How to Do a Cybersecurity Risk Assessment

Before scoring anything, decide why the assessment exists. A board risk update, SOC 2 readiness review, vendor review, privacy program, incident follow-up, AI approval, and budget request all need different levels of detail. If the purpose is unclear, the register will collect risks without helping anyone decide what to do next.

A strong starting question is: what decision should be easier after this assessment? That may be whether to fund remediation, accept a vendor, delay a launch, change an architecture decision, assign a new control owner, or brief the board on a material cyber exposure.

Write that decision at the top of the assessment. It keeps the work practical and prevents the team from turning every possible issue into the same level of urgency.

Impact is where many risk assessments become vague. If one person thinks impact means financial loss, another thinks customer trust, and another thinks regulatory exposure, the scores will not be comparable. Define impact levels before scoring the register.

A practical impact scale can include financial exposure, customer effect, operational downtime, privacy harm, compliance consequences, legal exposure, reputational visibility, staff impact, and safety considerations. Not every organization needs every dimension, but the team should agree what a 1, 3, and 5 mean.

The Cyber Risk Matrix Builder includes a default 1-to-5 impact scale that you can use as a starting point, then adapt for your organization.

The register should start from real inputs: recent incidents, audit findings, customer diligence, vendor dependencies, architecture reviews, cloud and identity controls, data flows, privacy obligations, AI use cases, business continuity assumptions, and known control gaps.

Do not ask a tool to invent your risks and then treat the output as truth. That may be useful for brainstorming, but it is not a risk assessment. A real assessment needs owners who recognize the issue, evidence that explains current control strength, and enough context to decide treatment.

For vendor-driven risks, start with GreenHat's Vendor Security Assessment Questionnaire Template. For AI-driven risks, use the AI Risk Questionnaire before adding AI risks to the register.

Likelihood should describe how plausible the event is in the assessment period, not how nervous the team feels about it. A five-year window can work for strategic risks, while a one-year or two-year window may work better for operational reviews. Pick the window and use it consistently.

Then score likelihood and impact separately. A risk can be unlikely but catastrophic, common but low impact, or both likely and severe. Mixing those judgments together too early makes the matrix less useful.

When the score is uncertain, record the uncertainty. That may become a data collection task: review logs, interview owners, inspect evidence, test a control, ask a vendor for proof, or confirm whether a legal obligation applies.

A 5x5 cyber risk matrix is a conversation tool. It helps show which risks need immediate attention, which can be tracked, and which need executive acceptance. It does not prove the exact mathematical value of a risk.

The most useful matrix is connected to the register. If the visual shows a critical risk but no owner, treatment decision, target date, or current control note, the organization has not finished the assessment. It has only created a picture.

Open the Cyber Risk Matrix Builder when you are ready to enter the risks, see the matrix, and export the register.

The assessment should not die in a slide deck. Once risks are scored, leadership needs treatment decisions: mitigate, transfer, avoid, or accept. Each risk needs an owner, status, target date, and review cadence.

For startups, this often becomes the security roadmap. For larger teams, it can become a quarterly risk review, a board reporting input, a SOC 2 readiness input, or a way to connect security work to budget and product decisions.

If the assessment identifies Canadian privacy, cybersecurity, sector, or customer-driven obligations, use GreenHat's Cybersecurity and Privacy Requirements for Your Organization tool to map those requirements before finalizing treatment.

The most common mistake is treating the matrix as the deliverable. The matrix is useful, but the register, owners, treatment decisions, control notes, and follow-up rhythm are what make the assessment operational.

Another mistake is scoring everything in isolation. A vendor issue may also be a privacy issue. A SOC 2 control gap may also be a customer renewal risk. An AI approval issue may also be an identity and data retention risk. Keep the relationships visible.