Risk Scoring Matrix


While each firm has its own risk scoring guide, most firms follow common guidelines, such as those suggested by IOSCO in its report on Risk Identification and Assessment Methodologies for Securities Regulators.

This article includes examples of the risk scoring matrices used for Impact (inherent or gross risk – described in our section Risk Register), Likelihood (or probability), and the scoring of the respective mitigating Controls, both in terms of the design and the performance of the defined controls.

As discussed in a previous post, a visual representation of risk scores is a useful way for risk managers to complement their risk management reports. As part of the identification and assessment of risks in a firm, a risk manager records entries in a risk register, rating each risk individually in terms of Impact, Likelihood and mitigating Controls. The example below uses a four-grade scoring for each of these dimensions (some firms use five, as discussed in this article).

Risk Scoring example for Impact and Likelihood (or Probability)

[Figure: Risk Scoring Example for Impact and Likelihood]

Control Scoring Guide for Design and Performance

[Figure: Control Scoring Example for Design and Performance]

Residual Risk Scoring Matrix

[Figure: Residual Risk Scoring Matrix Example]


The assessment of risks starts from the concept of inherent (or gross) risk: the exposure that remains when controls are not in place or fail to perform, leaving the risk unmitigated. All risks are scored on both impact and likelihood, and the combined score determines which area of the residual risk matrix each risk falls into (see matrix above). Usually firms follow a rule that explicitly states that if a risk falls into the very high inherent range, it must have at least one key control that is, as a minimum, strong in design and strong in performance; otherwise it falls into the category of requiring improvement, and an action point is logged against it and assigned to an owner.

This process of determining residual risk is based on control effectiveness and allows for thematic reviews of risks that fall into specific categories. All risks that fall into the very high category and do not have at least one key mitigating control that is strong in both design and performance will be flagged and communicated by the risk manager in the reporting of risk management information. The VH/H risks can also be flagged using a heat map, as explained in the article “How to create a Risk Heatmap in Excel – Part 1”.
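As an added illustration (not from the original article), the rule above applied in code to a risk register entry: impact and likelihood are combined into an inherent band, the best key control drives the residual band, and a very-high inherent risk without a key control that is strong in both design and performance is flagged as requiring improvement. The four-grade names, the band cut-offs on the impact × likelihood product, and the residual step-down mapping are assumptions, since the article's matrices are images.

```python
from dataclasses import dataclass, field

# Constructed four-grade scales and bands; the article's actual matrix
# values are in images not reproduced here, so these are assumptions.
GRADES = {"weak": 1, "adequate": 2, "satisfactory": 3, "strong": 4}
BANDS = ["L", "M", "H", "VH"]

@dataclass
class Control:
    name: str
    design: str        # key of GRADES
    performance: str   # key of GRADES
    key: bool = True   # only key controls can satisfy the very-high rule

    def effectiveness(self) -> int:
        # A control is only as effective as its weaker dimension.
        return min(GRADES[self.design], GRADES[self.performance])

    def is_strong(self) -> bool:
        # The article's test: strong in design AND strong in performance.
        return self.design == "strong" and self.performance == "strong"

@dataclass
class Risk:
    name: str
    impact: int        # 1..4
    likelihood: int    # 1..4
    controls: list = field(default_factory=list)

def inherent_band(impact: int, likelihood: int) -> str:
    """Combine impact x likelihood into a band (assumed cut-offs)."""
    if not (1 <= impact <= 4 and 1 <= likelihood <= 4):
        raise ValueError("impact and likelihood must be graded 1..4")
    score = impact * likelihood
    return "VH" if score >= 12 else "H" if score >= 8 else "M" if score >= 4 else "L"

def assess(risk: Risk) -> dict:
    """Apply the residual-risk rule from the article to one register entry."""
    inherent = inherent_band(risk.impact, risk.likelihood)
    key = [c for c in risk.controls if c.key]
    best = max((c.effectiveness() for c in key), default=1)
    # Assumed residual mapping: each effectiveness grade above 'weak'
    # steps the inherent band down one level, never below L.
    residual = BANDS[max(0, BANDS.index(inherent) - (best - 1))]
    # Article rule: VH inherent risk needs a key control strong in both
    # design and performance, otherwise it requires improvement.
    needs_improvement = inherent == "VH" and not any(c.is_strong() for c in key)
    return {"risk": risk.name, "inherent": inherent, "residual": residual,
            "flag": "requires improvement" if needs_improvement else None,
            "action_point": needs_improvement}
```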



Antonio Caldas

Program/Project/Risk manager with 15+ years of mixed-industry experience, with a particular emphasis on Banking & Financial Services. Active in risk management, market risk control, front office risk management, product control, change and transformation management, business analysis and business process improvement for global capital markets and investment banking, covering a wide range of asset classes.
