Task 2 Risk Assessment Example Answer

Uploaded by pogihex590

RISK MATRIX

Likelihood scale (description):
  Rare            May only occur in exceptional circumstances
  Unlikely        Could occur at some time
  Possible        Might occur at some time
  Likely          Will probably occur in most circumstances
  Almost Certain  Is expected to occur in most circumstances

Consequence scale (description):
  Severe         Critical failure(s) preventing core activities from being performed. The impact threatens the survival of the organisation.
  Major          Breakdown of key activities leading to reduction in performance (e.g. service delays, revenue loss, client ...).
  Moderate       Impact on the organisation resulting in reduced performance such as targets not being met.
  Minor          Some impact on business areas in terms of delays, system quality, but able to be dealt with at operational level.
  Insignificant  Minimal impact on non-core business operations. The impact can be dealt with by routine operations.

Risk level by consequence (rows) and likelihood (columns):

CONSEQUENCE      Rare       Unlikely   Possible   Likely     Almost Certain
Severe           HIGH       VERY HIGH  VERY HIGH  EXTREME    EXTREME
Major            HIGH       HIGH       VERY HIGH  VERY HIGH  EXTREME
Moderate         LOW        MEDIUM     MEDIUM     HIGH       VERY HIGH
Minor            VERY LOW   LOW        MEDIUM     MEDIUM     HIGH
Insignificant    VERY LOW   VERY LOW   LOW        MEDIUM     MEDIUM
Context - Asset(s) that we are trying to protect

The assets that need to be protected include:

- Confidential customer data
- Proprietary business information
- Financial information
- Intellectual property
- Physical infrastructure & equipment

RISK REGISTER

Each risk is rated three times, as Likelihood / Consequence / Risk Level: the Inherent Risk Rating, the Current Risk Rating (with the existing control measures in place) and the Target Risk Rating (once the additional control measures are implemented). The effectiveness of each control is rated Excellent / Good / Moderate / Weak.

R01  Cyber attack
  Description: A cyberattack is a deliberate attempt by hackers to gain unauthorised access to a company's computer systems or networks, with the goal of stealing sensitive information, causing damage or disruption, or holding data ransom. The perceived sources for a cyberattack could include organised crime groups, nation-states, or individual hackers.
  Sources or causes of risk: Organised crime groups, nation-states, or individual hackers.
  Consequences of risk: Data theft, system downtime, reputational damage, and financial losses.
  Inherent risk rating: Likely / Major / VERY HIGH
  Existing control measures: Firewalls, intrusion detection systems, antivirus software.
  Effectiveness of existing control measures:
    - Firewalls - Excellent control. Configured, maintained and tested properly. Highly effective and very fit for purpose. It substantially reduces the likelihood and/or consequence of the risk. It is cost effective.
    - Intrusion detection systems - Moderate control. Configuration needs to be improved.
    - Antivirus - Good control. Effective and fit for purpose. Configuration, maintenance and testing are good enough.
  Current risk rating: Possible / Major / VERY HIGH
  Additional control measures:
    Treat - reduce the likelihood or impact of the risk by following these additional control measures:
    - Multi-factor authentication (MFA)
    - Penetration testing
    - Regular security awareness training
    Transfer - We can also transfer this risk to a third party by letting a Managed Security Service Provider manage the organisation's Security Information and Event Management (SIEM) tool.
  Effectiveness of additional control measures:
    - Multi-factor authentication (MFA) - Good control. This would add an extra layer of security by requiring users to provide additional authentication factors beyond a password.
    - Security Information and Event Management (SIEM) - Excellent control. This would enable real-time monitoring of security events and alerts for any suspicious activity, and help with incident response.
    - Penetration testing - Good control. This would simulate a cyberattack to identify vulnerabilities and weaknesses in the system and help to improve the existing controls.
    - Regular security awareness training - Good control. This would help to educate employees about cyber threats and best practices to prevent them, and reduce the risk of human error or negligence.
  Target risk rating: Unlikely / Moderate / MEDIUM

R02  Natural Disaster
  Description: A natural disaster is an unpredictable event caused by natural phenomena, such as earthquakes, cyclones, floods or bushfires, that can cause significant damage to a company's physical assets, disrupt operations, and pose a threat to employee safety.
  Sources or causes of risk: Natural phenomena beyond human control.
  Consequences of risk: Property damage, loss of life, disruption of supply chains, and financial losses.
  Inherent risk rating: Rare / Severe / HIGH
  Existing control measures: Emergency response plans, backup power generators, and building reinforcement measures.
  Effectiveness of existing control measures:
    - Emergency response plans - Good control. The organisation has established plans for responding to natural disasters, which reduces the consequence of the risk.
    - Backup power generators - Good control. Backup power generators can help ensure continuity of operations during a natural disaster, reducing the consequence of the risk.
    - Building reinforcement measures - Excellent control. The organisation has taken steps to reinforce the building against natural disasters, reducing the likelihood and consequence of the risk.
  Current risk rating: Rare / Moderate / LOW
  Additional control measures:
    Accept - Acknowledge the risk and choose not to resolve, transfer or treat it.
  Effectiveness of additional control measures:
    - Regular testing and maintenance - Good control. Regularly testing and maintaining emergency response plans, backup power generators, and building reinforcement measures to ensure they are effective and up to date.
  Target risk rating: Rare / Moderate / LOW

R03  Employee Negligence
  Description: Employee negligence arises when employees fail to follow established security protocols or engage in careless behaviour that puts company assets at risk. This could include employees failing to properly store or dispose of sensitive information, sharing login credentials, or falling for phishing scams.
  Sources or causes of risk: Employees who are not aware of the security protocols, don't take security seriously, or don't understand the consequences of their actions.
  Consequences of risk: Data breaches, reputational damage, and financial losses.
  Inherent risk rating: Possible / Moderate / MEDIUM
  Existing control measures: Security awareness training, access control.
  Effectiveness of existing control measures:
    - Security awareness training - Good control. Regular training sessions are carried out to educate employees about security threats and best practices to minimise the risks of employee negligence.
    - Access control - Excellent control. Measures have been put in place to ensure that employees only have access to the data and systems that are necessary for their job function.
  Current risk rating: Possible / Moderate / MEDIUM
  Additional control measures:
    Treat - reduce the likelihood or impact of the risk by following these additional control measures:
    - Monitoring and auditing of employee actions
    - Role-based access control
    - Incident response plan
  Effectiveness of additional control measures:
    - Monitoring and auditing of employee actions - Good control. Regular monitoring and auditing of employee actions on company systems can help identify any suspicious activity or potential risks.
    - Role-based access control - Excellent control. Implement role-based access control to ensure employees only have access to the systems and data they need to perform their job functions, reducing the risk of accidental or intentional data breaches.
    - Incident response plan - Good control. Develop and implement an incident response plan to provide guidelines on how to respond to security incidents or data breaches caused by employee negligence.
  Target risk rating: Unlikely / Minor / LOW
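A register like the one above is easy to get wrong by hand: a stated risk level that does not match the matrix cell, a "target" rating that is not actually lower than the "current" one, or an "Accept" decision paired with a rating that changes anyway. The script below is an added example, not part of the original answer. It transcribes the matrix and the three risks' ratings from this page and checks them for consistency; the three checking rules it applies are assumptions of the example, not rules stated in the answer.

```python
"""Validate a qualitative risk register against its 5x5 likelihood/consequence
matrix. The scales, matrix and register rows are transcribed from the example
answer above; the three consistency rules are this example's own assumptions."""

LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]
LEVELS = ["VERY LOW", "LOW", "MEDIUM", "HIGH", "VERY HIGH", "EXTREME"]

# Rows are consequences; columns follow LIKELIHOODS order (Rare ... Almost Certain).
MATRIX = {
    "Severe":        ["HIGH", "VERY HIGH", "VERY HIGH", "EXTREME", "EXTREME"],
    "Major":         ["HIGH", "HIGH", "VERY HIGH", "VERY HIGH", "EXTREME"],
    "Moderate":      ["LOW", "MEDIUM", "MEDIUM", "HIGH", "VERY HIGH"],
    "Minor":         ["VERY LOW", "LOW", "MEDIUM", "MEDIUM", "HIGH"],
    "Insignificant": ["VERY LOW", "VERY LOW", "LOW", "MEDIUM", "MEDIUM"],
}

# Treatment option chosen for each risk, as stated in the register.
TREATMENT = {"R01": "Treat", "R02": "Accept", "R03": "Treat"}

# (stage, likelihood, consequence, stated risk level) per risk, in rating order.
REGISTER = {
    "R01": [("inherent", "Likely", "Major", "VERY HIGH"),
            ("current", "Possible", "Major", "VERY HIGH"),
            ("target", "Unlikely", "Moderate", "MEDIUM")],
    "R02": [("inherent", "Rare", "Severe", "HIGH"),
            ("current", "Rare", "Moderate", "LOW"),
            ("target", "Rare", "Moderate", "LOW")],
    "R03": [("inherent", "Possible", "Moderate", "MEDIUM"),
            ("current", "Possible", "Moderate", "MEDIUM"),
            ("target", "Unlikely", "Minor", "LOW")],
}


def risk_level(likelihood, consequence):
    """Look up the matrix cell for a likelihood/consequence pair."""
    return MATRIX[consequence][LIKELIHOODS.index(likelihood)]


def rank(level):
    """Ordinal position of a risk level, so levels can be compared."""
    return LEVELS.index(level)


def check_risk(risk_id, ratings, treatment):
    """Return a list of findings for one register row; empty means consistent.

    Rules (assumptions of this example, not stated on the page):
      1. Each stated level must equal the matrix lookup for its L/C pair.
      2. Controls never raise likelihood or consequence between stages.
      3. 'Accept' keeps the target at the current level; 'Treat' must lower it.
    """
    findings = []
    for stage, lik, con, stated in ratings:
        expected = risk_level(lik, con)
        if expected != stated:
            findings.append(f"{risk_id} {stage}: stated {stated}, matrix gives {expected}")
    for (s1, l1, c1, _), (s2, l2, c2, _) in zip(ratings, ratings[1:]):
        if LIKELIHOODS.index(l2) > LIKELIHOODS.index(l1):
            findings.append(f"{risk_id} {s1}->{s2}: likelihood rose {l1}->{l2}")
        if CONSEQUENCES.index(c2) > CONSEQUENCES.index(c1):
            findings.append(f"{risk_id} {s1}->{s2}: consequence rose {c1}->{c2}")
    by_stage = {stage: rank(risk_level(l, c)) for stage, l, c, _ in ratings}
    cur, tgt = by_stage["current"], by_stage["target"]
    if treatment == "Accept" and tgt != cur:
        findings.append(f"{risk_id}: Accept chosen but target differs from current")
    if treatment == "Treat" and tgt >= cur:
        findings.append(f"{risk_id}: Treat chosen but target is not below current")
    return findings


def validate(register, treatment):
    """Run check_risk over every row; return {risk_id: findings} for rows with issues."""
    report = {}
    for risk_id, ratings in register.items():
        findings = check_risk(risk_id, ratings, treatment[risk_id])
        if findings:
            report[risk_id] = findings
    return report


if __name__ == "__main__":
    print(validate(REGISTER, TREATMENT) or "register consistent with matrix")
```

Run as-is, the page's three risks pass all three rules. Changing a single stated level (for example recording R01's current rating as HIGH instead of VERY HIGH) produces a finding naming the row and the matrix value it should carry, which is the kind of check a reviewer would otherwise do cell by cell.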
