ (3+1) = 4.25. This makes trade-offs explicit and supports governance when non-financial harm matters as much as money. Keep weights stable per program to preserve trend comparability; changing a weight re-scores every risk that uses that dimension.
Threshold Calibration and Risk Appetite
Levels convert numbers into actions. A frequent mapping is Low ≤5, Medium ≤10, High ≤15, and Extreme >15, but appetite varies by sector. Review last year’s losses, near misses, and overruns, then set thresholds so “High” triggers a defined response time, owner assignment, and steering review. Document the mapping and review it quarterly, or sooner whenever strategy, exposure, or tolerance materially change.
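The step list and the four scoring sections above describe one procedure: convert likelihood and impact to 1–5 scores, combine weighted dimensions, multiply, apply control effectiveness, and map the result to a level. The following is an added example implementing that procedure; it is not the calculator's own code. Thresholds, formulas and the five sample rows are taken from this page; the probability bands for likelihood scores 2 and 4 are assumptions that fill the gaps between the page's stated anchors (1: under 5%, 3: 20–50%, 5: over 80%).

```python
"""Worked scoring for the 5x5 matrix described on this page.

Added example, not the calculator's own code. Thresholds, formulas and the five sample
rows come from the page; the probability bands for likelihood 2 and 4 are assumptions
that fill the gaps between the page's stated anchors (1: <5%, 3: 20-50%, 5: >80%).
"""
from dataclasses import dataclass

# Level bands from the page: Low <=5, Medium <=10, High <=15, Extreme >15.
DEFAULT_THRESHOLDS = (("Low", 5), ("Medium", 10), ("High", 15))


def level_for(score, thresholds=DEFAULT_THRESHOLDS):
    """Map a score to a level; anything above the last band is Extreme."""
    for name, upper in thresholds:
        if score <= upper:
            return name
    return "Extreme"


def likelihood_from_probability(p):
    """Convert a probability over the scoring horizon to a 1-5 likelihood score."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if p < 0.05:
        return 1
    if p < 0.20:
        return 2        # assumed band: 5-20%
    if p <= 0.50:
        return 3
    if p <= 0.80:
        return 4        # assumed band: 50-80%
    return 5


def composite_impact(dimensions):
    """Weighted mean of (weight, score) pairs: sum(w*s) / sum(w)."""
    total_weight = sum(w for w, _ in dimensions)
    if total_weight <= 0:
        raise ValueError("weights must sum to a positive number")
    for w, s in dimensions:
        if w < 0 or not 1 <= s <= 5:
            raise ValueError(f"bad dimension weight={w} score={s}")
    return sum(w * s for w, s in dimensions) / total_weight


@dataclass
class Risk:
    name: str
    likelihood: int                      # 1-5
    impact: float                        # single score or composite, 1-5
    control_effectiveness: float = 0.0   # percent, 0-100
    owner: str = ""

    def __post_init__(self):
        if not 1 <= self.likelihood <= 5 or not 1 <= self.impact <= 5:
            raise ValueError("likelihood and impact must be within 1-5")
        if not 0 <= self.control_effectiveness <= 100:
            raise ValueError("control effectiveness is a percentage 0-100")

    @property
    def inherent(self):
        return self.likelihood * self.impact

    @property
    def residual(self):
        # Divide by 100 last so the page's 12 x (1 - 20/100) = 9.6 is reproduced exactly.
        return self.inherent * (100 - self.control_effectiveness) / 100


def score(risk, thresholds=DEFAULT_THRESHOLDS):
    """Return the fields the page's calculator reports for one risk."""
    return {
        "risk": risk.name,
        "owner": risk.owner,
        "inherent": risk.inherent,
        "inherent_level": level_for(risk.inherent, thresholds),
        "residual": round(risk.residual, 2),
        "residual_level": level_for(risk.residual, thresholds),
    }


# The page's sample rows, scored with the single-impact method.
SAMPLE_RISKS = [
    Risk("Supplier delivery delays", 4, 3, 20),
    Risk("Minor scope changes", 3, 2, 30),
    Risk("Critical security incident", 2, 5, 10),
    Risk("Key staff unavailability", 3, 4, 15),
    Risk("Regulatory compliance breach", 2, 4, 25),
]


def score_all(risks=SAMPLE_RISKS, thresholds=DEFAULT_THRESHOLDS):
    """Score a list and sort it for ranking: residual first, then inherent as tie-break."""
    rows = [score(r, thresholds) for r in risks]
    return sorted(rows, key=lambda r: (r["residual"], r["inherent"]), reverse=True)


if __name__ == "__main__":
    # Weighted example from the page: safety weight 3 score 5, cost weight 1 score 2.
    print("composite impact:", composite_impact([(3, 5), (1, 2)]))
    for row in score_all():
        print(row)
```

Note that ranking by residual changes the order the inherent scores suggest: the two inherent-12 risks split once control effectiveness is applied, and the 10-point security incident with only 10% effectiveness ends up close behind them. That is the tie-breaking the Interpreting Matrix Scores section describes, made explicit.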
Reporting and Continuous Review
Strong reporting compares inherent versus residual, shows movement over time, and records ownership and due dates. Track the share of risks above High, average residual score, risk aging, and overdue mitigations. Re-score on scope changes, supplier shifts, incidents, or regulatory updates. Export CSV or PDF for monthly governance packs, audits, and board dashboards, and retain assumptions for repeatable scoring.
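The metrics listed above (share of risks at High or above, average residual, risk aging, overdue mitigations) and the CSV export can be computed from a saved register. The block below is an added example of that reporting, not the page's own export code. The inherent and residual scores are the page's sample rows after the residual formula; owners, dates and statuses are constructed for the example.

```python
"""Portfolio reporting over a saved risk register.

Added example, not the page's export code. Scores are the page's sample rows after the
residual formula; owners, dates and statuses are constructed for the example.
"""
import csv
import io
from datetime import date


def level_for(score):
    """Page bands: Low <=5, Medium <=10, High <=15, Extreme >15."""
    if score <= 5:
        return "Low"
    if score <= 10:
        return "Medium"
    if score <= 15:
        return "High"
    return "Extreme"


# Constructed register. Inherent/residual scores come from the page's sample table.
REGISTER = [
    {"risk": "Supplier delivery delays", "owner": "procurement", "inherent": 12, "residual": 9.6,
     "opened": date(2024, 1, 15), "due": date(2024, 3, 31), "status": "open"},
    {"risk": "Minor scope changes", "owner": "pmo", "inherent": 6, "residual": 4.2,
     "opened": date(2024, 2, 1), "due": date(2024, 6, 30), "status": "closed"},
    {"risk": "Critical security incident", "owner": "ciso", "inherent": 10, "residual": 9.0,
     "opened": date(2024, 1, 8), "due": date(2024, 4, 15), "status": "open"},
    {"risk": "Key staff unavailability", "owner": "hr", "inherent": 12, "residual": 10.2,
     "opened": date(2024, 3, 10), "due": date(2024, 5, 31), "status": "open"},
    {"risk": "Regulatory compliance breach", "owner": "legal", "inherent": 8, "residual": 6.0,
     "opened": date(2024, 2, 20), "due": date(2024, 4, 30), "status": "open"},
]


def register_metrics(register, as_of):
    """Governance-pack numbers: share at High or above, average residual, overall
    inherent-to-residual reduction, age of the oldest open item, overdue mitigations."""
    if not register:
        raise ValueError("empty register")
    open_items = [r for r in register if r["status"] != "closed"]
    high_or_above = [r["risk"] for r in register
                     if level_for(r["residual"]) in ("High", "Extreme")]
    ages = {r["risk"]: (as_of - r["opened"]).days for r in open_items}
    overdue = sorted(r["risk"] for r in open_items if r["due"] < as_of)
    total_inherent = sum(r["inherent"] for r in register)
    total_residual = sum(r["residual"] for r in register)
    return {
        "count": len(register),
        "share_high_or_above": len(high_or_above) / len(register),
        "avg_residual": round(total_residual / len(register), 2),
        "reduction_pct": round(100 * (1 - total_residual / total_inherent), 1),
        "oldest_open_days": max(ages.values(), default=0),
        "overdue_mitigations": overdue,
    }


def to_csv(register):
    """Flat CSV with both scores and both levels so inherent vs residual can be compared."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["risk", "owner", "inherent", "inherent_level", "residual",
                     "residual_level", "opened", "due", "status"])
    for r in register:
        writer.writerow([r["risk"], r["owner"], r["inherent"], level_for(r["inherent"]),
                         r["residual"], level_for(r["residual"]),
                         r["opened"].isoformat(), r["due"].isoformat(), r["status"]])
    return out.getvalue()


if __name__ == "__main__":
    print(register_metrics(REGISTER, date(2024, 5, 1)))
    print(to_csv(REGISTER))
```

Closed items are excluded from aging and overdue counts but still count toward the portfolio averages, so a register full of closed items does not look artificially healthy; the `as_of` date is passed in rather than read from the clock so monthly packs are reproducible.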
What is the difference between inherent and residual risk?
Inherent risk is the exposure before controls. Residual risk estimates exposure after controls reduce likelihood or impact, using your effectiveness percentage to adjust the score.
How should we choose likelihood scores?
Base likelihood on history, monitoring data, and expert judgment. Define each level with a frequency range, then apply the same definitions across teams to reduce scoring drift.
Why use weighted impact dimensions?
Weights let you reflect priorities such as safety, compliance, or reputation. The composite impact becomes transparent and repeatable, especially when financial and non-financial consequences compete.
What thresholds work for a 5×5 matrix?
Many organizations start with Low ≤5, Medium ≤10, High ≤15, Extreme >15. Adjust thresholds based on appetite, loss history, and escalation practices, then document the rationale.
How do I interpret an “Extreme” rating?
Extreme means the score exceeds your High maximum threshold. Treat it as urgent: escalate quickly, evaluate avoidance options, fund strong controls, and set short review intervals until reduced.
Can I export or keep a risk register?
Yes. Save entries to the session-based register, then export the register to CSV or PDF. You can also export the latest calculation immediately for reporting and sharing.