FAQ

How 5×5 risk scoring works

Likelihood × Impact, inherent vs. residual, and risk appetite.

Last updated 26 April 2026

Each risk has two numeric dimensions: Likelihood (1–5) and Impact (1–5). The inherent score is Likelihood × Impact (1–25) — your raw exposure before any controls.

Once you link controls to the risk, enter a residual likelihood and residual impact to capture the risk after controls. The residual score should ideally sit at or below your stated risk appetite.

The relationship with controls. Controls don't automatically reduce residual scores; you record them yourself. The workflow: open a risk, link each control that mitigates it, then make a judgement call on the residual scores. The control↔risk links are the narrative you present when asked "why is this risk at a residual 6 instead of its inherent 16?".

The Dashboard heatmap colours cells by inherent score band:

  • 20–25 — red (critical)
  • 15–19 — orange (high)
  • 10–14 — yellow (medium)
  • 5–9 — lime (low)
  • 1–4 — green (very low)
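The scoring rules above, worked through as an added example (not the product's own code): it applies the Likelihood × Impact rule, the heatmap bands listed on this page, and the residual-versus-appetite check, and it flags the inconsistencies a reviewer would query (a residual entered with no linked controls, or a residual higher than the inherent score). The function names and the `within_appetite` field are assumptions.

```python
# Added example, not the FAQ's own code: scores a risk with the page's rules
# (inherent = Likelihood x Impact, heatmap bands, residual vs. appetite) and
# flags inconsistencies a reviewer would query. Names here are assumptions.

# Inherent-score bands exactly as listed on the page: (low, high, colour, label)
BANDS = [
    (20, 25, "red", "critical"),
    (15, 19, "orange", "high"),
    (10, 14, "yellow", "medium"),
    (5, 9, "lime", "low"),
    (1, 4, "green", "very low"),
]


def _check_scale(name, value):
    """Each dimension is a whole number on a 1-5 scale; reject anything else."""
    if not isinstance(value, int) or isinstance(value, bool) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def band_for(score):
    """Map a 1-25 score to its heatmap (colour, label)."""
    for low, high, colour, label in BANDS:
        if low <= score <= high:
            return colour, label
    raise ValueError(f"score {score} is outside 1-25")


def score_risk(likelihood, impact, appetite, controls=(),
               residual_likelihood=None, residual_impact=None):
    """Return inherent/residual scores, the inherent band, and consistency warnings."""
    inherent = _check_scale("likelihood", likelihood) * _check_scale("impact", impact)
    result = {"inherent": inherent, "band": band_for(inherent),
              "residual": None, "within_appetite": None, "warnings": []}
    if residual_likelihood is None or residual_impact is None:
        result["warnings"].append("no residual scores entered")
        return result
    residual = (_check_scale("residual likelihood", residual_likelihood)
                * _check_scale("residual impact", residual_impact))
    result["residual"] = residual
    result["within_appetite"] = residual <= appetite
    if not controls:                      # residual claimed with nothing to justify it
        result["warnings"].append("residual recorded but no controls linked")
    if residual > inherent:               # controls should not make a risk worse
        result["warnings"].append("residual exceeds inherent")
    if residual > appetite:
        result["warnings"].append(f"residual {residual} is above appetite {appetite}")
    return result
```

The page's own example of a risk at residual 6 against an inherent 16 corresponds to `score_risk(4, 4, appetite=8, controls=["MFA"], residual_likelihood=2, residual_impact=3)`, which returns an orange/high inherent band, `within_appetite` true, and no warnings.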

Use the treatment plan field to record whether you're accepting, mitigating, transferring, or avoiding the risk.

Related: each risk can also be linked from assets (what it affects), policies (what addresses it), and incidents (what materialised it).