Risks
Risks highlight potential threats or uncertainties that could impact your objectives, helping you proactively address vulnerabilities across your policies, controls, or frameworks.
Overview
The Risks module is the central place for identifying, evaluating, and managing risks across your organization. It integrates Threat Classes, Vulnerability Classes, Treatment Actions, and the Assessment Matrix to provide a complete view of risk posture and treatment.
Risks allow you to connect controls, policies, and roles with structured evaluations of probability, impact, and residual risk. This ensures that your organization can prioritize the most critical risks, track remediation, and demonstrate compliance readiness.
Risks
Risks are the core entity of the module. Each risk represents a potential threat or uncertainty and aggregates related treatment actions, threat classes, vulnerability classes, and linked controls.
Risks are also represented visually in the Assessment Matrix, showing their initial and residual positions.
Risk Fields
| Field | Description | Example |
|---|---|---|
| Name | The name of the risk (required) | Rogue Workload in Production |
| Slug | Unique identifier for referencing the risk (required) | rogue-workload-in-production |
| Owner | Role responsible for managing the risk (required) | IT Operations |
| Description | Detailed description of the risk | Uncontrolled workloads in production... |
| Labels | Free-form tags to group and filter the risk (multiple allowed) | PII, GDPR, Q3-initiative |
| Affected parties | Related roles potentially affected (multiple allowed) | Developers, Business Owners |
| Threat class | Related threat class | Unauthorized access |
| Vulnerability class | Related vulnerability class | Abuse of authorization |
| Impact description | Free-text explanation of possible impact | System outage or data leakage |
| Probability rating | Likelihood of occurrence (1–10, or unset) | 7 |
| Impact rating | Potential impact severity (1–10, or unset) | 9 |
| Controls | Related controls (multiple allowed) | Access Control Policy, Firewall |
| Treatment type | Strategy for addressing the risk | Mitigate, Accept, Avoid, Transfer |
| Treatment description | Free-text treatment explanation | Apply network segmentation |
| Treatment actions | Linked treatment actions (multiple allowed) | WAF, User Access Reviews |
| Residual probability | Likelihood after mitigation (1–10, or unset) | 4 |
| Residual impact | Impact after mitigation (1–10, or unset) | 6 |
Labels
Labels are free-form, color-coded tags you manage centrally under Collections → Labels and attach to a risk to capture cross-cutting groupings that the structured fields don't — an initiative, a regulatory driver, a business unit, or a data-sensitivity class. A risk can carry any number of labels, and the risk list offers a Labels filter so you can narrow to everything sharing a tag. The same labels can be applied to assets and vendors, giving you one consistent vocabulary across the product.
Probability, Impact, and Residual Ratings
- Probability represents how likely the risk is to occur (from rare to certain).
- Impact represents the potential severity if the risk materializes (from negligible to catastrophic).
- Residual ratings reflect the remaining probability and impact after treatments are applied.
Best practice is to quantify risks consistently and regularly review ratings to reflect organizational changes.
Import and Export
Risks can be imported/exported in CSV format. The header row is `slug,name,ownerId`; `{ownerId}` stands for the ID of the owner role and must be filled in before import:

```csv
slug,name,ownerId
lack-of-capacity-management,Lack of capacity management,{ownerId}
rogue-workload-in-production-environment,Rogue workload in production environment,{ownerId}
data-leak-via-third-party,Data leak via third-party SaaS provider,{ownerId}
unmonitored-admin-access,Unmonitored administrator access,{ownerId}
```

Assessment Matrix
The Risk Assessment Matrix helps evaluate and prioritize risks by plotting their probability against their impact, giving you a structured, visual basis for consistent decisions across your risk and compliance workflows.
Each risk is displayed twice to represent:
- Initial (probability and impact rating before treatments)
- Residual (residual probability and residual impact, the exposure remaining after treatments are applied)
Hovering over a risk highlights both of its positions, so you can see how much the treatments reduce it.
The matrix also provides statistics on total risks and distribution by severity:
- High risks (red zone)
- Medium risks (yellow zone)
- Low risks (green zone)
Best Practices
- Reduce risks to the low zone wherever possible.
- Tie every medium or high residual risk to at least one treatment action.
- Review ratings regularly so they stay aligned with reality.
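The following is an added example, not code from the product or this page: it places risks on the matrix the way the section above describes (each risk twice, initial and residual), computes the distribution by severity, and applies the best-practice checks. The page gives 1–10 ratings and red/yellow/green zones but not the zone boundaries, so the score (probability × impact) and the thresholds `HIGH_MIN` / `MEDIUM_MIN` are assumptions, as are the sample risks, which are constructed from the field-table examples.

```python
"""Assessment-matrix placement and best-practice checks.

Added example, not product code. Zone boundaries are assumptions: the page
only says red = high, yellow = medium, green = low for 1-10 ratings.
"""
from dataclasses import dataclass, field
from typing import Optional

# ASSUMPTION: zones are cut on the product of the two 1-10 ratings.
HIGH_MIN = 50    # score >= 50 -> red zone
MEDIUM_MIN = 20  # score >= 20 -> yellow zone; below -> green zone


@dataclass
class Risk:
    slug: str
    probability: Optional[int]
    impact: Optional[int]
    residual_probability: Optional[int] = None
    residual_impact: Optional[int] = None
    treatment_actions: list = field(default_factory=list)


def zone(probability, impact):
    """Map a (probability, impact) pair to a zone; an unset rating cannot be placed."""
    if probability is None or impact is None:
        return "unrated"
    if not (1 <= probability <= 10 and 1 <= impact <= 10):
        raise ValueError("ratings must be 1-10")
    score = probability * impact
    if score >= HIGH_MIN:
        return "high"
    if score >= MEDIUM_MIN:
        return "medium"
    return "low"


def place(risk):
    """Return (initial zone, residual zone): the two positions the matrix shows per risk."""
    return (zone(risk.probability, risk.impact),
            zone(risk.residual_probability, risk.residual_impact))


def matrix_statistics(risks):
    """Total risks and their distribution by severity for both views."""
    stats = {"total": len(risks), "initial": {}, "residual": {}}
    for r in risks:
        initial, residual = place(r)
        stats["initial"][initial] = stats["initial"].get(initial, 0) + 1
        stats["residual"][residual] = stats["residual"].get(residual, 0) + 1
    return stats


def review_findings(risks):
    """Best-practice checks from this page plus one sanity check (residual > initial)."""
    findings = []
    for r in risks:
        initial, residual = place(r)
        if residual in ("medium", "high") and not r.treatment_actions:
            findings.append(f"{r.slug}: residual {residual} risk has no treatment actions")
        if residual == "unrated" and initial != "unrated":
            findings.append(f"{r.slug}: residual rating not set; matrix shows no reduction")
        if (initial != "unrated" and residual != "unrated"
                and r.residual_probability * r.residual_impact > r.probability * r.impact):
            findings.append(f"{r.slug}: residual score exceeds initial score")
    return findings


# Constructed sample data (not from the product) using the field-table example values.
SAMPLE_RISKS = [
    Risk("rogue-workload-in-production", 7, 9, 4, 6, ["waf-and-ddos-protection"]),
    Risk("unmonitored-admin-access", 6, 9, 5, 8, []),       # residual still medium, no actions
    Risk("lack-of-capacity-management", 3, 4, 2, 3),
    Risk("data-leak-via-third-party", 5, 8, None, None),    # residual never rated
]

if __name__ == "__main__":
    print(matrix_statistics(SAMPLE_RISKS))
    for finding in review_findings(SAMPLE_RISKS):
        print(finding)
```

Running it on the sample lists one risk that sits in the medium residual zone without a linked treatment action and one whose residual ratings were never set, which is exactly what a reviewer wants flagged before the matrix is used as evidence.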
Treatment Actions
Risk Treatment Actions define how identified risks are addressed—whether by mitigating, accepting, transferring, or avoiding them—ensuring clear, trackable responses within your risk and compliance workflows.
Treatment Action Fields
| Field | Description | Example |
|---|---|---|
| Name | The name of the action (required) | WAF and DDoS Protection |
| Slug | Unique identifier (required) | waf-and-ddos-protection |
| Owner | Role responsible for the action (required) | Security Team |
| Description | Detailed explanation | Deploy and configure a WAF |
| Due date | Deadline for implementation (links to Deadlines) | 31.12.2025 |
| Status | Current status of the action | Planned, In Progress, Implemented |
Import and Export
Treatment actions can be imported/exported in CSV format:

```csv
slug,name,ownerId
waf-and-ddos-protection,WAF and DDoS protection,{ownerId}
formal-user-access-reviews,Formal user access reviews,{ownerId}
encryption-rollout,Encryption rollout across endpoints,{ownerId}
```

Related Data
Treatment actions display where they are used across risks, ensuring traceability. If an item is no longer valid, related data must be reviewed before removal.
Deadlines
The due date behavior for treatment actions differs from that of assets, entitlements, and risks: treatment action due dates are intended as manually managed reminders and are not cleared automatically. Once a treatment action is completed, its due date must be reviewed and removed manually, and the status should be updated accordingly.
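Before uploading any of the CSV files on this page it is worth checking them locally, because a bad row is far easier to fix in the file than after import. The validator below is an added example, not part of the product: it covers the three-column `slug,name,ownerId` layout used by risks and treatment actions and the two-column `slug,name` layout used by threat classes and vulnerability classes. The slug pattern, the role IDs in the sample and the treatment of an unreplaced `{ownerId}` placeholder as an error are assumptions; the sample rows are constructed from the page's own examples.

```python
"""Validate import CSVs in the layouts shown on this page.

Added example, not product code. Assumptions: slugs are lowercase words joined
by single hyphens (as in every example on the page), an ownerId still equal to
the literal {ownerId} placeholder is an error, and role IDs are opaque strings.
"""
import csv
import io
import re
from typing import Optional

# Columns per entity, taken from the import examples on this page.
REQUIRED_COLUMNS = {
    "risk": ("slug", "name", "ownerId"),
    "treatment_action": ("slug", "name", "ownerId"),
    "threat_class": ("slug", "name"),
    "vulnerability_class": ("slug", "name"),
}

# ASSUMPTION: slug format inferred from the examples.
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


def validate_import(entity: str, text: str,
                    known_owner_ids: Optional[set] = None) -> list:
    """Return a list of problems; an empty list means the file is ready to import."""
    problems = []
    required = REQUIRED_COLUMNS[entity]
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in required if c not in header]
    if missing:
        return [f"header is missing required column(s): {', '.join(missing)}"]

    seen_slugs = {}
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        slug = (row.get("slug") or "").strip()
        name = (row.get("name") or "").strip()
        if not slug:
            problems.append(f"line {lineno}: empty slug")
        elif not SLUG_RE.match(slug):
            problems.append(f"line {lineno}: slug {slug!r} is not lowercase-hyphenated")
        elif slug in seen_slugs:
            problems.append(f"line {lineno}: duplicate slug {slug!r} "
                            f"(first seen on line {seen_slugs[slug]})")
        else:
            seen_slugs[slug] = lineno
        if not name:
            problems.append(f"line {lineno}: empty name for slug {slug!r}")
        if "ownerId" in required:
            owner = (row.get("ownerId") or "").strip()
            if not owner:
                problems.append(f"line {lineno}: empty ownerId")
            elif owner.startswith("{") and owner.endswith("}"):
                problems.append(f"line {lineno}: ownerId placeholder {owner} was never replaced")
            elif known_owner_ids is not None and owner not in known_owner_ids:
                problems.append(f"line {lineno}: ownerId {owner!r} is not a known role")
    return problems


# Constructed sample (not from the product): the page's risk rows with a placeholder
# left in one row, a badly cased slug and a duplicate slug. "role-it-ops" is an
# assumed role ID.
SAMPLE_RISKS = """slug,name,ownerId
lack-of-capacity-management,Lack of capacity management,role-it-ops
rogue-workload-in-production-environment,Rogue workload in production environment,{ownerId}
Data-Leak,Data leak via third-party SaaS provider,role-it-ops
lack-of-capacity-management,Lack of capacity management (copy),role-it-ops
"""

SAMPLE_THREAT_CLASSES = """slug,name
users-fall-to-phishing,Users fall to social engineering or phishing attacks
unauthorized-system-access,Unauthorized access to the information system
"""

if __name__ == "__main__":
    for problem in validate_import("risk", SAMPLE_RISKS, known_owner_ids={"role-it-ops"}):
        print(problem)
    print("threat classes:", validate_import("threat_class", SAMPLE_THREAT_CLASSES) or "ok")
```

Passing `known_owner_ids` (the role IDs exported from your tenant) turns the owner check from a syntax check into a referential one; without it the validator only catches the unreplaced placeholder.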
Threat Classes
Threat Classes categorize types of malicious actions or events, providing a structured way to identify, assess, and mitigate security threats across your assets, controls, or frameworks.
Threat Class Fields
| Field | Description | Example |
|---|---|---|
| Name | The name of the threat class (required) | Unintentional access |
| Slug | Unique identifier (required) | unintentional-access |
| Description | Detailed explanation | Prevent access to sensitive data |
Import and Export
Threat classes can be imported/exported in CSV format:

```csv
slug,name
users-fall-to-phishing,Users fall to social engineering or phishing attacks
unintentional-sensitive-data,Unintentional access to sensitive data
unauthorized-software,Unauthorized installation of software
unauthorized-system-access,Unauthorized access to the information system
```

Vulnerability Classes
Vulnerability Classes group common weaknesses in systems or processes, helping you consistently identify and manage exposure points across your assets, risks, or compliance frameworks.
Vulnerability Class Fields
| Field | Description | Example |
|---|---|---|
| Name | The name of the vulnerability class (required) | Abuse of authorization |
| Slug | Unique identifier (required) | abuse-of-authorization |
| Description | Detailed explanation | Unauthorized access to the information system |
Import and Export
Vulnerability classes can be imported/exported in CSV format:

```csv
slug,name
abuse-of-authorization,Abuse of authorization
asset-not-returned,Asset not returned
weak-password-policy,Weak password policy
unencrypted-data-storage,Unencrypted data storage
```

Reviews
Reviews provide a structured way to periodically assess and validate your risks, controls, or compliance elements. They capture a snapshot in time, ensuring that changes are tracked, validated, and approved while maintaining accountability and alignment with your governance objectives.
Review Management
When starting a review, you define the scope and responsibilities. A review automatically creates review items based on your selected scope (e.g., all risks or only high-priority risks).
| Field | Description | Example |
|---|---|---|
| Title | The name of the review (required) | Q3 Risk Review |
| Coordinator | Role coordinating the review (required, relation to a role) | Customer Success |
| Priority | Defines which risks are included (required) | High Risks Only |
| Deadline | Due date for completing the review (integrates with Deadlines) | 2025-10-04 |
| Notes | Optional context or additional instructions | Focus on operational risks this cycle |
Reviews support full CRUD operations: they can be created, edited, or withdrawn before being finalized. Once a review is closed, it becomes locked and immutable.
Review Process
Each review lists all risks according to the chosen scope. Any changes made during the review are tracked and displayed as diffs, allowing you to compare against the latest version or earlier cycles. A split view can be enabled for easier side-by-side comparison.
Each review item must be explicitly approved. If necessary, items can also be withdrawn. Once all review items are approved, the review can be closed by selecting Finish Review. This locks the review and prevents further modifications.
Reviews also integrate with the Reports feature through Generate Report, allowing you to export finalized review results for audits, compliance evidence, or internal governance tracking.