Question 1

What is a risk matrix and how do I use it?

Accepted Answer

A risk matrix is a visual tool that plots risks on a grid based on likelihood (probability of occurring) and impact (severity of consequences). Each axis typically has 3-5 levels. Risks in the upper-right (high likelihood + high impact) are critical priorities. Use the matrix to prioritize remediation efforts and communicate risk levels to stakeholders.

Question 2

How do I calculate a risk score?

Accepted Answer

Risk Score = Likelihood × Impact. Both are rated on scales (e.g., 1-5). A risk with Likelihood=4 and Impact=5 has Score=20. Some methodologies add Vulnerability or Detectability factors. This tool uses standard 5×5 matrices with color-coded zones: Green (1-4 Low), Yellow (5-9 Medium), Orange (10-14 High), Red (15-25 Critical).

Question 3

What is the difference between inherent and residual risk?

Accepted Answer

Inherent risk is the risk level before any controls are applied - the raw exposure. Residual risk is what remains after implementing mitigating controls. Calculate residual risk by reassessing likelihood and impact with controls in place. The goal is reducing residual risk to acceptable levels, not eliminating all risk.

Question 4

How do I determine likelihood ratings?

Accepted Answer

Likelihood ratings consider: historical frequency, threat actor capability and motivation, vulnerability exposure, and existing preventive controls. Use consistent definitions: Rare (1) = <5% annual chance, Unlikely (2) = 5-20%, Possible (3) = 20-50%, Likely (4) = 50-80%, Almost Certain (5) = >80%.

Question 5

How do I determine impact ratings?

Accepted Answer

Impact considers multiple dimensions: financial loss, operational disruption, reputational damage, regulatory penalties, and safety concerns. Define thresholds for your organization: Negligible (1) = <$10K impact, Minor (2) = $10K-100K, Moderate (3) = $100K-1M, Major (4) = $1M-10M, Catastrophic (5) = >$10M or business-threatening.

Question 6

How often should I update risk assessments?

Accepted Answer

Review risk matrices quarterly at minimum, and immediately after: major incidents, significant business changes, new threat intelligence, regulatory changes, or new system implementations. Assign risk owners responsible for ongoing monitoring. Treat risk assessment as a continuous process, not a one-time exercise.

Risk Matrix Calculator

Select Risk Framework

Risk Register

Need Help with Risk Assessment?

Frequently Asked Questions

Explore More Tools

Cybersecurity Budget Calculator

Data Breach Cost Calculator

Cybersecurity ROI Calculator

Cybersecurity Maturity Assessment

Vendor Risk Management "Breach-Proof" Scorecard

Cloud Security Self-Assessment (iCSAT)

ℹ️ Disclaimer

Select Risk Framework

Risk Register