
Risk Register

Track, assess, and manage organizational security risks.

Overview

The Risk Register helps you:

  • Identify and document risks
  • Assess likelihood and impact
  • Track risk treatment plans
  • Monitor risk over time
  • Report on risk posture

Navigate to Risk Register in the sidebar.

Risk Structure

Risk Entry

Each risk includes:

Field          Description
Risk ID        Unique identifier
Title          Risk name
Description    Detailed risk description
Category       Risk category
Likelihood     Probability of occurrence (scored 1-5)
Impact         Severity if realized (scored 1-5)
Risk Score     Calculated risk level (Likelihood × Impact)
Owner          Responsible person
Status         Current risk status
Treatment      Risk response plan

Risk Categories

Organize risks by category:

  • Technical: System vulnerabilities, architecture flaws
  • Operational: Process failures, human error
  • Compliance: Regulatory violations, audit failures
  • Third-Party: Vendor risks, supply chain
  • Physical: Facility, environmental
  • Strategic: Business, market risks

Risk Assessment

Likelihood Scale

Level           Score   Description
Rare            1       Unlikely to occur
Unlikely        2       Could occur occasionally
Possible        3       Might occur sometimes
Likely          4       Will probably occur
Almost Certain  5       Expected to occur

Impact Scale

Level           Score   Description
Negligible      1       Minimal impact
Minor           2       Small impact, easily managed
Moderate        3       Noticeable impact
Major           4       Significant impact
Severe          5       Critical impact to operations

Risk Score Calculation

Risk Score = Likelihood × Impact

Score Range    Risk Level
1-4            Low (Green)
5-9            Medium (Yellow)
10-16          High (Orange)
17-25          Critical (Red)

Risk Matrix

Visual risk assessment matrix:

                    IMPACT
           1    2    3    4    5
         ┌────┬────┬────┬────┬────┐
    5    │  5 │ 10 │ 15 │ 20 │ 25 │
         ├────┼────┼────┼────┼────┤
    4    │  4 │  8 │ 12 │ 16 │ 20 │
L        ├────┼────┼────┼────┼────┤
I   3    │  3 │  6 │  9 │ 12 │ 15 │
K        ├────┼────┼────┼────┼────┤
E   2    │  2 │  4 │  6 │  8 │ 10 │
L        ├────┼────┼────┼────┼────┤
I   1    │  1 │  2 │  3 │  4 │  5 │
H        └────┴────┴────┴────┴────┘
O
O        ■ Low  ■ Medium  ■ High  ■ Critical
D

Creating Risks

Add New Risk

  1. Go to Risk Register
  2. Click Add Risk
  3. Enter risk details:
    • Title
    • Description
    • Category
  4. Assess likelihood and impact
  5. Assign owner
  6. Click Create

Risk from Finding

Create risks from security findings:

  1. Open a finding
  2. Click Create Risk
  3. Risk auto-populates with finding details
  4. Review and adjust assessment
  5. Click Create

Import Risks

Import risks from spreadsheet:

  1. Click Import
  2. Download template
  3. Fill in risk data
  4. Upload file
  5. Review and confirm
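The "review and confirm" step is where a bad sheet should be caught, so here is a checker you can run on the filled-in template before uploading it. This is an added Python example, not the product's own importer: the column names mirror the Risk Entry fields on this page, but the real template headers and the owner format are assumptions, so match them to the template you download. Rows failing any rule are rejected as a whole, with line numbers, rather than partially imported.

```python
"""Check a Risk Register import sheet before uploading it.

Added example, not the product's importer. The column names mirror the
Risk Entry fields on this page, but the real template headers and the
owner format are assumptions: match them to the template you download.
"""
import csv
import io

CATEGORIES = {"technical", "operational", "compliance", "third-party", "physical", "strategic"}
REQUIRED = ("title", "description", "category", "likelihood", "impact", "owner")


def validate_row(row: dict, line: int) -> list:
    """Return the list of problems in one row (empty list means the row is good)."""
    get = lambda col: (row.get(col) or "").strip()
    errors = []
    for col in REQUIRED:
        if not get(col):
            errors.append(f"line {line}: missing {col}")
    if get("category").lower() not in CATEGORIES:
        errors.append(f"line {line}: unknown category {get('category')!r}")
    for axis in ("likelihood", "impact"):
        raw = get(axis)
        if not raw.isdigit() or not 1 <= int(raw) <= 5:
            errors.append(f"line {line}: {axis} must be an integer 1-5, got {raw!r}")
    return errors


def parse_import(text: str):
    """Return (accepted_rows, errors). Any row with a problem is rejected, so a
    flawed sheet never half-imports; fix the errors and re-run."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [], [f"header: missing column(s) {', '.join(missing)}"]
    accepted, errors, seen = [], [], set()
    for line, row in enumerate(reader, start=2):  # line 1 is the header
        errs = validate_row(row, line)
        title = (row.get("title") or "").strip()
        if title and title.lower() in seen:
            errs.append(f"line {line}: duplicate title {title!r}")
        if errs:
            errors.extend(errs)
            continue
        seen.add(title.lower())
        likelihood, impact = int(row["likelihood"]), int(row["impact"])
        accepted.append({
            "title": title,
            "description": row["description"].strip(),
            "category": row["category"].strip().lower(),
            "likelihood": likelihood,
            "impact": impact,
            "score": likelihood * impact,   # Risk Score = Likelihood x Impact
            "owner": row["owner"].strip(),
        })
    return accepted, errors


# Constructed sample sheet: two valid rows and one that should be rejected.
SAMPLE = """\
title,description,category,likelihood,impact,owner
Ransomware Attack,Encryption of file servers by malware,Technical,4,5,alice@example.com
Vendor Outage,Key SaaS provider unavailable for a day,Third-Party,3,3,bob@example.com
Untriaged Finding,Scanner finding with no owner yet,Unknown,6,2,
"""

if __name__ == "__main__":
    rows, problems = parse_import(SAMPLE)
    for r in rows:
        print(f"OK   {r['title']}: score {r['score']}, owner {r['owner']}")
    for p in problems:
        print(f"FAIL {p}")
```

On the constructed sheet the third row is rejected three times over (no owner, unknown category, likelihood 6), which is the kind of row that otherwise ends up in the register with an empty owner and an impossible score.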

Risk Treatment

Treatment Options

Treatment   Description                    When to Use
Mitigate    Reduce likelihood or impact    Risk can be reduced cost-effectively
Accept      Acknowledge and monitor        Risk within tolerance
Transfer    Shift to third party           Insurance, outsourcing
Avoid       Eliminate the risk source      Risk too high, activity not essential

Note that Transfer shifts the financial consequences of a risk, not accountability for it: a breach at an outsourced processor is still your incident to handle and report.

Treatment Plans

Document treatment plans:

  1. Open risk detail
  2. Click Treatment tab
  3. Select treatment type
  4. Add treatment details:
    • Actions required
    • Timeline
    • Resources needed
    • Expected residual risk
  5. Click Save

Residual Risk

After treatment, assess residual risk:

Initial Risk: 16 (High)
Treatment: Implement MFA

Residual Risk Assessment:
- Likelihood: 4 → 2 (reduced by control)
- Impact: 4 → 4 (unchanged)
- Residual Score: 8 (Medium)
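The scoring scheme (Risk Score = Likelihood × Impact, banded into Low, Medium, High and Critical), the matrix, and the residual-risk reassessment above, as an added Python example that is not code from the Risk Register product; the function and class names are this example's own. It also shows which of the 25 cells a 5×5 product can actually produce, something the banding table does not make obvious: scores 17-19 and 21-24 never occur, so only 20 and 25 are Critical.

```python
"""Risk scoring, banding, residual assessment and the 5x5 matrix.

Added example, not code from the Risk Register product. It implements the
scheme on this page: Risk Score = Likelihood x Impact, banded 1-4 Low,
5-9 Medium, 10-16 High, 17-25 Critical. Function names are this example's own.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # both axes are scored 1..5

# (inclusive upper bound, level), in ascending order
BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical")]


def _check(name: str, value) -> int:
    # Reject floats, strings, bools and out-of-range values before they reach the register.
    if isinstance(value, bool) or not isinstance(value, int) or value not in SCALE:
        raise ValueError(f"{name} must be an integer 1-5, got {value!r}")
    return value


def risk_score(likelihood: int, impact: int) -> int:
    """Risk Score = Likelihood x Impact (1..25)."""
    return _check("likelihood", likelihood) * _check("impact", impact)


def risk_level(score: int) -> str:
    """Map a score to the page's level bands."""
    for upper, level in BANDS:
        if score <= upper:
            return level
    raise ValueError(f"score out of range: {score}")


@dataclass(frozen=True)
class Assessment:
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def residual(inherent: Assessment, likelihood: int = None, impact: int = None) -> Assessment:
    """Residual assessment after a control. Only the axis the control actually
    changes is overridden: MFA lowers the likelihood of account takeover, but the
    impact of a successful takeover is unchanged."""
    return Assessment(
        inherent.likelihood if likelihood is None else likelihood,
        inherent.impact if impact is None else impact,
    )


def reachable_scores() -> list:
    """Scores a 5x5 product can actually produce. 17, 18, 19 and 21-24 never
    occur, so in practice only 20 and 25 fall in the Critical band."""
    return sorted({risk_score(l, i) for l in SCALE for i in SCALE})


def render_matrix() -> str:
    """Text matrix with likelihood 5..1 down the rows and impact 1..5 across."""
    rows = ["L\\I " + " ".join(f"{i:>3}" for i in SCALE)]
    for l in reversed(SCALE):
        rows.append(f"{l:>3} " + " ".join(f"{risk_score(l, i):>3}" for i in SCALE))
    return "\n".join(rows)


if __name__ == "__main__":
    inherent = Assessment(likelihood=4, impact=4)  # 16, High
    after_mfa = residual(inherent, likelihood=2)   # 8, Medium
    print(f"Inherent {inherent.score} ({inherent.level}) -> "
          f"residual {after_mfa.score} ({after_mfa.level})")
    print(render_matrix())
```

The `residual` helper deliberately changes one axis at a time: most technical controls move likelihood, while impact only drops when you change what is exposed (less data, shorter retention, segmentation), so a treatment plan that claims to reduce both should say which control does which.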

Risk Status

Status Types

Status       Description
Identified   New risk, not yet assessed
Assessing    Under evaluation
Treating     Treatment in progress
Monitoring   Treated or accepted; residual risk being tracked
Closed       Risk eliminated or no longer relevant

Status Workflow

Identified → Assessing → Treating → Monitoring
                            │            │
                            └────────────┴──→ Closed

A risk is closed from Treating when the treatment eliminates it (for example, Avoid removes the risk source) or from Monitoring when it is no longer relevant.

Risk Monitoring

Risk Reviews

Schedule regular risk reviews:

  1. Go to Settings → Risk Management
  2. Set review frequency (monthly, quarterly)
  3. Assign reviewers
  4. System sends reminders

Score History

Track risk score changes over time:

Risk: Unauthorized Data Access

Score History:
Jan:  ████████████████████ 20 (Critical)
Feb:  ████████████████ 16 (High)
Mar:  ████████████ 12 (High)
Apr:  ████████ 8 (Medium)  ← MFA implemented

Key Risk Indicators (KRIs)

Professional Feature

KRI tracking requires Professional or Enterprise plan.

Set up KRIs for important risks:

  1. Open risk detail
  2. Click KRIs tab
  3. Define indicator:
    • Metric to track
    • Threshold values
    • Data source
  4. System alerts when thresholds exceeded
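How threshold alerting behaves once a KRI is defined, as an added Python example that is not the product's KRI engine. Each KRI carries the fields listed above (metric, thresholds, data source); the two-level warning/critical semantics, the "higher is worse" flag, the two KRIs and their weekly readings are all constructed for illustration. The point a practitioner cares about is the last function: alert on a change of state, not on every reading above the line, or the risk owner learns to ignore the mailbox.

```python
"""Evaluate Key Risk Indicators against thresholds and raise alerts.

Added example, not the product's KRI engine. A KRI carries the fields
listed above (metric, thresholds, data source); the two-level threshold
semantics, the KRIs and the weekly readings are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    risk: str
    metric: str
    data_source: str
    warning: float
    critical: float
    higher_is_worse: bool = True  # False for "good" metrics such as patch coverage

    def status(self, value: float) -> str:
        """ok / warning / critical for a single reading."""
        breached = (value >= self.critical) if self.higher_is_worse else (value <= self.critical)
        if breached:
            return "critical"
        warned = (value >= self.warning) if self.higher_is_worse else (value <= self.warning)
        return "warning" if warned else "ok"


def evaluate(kri: KRI, readings) -> list:
    """Alert on status *changes*, not on every breached sample, so a KRI that sits
    above threshold for a month raises one alert instead of one per reading.
    Returning to ok is reported too, so the risk owner sees the recovery."""
    alerts, previous = [], "ok"
    for when, value in readings:
        current = kri.status(value)
        if current != previous:
            alerts.append(f"{when} {kri.risk}: {kri.metric} = {value} -> {current.upper()} "
                          f"(warn {kri.warning}, crit {kri.critical}; source: {kri.data_source})")
        previous = current
    return alerts


# Constructed KRIs and weekly readings (period, value).
PHISHING_CLICK_RATE = KRI(
    risk="Data Breach via Phishing",
    metric="phishing simulation click rate (%)",
    data_source="awareness platform export",
    warning=5.0, critical=10.0)
PATCH_COVERAGE = KRI(
    risk="Unpatched Internet-Facing Systems",
    metric="hosts patched within SLA (%)",
    data_source="vulnerability scanner",
    warning=90.0, critical=80.0, higher_is_worse=False)

CLICK_READINGS = [("2024-W01", 3.0), ("2024-W02", 4.5), ("2024-W03", 6.0),
                  ("2024-W04", 12.0), ("2024-W05", 11.0), ("2024-W06", 4.0)]
COVERAGE_READINGS = [("2024-W01", 95.0), ("2024-W02", 88.0),
                     ("2024-W03", 75.0), ("2024-W04", 92.0)]

if __name__ == "__main__":
    for kri, readings in ((PHISHING_CLICK_RATE, CLICK_READINGS), (PATCH_COVERAGE, COVERAGE_READINGS)):
        for alert in evaluate(kri, readings):
            print(alert)
```

Six weeks of click-rate readings produce three alerts (warning, critical, recovery) rather than four; the W05 reading stays critical and is silent. Pair each KRI with the risk it belongs to so the alert lands with the risk owner, not a shared inbox.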

Risk Reporting

Risk Summary

View overall risk posture:

Risk Register Summary

Total Risks: 24

By Level:
Critical  ██ 2 (8%)
High      ████ 4 (17%)
Medium    ████████ 8 (33%)
Low       ██████████ 10 (42%)

Top Risks:
1. Ransomware Attack (Score: 20)
2. Data Breach via Third Party (Score: 16)
3. Compliance Violation (Score: 15)

Risk Heat Map

Visual representation of all risks:

  1. Go to Reports → Risk Heat Map
  2. See risks plotted on matrix
  3. Click any cell to see risks at that level
  4. Export for presentations

Trend Report

Track risk posture changes:

Period   Critical   High   Medium   Low   Total Score
Q1       3          5      7        8     156
Q2       2          4      8        10    128
Q3       2          4      8        10    124
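The Risk Summary and Trend Report above, generated from a register, as an added Python example that is not the product's reporting code. The level banding is the one on this page; the seven risks and their quarter-to-quarter changes are constructed, and treating "Total Score" as the sum of every risk's score is an assumption. What the tables alone do not show is that the level counts can stay flat while the total score moves, so the trend row carries the score delta as well.

```python
"""Risk Register summary and period-over-period trend.

Added example, not the product's own reporting code. The level banding
is the one on this page; the risks below are constructed, and treating
"Total Score" as the sum of every risk's score is an assumption.
"""
from collections import Counter

LEVELS = ("Critical", "High", "Medium", "Low")


def level(score: int) -> str:
    """Band a 1..25 score: 1-4 Low, 5-9 Medium, 10-16 High, 17-25 Critical."""
    return "Low" if score <= 4 else "Medium" if score <= 9 else "High" if score <= 16 else "Critical"


def register(entries):
    """Build risk records from (title, likelihood, impact) tuples."""
    return [{"title": t, "likelihood": l, "impact": i, "score": l * i} for t, l, i in entries]


def summarize(risks, top_n=3):
    counts = Counter(level(r["score"]) for r in risks)
    total = len(risks)
    return {
        "total": total,
        "by_level": {lvl: (counts[lvl], round(100 * counts[lvl] / total) if total else 0)
                     for lvl in LEVELS},
        "total_score": sum(r["score"] for r in risks),
        "top": sorted(risks, key=lambda r: r["score"], reverse=True)[:top_n],
    }


def trend(periods):
    """periods: ordered (label, risks) pairs; each row carries the change in total score."""
    rows, previous = [], None
    for label, risks in periods:
        s = summarize(risks)
        rows.append({"period": label,
                     **{lvl: s["by_level"][lvl][0] for lvl in LEVELS},
                     "total_score": s["total_score"],
                     "delta": None if previous is None else s["total_score"] - previous})
        previous = s["total_score"]
    return rows


def render_summary(s) -> str:
    lines = [f"Total Risks: {s['total']}", "", "By Level:"]
    for lvl in LEVELS:
        n, pct = s["by_level"][lvl]
        lines.append(f"{lvl:<9} {'█' * n} {n} ({pct}%)")
    lines += ["", "Top Risks:"]
    lines += [f"{i}. {r['title']} (Score: {r['score']})" for i, r in enumerate(s["top"], 1)]
    return "\n".join(lines)


# Constructed data: the same seven risks in Q1 and Q2, two of them reduced in Q2.
Q1 = register([
    ("Ransomware Attack", 4, 5),            # 20 Critical
    ("Unauthorized Data Access", 5, 4),     # 20 Critical
    ("Data Breach via Third Party", 4, 4),  # 16 High
    ("Compliance Violation", 3, 5),         # 15 High
    ("Phishing", 4, 3),                     # 12 High
    ("Laptop Theft", 2, 3),                 #  6 Medium
    ("Office Power Loss", 2, 2),            #  4 Low
])
Q2 = register([
    ("Ransomware Attack", 4, 5),
    ("Unauthorized Data Access", 2, 4),     # MFA rolled out: 20 -> 8
    ("Data Breach via Third Party", 4, 4),
    ("Compliance Violation", 3, 5),
    ("Phishing", 2, 3),                     # awareness training: 12 -> 6
    ("Laptop Theft", 2, 3),
    ("Office Power Loss", 2, 2),
])
PERIODS = [("Q1", Q1), ("Q2", Q2)]

if __name__ == "__main__":
    print(render_summary(summarize(Q2)))
    for row in trend(PERIODS):
        print(row)
```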

Executive Report

Generate board-level risk report:

  1. Click Reports → Executive Summary
  2. Select time period
  3. Choose sections to include
  4. Generate PDF

Integration with Controls

Risk-Control Mapping

Link risks to mitigating controls:

  1. Open risk detail
  2. Click Controls tab
  3. Click Link Control
  4. Select relevant controls
  5. Click Link

Control Effectiveness

See how controls reduce risk:

Risk: SQL Injection Attack
Inherent Risk Score: 20

Mitigating Controls:
- Parameterized queries (effectiveness: 80%)
- Input validation (effectiveness: 60%)
- WAF (effectiveness: 40%)

Residual Risk Score: 6

The effectiveness percentages are recorded per control; this page does not define a formula that combines them into the residual score. The residual score is the residual likelihood × impact recorded for the risk (see Residual Risk), so when you link or unlink a control, reassess the residual likelihood and impact rather than expecting the score to change on its own.

API Access

```bash
# Placeholders (assumptions, not taken from the API Reference): set BASE_URL to
# your instance and API_TOKEN to an API token, and check the reference for the
# exact authentication header.
BASE_URL="https://your-instance.example"
AUTH="Authorization: Bearer $API_TOKEN"
JSON="Content-Type: application/json"

# List risks (filtered by status)
curl -s -H "$AUTH" "$BASE_URL/api/v1/risks?status=monitoring"

# Get risk details
curl -s -H "$AUTH" "$BASE_URL/api/v1/risks/{risk_id}"

# Create risk
curl -s -X POST -H "$AUTH" -H "$JSON" "$BASE_URL/api/v1/risks" -d '{
  "title": "Data Breach via Phishing",
  "description": "Risk of data breach through phishing attacks",
  "category": "technical",
  "likelihood": 4,
  "impact": 5,
  "owner_id": "user_123"
}'

# Update risk: record the treatment and the residual assessment
curl -s -X PATCH -H "$AUTH" -H "$JSON" "$BASE_URL/api/v1/risks/{risk_id}" -d '{
  "treatment_type": "mitigate",
  "treatment_plan": "Implement email security training",
  "residual_likelihood": 2,
  "residual_impact": 5
}'
```

Likelihood and impact are sent as integers 1-5 and the score is calculated from them (here 4 × 5 = 20, Critical). Note that the PATCH leaves the residual at 2 × 5 = 10, still High: training lowers likelihood but does nothing for the impact of a successful phish, so this risk needs a further control before it is a candidate for Monitoring.

See API Reference for full documentation.

Best Practices

  1. Regular Reviews: Review risks at least quarterly
  2. Assign Owners: Every risk needs an owner
  3. Document Treatment: Detail how risks are addressed
  4. Track Trends: Monitor risk scores over time
  5. Link to Controls: Connect risks to mitigating controls
  6. Update Promptly: Reassess after changes or incidents
  7. Report to Leadership: Keep executives informed
