Cyber Risk Matrix Builder
Build a simple cyber risk register and custom 5x5 risk matrix from the risks your team already knows about. Add likelihood, impact, owners, treatment decisions, status, target dates, and current controls, then export the register as CSV or print the matrix for a leadership discussion.
This tool does not generate risks for you. That is intentional. A useful cyber risk matrix should reflect your business context, systems, vendors, obligations, incidents, and leadership decisions.
What you can export
- Risk ID and title
- Category and affected asset or process
- Likelihood, impact, and rating
- Owner, treatment, status, and target date
- Existing controls or next notes
A lightweight matrix for real security conversations.
The goal is not mathematical perfection. The goal is to make risk visible enough that executives, security owners, privacy, IT, legal, and product teams can decide what needs action and what is being accepted.
You need a board-ready view of cyber risk without buying a full GRC platform.
You are turning a workshop, audit finding, customer request, or vendor concern into a practical register.
You want owners, treatment decisions, and target dates beside the 5x5 matrix instead of a standalone heat map.
You need a simple exportable CSV that can move into Jira, a spreadsheet, a board packet, or a remediation plan.
Create the register, then use the matrix to prioritize.
Add known risks one by one. The tool places each risk in the matrix based on likelihood and impact, then keeps the risk register below the matrix so owners and treatment decisions do not get separated from the visual.
Step 1
Make your matrix first
Start with the default Custom 5x5 risk matrix, then customize the ratings if your leadership, regulator, insurer, or board uses a different risk appetite. Changes update the summary cards, register ratings, and CSV export.
Step 2
Add risks to your register
GreenHat does not guess your risks for you. Add the risks your team already knows about, score likelihood and impact, then use the matrix to make prioritization visible.
Risk register template
Use the table as a lightweight working register. Export it when you need to brief leadership, hand work to owners, or turn the assessment into a remediation plan.
| ID | Risk | Rating | Owner | Treatment | Status | Target | Controls | Action |
|---|---|---|---|---|---|---|---|---|
| Add your first risk to populate the register and matrix. | | | | | | | | |
- Very Low: <$4,999, limited internal awareness, no impact on continued compliance
- Low: $5,000-$24,999, most staff know, potential for non-compliance
- Moderate: $25,000-$99,999, some external awareness, non-compliance is likely
- High: $100,000-$499,999, media or customer attention, potential penalties
- Critical: >$500,000, regulator or customer impact, lawsuits or serious penalties
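The Very Low to Critical bands above, used as the impact axis of a small register with CSV export. This is an added example, not GreenHat's code. The function names, the likelihood x impact cutoffs, the handling of amounts that fall between the published bands ($4,999 and $500,000), and the sample rows are all assumptions.

```python
import csv
import io

COLUMNS = ["ID", "Risk", "Category", "Asset", "Likelihood", "Impact", "Rating",
           "Owner", "Treatment", "Status", "Target", "Controls"]
# Assumed default cutoffs on likelihood x impact (1-25); not from the page.
CUTOFFS = [(20, "Critical"), (12, "High"), (6, "Moderate"), (3, "Low"), (1, "Very Low")]

def impact_level(loss):
    """Loss in dollars -> impact 1-5; gap amounts ($4,999, $500,000) take the lower band (assumed)."""
    if loss < 0:
        raise ValueError("loss must be non-negative")
    if loss > 500_000:
        return 5
    for floor, level in ((100_000, 4), (25_000, 3), (5_000, 2)):
        if loss >= floor:
            return level
    return 1

def build_matrix(overrides=None):
    """Return {(likelihood, impact): rating}; overrides replace individual cells."""
    grid = {(l, i): next(name for floor, name in CUTOFFS if l * i >= floor)
            for l in range(1, 6) for i in range(1, 6)}
    grid.update(overrides or {})
    return grid

def safe_cell(value):
    """Neutralise spreadsheet formula triggers before the CSV reaches Excel or Sheets."""
    text = str(value)
    return "'" + text if text.startswith(("=", "+", "-", "@")) else text

def export_csv(risks, matrix):
    """Rate each risk from the matrix and return the register as CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for risk in risks:
        row = dict(risk, Impact=impact_level(risk["Loss"]))
        row["Rating"] = matrix[(row["Likelihood"], row["Impact"])]
        writer.writerow({c: safe_cell(row.get(c, "")) for c in COLUMNS})
    return out.getvalue()

# Constructed sample register entries (not real risks).
SAMPLE = [
    {"ID": "R-1", "Risk": "Unpatched VPN appliance", "Likelihood": 4, "Loss": 500_000,
     "Owner": "IT", "Treatment": "Mitigate", "Status": "Open"},
    {"ID": "R-2", "Risk": "=Vendor portal without MFA", "Likelihood": 2, "Loss": 4_999,
     "Owner": "Security", "Treatment": "Accept", "Status": "Open"},
]
```

Passing `build_matrix({(1, 5): "High"})` shows how a single cell can be raised to match a stricter risk appetite without changing the rest of the grid.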
Use the matrix with the rest of the security workflow.
A risk matrix is most useful when it connects to requirements, vendors, AI decisions, and a clear assessment method. These GreenHat resources help fill in those inputs.
How to Do a Cybersecurity Risk Assessment
Use the guide before the tool if you need help defining scope, impact, likelihood, scoring, and follow-through.
Vendor Security Assessment Questionnaire
Use this when third-party risks need evidence before they enter the register.
Cybersecurity and Privacy Requirements Tool
Map Canadian cybersecurity and privacy requirements before scoring obligation-driven risks.
AI Risk Questionnaire
Review AI vendors and implementations before adding AI risks to the matrix.