devguard

Risks

Risks highlight potential threats or uncertainties that could impact your objectives, helping you proactively address vulnerabilities across your policies, controls, or frameworks.

Overview

The Risks module is the central place for identifying, evaluating, and managing risks across your organization. It integrates Threat Classes, Vulnerability Classes, Treatment Actions, and the Assessment Matrix to provide a complete view of risk posture and treatment.

Risks allow you to connect controls, policies, and roles with structured evaluations of probability, impact, and residual risk. This ensures that your organization can prioritize the most critical risks, track remediation, and demonstrate compliance readiness.

Risks

Risks are the core entity of the module. Each risk represents a potential threat or uncertainty and aggregates related treatment actions, threat classes, vulnerability classes, and linked controls.

Risks are also represented visually in the Assessment Matrix, showing their initial and residual positions.

Risk Fields

| Field | Description | Example |
| --- | --- | --- |
| Name | The name of the risk (required) | Rogue Workload in Production |
| Slug | Unique identifier for referencing the risk (required) | rogue-workload-in-production |
| Owner | Role responsible for managing the risk (required) | IT Operations |
| Description | Detailed description of the risk | Uncontrolled workloads in production... |
| Labels | Free-form tags to group and filter the risk (multiple allowed) | PII, GDPR, Q3-initiative |
| Affected parties | Related roles potentially affected (multiple allowed) | Developers, Business Owners |
| Threat class | Related threat class | Unauthorized access |
| Vulnerability class | Related vulnerability class | Abuse of authorization |
| Impact description | Free-text explanation of possible impact | System outage or data leakage |
| Probability rating | Likelihood of occurrence (1–10, or unset) | 7 |
| Impact rating | Potential impact severity (1–10, or unset) | 9 |
| Controls | Related controls (multiple allowed) | Access Control Policy, Firewall |
| Treatment type | Strategy for addressing the risk | Mitigate, Accept, Avoid, Transfer |
| Treatment description | Free-text treatment explanation | Apply network segmentation |
| Treatment actions | Linked treatment actions (multiple allowed) | WAF, User Access Reviews |
| Residual probability | Likelihood after mitigation (1–10, or unset) | 4 |
| Residual impact | Impact after mitigation (1–10, or unset) | 6 |

Labels

Labels are free-form, color-coded tags you manage centrally under Collections → Labels and attach to a risk to capture cross-cutting groupings that the structured fields don't — an initiative, a regulatory driver, a business unit, or a data-sensitivity class. A risk can carry any number of labels, and the risk list offers a Labels filter so you can narrow to everything sharing a tag. The same labels can be applied to assets and vendors, giving you one consistent vocabulary across the product.

Probability, Impact, and Residual Ratings

  • Probability represents how likely the risk is to occur (from rare to certain).
  • Impact represents the potential severity if the risk materializes (from negligible to catastrophic).
  • Residual ratings reflect the remaining probability and impact after treatments are applied.

Best practice is to quantify risks consistently and regularly review ratings to reflect organizational changes.

Import and Export

Risks can be imported/exported in CSV format:

risks.csv
slug,name,ownerId
lack-of-capacity-management,Lack of capacity management,{ownerId}
rogue-workload-in-production-environment,Rogue workload in production environment,{ownerId}
data-leak-via-third-party,Data leak via third-party SaaS provider,{ownerId}
unmonitored-admin-access,Unmonitored administrator access,{ownerId}

Assessment Matrix

The Risk Assessment Matrix helps you evaluate and prioritize risks by mapping their likelihood against their impact, providing a structured, visual tool that supports consistent, informed decision-making across your risk and compliance workflows.

Each risk is displayed twice to represent:

  • Initial (before treatments)
  • Residual (remaining exposure after treatments are applied)

Hovering over a risk highlights its placement across these categories, showing the reduction in risk as mitigations are applied.

The matrix also provides statistics on total risks and distribution by severity:

  • High risks (red zone)
  • Medium risks (yellow zone)
  • Low risks (green zone)

Best Practices

  • Risks should ideally be reduced to low wherever possible.
  • Medium and high residual risks should be tied to treatment actions.
  • Regular reviews ensure that ratings remain aligned with reality.
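The two matrix positions and the best-practice check above can be reproduced outside the product. The following is an added example, not devguard code: it uses the page's rating fields (1–10 or unset) and zone names, but the cut-off scores between the red, yellow and green zones are an assumption, since the page does not state where the product draws them.

```python
from dataclasses import dataclass, field
from typing import Optional

# Zone thresholds are an assumption of this example; the page names the zones, not the cut-offs.
HIGH_MIN = 50    # probability x impact >= 50 -> high (red zone)
MEDIUM_MIN = 20  # 20..49 -> medium (yellow zone); below -> low (green zone)


@dataclass
class Risk:
    """Subset of the Risk fields on this page; ratings are 1-10 or unset (None)."""
    slug: str
    probability: Optional[int] = None
    impact: Optional[int] = None
    residual_probability: Optional[int] = None
    residual_impact: Optional[int] = None
    treatment_actions: list = field(default_factory=list)


def zone(probability: Optional[int], impact: Optional[int]) -> str:
    """Map a (probability, impact) pair to a matrix zone; any unset rating -> 'unrated'."""
    for v in (probability, impact):
        if v is not None and not 1 <= v <= 10:
            raise ValueError(f"rating {v!r} is outside 1-10")
    if probability is None or impact is None:
        return "unrated"
    score = probability * impact
    return "high" if score >= HIGH_MIN else "medium" if score >= MEDIUM_MIN else "low"


def matrix_stats(risks: list) -> dict:
    """Count risks per zone twice, as the matrix displays them: initial and residual."""
    stats = {"initial": {}, "residual": {}}
    for r in risks:
        for key, z in (("initial", zone(r.probability, r.impact)),
                       ("residual", zone(r.residual_probability, r.residual_impact))):
            stats[key][z] = stats[key].get(z, 0) + 1
    return stats


def untreated_residual(risks: list) -> list:
    """Best-practice check: medium/high residual risks with no linked treatment action."""
    return sorted(r.slug for r in risks
                  if zone(r.residual_probability, r.residual_impact) in ("medium", "high")
                  and not r.treatment_actions)


# Constructed sample: the page's example ratings (7/9 initial, 4/6 residual) plus three more.
SAMPLE = [
    Risk("rogue-workload-in-production", 7, 9, 4, 6, ["waf-and-ddos-protection"]),
    Risk("unmonitored-admin-access", 6, 8, 5, 7),        # still medium, nothing linked
    Risk("data-leak-via-third-party", 3, 5, 2, 2, ["encryption-rollout"]),
    Risk("lack-of-capacity-management", None, 4),       # probability not yet rated
]
```

`matrix_stats(SAMPLE)` gives the per-zone counts for both positions, and `untreated_residual(SAMPLE)` lists the slugs that violate the second best practice.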

Treatment Actions

Risk Treatment Actions define how identified risks are addressed—whether by mitigating, accepting, transferring, or avoiding them—ensuring clear, trackable responses within your risk and compliance workflows.

Treatment Action Fields

| Field | Description | Example |
| --- | --- | --- |
| Name | The name of the action (required) | WAF and DDoS Protection |
| Slug | Unique identifier (required) | waf-and-ddos-protection |
| Owner | Role responsible for the action (required) | Security Team |
| Description | Detailed explanation | Deploy and configure a WAF |
| Due date | Deadline for implementation (links to Deadlines) | 31.12.2025 |
| Status | Current status of the action | Planned, In Progress, Implemented |

Import and Export

Treatment actions can be imported/exported in CSV format:

treatment-actions.csv
slug,name,ownerId
waf-and-ddos-protection,WAF and DDoS protection,{ownerId}
formal-user-access-reviews,Formal user access reviews,{ownerId}
encryption-rollout,Encryption rollout across endpoints,{ownerId}

Treatment actions display where they are used across risks, ensuring traceability. If an item is no longer valid, related data must be reviewed before removal.

Deadlines

The due date behavior for treatment actions differs from that of assets, entitlements, and risks: treatment action due dates are intended as manually managed reminders and are not cleared automatically. Once a treatment action is completed, its due date must be reviewed and removed manually, and the status should be updated accordingly.

Threat Classes

Threat Classes categorize types of malicious actions or events, providing a structured way to identify, assess, and mitigate security threats across your assets, controls, or frameworks.

Threat Class Fields

| Field | Description | Example |
| --- | --- | --- |
| Name | The name of the threat class (required) | Unintentional access |
| Slug | Unique identifier (required) | unintentional-access |
| Description | Detailed explanation | Prevent access to sensitive data |

Import and Export

Threat classes can be imported/exported in CSV format:

threat-classes.csv
slug,name
users-fall-to-phishing,Users fall to social engineering or phishing attacks
unintentional-sensitive-data,Unintentional access to sensitive data
unauthorized-software,Unauthorized installation of software
unauthorized-system-access,Unauthorized access to the information system

Vulnerability Classes

Vulnerability Classes group common weaknesses in systems or processes, helping you consistently identify and manage exposure points across your assets, risks, or compliance frameworks.

Vulnerability Class Fields

| Field | Description | Example |
| --- | --- | --- |
| Name | The name of the vulnerability class (required) | Abuse of authorization |
| Slug | Unique identifier (required) | abuse-of-authorization |
| Description | Detailed explanation | Unauthorized access to the information system |

Import and Export

Vulnerability classes can be imported/exported in CSV format:

vulnerability-classes.csv
slug,name
abuse-of-authorization,Abuse of authorization
asset-not-returned,Asset not returned
weak-password-policy,Weak password policy
unencrypted-data-storage,Unencrypted data storage
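
All four import files above (risks, treatment actions, threat classes, vulnerability classes) share the same shape: a header row of `slug,name` with `ownerId` added where an Owner is required. The following pre-import check is an added example, not part of devguard; the expected column sets are taken from the CSV samples on this page, while the kebab-case slug rule is inferred from those samples and the owner ids in the constructed data are made up.

```python
import csv
import io
import re

# Columns of each import file shown on this page. ownerId is carried by risks and
# treatment actions (their Owner field is required); the two class files have slug,name.
EXPECTED_COLUMNS = {
    "risks.csv": ["slug", "name", "ownerId"],
    "treatment-actions.csv": ["slug", "name", "ownerId"],
    "threat-classes.csv": ["slug", "name"],
    "vulnerability-classes.csv": ["slug", "name"],
}
SLUG_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")  # shape of every slug on the page
PLACEHOLDER_RE = re.compile(r"^\{.*\}$")            # e.g. {ownerId} left unresolved


def validate_import(filename: str, text: str) -> list:
    """Return human-readable problems; an empty list means the file is importable."""
    expected = EXPECTED_COLUMNS[filename]
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != expected:
        return [f"header {reader.fieldnames} != expected {expected}"]
    problems, seen = [], set()
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        slug = (row.get("slug") or "").strip()
        if not SLUG_RE.match(slug):
            problems.append(f"line {lineno}: slug {slug!r} is not kebab-case")
        if slug in seen:
            problems.append(f"line {lineno}: duplicate slug {slug!r}")
        seen.add(slug)
        for col in expected:
            value = (row.get(col) or "").strip()
            if not value:
                problems.append(f"line {lineno}: missing required {col}")
            elif PLACEHOLDER_RE.match(value):
                problems.append(f"line {lineno}: {col} placeholder {value!r} not resolved")
    return problems


# Constructed sample: the page's risks.csv with made-up owner ids, one slug that is
# not kebab-case and one {ownerId} placeholder that was never filled in.
SAMPLE_RISKS = """slug,name,ownerId
lack-of-capacity-management,Lack of capacity management,role-it-operations
Rogue Workload,Rogue workload in production environment,role-it-operations
data-leak-via-third-party,Data leak via third-party SaaS provider,{ownerId}
"""
```

Running `validate_import("risks.csv", SAMPLE_RISKS)` reports the malformed slug on line 3 and the unresolved placeholder on line 4; a clean file returns an empty list.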

Reviews

Reviews provide a structured way to periodically assess and validate your risks, controls, or compliance elements. They capture a snapshot in time, ensuring that changes are tracked, validated, and approved while maintaining accountability and alignment with your governance objectives.

Review Management

When starting a review, you define the scope and responsibilities. A review automatically creates review items based on your selected scope (e.g., all risks or only high-priority risks).

| Field | Description | Example |
| --- | --- | --- |
| Title | The name of the review (required) | "Q3 Risk Review" |
| Coordinator | Responsible role coordinating the review (required, relation to a role) | "Customer Success" |
| Priority | Defines which risks are included (required) | "High Risks Only" |
| Deadline | Due date for completing the review (integrates with Deadlines) | "2025-10-04" |
| Notes | Optional context or additional instructions | "Focus on operational risks this cycle" |

Reviews support full CRUD operations: they can be created, edited, or withdrawn before being finalized. Once a review is closed, it becomes locked and immutable.

Review Process

Each review lists all risks according to the chosen scope. Any changes made during the review are tracked and displayed as diffs, allowing you to compare against the latest version or earlier cycles. A split view can be enabled for easier side-by-side comparison.

Each review item must be explicitly approved. If necessary, items can also be withdrawn. Once all review items are approved, the review can be closed by selecting Finish Review. This locks the review and prevents further modifications.

Reviews also integrate with the Reports feature through Generate Report, allowing you to export finalized review results for audits, compliance evidence, or internal governance tracking.
