Risk Matrix Calculator
Create risk matrices and calculate risk scores. Prioritize risks by likelihood and impact. Free privacy-first risk assessment tool.
What Is a Risk Matrix?
A risk matrix (also called a risk heat map) is a visual tool that plots risks on a grid based on their likelihood of occurrence and potential impact. By categorizing risks into cells ranging from low (green) to critical (red), a risk matrix enables rapid prioritization of security risks, business risks, and project risks.
Risk matrices are the most widely used risk assessment tool in cybersecurity, project management, and enterprise risk management. They appear in virtually every compliance framework — ISO 27005, NIST SP 800-30, COBIT, and COSO ERM all recommend risk matrix approaches for risk evaluation and communication.
Risk Matrix Structure
A typical 5x5 risk matrix maps likelihood (vertical axis) against impact (horizontal axis):
| Likelihood / Impact | Negligible | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | Medium | High | Critical | Critical | Critical |
| Likely | Low | Medium | High | Critical | Critical |
| Possible | Low | Medium | Medium | High | Critical |
| Unlikely | Low | Low | Medium | Medium | High |
| Rare | Low | Low | Low | Medium | Medium |
Impact Categories
| Level | Financial | Operational | Reputational | Regulatory |
|---|---|---|---|---|
| Negligible | <$10K | No disruption | No attention | No violation |
| Minor | $10K-$100K | Minor disruption | Local attention | Warning |
| Moderate | $100K-$1M | Significant disruption | Industry attention | Fine |
| Major | $1M-$10M | Major disruption | National attention | Major penalty |
| Catastrophic | >$10M | Business-threatening | Global attention | License revocation |
Common Use Cases
- Security risk assessment: Evaluate and prioritize cybersecurity risks based on threat likelihood and potential business impact
- Board risk reporting: Present risk posture to executives and boards using visual heat maps that communicate risk levels without technical detail
- Project risk management: Identify and prioritize risks to project timelines, budgets, and deliverables
- Compliance risk evaluation: Assess the likelihood and impact of compliance failures across regulatory frameworks
- Vendor risk assessment: Categorize third-party risks based on the vendor's criticality and the sensitivity of data they access
Best Practices
- Define scales clearly — Ambiguous terms like "likely" mean different things to different people. Define each level with specific criteria: "Likely = expected to occur within the next 12 months based on historical data."
- Use consistent scales across the organization — Everyone should use the same likelihood and impact definitions. Inconsistent scales make risk comparison meaningless.
- Include multiple impact dimensions — A single "impact" score oversimplifies. Evaluate financial, operational, reputational, and regulatory impact separately, then use the highest rating.
- Review and update regularly — Risk ratings change as threats evolve, controls are implemented, and business context shifts. Review quarterly at minimum.
- Supplement with quantitative analysis — Risk matrices are excellent for communication and initial prioritization but are inherently subjective. For high-value decisions, supplement with quantitative risk analysis (ALE, Monte Carlo simulation).
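As an added example (not the calculator's own code), the following Python scores risks against the 5x5 matrix and the financial impact bands above, combines the impact dimensions by keeping the highest rating as the best practices recommend, and orders a small constructed register for prioritization. The function names, the handling of the dollar-band boundaries and the sample entries are assumptions.

```python
# Added example, not the calculator's own code. Cell ratings and dollar bands
# are transcribed from the page; helper names and the sample register are assumed.

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
IMPACT = ["Negligible", "Minor", "Moderate", "Major", "Catastrophic"]
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Rows: Rare -> Almost Certain; columns: Negligible -> Catastrophic.
MATRIX = [
    ["Low", "Low", "Low", "Medium", "Medium"],               # Rare
    ["Low", "Low", "Medium", "Medium", "High"],              # Unlikely
    ["Low", "Medium", "Medium", "High", "Critical"],         # Possible
    ["Low", "Medium", "High", "Critical", "Critical"],       # Likely
    ["Medium", "High", "Critical", "Critical", "Critical"],  # Almost Certain
]

# Loss below the bound gets that level; >$10M is Catastrophic (boundary handling assumed).
FINANCIAL_BANDS = [(10_000, "Negligible"), (100_000, "Minor"),
                   (1_000_000, "Moderate"), (10_000_000, "Major")]

def financial_impact(loss_usd):
    for upper, level in FINANCIAL_BANDS:
        if loss_usd < upper:
            return level
    return "Catastrophic"

def combined_impact(*levels):
    # Best practice above: rate each dimension separately, keep the highest.
    return max(levels, key=IMPACT.index)

def risk_level(likelihood, impact):
    return MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]

def assess(name, likelihood, loss_usd, operational, reputational, regulatory):
    impact = combined_impact(financial_impact(loss_usd), operational,
                             reputational, regulatory)
    return {"name": name, "likelihood": likelihood, "impact": impact,
            "level": risk_level(likelihood, impact)}

def prioritize(register):
    # Highest rating first; ties broken by likelihood, then by impact.
    return sorted(register, reverse=True, key=lambda r: (
        RANK[r["level"]], LIKELIHOOD.index(r["likelihood"]), IMPACT.index(r["impact"])))

SAMPLE = prioritize([  # constructed register, illustrative values only
    assess("Phishing-led credential theft", "Likely", 250_000, "Moderate", "Minor", "Minor"),
    assess("Data-centre flooding", "Rare", 5_000_000, "Major", "Moderate", "Minor"),
    assess("Unpatched public server", "Possible", 50_000, "Minor", "Negligible", "Moderate"),
])
```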
Frequently Asked Questions
Common questions about the Risk Matrix Calculator
A risk matrix is a visual tool that helps organizations assess and prioritize risks by plotting likelihood against impact on a grid. Each cell represents a risk level (Low, Medium, High, Critical) based on the combination of how likely a risk is to occur and how severe its consequences would be. This tool supports multiple industry-standard frameworks including NIST.
The choice of framework depends on your industry and requirements. NIST is widely used in government and cybersecurity contexts. ISO 27005 is popular for information security management. Choose a framework that aligns with your compliance requirements and organizational risk management practices.
Likelihood should be assessed based on historical data, threat intelligence, and expert judgment about how often the risk event might occur. Impact considers the potential consequences including financial loss, operational disruption, reputational damage, and regulatory penalties. Be consistent in your criteria across all risk assessments.
Yes, the tool includes a Risk Register feature that stores your assessments in your browser local storage. You can add completed assessments to the register, review historical assessments, and export your entire risk register to CSV format for reporting and documentation purposes.
The scenario library contains common risk scenarios across different categories such as cybersecurity threats, operational risks, compliance risks, and natural disasters. Each scenario includes typical likelihood and impact ratings as a starting point. You can select a scenario and adjust the ratings based on your specific context.
After calculating a risk score, the tool provides actionable recommendations based on the risk level. Critical and high risks typically require immediate action and mitigation strategies. Medium risks should be monitored and addressed within a defined timeframe. Low risks may be accepted or addressed as resources allow.
Disclaimer
This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.