Risk Matrix Scoring

Configure custom risk scoring matrices with adjustable dimensions, level cutoffs, and likelihood/impact definitions


Flow's risk matrix scoring system provides configurable risk assessment matrices that adapt to your organization's specific risk appetite and assessment methodology. Customize matrix dimensions, scoring thresholds, and level definitions to align with your governance framework.

Overview

Risk matrix scoring configuration includes:

  • Adjustable Matrix Size - Choose from 3x3 up to 10x10 matrices
  • Custom Level Cutoffs - Define score thresholds for Low, Medium, High, and Critical
  • Likelihood Definitions - Customize likelihood scale descriptions
  • Impact Definitions - Tailor impact scale descriptions to your context
  • Inherent vs Residual Views - Toggle between pre-treatment and post-treatment scoring

Matrix Size Configuration

Available Sizes

Size | Score Range | Use Case
3x3 | 1–9 | Simplified assessments, executive reporting
4x4 | 1–16 | Balanced detail and simplicity
5x5 | 1–25 | Industry standard, default setting
6x6 | 1–36 | Detailed assessments with fine granularity
Up to 10x10 | 1–100 | Maximum granularity for complex environments

The default configuration uses a 5x5 matrix with scores ranging from 1 to 25.

Changing Matrix Size

Navigate to Settings > Risk Matrix to adjust the matrix dimensions. Changing the matrix size recalculates all risk scores organization-wide to maintain consistency.

Risk Level Cutoffs

Default Thresholds (5x5 Matrix)

Level | Score Range | Color | Description
Low | 1–5 | Green | Acceptable risk, monitor periodically
Medium | 6–12 | Yellow | Moderate risk, requires management attention
High | 13–20 | Orange | Significant risk, requires active mitigation
Critical | 21–25 | Red | Unacceptable risk, immediate action required

Custom Thresholds

Adjust level cutoffs to match your risk appetite. For example, a more conservative organization might set:

  • Low: 1–3
  • Medium: 4–8
  • High: 9–15
  • Critical: 16–25

Likelihood Scale

Default Definitions

Level | Label | Description
1 | Rare | Unlikely to occur in the next 10 years
2 | Unlikely | May occur in the next 5 years
3 | Possible | May occur in the next 2 years
4 | Likely | May occur in the next year
5 | Almost Certain | Expected to occur multiple times per year

Customize these descriptions to reflect your organization's operational context and historical data.

Impact Scale

Default Definitions

Level | Label | Description
1 | Negligible | Minimal impact on operations
2 | Minor | Some operational impact, easily managed
3 | Moderate | Significant operational impact, requires management attention
4 | Major | Severe operational impact, may affect business objectives
5 | Catastrophic | Critical impact, threatens business continuity

Score Calculation

Risk scores are calculated as:

Risk Score = Likelihood × Impact

This applies to both inherent and residual assessments:

  • Inherent Score - Pre-treatment risk level based on raw likelihood and impact
  • Residual Score - Post-treatment risk level after controls and mitigations are applied
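
An added example (not Flow's own code) that combines the score formula with the level cutoffs from this page: it checks that a set of cutoffs covers the full score range without gaps and counts how many heatmap cells fall in each level. The function and constant names are assumptions for illustration; the threshold values are the default and conservative sets shown above.

```python
# Added example: names are illustrative, not part of Flow's API.
# Cutoffs are listed in ascending order as inclusive (low, high) score ranges.
DEFAULT_5X5 = {"Low": (1, 5), "Medium": (6, 12), "High": (13, 20), "Critical": (21, 25)}
CONSERVATIVE_5X5 = {"Low": (1, 3), "Medium": (4, 8), "High": (9, 15), "Critical": (16, 25)}


def validate_cutoffs(cutoffs, size):
    """Raise ValueError unless the ranges tile 1..size*size with no gap or overlap."""
    if not 3 <= size <= 10:
        raise ValueError("matrix size must be between 3 and 10")
    expected = 1
    for level, (low, high) in cutoffs.items():
        if low != expected or high < low:
            raise ValueError(f"{level}: range {low}-{high} does not start at {expected}")
        expected = high + 1
    if expected != size * size + 1:
        raise ValueError(f"cutoffs end at {expected - 1}, matrix maximum is {size * size}")


def risk_score(likelihood, impact, size=5):
    """Risk Score = Likelihood x Impact, each on a 1..size scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= size:
            raise ValueError(f"{name} must be between 1 and {size}")
    return likelihood * impact


def level_for(score, cutoffs):
    """Return the level whose inclusive range contains the score."""
    for level, (low, high) in cutoffs.items():
        if low <= score <= high:
            return level
    raise ValueError(f"score {score} is outside every configured range")


def cells_per_level(cutoffs, size=5):
    """Count heatmap cells per level; only products of two 1..size values occur."""
    validate_cutoffs(cutoffs, size)
    counts = dict.fromkeys(cutoffs, 0)
    for likelihood in range(1, size + 1):
        for impact in range(1, size + 1):
            counts[level_for(risk_score(likelihood, impact, size), cutoffs)] += 1
    return counts


if __name__ == "__main__":
    for name, cutoffs in (("default", DEFAULT_5X5), ("conservative", CONSERVATIVE_5X5)):
        print(name, cells_per_level(cutoffs))
    # Constructed sample risk: inherent 4 x 4, residual 3 x 3 after controls.
    for likelihood, impact in ((4, 4), (3, 3)):
        score = risk_score(likelihood, impact)
        print(score, level_for(score, DEFAULT_5X5), level_for(score, CONSERVATIVE_5X5))
```

Because only products of two scale values occur, scores 21 to 24 never appear on a 5x5 matrix, so the default Critical range contains a single cell (5 x 5), while the conservative cutoffs place four cells there.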

Risk Matrix Visualization

The risk matrix report (Reports > Risk Matrix) renders your configured matrix as an interactive heatmap. Each cell shows the count of risks at that likelihood/impact intersection, color-coded by the configured level thresholds.

Display Modes

  • Numbers - Show risk counts in each cell
  • Circles - Visual dot representation proportional to risk count

View Modes

  • Inherent - Display risks by their inherent (pre-treatment) scores
  • Residual - Display risks by their residual (post-treatment) scores

Best Practices

  • Align with Framework - Match your matrix configuration to your chosen risk framework (ISO 31000, COSO ERM)
  • Consistent Definitions - Ensure likelihood and impact definitions are unambiguous and consistently applied
  • Periodic Review - Review and recalibrate thresholds annually or when risk appetite changes
  • Stakeholder Agreement - Get leadership buy-in on level definitions before rollout
