Risk Assessment Calculator

Calculate risk score from likelihood and impact ratings (1-5 scale). Visualize results in a risk matrix heatmap with severity levels.

Risk Score: 16 / 25 — Critical
Severity: Critical

Risk Matrix

Rows: likelihood (L); columns: impact (I); each cell is L × I.

L \ I    1    2    3    4    5
  5      5   10   15   20   25
  4      4    8   12   16   20
  3      3    6    9   12   15
  2      2    4    6    8   10
  1      1    2    3    4    5
Planning notes, formulas, and examples

About the Risk Assessment Calculator

Risk assessment is the foundation of security decision-making. The classic likelihood × impact model provides a simple but effective framework for evaluating and prioritizing threats. Each risk is rated on two dimensions: how likely it is to occur (1–5) and how severe the consequences would be (1–5). The product gives a risk score from 1 to 25.

This calculator computes the risk score and maps it to severity categories using industry-standard thresholds. It produces a visual risk matrix that shows where each risk falls in the heat map, making it easy to identify and communicate critical risks. Use it for security risk assessments, project risk management, compliance reporting, or any scenario where risks need to be evaluated systematically.

When This Page Helps

Structured risk assessment turns subjective security concerns into quantifiable, comparable scores. This enables evidence-based prioritization of security investments and helps communicate risk to non-technical stakeholders using a universally understood matrix format.

How to Use the Inputs

  1. Rate the likelihood of the risk occurring (1=Rare to 5=Almost Certain).
  2. Rate the impact if the risk materializes (1=Insignificant to 5=Catastrophic).
  3. View the calculated risk score (1–25).
  4. Check the severity classification (Low, Medium, High, Critical).
  5. Use the risk matrix heatmap to visualize the position.
  6. Repeat for each identified risk to build a prioritized risk register.

Formula used

Risk Score = Likelihood (1–5) × Impact (1–5). Severity bands: Low 1–4, Medium 5–9, High 10–15, Critical 16–25.
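The six steps and the formula above, carried through in code. This is an added example, not the calculator's own implementation: it validates the two 1–5 ratings, multiplies them, maps the product onto the page's four severity bands, and builds the same 5×5 matrix the page displays (likelihood as rows 5→1, impact as columns 1→5). Function names and the text rendering are this example's own choices.

```python
"""Likelihood x Impact risk scoring, following the formula stated on this page."""
from typing import List, Tuple

# Severity bands from the page: Low 1-4, Medium 5-9, High 10-15, Critical 16-25.
SEVERITY_BANDS: List[Tuple[int, int, str]] = [
    (1, 4, "Low"),
    (5, 9, "Medium"),
    (10, 15, "High"),
    (16, 25, "Critical"),
]


def validate_rating(name: str, value: int) -> int:
    """Reject anything outside the 1-5 integer scale (0, 6, 2.5, '4', True...)."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def risk_score(likelihood: int, impact: int) -> int:
    """Risk Score = Likelihood (1-5) x Impact (1-5), giving a value from 1 to 25."""
    return validate_rating("likelihood", likelihood) * validate_rating("impact", impact)


def severity(score: int) -> str:
    """Map a 1..25 score onto the page's four severity bands."""
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score!r} is outside 1..25")


def assess(likelihood: int, impact: int) -> Tuple[int, str]:
    """Return (score, severity) for one risk, i.e. steps 3 and 4 of the procedure."""
    score = risk_score(likelihood, impact)
    return score, severity(score)


def risk_matrix() -> List[List[int]]:
    """The 5x5 matrix: rows are likelihood 5 down to 1, columns are impact 1 to 5."""
    return [[l * i for i in range(1, 6)] for l in range(5, 0, -1)]


def render_matrix() -> str:
    """Plain-text rendering of the matrix; each cell shows score and severity initial."""
    header = "L \\ I |" + "".join(f"{i:>6}" for i in range(1, 6))
    lines = [header, "-" * len(header)]
    for l in range(5, 0, -1):
        cells = "".join(f"{l * i:>4}{severity(l * i)[0]:>2}" for i in range(1, 6))
        lines.append(f"  {l}   |{cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    score, label = assess(4, 4)  # the page's worked example
    print(f"Risk Score: {score} / 25 - {label}")
    print(render_matrix())
```

Calling `assess(4, 4)` reproduces the page's example (16, Critical); `assess(2, 5)` and `assess(5, 2)` both give (10, High), which is the tie the Limitations section warns about. Ratings are validated as integers so a stray `0`, `6` or `"4"` raises instead of silently producing a score outside the matrix.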

Example Calculation

Result: Risk Score: 16 — Critical

A likelihood of 4 (Likely) and impact of 4 (Major) produces a risk score of 16, which falls in the Critical range. This risk requires immediate attention, dedicated mitigation resources, and executive visibility. Typical examples include unpatched internet-facing systems with known exploits.

Tips & Best Practices

  • Use consistent rating criteria across all risks for meaningful comparisons.
  • Document the rationale behind each likelihood and impact rating.
  • Re-assess risks quarterly or after significant environment changes.
  • Involve multiple stakeholders to reduce individual bias in ratings.
  • Track risk scores over time to measure the effectiveness of mitigations.
  • Use residual risk (post-mitigation) scores to verify that controls are working.

Risk Matrix Methodology

The 5×5 risk matrix is the most widely used qualitative risk assessment method. It's adopted by ISO 27005, NIST 800-30, and most enterprise risk management frameworks. Its simplicity makes it accessible to all stakeholders while providing sufficient granularity for prioritization.

Rating Calibration

The quality of a risk assessment depends entirely on consistent, well-calibrated ratings. Establish clear definitions for each level of both likelihood and impact, using concrete examples relevant to your organization. Review and update these definitions annually.

From Assessment to Action

Risk scores should drive specific actions:

  • Critical (16–25) — immediate remediation required.
  • High (10–15) — near-term remediation planned.
  • Medium (5–9) — monitor and address in the regular cycle.
  • Low (1–4) — accept or address opportunistically.

Limitations

The multiplicative model can produce the same score for very different risks (e.g., 2×5=10 vs 5×2=10). Consider both the individual ratings and the product when making decisions. A low-likelihood/catastrophic-impact risk may need different treatment than a high-likelihood/moderate-impact risk.

Frequently Asked Questions

  • What is the difference between inherent and residual risk? Inherent risk is the risk level before any controls are applied. Residual risk is what remains after mitigations are in place. Both should be assessed: inherent risk shows the potential without controls, while residual risk shows the current actual exposure.
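A small risk register that puts the Limitations section and this FAQ answer into practice. This is an added example, not the page's own code: each entry carries inherent and (optionally) residual ratings plus the rationale the tips recommend documenting; prioritization sorts by score and then breaks the 2×5 versus 5×2 tie on impact, and a separate check surfaces low-likelihood/catastrophic-impact entries for different treatment. The tie-break order and the "likelihood ≤ 2, impact = 5" rule are this example's assumptions, not thresholds the page defines; the register contents are constructed sample data.

```python
"""Risk register: inherent vs residual scores and tie-aware prioritization."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def severity(score: int) -> str:
    """Page thresholds: Low 1-4, Medium 5-9, High 10-15, Critical 16-25."""
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    name: str
    likelihood: int                         # inherent rating, 1-5
    impact: int                             # inherent rating, 1-5
    rationale: str = ""                     # why these ratings were chosen
    residual_likelihood: Optional[int] = None  # post-mitigation, if assessed
    residual_impact: Optional[int] = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> Optional[int]:
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return self.residual_likelihood * self.residual_impact


def priority_key(entry: RiskEntry) -> Tuple[int, int, int]:
    """Assumed ordering: score first, then impact, then likelihood.

    Two risks with equal products (2x5 and 5x2 both give 10) are therefore
    not treated as interchangeable; the higher-impact one sorts first.
    """
    return (entry.inherent_score(), entry.impact, entry.likelihood)


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest priority first."""
    return sorted(register, key=priority_key, reverse=True)


def tail_risks(register: List[RiskEntry]) -> List[str]:
    """Low-likelihood, catastrophic-impact entries (assumed rule: L <= 2 and I == 5)."""
    return [r.name for r in register if r.likelihood <= 2 and r.impact == 5]


def mitigation_report(entry: RiskEntry) -> Dict[str, object]:
    """Inherent vs residual score and severity, so control effectiveness is visible."""
    inherent = entry.inherent_score()
    residual = entry.residual_score()
    return {
        "name": entry.name,
        "inherent": (inherent, severity(inherent)),
        "residual": None if residual is None else (residual, severity(residual)),
        "reduction": None if residual is None else inherent - residual,
    }


# Constructed sample register (illustrative values, not from the page).
SAMPLE_REGISTER: List[RiskEntry] = [
    RiskEntry("Unpatched internet-facing server", 4, 4,
              "known exploit, reachable from the internet", 2, 4),
    RiskEntry("Lost unencrypted laptop", 2, 5,
              "rare event, but full customer data set on device", 2, 2),
    RiskEntry("Credential phishing", 5, 2,
              "constant attempts, MFA limits the damage", 3, 2),
    RiskEntry("Minor config drift", 3, 1,
              "cosmetic, no security impact observed"),
]


if __name__ == "__main__":
    for entry in prioritize(SAMPLE_REGISTER):
        print(mitigation_report(entry))
    print("tail risks:", tail_risks(SAMPLE_REGISTER))
```

With the sample data the server (16, Critical) leads, the laptop (2×5) sorts ahead of phishing (5×2) despite the equal score, and the laptop is also the only entry flagged as a tail risk. The report shows the server falling from Critical to Medium after mitigation, which is the residual-risk check the tips describe.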