Risk Matrix Examples: 7 Practical Examples Across Cyber, Compliance, and Operations
See practical risk matrix examples across cybersecurity, compliance, vendor, and operational risk. Learn how to score likelihood and impact and how to interpret matrix positions in real situations.
Examples are what make a scoring methodology usable. Most teams understand the formula for a risk matrix. The hard part is applying it consistently.
If you need the full methodology first, read Risk Matrix Explained. If you already have a framework and need calibration material, the examples below are a good starting set.
These examples are illustrative calibration scenarios, not universal scores. Different organizations can reasonably land on different values depending on asset criticality, threat environment, control maturity, and risk appetite.
Example 1: Phishing Leading to Credential Theft
Risk statement: Due to targeted phishing campaigns, an employee could disclose credentials, resulting in unauthorized access to core business systems.
- Inherent likelihood: 5 - Almost Certain
- Inherent impact: 4 - Major
- Inherent score: 20 - High
Why it scores this way:
- Phishing attempts are constant in most organizations
- Compromised credentials often create broad initial access
- Even before a breach is confirmed, response and recovery costs can be significant
Possible controls:
- Security awareness training
- Email filtering
- MFA
- Conditional access
Example residual score:
- Residual likelihood: 3
- Residual impact: 2
- Residual score: 6 - Medium
This is a classic example of strong movement on a risk matrix: controls reduce both frequency and blast radius.
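An added example, not code from the original article, that encodes the scoring above in Python so Example 1 (and the later examples) can be scored the same way every time. The 5x5 multiplication and the inherent/residual labels come from the page; the band thresholds (15 and above High, 6 to 12 Medium, below 6 Low) and the unnamed scale labels are assumptions chosen to match the scores the page gives.

```python
from dataclasses import dataclass

# Scale labels as used on this page; the entries the page never names
# (1 and 2 on likelihood, 1 on impact) are assumed here.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

def score(likelihood: int, impact: int) -> int:
    """Multiply the two 1..5 ratings; anything off the matrix is rejected, not clamped."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must both be integers from 1 to 5")
    return likelihood * impact

def level(s: int) -> str:
    """Band thresholds are an assumption chosen to match the page: 15 and 20 are
    High, 6 through 12 are Medium, and anything below 6 is treated as Low."""
    if s >= 15:
        return "High"
    if s >= 6:
        return "Medium"
    return "Low"

@dataclass
class Risk:
    statement: str
    inherent: tuple        # (likelihood, impact) before controls
    controls: list
    residual: tuple = None  # (likelihood, impact) after controls, if scored

    def summary(self) -> dict:
        il, ii = self.inherent
        out = {"inherent": score(il, ii), "inherent_level": level(score(il, ii))}
        if self.residual is not None:
            rl, ri = self.residual
            # Defensible movement: controls may lower either axis but never raise one.
            if rl > il or ri > ii:
                raise ValueError("residual rating exceeds inherent rating")
            out["residual"] = score(rl, ri)
            out["residual_level"] = level(score(rl, ri))
        return out

# Example 1 from the page, scored exactly as written there.
PHISHING = Risk(
    "Targeted phishing leads to credential theft and unauthorized access",
    inherent=(5, 4),
    controls=["Security awareness training", "Email filtering", "MFA", "Conditional access"],
    residual=(3, 2),
)

if __name__ == "__main__":
    print(PHISHING.summary())
```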
Example 2: Critical Vendor Outage
Risk statement: Due to heavy dependence on a single SaaS provider, a vendor outage could disrupt a business-critical workflow and prevent customer service delivery.
- Inherent likelihood: 3 - Possible
- Inherent impact: 5 - Catastrophic
- Inherent score: 15 - High
Why it scores this way:
- The event may not be frequent
- But if it happens, the operational consequences can be severe
This is a helpful example for teams running third-party risk management because it shows that lower-frequency risks can still sit high on the matrix when impact is large.
Example 3: Failed Access Review Process
Risk statement: Due to inconsistent quarterly access reviews, users could retain inappropriate access rights, resulting in excessive privileges and audit findings.
- Inherent likelihood: 4 - Likely
- Inherent impact: 3 - Moderate
- Inherent score: 12 - Medium
Residual score after controls such as automated review reminders, manager approvals, and system-based revocation might drop to 6 or 8, depending on how consistently the process operates.
This example is useful because it links risk scoring directly to control effectiveness.
Example 4: Regulatory Non-Compliance
Risk statement: Due to incomplete evidence collection and control documentation, the organization could fail a regulatory or audit review, resulting in fines, remediation work, or delayed revenue.
- Inherent likelihood: 3 - Possible
- Inherent impact: 4 - Major
- Inherent score: 12 - Medium
Why people often mis-score it:
- They focus only on fines and ignore sales delays, customer churn, and remediation costs
- They assume "we have policies" means controls are working
This is one of the clearest examples of why teams should compare inherent risk and residual risk instead of using a single score.
Example 5: Manual Spreadsheet Error in Reporting
Risk statement: Due to manual data entry in monthly risk reporting, incorrect information could be presented to leadership, resulting in poor prioritization and delayed treatment decisions.
- Inherent likelihood: 4 - Likely
- Inherent impact: 2 - Minor
- Inherent score: 8 - Medium
This is a good example of a frequent but lower-impact risk. It may not belong in the red zone, but if it happens repeatedly it still deserves structured treatment.
Example 6: Ransomware Affecting Core Operations
Risk statement: Due to gaps in endpoint hardening and privileged access controls, ransomware could encrypt critical systems and interrupt operations for several days.
- Inherent likelihood: 4 - Likely
- Inherent impact: 5 - Catastrophic
- Inherent score: 20 - High
Residual risk might still remain high even after backups, segmentation, and incident response improvements. That is not a failure of the model. It reflects the fact that some risks remain materially significant even with mature controls.
Example 7: Missed Project Dependency
Risk statement: Due to poor planning around a third-party integration, a key project milestone could slip, resulting in launch delays and unexpected cost overruns.
- Inherent likelihood: 3 - Possible
- Inherent impact: 3 - Moderate
- Inherent score: 9 - Medium
This example shows that the matrix is not just for security teams. It can be used for operational and project risk as long as the scoring definitions are clear.
How to Use These Examples in Workshops
Examples are most useful before people score live risks. A simple calibration sequence works well:
- Review three examples together
- Ask participants to score each one independently
- Discuss disagreements and the reasoning behind them
- Update your definitions if confusion keeps recurring
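An added example, not part of the original article, of the calibration sequence above in Python: each participant scores the same examples independently, the spread per axis is measured, and an axis that keeps disagreeing across examples is surfaced as a definition to revisit rather than a scenario to re-argue. The participant names and ratings are constructed for illustration.

```python
from statistics import median

# Constructed workshop data: three people rated the same three page examples
# independently as (likelihood, impact). Names and values are made up.
WORKSHOP_SCORES = {
    "Phishing credential theft": {"ana": (5, 4), "ben": (4, 4), "cho": (5, 5)},
    "Critical vendor outage":    {"ana": (3, 5), "ben": (1, 5), "cho": (3, 4)},
    "Failed access review":      {"ana": (4, 3), "ben": (2, 2), "cho": (4, 4)},
}

def spread(values) -> int:
    """Distance between the highest and lowest rating given for one axis."""
    return max(values) - min(values)

def calibration_report(scores: dict, max_spread: int = 1) -> dict:
    """Per example: how far apart participants are on each axis and on the product.
    An axis whose spread exceeds max_spread is flagged for discussion."""
    report = {}
    for name, by_person in scores.items():
        ls = [l for l, _ in by_person.values()]
        im = [i for _, i in by_person.values()]
        products = [l * i for l, i in by_person.values()]
        flags = [axis for axis, s in (("likelihood", spread(ls)), ("impact", spread(im)))
                 if s > max_spread]
        report[name] = {
            "likelihood_spread": spread(ls),
            "impact_spread": spread(im),
            "score_spread": spread(products),
            # Median rating per axis, then multiplied, as a starting consensus score.
            "consensus_score": int(median(ls)) * int(median(im)),
            "flag": flags,
        }
    return report

def definitions_to_revisit(report: dict) -> list:
    """An axis flagged on more than one example points at the scale definition,
    not the scenario: that is when the page says to update your definitions."""
    counts = {}
    for entry in report.values():
        for axis in entry["flag"]:
            counts[axis] = counts.get(axis, 0) + 1
    return sorted(axis for axis, n in counts.items() if n > 1)

if __name__ == "__main__":
    rep = calibration_report(WORKSHOP_SCORES)
    for name, entry in rep.items():
        print(name, entry)
    print("revisit:", definitions_to_revisit(rep))
```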
If your team does not yet have a standard scoring sheet, start with our risk matrix template.
What These Examples Teach
Across the examples above, a few patterns repeat:
- High impact can drive a risk into the upper-right even when frequency is moderate
- Frequent low-impact issues often sit in the middle and still deserve action
- Controls should change the score in a defensible way, not just cosmetically
- Calibration matters more than perfect math
The goal of examples is not to produce universal scores. It is to help your organization score similar risks the same way, every time.
Sources and Standards
The scenarios on this page are editorial examples based on common risk-assessment patterns. They are grounded in mainstream risk-management guidance on likelihood, impact, residual risk, and control effectiveness, but the individual scores are illustrative rather than taken from a standard or regulator.
Frequently Asked Questions
- What is a good risk matrix example?
- A good risk matrix example includes a clearly stated risk, an explanation of why the likelihood and impact were chosen, the resulting score, and what action the score should trigger. The best examples also show how controls change the score from inherent to residual risk.
- How many examples should teams review before scoring risks?
- Three to seven examples is usually enough to calibrate a team before an assessment workshop. The goal is not to cover every scenario. It is to align people on what each score means in practice.
- Should examples be generic or based on my industry?
- Start with generic examples if you are building your methodology from scratch, then add industry-specific ones as your program matures. Teams score more consistently when they can compare new risks to examples that look like their own environment.
- Can one example score be reused forever?
- No. Examples should be reviewed periodically because threat frequency, business context, regulatory expectations, and control effectiveness change over time. A score that made sense last year may no longer be appropriate today.
Related Articles
Risk Matrix Explained: How to Build and Use a 5x5 Risk Matrix
A complete guide to risk matrices, including how to build a 5x5 risk matrix, define likelihood and impact scales, set risk level thresholds, and use heat maps for risk visualization. Includes templates and practical examples.
Free Risk Matrix Template: A 5x5 Template You Can Adapt in Minutes
Use this free risk matrix template to score likelihood and impact, define risk levels, and standardize risk assessments. Includes a 5x5 template, sample thresholds, and practical setup guidance.
Risk Matrix Calculator: Score Likelihood and Impact on a 5x5 Matrix
Use this risk matrix calculator to score likelihood and impact on a 5x5 matrix, understand risk levels, and interpret the results. Includes an interactive matrix and guidance on using the scores consistently.