Control Effectiveness & Residual Risk
Add the risks. Add the controls. Slide each control's effectiveness and watch residual risk fall — for one risk, or for the whole framework.
- Portfolio inherent: sum of likelihood × impact across every risk.
- Portfolio residual: what's left after every control is applied.
- Reduction: how much of the inherent risk your controls remove, as a percentage.
Inherent vs residual, by risk
| Risk | Inherent | Residual | Reduction |
|---|---|---|---|
Risks & controls
How this calculator thinks about risk.
The math, in one paragraph
Each risk is scored on the standard 5×5 ERM heat map: likelihood (1–5) × impact (1–5) gives an inherent score from 1 to 25. Each control on that risk has an effectiveness percentage (0–100%). Residual risk is computed multiplicatively — that is, each control acts independently on what's left after the previous control:
residual = inherent × ∏_i (1 − effectiveness_i / 100)
Three controls at 60% effectiveness each leave 0.4 × 0.4 × 0.4 = 6.4% of the original risk — not zero, even though the percentages would naively add to 180%. That's the practitioner's default and the conservative read.
What the effectiveness label means
The slider also surfaces a qualitative tier so a non-technical reader doesn't have to translate percentages in their head:
- Ineffective (0–33%) — the control is absent, broken, or not meaningfully reducing risk.
- Partially Effective (34–66%) — the control exists and works, but has gaps — coverage holes, inconsistent execution, or known workarounds.
- Effective (67–100%) — the control functions as designed and is exercised consistently. Not a guarantee, but the level you can defend in an audit.
These are the same three bands used in most ERM/audit frameworks (COSO, COBIT, ISO 31000 in spirit). They're a translation layer, not a replacement for the percentage — the math underneath always uses the precise value.
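The residual formula and the three tier bands above, as an added example that is not the calculator's own source: it scores risks on the 5×5 map, stacks controls multiplicatively, labels each effectiveness percentage with its tier, and rolls the rows up into the portfolio figures. The risk names and control values are constructed sample data.

```javascript
// Added example (not the calculator's code): the residual-risk math from the page.

// Likelihood and impact are each 1-5 on the ERM heat map; inherent is 1-25.
function inherentScore(likelihood, impact) {
  for (const v of [likelihood, impact]) {
    if (!Number.isInteger(v) || v < 1 || v > 5) throw new RangeError(`score ${v} is outside 1-5`);
  }
  return likelihood * impact;
}

// residual = inherent × ∏ (1 − effectiveness_i / 100): each control acts on
// what the previous ones left, so three 60% controls leave 6.4%, not -80%.
function residualScore(inherent, effectiveness) {
  return effectiveness.reduce((left, e) => {
    if (e < 0 || e > 100) throw new RangeError(`effectiveness ${e}% is outside 0-100`);
    return left * (1 - e / 100);
  }, inherent);
}

// Qualitative tier bands from the page, applied to a 0-100 percentage.
function effectivenessTier(pct) {
  if (pct <= 33) return "Ineffective";
  if (pct <= 66) return "Partially Effective";
  return "Effective";
}

// One row per risk (the CSV export columns) plus the portfolio totals.
function summarizePortfolio(risks) {
  const rows = risks.map(r => {
    const inherent = inherentScore(r.likelihood, r.impact);
    const residual = residualScore(inherent, r.controls);
    return { name: r.name, inherent, residual, reduction: 100 * (1 - residual / inherent) };
  });
  const inherent = rows.reduce((sum, r) => sum + r.inherent, 0);
  const residual = rows.reduce((sum, r) => sum + r.residual, 0);
  return { rows, inherent, residual, reduction: inherent ? 100 * (1 - residual / inherent) : 0 };
}

// Constructed sample: three risks; the first carries the page's three 60% controls.
const SAMPLE_RISKS = [
  { name: "Ransomware on file servers", likelihood: 4, impact: 5, controls: [60, 60, 60] },
  { name: "Privileged account misuse", likelihood: 3, impact: 4, controls: [80] },
  { name: "Vendor outage", likelihood: 2, impact: 3, controls: [] },
];

const summary = summarizePortfolio(SAMPLE_RISKS);
for (const row of summary.rows) {
  console.log(`${row.name}: inherent ${row.inherent}, residual ${row.residual.toFixed(2)}, reduction ${row.reduction.toFixed(1)}%`);
}
console.log(`Portfolio: ${summary.inherent} -> ${summary.residual.toFixed(2)} (${summary.reduction.toFixed(1)}% reduction)`);
```

A risk with no controls keeps its full inherent score, so an unaddressed row shows 0% reduction rather than disappearing from the totals.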
Where the model is honest, and where it isn't
- Honest: defense-in-depth almost never zeroes risk out. Multiplicative residual reflects that.
- Simplification: controls are assumed to act independently. In reality they often correlate (two controls run by the same team that loses budget at the same time, for instance). Real GRC platforms handle this with control families and dependency mapping; this calculator does not.
- Simplification: a control here belongs to one risk. In practice a single control (say MFA) reduces several risks. That's a many-to-many model — possible, but a much bigger lift. v1 keeps controls owned by their parent risk.
What the export gives you
Export PNG writes the chart exactly as drawn, on the dark surface, suitable for slides or a status report. Export CSV writes the underlying rows — risk name, inherent, residual, reduction — for analysis in Excel, Sheets, or a real GRC system.
Security & privacy note
Everything you type stays in your browser tab. Nothing is sent to a server, written to disk, or saved across reloads. Refresh the page and you're back to the three example risks. If you want persistence, that's a deliberate next step — not a silent default.