Operational risk management

Easily identify, measure, control and monitor the operational risks of your organization→


security risks

Ensures the confidentiality, integrity and availability of your information assets →



Keep track of all regulations and regulations that your organization must comply with →


Anti-Money Laundering

Easily identify, establish controls, and monitor AML risks→



Improve your internal audit processes, support regulatory compliance, and generate value for your organization through continuous improvement →

What will you learn? Learn with our experts about critical topics on Risk Management that will be useful in your daily work.


How to assess risk with a control matrix

written by Juan Pablo Calle, On December 04, 2019

How to assess risk with a control matrix

We have already explained how to identify and rate risks according to the established scales. Now we will show you how to assess them using a control matrix.

1. We have said that in order to design a control matrix components are arranged in rows and threats in columns. The former indicate the resources to be protected and the latter are the negative events that affect them. In risk management, it is important to bear in mind that both components and threats must first be prioritized in the rating process.

If there is a repeated score, the same value is assigned to two different cells in order to establish priorities that will then mark the zones according to the risk they generate, as high, medium or low. Following the example explained here, the matrix should look like this:

Example of how the matrix should look like.

2. A matrix of threats, components and controls is then prepared, which is one of the most common methods for assessing risk. The latter are listed and added on the intersection that controls the threat affecting a component.

At this point, it is imperative to determine which is the most sensitive cell, which in the case of the control matrix will always be located in the upper left corner. It must also be defined whether the controls applied are sufficient for each cell, particularly those at high risk. If they are not sufficient, new controls should be proposed. This way, the least sensitive cell is established and a review is conducted to know whether or not the controls applied are excessive.

3. After this, an analysis will be conducted according to the greater or lesser number of controls and it will be established whether they are sufficient or excessive, taking into account the need to control the threat and protect the component at all times.

4. The components are as follows, considering the sufficiency and effectiveness of the controls applied.

5. Finally, the threats are examined to determine whether or not they are properly controlled. The matrix of threats, components and controls should look like this:

The matrix of threats, components and controls should look like this

Money Laundering and Terrorism Financing Prevention Manual

Try Pirani For FREE NOW
Download a free Excel Risk Matrix Template
Free e-book Prevention & Correction of Human Error For Risk Management

Leave us your comments