6clicks Roadmap & Feature Requests
1
Inclusion of Controls, Risk Appetite and Risk Tolerances (PowerBI)
Bronte.Hutchinson
Sep 17, 2024

Inclusion of Controls, Risk Appetite and Risk Tolerances to PowerBI API

Comments
Louis
Oct 14, 2024

Bronte, the team will be reaching out to understand this further as currently we do not have risk appetite or tolerance functionality.

0
danie.theron
Oct 17, 2024

Louis, an option could be a risk metric (using the simplistic calculation below)

Adding a custom value to increase / decrease the risk calculation
requiring several values

You already use a basic calculation for Risk rating, e.g.

  • IMPACT i.e. (Insignificant, Minor, Moderate, Major, Extreme) [1-5]
  • Likelihood (Rare, Unlikely, Possible, Likely, Almost Certain) [1-5]
    --> INHERENT risk (low-Critical {1-25})

Residual risk: Consider strength of control
Strength of control = are the controls working as intended?
Strength of controls: Initial Ad-Hoc [1] | Informal Repeatable [1] | Defined [0.4] | Managed [0.6]
--> reduces residual: Impact x Likelihood x Strength of control
--> Residual risk remains the same or reduced

Executive view
Appetite = Subjective - the business owner is not willing to live with this risk (i.e. impact is too significant for them) - how long to remedy
Velocity = Subjective - How fast do we think this risk may realize based on current remediation strategy
Trend = Subjective - Are we doing enough, is the risk profile changing (long time since risk opened, an incident occurred, remediation progress, did the technology / controls change)

Tolerance in this case is not calculated - just provided as guidance
i.e. traffic light to demonstrate if increased need for executive oversight is required
Appetite: In Appetite [1] | In Appetite More to do [2] | Out of appetite [3]
Appetite: Residual Risk * Appetite : [<25-White | <50-Amber | <75-Red]

Velocity: Slow (>2 years) [1] | Medium (<2 years) [2] | Fast (<6 months) [3]
Velocity: Residual Risk * Velocity : [<25-White | <50-Amber | <75-Red]

Trend: Decreasing [1] | Stable [2] | Increasing [3]
Trend: Residual Risk * Trend : [<25-White | <50-Amber | <75-Red]

This allows the Risk owner to assess if they will continue to tolerate the risk position and require change of the remediation strategy/time

1
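
The scoring proposed in the comment above, worked through as an added example (not part of the thread and not 6clicks code). The sample register rows, the `oversight` roll-up and the treatment of a score of exactly 75 as Red are assumptions; the scales and weights are copied as posted.

```python
# Scales and weights copied as posted in the comment above.
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Extreme": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONTROL_STRENGTH = {"Initial Ad-Hoc": 1.0, "Informal Repeatable": 1.0,
                    "Defined": 0.4, "Managed": 0.6}
APPETITE = {"In Appetite": 1, "In Appetite More to do": 2, "Out of appetite": 3}
VELOCITY = {"Slow": 1, "Medium": 2, "Fast": 3}
TREND = {"Decreasing": 1, "Stable": 2, "Increasing": 3}


def traffic_light(score):
    """Bands from the comment: <25 White, <50 Amber, <75 Red."""
    if not 0 < score <= 75:
        raise ValueError(f"score {score} is outside the range (0, 75]")
    if score < 25:
        return "White"
    if score < 50:
        return "Amber"
    # Assumption: the maximum 25 x 3 = 75 is Red too (the posted band is "<75").
    return "Red"


def assess(risk):
    """Return inherent/residual scores and the three executive indicators."""
    inherent = IMPACT[risk["impact"]] * LIKELIHOOD[risk["likelihood"]]
    residual = round(inherent * CONTROL_STRENGTH[risk["control"]], 2)
    lights = {
        "appetite": traffic_light(residual * APPETITE[risk["appetite"]]),
        "velocity": traffic_light(residual * VELOCITY[risk["velocity"]]),
        "trend": traffic_light(residual * TREND[risk["trend"]]),
    }
    # Hypothetical roll-up: any non-White light asks for executive oversight.
    oversight = any(colour != "White" for colour in lights.values())
    return {"inherent": inherent, "residual": residual, **lights, "oversight": oversight}


# Constructed sample register rows (not 6clicks data).
REGISTER = [
    {"name": "Unpatched VPN gateway", "impact": "Extreme", "likelihood": "Almost Certain",
     "control": "Initial Ad-Hoc", "appetite": "Out of appetite", "velocity": "Fast",
     "trend": "Increasing"},
    {"name": "Stale service accounts", "impact": "Major", "likelihood": "Almost Certain",
     "control": "Defined", "appetite": "Out of appetite", "velocity": "Medium",
     "trend": "Stable"},
]

if __name__ == "__main__":
    for row in REGISTER:
        print(row["name"], assess(row))
```

The second row scores 24 on appetite, one point under the Amber band, which shows how sensitive the lights are to the control-strength weight.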