Risk Scoring

The 5x5 Risk Matrix

Clarion uses a standard 5x5 matrix to score risks. This is the industry standard used across ISO 27001, SOC 2, and NIST frameworks. Every risk is scored on two dimensions: how likely it is and how much damage it would cause.

Likelihood Scale

Score | Label          | What It Means
1     | Rare           | Highly unlikely to happen (less than 5% chance)
2     | Unlikely       | Could happen but not expected (5–25% chance)
3     | Possible       | Reasonable chance of happening (25–50% chance)
4     | Likely         | Will probably happen (50–80% chance)
5     | Almost Certain | Expected to happen (more than 80% chance)

Impact Scale

Score | Label        | What It Means
1     | Negligible   | No meaningful business impact
2     | Low          | Minor operational disruption, no data loss
3     | Medium       | Moderate disruption, limited data exposure, minor regulatory attention
4     | High         | Significant disruption, data breach, regulatory investigation
5     | Catastrophic | Business-critical failure, major data breach, regulatory penalties, reputational damage

How the Score Is Calculated

Your risk score is simply Likelihood x Impact, giving a range from 1 to 25.

Risk Levels

Score Range | Level    | Color  | What You Should Do
1–4         | Low      | Green  | Monitor the risk. Accept it if it's within your appetite
5–9         | Medium   | Yellow | Create a treatment plan
10–16       | High     | Orange | Treatment plan required — escalate to management
17–25       | Critical | Red    | Take immediate action — this needs board-level visibility

Inherent vs Residual Risk

Every risk in Clarion has two scores. Understanding the difference is key to managing risk effectively.

Inherent Risk

This is your risk level before any controls are in place — the "raw" exposure.

  • You set this manually when you assess the risk
  • It's based on the threat's likelihood and potential business impact
  • It doesn't change when controls pass or fail
  • Think of it as your baseline for measuring how well your controls are working

Residual Risk

This is your risk level after your controls are factored in. It's calculated automatically.

  • Updates in real time as your compliance controls pass or fail
  • Reflects your actual current exposure
  • Used for dashboard KPIs, the heatmap, and comparing against your risk appetite

How Residual Scores Are Calculated

Clarion uses a weighted model. When you link a compliance control to a risk, you specify how much that control reduces the likelihood and impact.

Step by Step

  1. Link controls to a risk — Each risk can be linked to one or more compliance controls. Library risks come with controls pre-linked; for custom risks, the system recommends relevant controls based on the category
  2. Set reduction weights — For each link, you specify:
    • Likelihood reduction (0–4): How much this control reduces the chance of the risk occurring
    • Impact reduction (0–4): How much this control reduces the damage if it does occur
  3. Control effectiveness is checked automatically — A control counts as "effective" only when it's passing across all assigned systems (the strictest interpretation)
  4. Residual score is calculated:

Residual Likelihood = Inherent Likelihood minus the sum of likelihood reductions from all passing controls (minimum of 1)

Residual Impact = Inherent Impact minus the sum of impact reductions from all passing controls (minimum of 1)

Residual Score = Residual Likelihood x Residual Impact

Example

Say you have a risk with an inherent score of Critical (20) — likelihood 4, impact 5.

You've linked five compliance controls, each reducing likelihood by 1 and impact by 1:

Control                      | Status     | Effective?
Access Control Policy        | Not Tested | No
Access Control System        | Not Tested | No
MFA for Admin Access         | Failing    | No
Privileged Access Restricted | Failing    | No
Least Privilege              | Passing    | Yes

Only one control is passing, so the calculation is:

  • Residual Likelihood = 4 - 1 = 3
  • Residual Impact = 5 - 1 = 4
  • Residual Score = 3 x 4 = 12 (High)

The risk dropped from Critical (20) to High (12) thanks to one effective control. As more controls start passing, the score will continue to drop.
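The weighted model and the worked example above, as an added reference implementation that is not Clarion's own code. The `ControlLink` structure, the per-system status dictionary and the system names "crm" and "erp" are assumptions; the sample links are constructed to match the five controls in the example, with "MFA for Admin Access" passing on one system but failing on another to show the strictest-interpretation rule.

```python
from dataclasses import dataclass

# Score bands from the Risk Levels table (score = Likelihood x Impact, 1-25)
LEVELS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Critical"))

def risk_level(score: int) -> str:
    """Map a 1-25 score to its level name."""
    for low, high, name in LEVELS:
        if low <= score <= high:
            return name
    raise ValueError(f"score out of range: {score}")

@dataclass
class ControlLink:
    """A control linked to a risk, with its reduction weights (hypothetical structure)."""
    name: str
    likelihood_reduction: int  # 0-4
    impact_reduction: int      # 0-4
    system_status: dict        # assigned system -> "Passing" | "Failing" | "Not Tested"

    def is_effective(self) -> bool:
        # Strictest interpretation: passing on every assigned system (and at least one system).
        return bool(self.system_status) and all(s == "Passing" for s in self.system_status.values())

def residual_score(inherent_likelihood: int, inherent_impact: int, links: list) -> tuple:
    """Return (residual likelihood, residual impact, residual score); each factor floors at 1."""
    if not (1 <= inherent_likelihood <= 5 and 1 <= inherent_impact <= 5):
        raise ValueError("inherent likelihood and impact must be 1-5")
    for c in links:
        if not (0 <= c.likelihood_reduction <= 4 and 0 <= c.impact_reduction <= 4):
            raise ValueError(f"reduction weights for {c.name} must be 0-4")
    effective = [c for c in links if c.is_effective()]  # only passing controls count
    rl = max(1, inherent_likelihood - sum(c.likelihood_reduction for c in effective))
    ri = max(1, inherent_impact - sum(c.impact_reduction for c in effective))
    return rl, ri, rl * ri

def exceeds_appetite(score: int, threshold: int = 10) -> bool:
    """Dashboard 'Exceeding Appetite' test: residual score strictly above the threshold (default 10)."""
    return score > threshold

# Constructed sample matching the page's worked example: inherent 4 x 5 = 20 (Critical),
# five controls each reducing likelihood and impact by 1, only one of them passing.
EXAMPLE_LINKS = [
    ControlLink("Access Control Policy", 1, 1, {"crm": "Not Tested"}),
    ControlLink("Access Control System", 1, 1, {"crm": "Not Tested"}),
    ControlLink("MFA for Admin Access", 1, 1, {"crm": "Passing", "erp": "Failing"}),
    ControlLink("Privileged Access Restricted", 1, 1, {"crm": "Failing"}),
    ControlLink("Least Privilege", 1, 1, {"crm": "Passing", "erp": "Passing"}),
]
```

Running `residual_score(4, 5, EXAMPLE_LINKS)` returns `(3, 4, 12)`, i.e. High, as in the example; with every control passing it returns `(1, 1, 1)`, which is the ISO 27005 floor the next section describes.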

Scores Update Automatically

Your residual scores update every time you view the page. When a control's status changes — for example, after a compliance check passes — the residual score reflects it immediately on the next page load. No manual recalculation needed.

Why Can't Residual Risk Reach Zero?

Both residual likelihood and impact have a minimum of 1. Even with all controls passing, a risk never reaches zero. This follows ISO 27005 guidance: there's always some level of residual exposure, no matter how good your controls are.

Risk Appetite

Setting Your Threshold

Your organization can set a risk appetite threshold — the residual score above which a risk needs attention. The default is 10.

To change it, go to the Risk Settings page on your dashboard.

Any risk with a residual score above this threshold shows up in the "Exceeding Appetite" count on your dashboard, making it easy to see what needs action.

Using Risk Appetite in Practice

  • Below appetite: Monitor the risk and review it periodically
  • At or above appetite: Active treatment is required — management should have visibility
  • The dashboard KPI makes it clear at a glance how many risks need attention

Clarion records a snapshot of each risk's scores whenever the risk is created or updated. The trend chart on your dashboard shows monthly averages, so you can track whether your overall risk posture is improving over time.

  • Improving: Average residual score is trending down — your controls are working
  • Degrading: Average residual score is trending up — controls may be failing or new risks have been added
  • Stable: Scores are flat — you're in maintenance mode

Clarion Security Observability Platform