Risk Matrix Design Template
A risk matrix is a visual tool that helps you evaluate and prioritize risks by plotting likelihood against impact. It's essential for ISO 27001's risk assessment methodology (Clause 6.1.2).
What is a Risk Matrix?
A risk matrix (also called a risk heat map) provides a structured way to:
- Visualize risk levels across your organization
- Prioritize risks for treatment
- Communicate risk to stakeholders
- Support decision-making about resource allocation
- Track risk changes over time
Standard Risk Matrix Structure
A typical 5x5 risk matrix looks like this:
| Impact -><br>Likelihood | Negligible (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Very High (5) | Medium (5) | High (10) | High (15) | Critical (20) | Critical (25) |
| High (4) | Low (4) | Medium (8) | High (12) | High (16) | Critical (20) |
| Medium (3) | Low (3) | Medium (6) | Medium (9) | High (12) | High (15) |
| Low (2) | Low (2) | Low (4) | Medium (6) | Medium (8) | High (10) |
| Very Low (1) | Low (1) | Low (2) | Low (3) | Medium (4) | Medium (5) |
Risk Level = Likelihood x Impact
Risk Level Definitions
Critical Risk (16-25)
- Action Required: Immediate action required
- Timeline: Address within 30 days
- Escalation: Executive management must be informed
- Treatment: Must be treated, cannot be accepted
- Examples: Unencrypted customer data, no backup system, critical vulnerability unpatched
High Risk (10-15)
- Action Required: Urgent attention needed
- Timeline: Address within 90 days
- Escalation: Senior management review required
- Treatment: Should be treated unless exceptional circumstances
- Examples: Weak access controls, inadequate logging, single points of failure
Medium Risk (5-9)
- Action Required: Plan treatment
- Timeline: Address within 6-12 months
- Escalation: Department manager approval needed
- Treatment: Evaluate cost/benefit of treatment
- Examples: Minor configuration issues, non-critical vulnerabilities, limited documentation
Low Risk (1-4)
- Action Required: Monitor
- Timeline: Review annually
- Escalation: Standard reporting
- Treatment: Typically accepted
- Examples: Unlikely scenarios with minimal impact, residual risks after controls applied
Likelihood Scale Definition
Define what each likelihood level means for your organization:
Very Low (1) - Rare
- Frequency: < 1% chance per year
- Description: May occur only in exceptional circumstances
- Example Scenarios:
- Meteor strike on data center
- Simultaneous failure of primary and backup systems
- Nation-state targeting of small non-strategic company
Low (2) - Unlikely
- Frequency: 1-10% chance per year
- Description: Could occur at some time
- Example Scenarios:
- Physical break-in to secure facility
- Malicious insider attack
- Major natural disaster in low-risk area
Medium (3) - Possible
- Frequency: 10-50% chance per year
- Description: Might occur at some time
- Example Scenarios:
- Phishing attack succeeding
- Hardware failure
- Employee error causing data exposure
High (4) - Likely
- Frequency: 50-90% chance per year
- Description: Will probably occur
- Example Scenarios:
- Attempted phishing attacks
- Software vulnerabilities discovered
- Minor security incidents
Very High (5) - Almost Certain
- Frequency: > 90% chance per year
- Description: Expected to occur frequently
- Example Scenarios:
- Daily spam/phishing attempts
- Regular software updates needed
- Routine access control violations
Impact Scale Definition
Define the consequences if the risk materializes:
Catastrophic (5)
- Financial: > $1M loss or > 20% revenue impact
- Operational: Business operations halted > 1 week
- Reputational: National media coverage, mass customer exodus
- Legal/Regulatory: Major fines, criminal charges, license revocation
- Data Impact: Breach of > 100,000 records
- Examples: Complete data center destruction, major data breach, ransomware encryption of all systems
Major (4)
- Financial: $250K - $1M loss or 10-20% revenue impact
- Operational: Critical business functions disrupted 3-7 days
- Reputational: Regional media coverage, significant customer loss
- Legal/Regulatory: Significant fines, regulatory sanctions
- Data Impact: Breach of 10,000-100,000 records
- Examples: Extended system outage, significant data loss, compliance violation
Moderate (3)
- Financial: $50K - $250K loss or 5-10% revenue impact
- Operational: Important business functions disrupted 1-3 days
- Reputational: Industry awareness, some customer complaints
- Legal/Regulatory: Warning notices, minor penalties
- Data Impact: Breach of 1,000-10,000 records
- Examples: Temporary system unavailability, limited data corruption, security incident
Minor (2)
- Financial: $10K - $50K loss or 1-5% revenue impact
- Operational: Non-critical functions affected < 1 day
- Reputational: Limited awareness, few complaints
- Legal/Regulatory: Informal warnings
- Data Impact: Breach of 100-1,000 records
- Examples: Brief service disruption, isolated data quality issue, minor security event
Negligible (1)
- Financial: < $10K loss or < 1% revenue impact
- Operational: No significant business impact
- Reputational: No external awareness
- Legal/Regulatory: No regulatory interest
- Data Impact: Breach of < 100 records or no sensitive data
- Examples: Minimal inconvenience, easily corrected errors, no business impact
Customizing Your Risk Matrix
Matrix Size Options
3x3 Matrix (Simple)
- Best for: Small organizations, limited resources
- Pros: Easy to understand and implement
- Cons: Less granularity, harder to prioritize
5x5 Matrix (Standard)
- Best for: Most organizations
- Pros: Good balance of detail and usability
- Cons: Requires more careful definition
7x7 or larger (Complex)
- Best for: Large enterprises, highly regulated industries
- Pros: Maximum granularity
- Cons: Complex to manage, can slow down assessment
Risk Level Color Coding
Standard Color Scheme:
- Critical: Dark Red (#8B0000)
- High: Red (#FF0000)
- Medium: Yellow/Orange (#FFA500)
- Low: Green (#32CD32)
Risk Appetite and Tolerance
Define Your Risk Appetite
Risk Appetite Statement Example:
"Our organization accepts low risks without additional treatment. Medium risks require management approval and documented justification. High and critical risks must be treated to reduce them to medium or low levels within defined timeframes."
Risk Tolerance Thresholds
Set clear boundaries:
| Risk Level | Acceptable? | Required Action | Approval Level |
|---|---|---|---|
| Critical | Never | Immediate treatment | Executive |
| High | Exception only | Treatment plan required | Senior Management |
| Medium | With justification | Review and decide | Department Manager |
| Low | Yes | Monitor | Team Lead |
Risk Matrix Template
Use this template for your risk assessment:
Risk Assessment Matrix for: _______________ Assessment Date: _______________ Assessed by: _______________ Review Date: _______________
Risk Register Integration
| Risk ID | Risk Description | Category | Asset | Likelihood (1-5) | Impact (1-5) | Risk Score | Risk Level | Treatment Decision |
|---|---|---|---|---|---|---|---|---|
| R-001 | ||||||||
| R-002 | ||||||||
| R-003 |
Visual Risk Heat Map
Plot each risk on your matrix using the Risk ID:
High
Impact
Low Low <- Likelihood -> High
Common Pitfalls to Avoid
Inconsistent Scoring:
- Different assessors rating similar risks differently
- Solution: Clear definitions, training, calibration sessions
Anchoring Bias:
- All risks rated as "medium"
- Solution: Force distribution, use examples
Overly Complex:
- Too many rating levels or criteria
- Solution: Start simple, add complexity only if needed
No Context:
- Impact ratings without considering actual business impact
- Solution: Involve business stakeholders, use real scenarios
Static Assessment:
- Matrix created once and never updated
- Solution: Regular reviews, trigger-based reassessments
Risk Matrix Best Practices
- Involve Stakeholders: Include business units, IT, legal, finance
- Document Assumptions: Explain your likelihood and impact definitions
- Calibrate Ratings: Review sample risks as a team to ensure consistency
- Use Real Data: Base likelihood on historical incidents when available
- Consider Controls: Assess inherent risk first, then residual risk after controls
- Regular Reviews: Update at least annually or after significant changes
- Communicate Clearly: Use the matrix to explain risk to executives
- Link to Treatment: Every high/critical risk needs a treatment plan
Inherent vs. Residual Risk
Inherent Risk: The risk level BEFORE any controls are applied Residual Risk: The risk level AFTER controls are applied
Example:
Risk: Unauthorized access to customer database
| Assessment Type | Likelihood | Impact | Risk Score | Risk Level |
|---|---|---|---|---|
| Inherent Risk (no controls) | 5 (Very High) | 5 (Catastrophic) | 25 | Critical |
| Residual Risk (with MFA, encryption, access logs) | 2 (Low) | 4 (Major) | 8 | Medium |
Controls Applied:
- Multi-factor authentication
- Encryption at rest and in transit
- Access logging and monitoring
- Regular access reviews
- Principle of least privilege
Risk Matrix Documentation
Your risk assessment methodology document should include:
- Matrix Definition: Size, scale, scoring method
- Likelihood Criteria: Detailed definitions for each level
- Impact Criteria: Detailed definitions for each level
- Risk Level Definitions: Critical, high, medium, low
- Risk Appetite Statement: What risks are acceptable
- Treatment Requirements: Timeline and approval for each level
- Review Schedule: When and how often to reassess
- Roles and Responsibilities: Who assesses, who approves
- Escalation Procedures: How risks are reported up
Integration with ISO 27001
Your risk matrix supports:
- Clause 6.1.2: Information security risk assessment
- Clause 6.1.3: Information security risk treatment
- Clause 8.2: Information security risk assessment (operational)
- Clause 9.3: Management review (risk reporting)
Next Lesson: Learn how to calculate risk levels using your newly designed matrix.