Risk Management (Shared Content)🔗
Configuration🔗
Purpose🔗
In the Configuration section you assign risks to the appropriate categories (e.g. Data, Service Providers, Hardware, Personnel). The domain relevance of a risk determines which modules it is displayed in.
This ensures that risks only appear where they are relevant — for example, only in the ISO 27001 context or across several modules simultaneously.
View Layout🔗
The view is divided into three areas:
- Selection of the Category (left; e.g. Data, Service Providers, Processes).
- List of available risks (center).
- List of risks assigned to the selected category (right).
Many standard risks are already predefined. You can adopt them or add your own.
Usage🔗
Assigning Threats🔗
- Open the Risk Management → Configuration section.
- Select the desired Category on the left (e.g. "Data").
- In the center list you can see all available risks.
- Drag the relevant risks from the center list to the right-hand list of risks assigned to the category (drag & drop).
- Repeat the assignment until all relevant categories are appropriately populated.
This way you assign, for example, the risk "Data loss due to hardware defect" to all data assets.
In the risk analysis this risk will then be displayed for all data resources.
Creating New Threats🔗
If a threat is missing, you can create it directly in the configuration:
- Click + Add Risk in the risks area (or use the three-dot menu).
- Enter:
- Name
- Description
- optionally the domain relevance (e.g. whether the risk should also be used in the ISMS or IT-Grundschutz module)
- Save the risk.
Newly created risks are immediately available in the configuration and later in the risk analysis.
Mandatory fields
Red exclamation marks indicate mandatory fields. The risk cannot be saved without this information.
Domain Relevance🔗
Using domain relevance you can control which modules a risk is used in (e.g. ISO 27001, IT-Grundschutz, BCM).
Advantages:
- You maintain risks only once in a central location.
- The same risk catalog is available in other modules.
- Evaluations and comparisons across modules become easier.
Notes & Best Practices🔗
- Keep the number of risk categories manageable so that it remains easy for departments to get started.
- When introducing new modules, first check whether existing risks can be reused instead of creating new duplicates.
Risk Analysis🔗
Purpose🔗
In the Risk Analysis you assess the risks for each relevant object (e.g. asset, process, provider) based on likelihood and impact. This determines the risk class, which is used for prioritizing measures.
View Layout🔗
The risk analysis shows you:
- the selected Scope at the top,
- a list of your resources (e.g. assets such as "Adobe Creative Cloud"),
- the assigned risks per resource,
- the status per risk (e.g. not started, in progress, completed, not relevant).
Status indicators:
- Hourglass: not started
- Pencil / "In progress": assessment in progress
- Checkmark: completed
- Label "not relevant": risk was deliberately excluded
Usage🔗
Checking Relevance🔗
Before starting a risk analysis you can check whether a risk is relevant for a resource at all:
- Select the scope and the resource.
- Select the risk.
- If the risk does not apply, set it to "not relevant".
This ensures that you only assess risks that actually apply to the resource in the respective module context (e.g. BCM).
Starting a Risk Analysis🔗
To assess a risk for a resource for the first time:
- Select the scope.
- Select an object (e.g. asset or process) from the list.
- Select the desired risk.
- Click "Start new risk analysis".
The detail view for the risk opens.
Assessing Likelihood and Impact🔗
In the detail view you assess:
- Likelihood (e.g. very low to very high — based on the BSI standard)
- Impact (e.g. very low to very high)
The system automatically calculates:
- the initial risk (gross risk before measures),
- the gross acceptance level.
You can also provide a justification for your assessment, e.g. based on the criticality determined in the Business Impact Analysis (BIA) in the BCM module or on the technical and organizational safeguards already in place.
Defining the Treatment Option🔗
For each risk you determine how it should be handled:
- Avoid (e.g. change or discontinue a process)
- Reduce (implement additional measures)
- Transfer (e.g. insurance, outsourcing)
- Accept (consciously accepted residual risk)
If you are unsure, the info icon next to the options explains their meaning in detail.
The selection affects how the risk is treated going forward and which measures become necessary.
Updating Risk Assessments🔗
When conditions change (e.g. new infrastructure), you can update an existing risk assessment:
- Continue the risk assessment (the existing assessment is updated in place), or
- archive and restart (a new version is created).
When archiving:
- the previous assessment is retained,
- the status is reset to "in progress",
- the treatment plan is not carried over (it should ideally have been implemented already).
This allows you to compare historical and current assessments in the overview.
Notes & Best Practices🔗
- Where possible, use agreed assessment criteria (e.g. from policies) so that different departments assess risks in a comparable way.
- For unusual assessments, briefly document in the comments why the "standard logic" was deliberately deviated from.
Treatment Plan🔗
Purpose🔗
In the Treatment Plan you define how identified risks are handled. The options are the same as in the risk analysis: avoid, reduce (mitigate), transfer, or accept. For risks to be reduced, concrete measures with responsible persons and deadlines are defined.
Usage🔗
- Open the Treatment Plan section.
- Select a risk with an elevated or critical risk class.
- Choose a treatment option for each risk (avoid, reduce/mitigate, transfer, accept).
- For risks to be reduced, create one or more measures with:
- Measure title
- Measure description
- Responsible person or role
- Due date / target date
- Where available, link existing measures from other modules instead of creating new ones, to avoid duplication of effort.
Reusing Measures🔗
Instead of creating new measures for every risk, you can reuse existing measures:
- In the treatment plan, click the chain icon or "Link measure".
- Select an existing measure from the list.
- Link it to the current risk.
This way, generic measures such as "Update backup concept" or "Conduct emergency drill" can be used multiple times without having to duplicate them.
Status Tracking🔗
Each measure has a status, e.g.:
- Not started
- In progress
- To be approved
- Completed
Additionally:
- Responsible persons and approvers receive email notifications when deadlines are reached or exceeded.
- All measures — including those from other modules — are consolidated in the central Findings & Measures section, where they can be filtered and edited.
Connection to Residual Risk🔗
The planned and implemented measures form the basis for assessing the residual risk.
Depending on the effectiveness of the measures, likelihood and impact can be rated lower in the residual risk assessment.
Notes & Best Practices🔗
- Focus on risks with a high or critical risk class.
- Plan fewer, clearly formulated measures with realistic deadlines rather than many vague actions without clear responsibility.
Residual Risk & Completion🔗
Purpose🔗
In the Residual Risk & Completion section you assess, after implementing the measures, what risk remains. This assessment serves as evidence for management, internal audit, or external auditors that risks are consciously accepted or further treated.
Usage🔗
From Initial Risk to Residual Risk🔗
From the risk analysis you know:
- Initial risk (gross risk before measures)
- Gross acceptance level
After implementing or planning measures you assess:
- Residual risk (net risk after measures)
- Net acceptance level (or a further net-net level, depending on configuration)
To do this, you adjust — based on the measures — the assessment of likelihood and impact.
Residual Risk Assessment Procedure🔗
- Select a risk for which measures have been completed or largely implemented.
- Open the Residual Risk section.
- Update the assessment (likelihood and impact) taking into account the implemented measures.
- The new residual risk class is calculated automatically.
- Decide whether the residual risk:
- is accepted (including a brief justification), or
- requires further measures.
- Close the risk treatment once the decision is binding.
Example:
- Before measures: Likelihood "high", Impact "high" → Initial risk "very high".
- After measures: Likelihood "very low", Impact "medium" → Residual risk "low".
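The calculation behind the "Assessing Likelihood and Impact" step and the residual-risk example above, as an added illustration that is not the tool's own code: a small Python model that looks up the risk class from a likelihood/impact pair, checks it against an acceptance level, records the treatment option, re-rates the residual risk and archives a version. The five-level scale, the class matrix, the acceptance threshold of "medium" and the resource/risk names are assumptions chosen so that the page's example ((high, high) gives "very high", (very low, medium) gives "low") is reproduced; take the real values from your Risk Matrix Configuration.

```python
"""Gross (initial) and net (residual) risk for one resource/risk pair.

Added example, not the tool's own code. Assumed: a five-level scale for
likelihood and impact, an illustrative class matrix and an acceptance
threshold of "medium". Replace these with your Risk Matrix Configuration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

LEVELS = ["very low", "low", "medium", "high", "very high"]
CLASSES = ["low", "medium", "high", "very high"]

# Rows: likelihood, columns: impact, both in LEVELS order. Assumed matrix.
CLASS_MATRIX = [
    ["low",    "low",    "low",    "medium",    "medium"],
    ["low",    "low",    "medium", "medium",    "high"],
    ["low",    "medium", "medium", "high",      "high"],
    ["medium", "medium", "high",   "very high", "very high"],
    ["medium", "high",   "high",   "very high", "very high"],
]
ACCEPTANCE_THRESHOLD = "medium"  # assumed: classes up to "medium" are acceptable


class Treatment(Enum):
    AVOID = "avoid"
    REDUCE = "reduce"
    TRANSFER = "transfer"
    ACCEPT = "accept"


def risk_class(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to its risk class; unknown labels are an error."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return CLASS_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]


def within_acceptance(cls: str) -> bool:
    """True if the class is at or below the configured acceptance level."""
    return CLASSES.index(cls) <= CLASSES.index(ACCEPTANCE_THRESHOLD)


@dataclass
class Assessment:
    resource: str
    risk: str
    likelihood: str
    impact: str
    justification: str = ""
    treatment: Treatment | None = None
    residual: tuple[str, str] | None = None  # (likelihood, impact) after measures
    status: str = "in progress"
    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

    @property
    def initial_class(self) -> str:
        return risk_class(self.likelihood, self.impact)

    @property
    def residual_class(self) -> str | None:
        return risk_class(*self.residual) if self.residual else None

    def assess_residual(self, likelihood: str, impact: str, justification: str = "") -> str:
        """Re-rate likelihood/impact taking the implemented measures into account."""
        if self.treatment is None:
            raise ValueError("choose a treatment option before assessing residual risk")
        self.residual = (likelihood, impact)
        self.justification = justification or self.justification
        return self.residual_class

    def complete(self) -> str:
        """Close the assessment. A residual above the acceptance level needs an
        explicit ACCEPT decision with a justification; otherwise further measures."""
        cls = self.residual_class
        if cls is None:
            raise ValueError("residual risk not assessed")
        if not within_acceptance(cls) and (
            self.treatment is not Treatment.ACCEPT or not self.justification
        ):
            raise ValueError(f"residual {cls!r} above acceptance level: further measures required")
        self.status = "completed"
        return self.status


def archive_and_restart(a: Assessment, archive: list[Assessment]) -> Assessment:
    """Keep the old assessment in the archive and start a fresh version.
    Assumed: the gross rating is carried over as a starting point; the treatment
    option and residual rating are not (as the page describes)."""
    archive.append(a)
    return Assessment(a.resource, a.risk, a.likelihood, a.impact)


if __name__ == "__main__":
    history: list[Assessment] = []
    a = Assessment("Adobe Creative Cloud", "Data loss due to hardware defect", "high", "high")
    print("initial:", a.initial_class, "acceptable:", within_acceptance(a.initial_class))
    a.treatment = Treatment.REDUCE
    print("residual:", a.assess_residual("very low", "medium"))
    print("status:", a.complete())
    fresh = archive_and_restart(a, history)
    print("archived versions:", len(history), "new status:", fresh.status)
```

Note that `complete()` refuses to close an assessment whose residual is still above the acceptance level unless someone has deliberately chosen "accept" and written a justification; that is the evidence an auditor will later look for in the archive.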
Completing the Risk Assessment🔗
When you are satisfied with the residual risk assessment:
- Click "Complete Risk Assessment" (label may vary).
- The assessment is marked as completed.
- The results feed into:
- the risk matrix,
- the risk overview,
- reports and audit evaluations.
Should the situation change later (e.g. new infrastructure, different BIA results), you can:
- Continue the risk assessment to update it, or
- archive and restart to create a new version with a timestamp.
Historical Comparisons🔗
Archived assessments are displayed in the Risk Overview under the Archive section.
There you can, for a specific asset and a specific risk, view:
- all previous assessments,
- the point in time of each assessment,
- the measures and acceptance decisions,
and compare them with each other. This is particularly useful for audits and management reviews.
Notes & Best Practices🔗
- Keep the justification for risk acceptance brief but comprehensible (e.g.: "Residual risk accepted, as further measures would be disproportionate").
- Also use this section as preparation for management reports or audits.
Risk Matrix & Overview🔗
Purpose🔗
The Risk Matrix & Overview summarizes your assessments on a matrix. This allows you to see at a glance where risks accumulate in the portfolio and which areas are particularly critical.
Risk Matrix🔗
On the matrix you can see:
- X-axis: Impact (e.g. low → very high)
- Y-axis: Likelihood (e.g. very low → very high)
Each cell shows how many risks fall into this combination.
Clicking a cell opens the list of associated risks or resources.
Filter Options🔗
You can typically filter the risk matrix by:
- Scope (e.g. "Security 2025")
- Resource category (processes, assets, service providers, …)
- Residual risk assessment (e.g. only completed assessments)
- other criteria, depending on configuration.
This allows you to focus, for example, on all "very high" risks of a specific scope.
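How the matrix cells and the filters above can be derived from a list of assessments, as an added example that is not the tool's own code: the records are constructed sample data, and their field names (scope, resource, risk, status, likelihood, impact, residual) are assumptions, not the tool's export schema. Risks set to "not relevant" are excluded, "completed only" restricts to closed assessments, and the residual view uses the net rating and skips assessments that have none yet.

```python
"""Aggregate assessments into risk-matrix cells with scope/status filters.

Added example, not the tool's own code. ASSESSMENTS is constructed sample
data; the field names are assumptions about an export format.
"""
from collections import defaultdict

LEVELS = ["very low", "low", "medium", "high", "very high"]

# Constructed sample export: one record per resource/risk pair.
ASSESSMENTS = [
    {"scope": "Security 2025", "resource": "Adobe Creative Cloud", "risk": "Data loss due to hardware defect",
     "status": "completed", "likelihood": "high", "impact": "high", "residual": ("very low", "medium")},
    {"scope": "Security 2025", "resource": "Fileserver", "risk": "Data loss due to hardware defect",
     "status": "in progress", "likelihood": "high", "impact": "very high", "residual": None},
    {"scope": "Security 2025", "resource": "Fileserver", "risk": "Unauthorised access",
     "status": "completed", "likelihood": "medium", "impact": "high", "residual": ("low", "high")},
    {"scope": "Security 2025", "resource": "Marketing website", "risk": "Data loss due to hardware defect",
     "status": "not relevant", "likelihood": "high", "impact": "high", "residual": None},
    {"scope": "Security 2024", "resource": "Adobe Creative Cloud", "risk": "Data loss due to hardware defect",
     "status": "completed", "likelihood": "high", "impact": "high", "residual": ("medium", "medium")},
]


def matrix_cells(assessments, scope=None, completed_only=False, view="initial"):
    """Group assessments into (likelihood, impact) cells.

    "not relevant" risks never count. view="residual" uses the net rating and
    skips assessments without one. Returns {(likelihood, impact): [(resource, risk), ...]}
    for non-empty cells only, which is what the click-through on a cell lists.
    """
    cells = defaultdict(list)
    for a in assessments:
        if a["status"] == "not relevant":
            continue
        if scope is not None and a["scope"] != scope:
            continue
        if completed_only and a["status"] != "completed":
            continue
        if view == "residual":
            if a["residual"] is None:
                continue
            key = tuple(a["residual"])
        else:
            key = (a["likelihood"], a["impact"])
        cells[key].append((a["resource"], a["risk"]))
    return dict(cells)


def cell_counts(cells):
    """Number of risks per cell, as displayed on the matrix."""
    return {cell: len(items) for cell, items in cells.items()}


def render(cells):
    """Text rendering: rows = likelihood (very high at the top), columns = impact."""
    lines = ["likelihood \\ impact | " + " | ".join(f"{lvl:>9}" for lvl in LEVELS)]
    for lik in reversed(LEVELS):
        row = [f"{len(cells.get((lik, imp), [])):>9}" for imp in LEVELS]
        lines.append(f"{lik:>19} | " + " | ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    cells = matrix_cells(ASSESSMENTS, scope="Security 2025")
    print(render(cells))
    print("behind (high, high):", cells[("high", "high")])
    print(render(matrix_cells(ASSESSMENTS, scope="Security 2025", completed_only=True, view="residual")))
```

Comparing the initial and the residual rendering for the same scope is the quickest way to see whether treatment has actually moved risks out of the upper-right cells or whether they merely remain "in progress".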
Risk Analysis Overview🔗
In addition to the matrix, there is a tabular Risk Analysis Overview:
- All risks per resource in list form.
- With status, initial and residual risk, responsibilities.
- Sort and filter functions (e.g. by criticality, date of last assessment).
Risk Matrix Configuration🔗
The basic configuration of scales (likelihood, impact, colors, thresholds) is done in the global Risk Matrix Configuration.
By default the scale follows BSI recommendations, but it can be adapted to your organization's requirements (e.g. different levels, different labels).
Notes & Best Practices🔗
- Use the matrix regularly to identify trends (e.g. increase in critical risks in a specific area).
- Combined with measure implementation rates, you can effectively visualize risk treatment progress here.