Rows = Impact (bottom to top: Insignificant → Catastrophic).
Columns = Likelihood (left to right: Rare → Almost Certain).
Click any cell to cycle its rating: LOW → MEDIUM → HIGH → EXTREME → LOW.
Edit point scores inline to fine-tune ranking within a band. Amber outline = changed from default.
Move your cursor over any matrix cell to see what that likelihood × impact combination means for your organisation, and what the resulting risk rating requires in terms of management response.
Point scores (pts) rank severity within a band. They do not affect which band a cell belongs to — only the label does. Use pts to distinguish cells that share a band but have different risk levels.
How much credit each survey and control answer receives. Drag a slider to adjust — the explanation updates live on the right.
When someone answers a survey question or rates a control, their answer is multiplied by this weight before it contributes to risk reduction.
A weight of 1.0 = full credit. A weight of 0.5 means the evidence is treated as 50% effective. A weight of 0.0 means no risk reduction at all — treated as if unanswered.
The survey caps (Survey Evidence tab) then limit the total reduction these weights can produce.
Survey answers (Vendor Survey + Internal Survey steps) can reduce inherent risk. These caps prevent survey responses alone from eliminating a risk — only implemented controls should do that.
The survey layer sits between Base risk and Control treatment. It produces the Inherent score shown in the heatmap.
Survey answers are aggregated into a single evidence strength (0–1). If strong evidence is present, the risk score is reduced by up to the cap number of matrix steps in likelihood or impact.
Even if every control is implemented, the total reduction is bounded by these caps. They prevent the model from eliminating risk entirely through controls alone.
Each control is classified by how it reduces risk. Factors (0.0–1.0) scale the credit each type receives. Drag a slider to adjust. A factor of 1.0 = full credit; 0.5 = half credit; 0.0 = no credit for that effect type.
Adjust the starting risk score for each risk. The base score represents how serious this risk is before any survey or control evidence is considered. Apply a strategy % to reflect your organisation's specific risk appetite for that risk type.
The base score is the taxonomy score — a pre-calibrated measure of how inherently risky this AI risk type is, on a 1–10 scale. It feeds directly into the 5×5 matrix lookup to determine the starting risk band.
Override the base score when the default taxonomy score doesn't reflect your system's actual exposure — for example, if your AI system handles only structured data and the hallucination risk (normally scored 9) is less relevant, you might lower it to 6.
Strategy bias (%) adjusts the base score up or down to reflect your organisation's strategic priorities and risk appetite. It amplifies or de-emphasises a risk before survey evidence and controls are applied.
Final = base × (1 + bias / 100) → capped at 10
What each setting does, and when to change it
The Configuration Editor lets you control how the AI Risk Map scores and reduces risk — without changing the risks or controls themselves.
Save your settings as a .JSON config file, then load it into the main AI Risk Map tool (System tab → Load Config) before starting an assessment.
One config file can be reused across many assessments.
.JSON file containing all your settings. The filename includes your config label and the date. Store this alongside your assessment files..JSON file. Do this before completing the assessment — changing config mid-assessment will recalculate all scores."weight" field must be added directly to that control's entry in the risk assessment app — this requires editing the app file.Version journey