Nis2You
Risks

A risk is a potential event that could harm your business. The risk register makes them visible, ranks them, and forces a decision on each one.

The risk equation

Each risk is scored on two dimensions: the probability of occurrence and the impact if it does. The score is just their product.

Probability × Impact = Score

Both scales run from 1 to 5, so the score runs from 1 (negligible) to 25 (existential).

Inherent vs residual

You score every risk twice:

Inherent (naked)

Probability × impact IF you had no controls in place. Your baseline exposure, without your defences.

Residual (with controls)

What's left once your controls are deployed. The risk you actually carry today.

If residual is not lower than inherent, your controls aren't doing their job — or aren't being applied. That's exactly what auditors check.

The probability × impact heatmap

Visualise your risks on a 5×5 grid. Red zones (score ≥ 12) demand immediate treatment; green (score ≤ 4) can be accepted.

Rows are impact (I1-I5), columns are probability (P1-P5); each cell is the score.

        P1    P2    P3    P4    P5
  I5     5    10    15    20    25
  I4     4     8    12    16    20
  I3     3     6     9    12    15
  I2     2     4     6     8    10
  I1     1     2     3     4     5

Score bands: 1-4 negligible, 5-8 moderate, 9-14 high, 15-25 critical.
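The scoring rule and the heatmap above, worked through in code. This is an added example written for this page, not Nis2You's own implementation: the `Risk` class, the function names and the four sample risks are constructed assumptions; the 1-5 scales, the four score bands and the red (≥ 12) and green (≤ 4) zones are the page's.

```python
from __future__ import annotations

from dataclasses import dataclass

SCALE = range(1, 6)  # probability and impact are each scored 1-5

# Score bands from the heatmap legend: (upper bound, label).
BANDS = ((4, "negligible"), (8, "moderate"), (14, "high"), (25, "critical"))


def score(probability: int, impact: int) -> int:
    """Probability x Impact on the 1-5 scales; rejects out-of-range values."""
    if probability not in SCALE or impact not in SCALE:
        raise ValueError(f"probability and impact must be 1-5, got {probability} and {impact}")
    return probability * impact


def band(score_value: int) -> str:
    """Map a score (1-25) to one of the four bands."""
    for upper, label in BANDS:
        if score_value <= upper:
            return label
    raise ValueError(f"score out of range: {score_value}")


def demands_immediate_treatment(score_value: int) -> bool:
    """Red zone of the heatmap: score of 12 or more."""
    return score_value >= 12


def can_be_accepted(score_value: int) -> bool:
    """Green zone of the heatmap: score of 4 or less."""
    return score_value <= 4


@dataclass
class Risk:
    """One register entry scored twice: inherent (no controls) and residual (with controls)."""
    name: str
    inherent: tuple[int, int]  # (probability, impact) with no controls in place
    residual: tuple[int, int]  # (probability, impact) once controls are deployed

    def inherent_score(self) -> int:
        return score(*self.inherent)

    def residual_score(self) -> int:
        return score(*self.residual)


def heatmap(risks: list[Risk], which: str = "residual") -> dict[tuple[int, int], list[str]]:
    """Bucket risk names into the 5x5 grid, keyed by (probability, impact)."""
    grid: dict[tuple[int, int], list[str]] = {(p, i): [] for p in SCALE for i in SCALE}
    for risk in risks:
        p, i = risk.residual if which == "residual" else risk.inherent
        grid[(p, i)].append(risk.name)
    return grid


def render_heatmap(risks: list[Risk], which: str = "residual") -> str:
    """Text grid with I5 at the top and P1..P5 left to right; each cell shows the
    score and, in brackets, how many risks currently sit in that cell."""
    grid = heatmap(risks, which)
    lines = ["   " + "".join(f"{'P' + str(p):>4}   " for p in SCALE)]
    for i in reversed(SCALE):
        row = f"I{i} "
        for p in SCALE:
            count = len(grid[(p, i)])
            row += f"{p * i:>4}" + (f"({count})" if count else "   ")
        lines.append(row)
    return "\n".join(lines)


# Constructed sample register (not from the page).
SAMPLE_RISKS = [
    Risk("Phishing", inherent=(5, 4), residual=(3, 3)),             # MFA and training deployed
    Risk("Ransomware", inherent=(4, 5), residual=(2, 5)),           # backups cut probability, not impact
    Risk("Cloud price increase", inherent=(3, 1), residual=(3, 1)),  # no control, low impact
    Risk("Laptop theft", inherent=(3, 4), residual=(3, 4)),         # encryption listed but not enforced
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: inherent {r.inherent_score()} ({band(r.inherent_score())}), "
              f"residual {r.residual_score()} ({band(r.residual_score())})")
    print(render_heatmap(SAMPLE_RISKS))
```

Passing `which="inherent"` renders the baseline grid, so the two heatmaps side by side show how far the deployed controls actually moved each risk.
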

The 4 treatment strategies

Mitigate — Deploy controls to reduce probability or impact. The default for most risks.

E.g. roll out MFA to mitigate phishing.

Accept — Live with the risk. Justified when treatment costs more than the expected impact, or when the risk is intrinsically low.

E.g. accept a 5% AWS price increase.

Transfer — Pass the risk to a third party. Typically via insurance, subcontracting, or contract clause.

E.g. cyber insurance to transfer ransom cost.

Avoid — Stop the activity that generates the risk. Drastic but sometimes the right call.

E.g. stop storing sensitive data you don't need.

Best practices
  • Aim for 10-20 major risks, not 200 micro-risks.
  • Link every risk to at least one control (otherwise, why is it in the register?).
  • Document the rationale when you accept or transfer — that's what auditors read.
  • Re-assess cyber risks every quarter: they move fast.
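A register review that encodes the inherent-versus-residual check, the four treatment strategies and the best practices above as findings an auditor would raise. This is added example code written for this page, not Nis2You's own logic: the `RiskEntry` class, the finding wording, the five sample entries, the fixed review date and the 91-day reading of "a quarter" are constructed assumptions; the rules themselves (residual must be below inherent, every risk linked to a control, rationale for accept and transfer, red-zone scores of 12 or more need treatment, 10-20 major risks, quarterly re-assessment) are the page's.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

STRATEGIES = ("mitigate", "accept", "transfer", "avoid")
RED_ZONE = 12                 # score >= 12 demands treatment (heatmap red zone)
QUARTER = timedelta(days=91)  # "re-assess every quarter"; 91 days is an assumption
TARGET_SIZE = (10, 20)        # "aim for 10-20 major risks"


@dataclass
class RiskEntry:
    name: str
    inherent: int             # probability x impact with no controls
    residual: int             # probability x impact with controls deployed
    treatment: str            # one of STRATEGIES
    last_assessed: date
    controls: list[str] = field(default_factory=list)
    rationale: str = ""       # required when the risk is accepted or transferred


def review_entry(entry: RiskEntry, today: date) -> list[str]:
    """Findings for one register entry; an empty list means it passes review."""
    findings: list[str] = []
    if entry.treatment not in STRATEGIES:
        findings.append(f"unknown treatment strategy: {entry.treatment}")
    if not entry.controls:
        findings.append("no control linked")
    elif entry.residual >= entry.inherent:
        # Controls are listed but the score did not move: not working, or not applied.
        findings.append("residual not below inherent")
    if entry.treatment in ("accept", "transfer") and not entry.rationale.strip():
        findings.append("accept/transfer without documented rationale")
    if entry.treatment == "accept" and entry.residual >= RED_ZONE:
        findings.append("red-zone risk accepted instead of treated")
    if today - entry.last_assessed > QUARTER:
        findings.append("not re-assessed in the last quarter")
    return findings


def review_register(entries: list[RiskEntry], today: date) -> dict[str, list[str]]:
    """Per-entry findings keyed by risk name, plus register-level findings under '_register'."""
    report: dict[str, list[str]] = {"_register": []}
    low, high = TARGET_SIZE
    if not low <= len(entries) <= high:
        report["_register"].append(
            f"register holds {len(entries)} risks; aim for {low}-{high} major risks")
    for entry in entries:
        report[entry.name] = review_entry(entry, today)
    return report


# Constructed sample register (not from the page); review date fixed so the run is repeatable.
REVIEW_DATE = date(2025, 1, 15)
SAMPLE_REGISTER = [
    RiskEntry("Phishing", inherent=20, residual=9, treatment="mitigate",
              last_assessed=date(2024, 12, 1), controls=["MFA", "awareness training"]),
    RiskEntry("Ransomware", inherent=20, residual=15, treatment="transfer",
              last_assessed=date(2024, 12, 20), controls=["cyber insurance", "offline backups"]),
    RiskEntry("Cloud price increase", inherent=3, residual=3, treatment="accept",
              last_assessed=date(2024, 12, 1),
              rationale="5% increase fits the budget; a multi-cloud setup would cost more"),
    RiskEntry("Laptop theft", inherent=12, residual=12, treatment="mitigate",
              last_assessed=date(2024, 9, 1), controls=["full-disk encryption"]),
    RiskEntry("Legacy FTP server", inherent=16, residual=16, treatment="accept",
              last_assessed=date(2025, 1, 10), controls=["perimeter firewall"]),
]

if __name__ == "__main__":
    for name, findings in review_register(SAMPLE_REGISTER, REVIEW_DATE).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run on the sample, "Phishing" passes cleanly, "Laptop theft" is flagged because its listed control never moved the score and it is overdue for review, and "Legacy FTP server" is the case an auditor would stop on: a red-zone risk marked accepted with no rationale and no effective control.
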