
Risk Matrix Calculator

Create risk matrices and calculate risk scores. Prioritize risks by likelihood and impact. Free privacy-first risk assessment tool.


Framework Selection

Select the risk management framework to use (e.g., NIST, ISO 27005)

Assessment Details

Description of the risk event, threat, or vulnerability

Probability of the risk occurring

Severity of the consequence if the risk occurs


What Is a Risk Matrix

A risk matrix (also called a risk heat map) is a visual tool that plots risks on a grid based on their likelihood of occurrence and potential impact. By categorizing risks into cells ranging from low (green) to critical (red), a risk matrix enables rapid prioritization of security risks, business risks, and project risks.

Risk matrices are the most widely used risk assessment tool in cybersecurity, project management, and enterprise risk management. They appear in virtually every compliance framework — ISO 27005, NIST SP 800-30, COBIT, and COSO ERM all recommend risk matrix approaches for risk evaluation and communication.

Risk Matrix Structure

A typical 5x5 risk matrix maps likelihood (vertical axis) against impact (horizontal axis):

| Likelihood / Impact | Negligible | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | Medium | High | Critical | Critical | Critical |
| Likely | Low | Medium | High | Critical | Critical |
| Possible | Low | Medium | Medium | High | Critical |
| Unlikely | Low | Low | Medium | Medium | High |
| Rare | Low | Low | Low | Medium | Medium |

Impact Categories

| Level | Financial | Operational | Reputational | Regulatory |
|---|---|---|---|---|
| Negligible | <$10K | No disruption | No attention | No violation |
| Minor | $10K-$100K | Minor disruption | Local attention | Warning |
| Moderate | $100K-$1M | Significant disruption | Industry attention | Fine |
| Major | $1M-$10M | Major disruption | National attention | Major penalty |
| Catastrophic | >$10M | Business-threatening | Global attention | License revocation |

Common Use Cases

  • Security risk assessment: Evaluate and prioritize cybersecurity risks based on threat likelihood and potential business impact
  • Board risk reporting: Present risk posture to executives and boards using visual heat maps that communicate risk levels without technical detail
  • Project risk management: Identify and prioritize risks to project timelines, budgets, and deliverables
  • Compliance risk evaluation: Assess the likelihood and impact of compliance failures across regulatory frameworks
  • Vendor risk assessment: Categorize third-party risks based on the vendor's criticality and the sensitivity of data they access

Best Practices

  1. Define scales clearly — Ambiguous terms like "likely" mean different things to different people. Define each level with specific criteria: "Likely = expected to occur within the next 12 months based on historical data."
  2. Use consistent scales across the organization — Everyone should use the same likelihood and impact definitions. Inconsistent scales make risk comparison meaningless.
  3. Include multiple impact dimensions — A single "impact" score oversimplifies. Evaluate financial, operational, reputational, and regulatory impact separately, then use the highest rating.
  4. Review and update regularly — Risk ratings change as threats evolve, controls are implemented, and business context shifts. Review quarterly at minimum.
  5. Supplement with quantitative analysis — Risk matrices are excellent for communication and initial prioritization but are inherently subjective. For high-value decisions, supplement with quantitative risk analysis (ALE, Monte Carlo simulation).
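The following is an added example, not code from this tool: it encodes the 5x5 matrix and the financial bands from the tables above, applies best practice 3 (rate each impact dimension separately, take the highest) and prioritizes a small constructed risk register. The register entries and their ratings are constructed sample values, not data from the page.

```python
from dataclasses import dataclass

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
IMPACT = ["Negligible", "Minor", "Moderate", "Major", "Catastrophic"]
RATING_ORDER = ["Low", "Medium", "High", "Critical"]

# Risk rating per likelihood row, columns in IMPACT order (matches the 5x5 table above)
MATRIX = {
    "Almost Certain": ["Medium", "High", "Critical", "Critical", "Critical"],
    "Likely":         ["Low", "Medium", "High", "Critical", "Critical"],
    "Possible":       ["Low", "Medium", "Medium", "High", "Critical"],
    "Unlikely":       ["Low", "Low", "Medium", "Medium", "High"],
    "Rare":           ["Low", "Low", "Low", "Medium", "Medium"],
}

# Financial impact bands from the impact-category table; upper bound is exclusive,
# so $10K falls into Minor and $10M into Catastrophic (an assumption for the boundaries).
FINANCIAL_BANDS = [(10_000, "Negligible"), (100_000, "Minor"),
                   (1_000_000, "Moderate"), (10_000_000, "Major")]

def financial_level(loss_usd: float) -> str:
    for upper, level in FINANCIAL_BANDS:
        if loss_usd < upper:
            return level
    return "Catastrophic"

def overall_impact(levels) -> str:
    # Best practice 3: evaluate dimensions separately, then use the highest rating
    return max(levels, key=IMPACT.index)

def rate(likelihood: str, impact: str) -> str:
    return MATRIX[likelihood][IMPACT.index(impact)]

@dataclass
class Risk:
    name: str
    likelihood: str
    financial_loss_usd: float   # estimated loss, mapped to a level via FINANCIAL_BANDS
    operational: str            # remaining dimensions are given directly as IMPACT levels
    reputational: str
    regulatory: str

def assess(risk: Risk):
    impact = overall_impact([financial_level(risk.financial_loss_usd),
                             risk.operational, risk.reputational, risk.regulatory])
    return impact, rate(risk.likelihood, impact)

def prioritize(risks):
    # Returns (name, overall impact, rating), highest rating first, higher impact breaking ties
    scored = [(r.name, *assess(r)) for r in risks]
    return sorted(scored, key=lambda t: (RATING_ORDER.index(t[2]), IMPACT.index(t[1])), reverse=True)

SAMPLE_REGISTER = [  # constructed sample entries
    Risk("Ransomware on file server", "Possible", 2_500_000, "Major", "Moderate", "Minor"),
    Risk("Expired TLS certificate on public site", "Likely", 20_000, "Minor", "Minor", "Negligible"),
    Risk("Unpatched internet-facing VPN appliance", "Likely", 12_000_000, "Major", "Major", "Major"),
    Risk("Lost encrypted laptop", "Unlikely", 5_000, "Negligible", "Minor", "Minor"),
]
```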

Frequently Asked Questions

Common questions about the Risk Matrix Calculator

A risk matrix is a visual tool that helps organizations assess and prioritize risks by plotting likelihood against impact on a grid. Each cell represents a risk level (Low, Medium, High, Critical) based on the combination of how likely a risk is to occur and how severe its consequences would be. This tool supports multiple industry-standard frameworks including NIST.

ℹ️ Disclaimer

This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.