CRMA· IIA
Certification in Risk Management Assurance (IIA)
IIA’s CRMA specialises audit on risk management (ERM, COSO ERM 2017, Three Lines Model). Single 10-week exam path.
Term DefinitionRisk
Risk Matrix
A visual tool crossing likelihood and impact to prioritize risks.
The risk matrix (heat map) graphically represents risks by likelihood (Y-axis) and impact (X-axis). It enables rapid communication of an organization's risk profile to management and the board. Red/orange/green colors indicate urgency and treatment priority levels. 5×5 matrices are most common. A well-designed matrix distinguishes inherent risks (before controls) from residual risks (after controls) to demonstrate control effectiveness.
📌 Key points
- Most common format: 5×5 matrix (likelihood 1–5, impact 1–5)
- Showing both inherent and residual risk demonstrates control effectiveness
- Used for board communication — simple, visual, immediately understandable
- Limitation: oversimplification — two risks with the same score can have very different profiles
- Must be complemented by the risk register for in-depth analysis
Related certifications
These certifications cover the concept of "Risk Matrix" in depth.
CIA· IIA
Certified Internal Auditor (IIA, 3 Parts)
The IIA CIA certification covers this concept in Part 1 (framework, IPPF) and Part 2 (audit practice). 60+ lessons and 1,258 original questions.
🔗 Related concepts
RiskRiskRiskRiskRisk
Risk Register
A centralized document listing all identified risks of an organization.
Inherent Risk
The level of risk before any controls or mitigations are applied.
Residual Risk
The level of risk remaining after controls and mitigations have been applied.
Risk Appetite
The level of risk an organization is prepared to accept in pursuit of its objectives.
Enterprise Risk Management (ERM)
An integrated, holistic approach to identifying and managing all organizational risks.
📖 Related articles
Master this concept and more
Start your GRC certification journey today.