
Residual Risk Scoring Matrix Example

While each firm has its own risk scoring guide, most firms follow common guidelines, such as those suggested by IOSCO in its report Risk Identification and Assessment Methodologies for Securities Regulators.

This article includes examples of the scoring matrices used for Impact and Likelihood (or probability), which together give the inherent or gross risk described in our section Risk Register, and of the scoring of the mitigating Controls, both in terms of the design of each defined control and of its performance.

As discussed in a previous post, a visual representation of risk scores is a useful way for risk managers to complement their risk management reports. As part of the identification and assessment of risks in a firm, the risk manager records each risk as an entry in a risk register and rates it individually in terms of Impact, Likelihood and mitigating Controls. The example below uses a four-grade scale for each of these dimensions (some firms use five, as discussed in this article).

Risk Scoring example for Impact and Likelihood (or Probability)

[Figure: Risk Scoring Example for Impact and Likelihood]

Control Scoring Guide for Design and Performance

[Figure: Control Scoring Example for Design and Performance]

Residual Risk Scoring Matrix

[Figure: Residual Risk Scoring Matrix Example]


Inherent (or gross) risk is the risk as it would stand if its controls were not in place or failed to perform, i.e. the risk left unmitigated. Every risk is scored on both impact and likelihood; the combined score gives its inherent rating and, together with the scoring of its mitigating controls, determines which area of the residual risk matrix it falls into (see matrix below). Firms usually apply an explicit rule that a risk whose inherent rating falls in the very high range must have at least one key control that is, as a minimum, strong in both design and performance; otherwise the risk falls into the category of requiring improvement, and an action point is logged against it and assigned to an owner.

Residual risk is therefore determined by control effectiveness, which also allows thematic reviews of the risks that fall into a given category. All risks in the very high category that lack at least one key mitigating control that is strong in both design and performance are flagged and communicated by the risk manager in the reporting of risk management information. The VH/H risks can also be highlighted on a heat map, as explained in the article “How to create a Risk Heatmap in Excel – Part 1”.
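The scoring process described above, as an added worked example in Python (this is not code from the article or its author). The matrices themselves are images that are not reproduced on the page, so the four-grade labels, the banding thresholds for the impact x likelihood product, the rule that a control is only as effective as the weaker of its design and performance, and the number of bands a key control moves a risk down are all assumptions made for illustration. The sample register is constructed. What the example shows beyond the prose is how the "at least one key control strong in design and performance" rule is applied when a risk has several controls, some of them non-key, and how the flagged entries with their action points are produced for the risk management report.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional

class Grade(IntEnum):
    """Assumed four-grade scale for impact, likelihood and the risk bands."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4

class ControlGrade(IntEnum):
    """Assumed four-grade scale for a control's design and its performance."""
    INEFFECTIVE = 0  # not in place, or failing to perform
    WEAK = 1
    ADEQUATE = 2
    STRONG = 3

@dataclass
class Control:
    name: str
    design: ControlGrade
    performance: ControlGrade
    key: bool = False  # only key controls count towards the residual rating

    def effectiveness(self) -> ControlGrade:
        # Assumption: a control is only as effective as the weaker of its
        # design and its performance (a well-designed control that is not
        # operated mitigates nothing).
        return min(self.design, self.performance)

    def is_strong(self) -> bool:
        return self.design == ControlGrade.STRONG and self.performance == ControlGrade.STRONG

@dataclass
class Risk:
    ref: str
    impact: Grade
    likelihood: Grade
    owner: str
    controls: List[Control] = field(default_factory=list)

# Assumed banding of the impact x likelihood product (1..16 on a 4x4 matrix).
INHERENT_BANDS = [(12, Grade.VERY_HIGH), (8, Grade.HIGH), (4, Grade.MEDIUM)]
# Assumed: how many bands the best key control moves the risk down.
BAND_REDUCTION = {ControlGrade.STRONG: 2, ControlGrade.ADEQUATE: 1,
                  ControlGrade.WEAK: 0, ControlGrade.INEFFECTIVE: 0}

def inherent_rating(risk: Risk) -> Grade:
    score = int(risk.impact) * int(risk.likelihood)
    for threshold, band in INHERENT_BANDS:
        if score >= threshold:
            return band
    return Grade.LOW

def residual_rating(risk: Risk) -> Grade:
    inherent = inherent_rating(risk)
    key_controls = [c for c in risk.controls if c.key]
    if not key_controls:
        return inherent  # unmitigated: residual equals gross risk
    best = max(c.effectiveness() for c in key_controls)
    return Grade(max(int(Grade.LOW), int(inherent) - BAND_REDUCTION[best]))

@dataclass
class Assessment:
    ref: str
    inherent: Grade
    residual: Grade
    requires_improvement: bool
    action_point: Optional[str]

def assess(risk: Risk) -> Assessment:
    inherent = inherent_rating(risk)
    # The article's rule: a very high inherent risk needs at least one key
    # control that is strong in both design and performance.
    has_strong_key = any(c.key and c.is_strong() for c in risk.controls)
    requires_improvement = inherent == Grade.VERY_HIGH and not has_strong_key
    action = None
    if requires_improvement:
        action = (f"{risk.ref}: add or strengthen a key control to strong design "
                  f"and strong performance; assigned to {risk.owner}")
    return Assessment(risk.ref, inherent, residual_rating(risk), requires_improvement, action)

def flagged_risks(register: List[Risk]) -> List[Assessment]:
    """Entries to escalate in the risk management information report."""
    return [a for a in map(assess, register) if a.requires_improvement]

# Constructed sample register (illustrative data, not from the article).
SAMPLE_REGISTER = [
    Risk("R1", Grade.VERY_HIGH, Grade.HIGH, "CISO",
         [Control("MFA on all admin access", ControlGrade.STRONG, ControlGrade.STRONG, key=True)]),
    Risk("R2", Grade.VERY_HIGH, Grade.VERY_HIGH, "Head of Data",
         [Control("DLP policy", ControlGrade.STRONG, ControlGrade.WEAK, key=True),
          Control("Quarterly access review", ControlGrade.STRONG, ControlGrade.STRONG)]),
    Risk("R3", Grade.MEDIUM, Grade.HIGH, "Finance Ops"),
]
```

In the constructed register, R1 is very high inherent but carries a key control that is strong in both dimensions, so it is not flagged and its residual rating drops by the assumed two bands. R2 is also very high inherent; its only key control performs weakly, and its strong access review is not designated as key, so under the rule it is flagged with an action point assigned to its owner and its residual rating stays at very high. R3 never reaches the very high band and is simply carried at its inherent rating. Where a risk has several key controls, this example takes the most effective one, which is one way to read the article's "at least one key control" rule; it does not distinguish preventive, detective and corrective controls.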



Antonio Caldas

Program/Project/Risk manager with 15+ years mix-industry, with a particular emphasis in Banking & Financial Services. Active in risk management, market risk control, front office risk management, product control, change and transformation management, business analysis and business process improvement for global capital markets and investment banking, covering a multiple range of asset classes.

One thought on “Residual Risk Scoring Matrix Example”

  1. Thank you Mr. Caldas,

    This is an important and valuable article, but what if we have more than one control mitigating one risk? How can we calculate the effect of both controls in order to calculate the residual risk, and is there any difference between controls, given that some of them are preventive, others are detective, and others are corrective?
