How to design a risk assessment matrix. We have 5 grades for impact: Extreme, Major, Moderate, Minor, and Insignificant. These are the 5 domains we use for the assessment: Financial, Operational, Reputational, Regulatory and Strategical. The question is: what measures and factors should be considered for the assessment in each of the categories above? It should be measurable and as precise as possible. We would rather avoid vague measures.

Manager, Cybersecurity in Travel and Hospitality, a year ago

You can create a risk heat map and start factoring each risk to assess the likelihood and impact of an occurrence.

Compliance Advisor in Healthcare and Biotech, a year ago

Gartner has a good set of tools for building out a risk management framework, which would include the risk assessment matrix (aka 5x5).

In the meantime, some measures that come to mind are:

Financial - dollar loss (could be profit, income, capital, etc., depending on your business)

Operational - downtime in hours or days to critical services or operations

Reputational - the duration, severity and sentiment of negative news coverage

Regulatory - fines, reportable breaches, loss of licence, enforceable undertakings and criminal proceedings can all be mapped to different levels of impact

Strategic - the impact in months or years of a risk event on the company's ability to achieve its strategy (for example, a large remediation program might mean a key strategic project is delayed by 6 months).

You do not want to build the risk assessment tool in isolation. You should consider the risk appetite of the board and top management and define a risk appetite statement while you define the thresholds for each impact level to ensure your risk assessments are fit for purpose and aligned to the expectations of the Board.

Also keep in mind the above is not a definitive list of things to consider for your risk matrix. You should consider the scope and activities of your business and get input from a range of sources when developing your initial risk matrix.

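The answer above lists a measurable quantity per domain and says the thresholds for each impact level should be set against the board's risk appetite statement. The following Python is an added worked example of how those pieces fit into a 5x5 matrix; it is not code from the thread or from any vendor tool. Every threshold value, the ordinal ranking of the regulatory outcomes, the heat-map band cut-offs and the sample incident are constructed for illustration only: the point is the structure (measure, grade per domain, worst domain becomes overall impact, likelihood × impact gives the cell, appetite breaches are flagged), not the numbers.

```python
"""Worked 5x5 risk assessment matrix scorer (added example; all figures constructed)."""
import bisect
from typing import Dict, List

# Impact grades from the question, ordered so index 0..4 maps to score 1..5.
GRADES: List[str] = ["Insignificant", "Minor", "Moderate", "Major", "Extreme"]

# Lower bound (inclusive) of each grade for the numerically measurable domains.
# These values are constructed placeholders; real thresholds come from the
# risk appetite statement agreed with the board.
NUMERIC_THRESHOLDS: Dict[str, List[float]] = {
    "financial_usd":              [0, 10_000, 100_000, 1_000_000, 10_000_000],
    "operational_downtime_hours": [0, 1, 8, 72, 168],
    "reputational_coverage_days": [0, 1, 7, 30, 90],
    "strategic_delay_months":     [0, 1, 3, 6, 12],
}

# Regulatory consequences are discrete events rather than a continuous measure,
# so they are mapped directly to a grade index. The ordering is an assumption.
REGULATORY_GRADE: Dict[str, int] = {
    "none": 0,
    "reportable_breach": 1,
    "fine": 2,
    "enforceable_undertaking": 3,
    "loss_of_licence": 4,
    "criminal_proceedings": 4,
}


def grade_numeric(domain: str, value: float) -> int:
    """Return the grade index (0..4) for a measured value in a numeric domain."""
    if value < 0:
        raise ValueError("measures must be non-negative")
    bounds = NUMERIC_THRESHOLDS[domain]
    # bisect_right counts the bounds <= value; subtracting one yields the grade index.
    return bisect.bisect_right(bounds, value) - 1


def grade_regulatory(outcome: str) -> int:
    """Return the grade index for a named regulatory outcome."""
    if outcome not in REGULATORY_GRADE:
        raise ValueError(f"unknown regulatory outcome: {outcome}")
    return REGULATORY_GRADE[outcome]


def risk_band(score: int) -> str:
    """Heat-map band for a likelihood x impact score in 1..25 (cut-offs constructed)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def assess(measures: Dict[str, object], likelihood: int,
           appetite: Dict[str, str]) -> Dict[str, object]:
    """Grade each domain, take the worst grade as overall impact, score it against
    likelihood (1..5) and list the domains whose grade exceeds the stated appetite."""
    if not 1 <= likelihood <= 5:
        raise ValueError("likelihood must be 1..5")
    grades: Dict[str, int] = {}
    for domain, value in measures.items():
        if domain == "regulatory":
            grades[domain] = grade_regulatory(str(value))
        else:
            grades[domain] = grade_numeric(domain, float(value))
    impact = max(grades.values()) + 1          # worst domain drives the matrix row
    score = likelihood * impact
    # A domain breaches appetite when its grade is above the maximum tolerated grade;
    # domains without a stated appetite are treated as tolerating any grade.
    breaches = [d for d, g in grades.items()
                if g > GRADES.index(appetite.get(d, "Extreme"))]
    return {
        "grades": {d: GRADES[g] for d, g in grades.items()},
        "impact": impact,
        "likelihood": likelihood,
        "score": score,
        "band": risk_band(score),
        "appetite_breaches": breaches,
    }


def example_assessment() -> Dict[str, object]:
    """Score one constructed incident scenario against a constructed appetite."""
    scenario = {
        "financial_usd": 250_000,            # constructed: remediation and lost revenue
        "operational_downtime_hours": 96,    # constructed: four days of outage
        "reputational_coverage_days": 10,    # constructed: regional press coverage
        "regulatory": "reportable_breach",   # constructed: notification required
        "strategic_delay_months": 6,         # matches the answer's delayed-project example
    }
    appetite = {"operational_downtime_hours": "Moderate", "regulatory": "Minor"}
    return assess(scenario, likelihood=3, appetite=appetite)


if __name__ == "__main__":
    for key, val in example_assessment().items():
        print(f"{key}: {val}")
```

Taking the maximum grade across domains as the overall impact is the conservative convention for a single-cell matrix; if the board wants to see each domain on its own row of the heat map, return `grades` per domain and score each separately instead of collapsing them. The `appetite_breaches` list is what turns the matrix from a reporting artefact into a decision aid: a Medium-band risk that still breaches a stated appetite needs treatment regardless of its colour.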
