## Purpose & Scope
This template provides a structured approach to identifying, analyzing, and prioritizing organizational risks using a likelihood/impact matrix. It supports consistent risk evaluation across departments and facilitates tracking of inherent vs. residual risk, mitigation ownership, and review cycles.
## Instructions
Risk owners should complete this template for each identified risk during quarterly risk assessments or when significant changes occur. The completed template should be reviewed by the risk management team and stored in the central risk register. Update likelihood/impact scores and mitigation status whenever risk conditions change.
## Risk Assessment Template

| # | Risk ID | Risk Description | Category | Likelihood (1-5) | Impact (1-5) | Inherent Risk Score | Current Controls | Control Effectiveness (1-5) | Residual Risk Score | Mitigation Owner | Mitigation Due Date | Review Date | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | RISK-001 | Phishing attack that could compromise employee credentials | Cybersecurity | 4 | 5 | 20 | Email filtering, MFA, security awareness training | 4 | 5 (20 × (1 - 4/5)) | Jane Doe, IT Security Manager | 2026-07-31 | 2026-10-01 | Open |
| 2 | RISK-002 | Failure of the primary data centre power supply | Operational | 3 | 5 | 15 | Redundant UPS, generator backup, regular load testing | 3 | 6 (15 × (1 - 3/5)) | John Smith, Facilities Lead | 2026-09-15 | 2026-12-01 | In Progress |
| 3 | RISK-003 | Unexpected currency fluctuation affecting profit margins | Financial | 2 | 4 | 8 | Hedging strategy, quarterly financial reviews | 5 | 0 (8 × (1 - 5/5)) | Lisa Chen, Finance Director | 2026-08-20 | 2026-11-15 | Mitigated |
## Guidance Notes

- Risk ID: Use a consistent numbering system (e.g., RISK-001, RISK-002) for tracking.
- Likelihood/Impact Scoring: Apply the organization's defined risk matrix scales (typically 1-5).
- Inherent Risk Score: Calculate as Likelihood × Impact (range 1-25).
- Control Effectiveness: Assess how well current controls mitigate the risk (1-5 scale).
- Residual Risk Score: Calculate as Inherent Risk Score × (1 - Control Effectiveness / 5). Represents the risk remaining after controls.
- Mitigation Owner: Assign accountability to a specific role or individual.
- Review Date: Schedule regular reviews based on risk rating (e.g., quarterly for high risks, annually for low).
- Status: Track progression through the risk lifecycle.
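The two formulas above are simple enough to compute by hand, which is exactly how errors creep into a register that is edited by many owners over many quarters. The following script is an added example, not part of the template: it encodes the Inherent and Residual formulas, rejects scores outside the 1-5 scale, re-checks every recorded row against the formulas, and orders rows by computed residual score for prioritisation. The `RiskRow` field names and the `SAMPLE_REGISTER` transcription of the three rows above are this example's own choices; the residual formula is rearranged to `Inherent × (5 - Effectiveness) / 5` purely to avoid floating-point rounding, and gives the same result as the template's form.

```python
"""Risk register scoring helpers based on the template's formulas:
Inherent = Likelihood x Impact; Residual = Inherent x (1 - Effectiveness / 5)."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # the template's 1-5 likelihood/impact/effectiveness scale


def _check_scale(name: str, value: int) -> None:
    # Every input to the matrix must be an integer on the 1-5 scale.
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer from {SCALE_MIN} to {SCALE_MAX}, got {value!r}")


def inherent_score(likelihood: int, impact: int) -> int:
    """Inherent Risk Score = Likelihood x Impact (range 1-25)."""
    _check_scale("likelihood", likelihood)
    _check_scale("impact", impact)
    return likelihood * impact


def residual_score(inherent: int, control_effectiveness: int) -> float:
    """Residual Risk Score = Inherent x (1 - Control Effectiveness / 5).

    Written as Inherent x (5 - Effectiveness) / 5 so that, e.g., 20 x 1 / 5 is
    exactly 4.0 instead of 20 x 0.19999... from binary floating point."""
    _check_scale("control_effectiveness", control_effectiveness)
    return inherent * (SCALE_MAX - control_effectiveness) / SCALE_MAX


@dataclass(frozen=True)
class RiskRow:
    """One register row, carrying the scores as recorded (not recomputed). Field names are this example's own."""
    risk_id: str
    likelihood: int
    impact: int
    recorded_inherent: int
    control_effectiveness: int
    recorded_residual: float


# The three sample rows from the template, transcribed exactly as they appear.
SAMPLE_REGISTER = [
    RiskRow("RISK-001", 4, 5, 20, 4, 5),
    RiskRow("RISK-002", 3, 5, 15, 3, 6),
    RiskRow("RISK-003", 2, 4, 8, 5, 0),
]


def find_discrepancies(rows):
    """Return (risk_id, field, recorded, computed) for every score cell that
    disagrees with the template's formulas. An empty list means the register
    is internally consistent and safe to report from."""
    problems = []
    for row in rows:
        inherent = inherent_score(row.likelihood, row.impact)
        if inherent != row.recorded_inherent:
            problems.append((row.risk_id, "inherent", row.recorded_inherent, inherent))
        residual = residual_score(inherent, row.control_effectiveness)
        if abs(residual - row.recorded_residual) > 1e-9:
            problems.append((row.risk_id, "residual", row.recorded_residual, residual))
    return problems


def prioritize(rows):
    """Risk IDs ordered by computed residual score, highest first; the inherent
    score breaks ties so a weakly controlled large risk still surfaces early."""
    scored = []
    for row in rows:
        inherent = inherent_score(row.likelihood, row.impact)
        scored.append((residual_score(inherent, row.control_effectiveness), inherent, row.risk_id))
    return [risk_id for _, _, risk_id in sorted(scored, reverse=True)]


if __name__ == "__main__":
    for problem in find_discrepancies(SAMPLE_REGISTER):
        print("Inconsistent cell:", problem)
    print("Review order:", prioritize(SAMPLE_REGISTER))
```

Run against the three sample rows, the checker flags one cell: RISK-001 records a residual score of 5, while 20 × (1 - 4/5) is 4. The prioritised order is RISK-002 (residual 6), RISK-001 (4), RISK-003 (0). Note that a control effectiveness of 5 drives the residual score to exactly 0, as for RISK-003; a zero residual means "fully mitigated on this scale", not that the risk has ceased to exist, so rows scored 0 should still keep their review date rather than drop out of the cycle.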
## Key Takeaways

- Standardize identifiers – Consistent Risk IDs make it easier to reference and audit risks over time.
- Quantify early – Use the 1‑5 likelihood and impact scales to produce an Inherent Risk Score that highlights the most pressing threats.
- Measure control strength – Rating control effectiveness forces owners to think critically about how well existing safeguards work.
- Focus on residual risk – The residual score tells you whether additional mitigation is truly needed, helping you allocate resources wisely.
- Own the process – Assign a clear mitigation owner and due date; accountability drives action.
- Review regularly – Set review dates that match the risk’s severity; high‑risk items get more frequent check‑ins.
## Conclusion

A well‑filled risk assessment template turns vague concerns into actionable data. By scoring likelihood, impact, and control effectiveness, you can see at a glance which risks demand immediate attention and which are under control. Keep the document living—update scores whenever conditions shift, and stick to the review cadence you’ve defined. Doing so not only satisfies ISO 31000, COSO ERM, and NIST RMF requirements but also builds a culture where risk is managed proactively rather than reactively.
## Footer

Version: 1.0 | Review Cycle: Quarterly | Owner: Risk Management Team