
Risk Register

The Risk Register is your single, team-wide ledger of security and business risk. It's where you record a risk once, score it, assign an owner, plan how you'll deal with it, and track it through to closure. Risks can be created by hand, or minted automatically from your scan findings and compliance gaps — so the register stays current without manual data entry.

[Figure: Enhanced Risk Management dashboard with risk register, treatment plans, and heat map]

What it does

  • Two ways to score risk. Use a business 5×5 matrix (likelihood × impact) for executive-friendly risk, or a 0–100 magnitude scale for technical/system risk. Each risk gets a level — Very Low, Low, Medium, High, or Critical.
  • Treatment plans with SLAs. Decide how to handle each risk — Mitigate, Accept, Transfer, Avoid, or Share — with an owner, a target completion date, an expected residual-risk target, and optional cost/benefit. Overdue plans are flagged and escalated automatically.
  • Auto-minted risks. High-impact findings and failing compliance controls are turned into risk entries for you, deduplicated so you get one risk per issue rather than one per occurrence.
  • Live dashboard. See total risks, treatment-plan progress, pending approvals, a 90-day risk trend, and an inherent-vs-residual exposure view at a glance.
  • Key Risk Indicators (KRIs) and a heat map to monitor risk over time and spot concentrations.

The register works alongside the other Compliance & Risk tools: findings flow in from Vulnerability Management, remediation deadlines are governed by SLA Management, and business context comes from Business Impact Analysis.

How to use it

Open Risk Management from the left navigation (under Compliance & Risk). The page is organized into tabs: Dashboard, Risk Register, Import from Findings, Treatment Plans, Controls, and Heat Map.

1. Create a risk

  1. Go to the Risk Register tab and select Add Risk (or Create Risk).
  2. Enter the basics: title, category, description, and an owner.
  3. Choose an assessment type and score it (see below).
  4. Optionally add an action plan — expected actions, an action owner, a schedule, and progress — then save.

New risks start in an identified state. Every change is tracked, so you keep a full history of how a risk's score and status evolved over time.

2. Score it — business 5×5 or 0–100 system

Business Risk (1–5 matrix). Rate Likelihood and Impact each from 1 to 5. The score is likelihood × impact (1–25), which maps to a level:

| Score | Level |
|-------|-------|
| 16–25 | Critical |
| 10–15 | High |
| 6–9 | Medium |
| 3–5 | Low |
| 1–2 | Very Low |

System Risk (0–100 magnitude). Capture an initial magnitude and a current magnitude (0–100). The register tracks the risk-reduction percentage between them, and the current magnitude maps to a level:

| Magnitude | Level |
|-----------|-------|
| 80–100 | Critical |
| 60–79 | High |
| 40–59 | Medium |
| 20–39 | Low |
| 0–19 | Very Low |

:::tip Which one should I use?
Use Business Risk for risks you'll discuss with leadership (likelihood vs. impact is intuitive on a heat map). Use System Risk for technical risk where you want to show measurable reduction as you apply controls.
:::
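The two scales above, implemented as an added example (not the platform's own code): the band thresholds are the ones in the two tables, while the function names and the dict shape used by `exposure_summary` are assumptions for illustration.

```python
from __future__ import annotations

# (lower bound of band, level), descending, exactly as in the page's tables
BUSINESS_BANDS = [(16, "Critical"), (10, "High"), (6, "Medium"), (3, "Low"), (1, "Very Low")]
SYSTEM_BANDS = [(80, "Critical"), (60, "High"), (40, "Medium"), (20, "Low"), (0, "Very Low")]


def _band(value: int, bands: list[tuple[int, str]]) -> str:
    for floor, level in bands:
        if value >= floor:
            return level
    raise ValueError(f"value {value} is below the lowest band")


def business_score(likelihood: int, impact: int) -> int:
    """5x5 matrix: each factor rated 1-5, score = likelihood x impact (1-25)."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * impact


def business_level(likelihood: int, impact: int) -> str:
    return _band(business_score(likelihood, impact), BUSINESS_BANDS)


def system_level(current_magnitude: int) -> str:
    """0-100 scale; the *current* magnitude, not the initial one, sets the level."""
    if not 0 <= current_magnitude <= 100:
        raise ValueError(f"magnitude must be 0-100, got {current_magnitude}")
    return _band(current_magnitude, SYSTEM_BANDS)


def risk_reduction_pct(initial: float, current: float) -> float:
    """Reduction from initial to current, as a percentage (one decimal)."""
    if initial <= 0:
        return 0.0  # nothing to reduce from; also avoids division by zero
    return round((initial - current) / initial * 100, 1)


def exposure_summary(risks: list[dict]) -> tuple[int, int, float]:
    """Inherent vs residual exposure, like the dashboard view: each risk's
    business score versus its treatment plan's expected residual target.
    A risk with no plan keeps its inherent score as its residual (assumed)."""
    inherent = sum(r["score"] for r in risks)
    residual = sum(r.get("residual_target", r["score"]) for r in risks)
    return inherent, residual, risk_reduction_pct(inherent, residual)
```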

3. Add a treatment plan

From a risk, open Treatment Plans and create a plan that records how you intend to handle the risk:

| Strategy | Use it when… |
|----------|--------------|
| Mitigate | You'll reduce the risk with controls or remediation. |
| Accept | The risk is within tolerance and you'll knowingly retain it. |
| Transfer | You'll shift the risk (e.g. to insurance or a third party). |
| Avoid | You'll stop the activity that creates the risk. |
| Share | You'll split the risk with another party. |

Set a treatment owner, a target completion date, an expected residual risk (the score you expect once the plan is done), and — optionally — estimated cost and benefit. Plans can be submitted for approval and approved or rejected, giving you a clear governance trail. The dashboard's inherent-vs-residual view uses your residual targets to show how much exposure your plans are removing.

:::note Treatment SLAs and escalation
Treatment plans are monitored against priority-based deadlines (by default P1 = 7 days, P2 = 30 days, P3 = 90 days, P4 = 180 days). The platform checks for overdue plans regularly; when a plan breaches its SLA it's flagged and escalated, so plans don't quietly sit "approved" and forgotten. See SLA Management for how deadlines are configured.
:::

4. Let findings and compliance gaps mint risks for you

You don't have to create every risk by hand. Use the Import from Findings tab to promote scan results into the register, and the platform also mints risks automatically:

  • From findings. Critical/High vulnerabilities and cloud misconfigurations (also anything with a CVSS ≥ 7.0, or an issue seen many times) are turned into risks. These are deduplicated by issue, so ten instances of "SSH open to the world" become a single risk with an occurrence count and the list of affected assets — not ten separate entries.
  • From compliance gaps. When a compliance control has been failing (failed, not implemented, or partially implemented) for more than about a day, it's minted as a risk so it gets an owner and shows up on the dashboard. When the underlying control is fixed, the minted risk is closed automatically.

Auto-minted risks are linked back to their source finding or control, and may be flagged for review so your team can confirm the score and assign an owner.
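The deduplicated minting described above, as an added example rather than the platform's own code: findings are grouped by issue, a group qualifies on Critical/High severity or CVSS ≥ 7.0 (both from this page) or on a repeat count (the page gives no number, so the threshold of 5 is an assumption), and re-running against an existing register updates the one risk per issue instead of adding another. The sample findings are constructed, not real scan output.

```python
from __future__ import annotations
from collections import defaultdict

CVSS_THRESHOLD = 7.0   # from the page: CVSS >= 7.0 qualifies
REPEAT_THRESHOLD = 5   # assumption: the page says "seen many times" without a number

# Constructed sample findings (not real scan output): id, issue, asset, severity, cvss
FINDINGS = [
    {"id": "f-1", "issue": "SSH open to the world", "asset": "web-01", "severity": "High", "cvss": 7.5},
    {"id": "f-2", "issue": "SSH open to the world", "asset": "web-02", "severity": "High", "cvss": 7.5},
    {"id": "f-3", "issue": "SSH open to the world", "asset": "bastion", "severity": "High", "cvss": 7.5},
    {"id": "f-4", "issue": "Missing security header", "asset": "web-01", "severity": "Medium", "cvss": 5.3},
    {"id": "f-5", "issue": "Public storage bucket", "asset": "bucket-a", "severity": "Medium", "cvss": 7.5},
]


def qualifies(group: list[dict]) -> bool:
    """A group of findings for one issue becomes a risk if any finding is
    Critical/High or scores CVSS >= 7.0, or if the issue is seen many times."""
    return len(group) >= REPEAT_THRESHOLD or any(
        f["severity"].lower() in {"critical", "high"} or f.get("cvss", 0.0) >= CVSS_THRESHOLD
        for f in group
    )


def mint_risks(findings: list[dict], register: dict | None = None) -> dict:
    """Mint one risk per qualifying issue into `register` (keyed by issue title).

    An issue already in the register is updated in place (occurrence count,
    affected assets, source findings), so repeated runs never duplicate it."""
    if register is None:
        register = {}
    by_issue: dict[str, list[dict]] = defaultdict(list)
    for f in findings:
        by_issue[f["issue"]].append(f)
    for issue, group in by_issue.items():
        if not qualifies(group):
            continue
        # New risks start identified and flagged for human review, as on the page
        risk = register.setdefault(issue, {"title": issue, "status": "identified", "needs_review": True})
        risk["occurrences"] = len(group)
        risk["affected_assets"] = sorted({f["asset"] for f in group})
        risk["source_findings"] = sorted(f["id"] for f in group)
    return register
```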

5. Monitor on the Dashboard, KRIs, and Heat Map

  • Dashboard — headline counts (total risks, treatment plans, pending approvals, KRI health score), a 90-day risk trend, and inherent vs. residual exposure.
  • Key Risk Indicators (KRIs) — track metrics over time against four thresholds (Green, Amber, Red, Critical) and get alerted when a measurement crosses into a worse band.
  • Heat Map — visualize where your risks cluster across likelihood and impact.

Tips & prerequisites

:::tip Set an owner on every risk
Risks (and treatment plans) without an owner are easy to lose track of. Assigning an owner is what makes SLAs, escalation, and accountability work.
:::

:::note Everything is team-scoped
Risks belong to your active team. Switch teams from the account menu in the top-right before reviewing or editing the register, so you're looking at the right environment.
:::

:::warning Auto-minted risks still need a human
Machine-minted risks give you a fast, deduplicated starting point — but confirm the score, owner, and treatment approach. The platform decides what becomes a risk; you decide how to treat it.
:::