Write or paste the prompt you want your assessor application to send to an AI system when processing the risk assessment output. This prompt will instruct the AI on how to interpret, summarise, or act on the assessment data.
This tool lets you build a custom risk configuration file for your organisation. The configuration is saved as a JSON file and used by the Risk Assessor application to evaluate security risks for any system or project.
You do not need to be a security expert to use this tool. Everything has sensible defaults. You only need to change what is relevant to your organisation.
The configurator ships with a library of 77 pre-built risks (11 families × 7 periods) organised across:

| 11 Risk Families | 7 Lifecycle Periods |
|---|---|
| CNP — Confidentiality & Privacy | P1 — Foundational |
| INT — Integrity | P2 — Design |
| AVR — Availability & Resilience | P3 — Build |
| IAM — Identity & Access Management | P4 — Integration |
| OPC — Operational Control | P5 — Testing |
| LGC — Legal, Governance & Compliance | P6 — Go-Live |
| TPS — Third-Party & Supply Chain | P7 — Operate |
| PSE — People & Social Engineering | |
| AIQ — AI Quality | |
| AIA — AI Assurance | |
| IOT — IoT & Operational Technology | |
The configurator and the risk assessor work together. Think of this tool as the setup phase — you define the rules once, then the assessor applies them every time a system is evaluated.
When you save a configuration, the JSON file contains two things: the raw delta overrides (used to round-trip the file back into this configurator) and a fully resolved block for the assessor to consume. The assessor should read resolved.* only. Do not re-apply defaults — the configurator has already merged them for you.

Work through the steps in order. You can save at any point and continue later — the ↓ Save Config button is always in the top bar.
In the top bar, enter a Configuration label (e.g. "ACME Corp — ERP Platform v1") and an optional description. Give it a meaningful name — this becomes part of the saved filename and appears in the risk assessor.
Review the pre-built risk library. Click any tile to open and edit that risk — adjust the name, description, base score, strategy adjustment, or risk appetite. Use the ⛔ Deactivate button in the editor footer to exclude a risk entirely from all assessments, surveys, and controls. Deactivated tiles turn grey across every tab instantly. You can also rename families and periods by double-clicking any column or row header. The register supports up to 11 families and 7 periods.
Review the yes/no questions that determine which risks apply to a given system. Toggle off questions that will never be relevant, and check that each question's risk suppression list is correct. Add new questions if your environment needs them.
Review the vendor security questions. Adjust answer weights (Yes / Partial / No / N/A) to reflect how your organisation weighs each control area. Deactivate questions that do not apply and add organisation-specific questions where needed.
Same process as the Vendor Survey but focused on your organisation's internal security posture. Set weights that reflect your internal control priorities and deactivate questions that are not applicable to your systems.
Review the governance and technical controls mapped to each risk. Set answer weights, deactivate irrelevant controls, and verify that each control is linked to the correct risks. Control scores feed into the overall risk picture in the assessor.
Adjust the 5×5 impact/likelihood matrix, score band thresholds, and likelihood/impact descriptors to match your organisation's risk framework. If you use a third-party risk rating tool (BitSight, Panorays, UpGuard, or manual), enter the score in the TPRM panel and verify the multiplier. Use the built-in calculator to test risk scenarios before saving.
If your risk assessor will generate AI-assisted reports using ChatGPT Enterprise, Claude Enterprise, Microsoft Copilot, or Gemini Enterprise, customise the system prompt here. The default template instructs the model to act as a structured cyber risk analyst. Tailor the tone, output format, and focus areas for your audience.
Click ↓ Save Config in the top bar at any time. The browser downloads a JSON file named risk-register-<label>-<date>.json. This file can be loaded back into the configurator or passed directly to the risk assessor.
Click ↑ Open Config and pick a JSON file you previously saved. All your customisations are restored across every tab — even tabs you haven't visited yet will be updated in the background.
Click ↺ Reset to clear all changes and return to the shipped defaults. You'll be asked to confirm first.
The Risk Register shows all 77 risks as a colour-coded grid. Columns are risk families; rows are lifecycle periods. Each cell is one risk.
Tiles with an amber outline have been modified from the default values.
Some risks in the library may not be relevant to your organisation at all (e.g. IoT risks if you only assess business applications). Rather than leaving them in the register with a low score, you can deactivate them entirely.
The assessor reads the active flag in the JSON and skips inactive risks regardless of any existing links.

Double-click any column header (family) or row header (period) to rename it. Useful if your organisation uses different terminology.
Scoping questions let the assessor narrow down which risks apply to a specific system. Each question has a list of risks it can switch off when the assessor answers No (meaning that feature or context doesn't apply).
Example: "Does the system include any AI functionality?" — If No, all AI-related risks (AIQ, AIA families) are suppressed for that assessment.
The right-hand panel shows which risks are affected by each question. Greyed-out risks are currently suppressed by an inactive question.
The Vendor Survey is a set of questions about the supplier's security practices. The assessor fills in answers (Yes / No / Partial / N/A), and each answer contributes a weighted score to the linked risks.
The Internal Survey assesses your own organisation's security maturity — controls in place, processes followed, and capabilities available. It works exactly the same as the Vendor Survey but focuses inward rather than at a third party.
All editing is the same: question text, weights, per-answer scores, and active/inactive toggle.
Controls are security measures linked to specific risks. When an assessor rates a control as implemented (Yes / Partial), it reduces the effective risk score for its linked risks. When a control is absent (No), it may increase the risk score.
Click any control to see which risks it is linked to. Click a risk in the map panel to highlight the controls that cover it. This helps you identify gaps — risks with no active controls need extra attention.
The Risk Matrix tab controls how a likelihood score and an impact score are combined into a risk rating. It has four sections.
If you have an independent security rating for your vendor, enter it here. The rating is converted to a multiplier between ×0.80 and ×1.20 that scales the final risk score up or down:
| Multiplier range | Meaning | Effect |
|---|---|---|
| ×0.80 – ×0.93 | Strong vendor posture | Reduces risk scores |
| ×0.94 – ×1.07 | Average / neutral | No significant change |
| ×1.08 – ×1.20 | Weak vendor posture | Increases risk scores |
Supported rating sources: BitSight (scale 250–900), Panorays (0–100), UpGuard (0–950), Manual (1–10 score you assign yourself). Select No use to disable TPRA (multiplier = ×1.00).
The grid maps a likelihood band (column) against an impact band (row) to produce a risk score (1–100). Click any cell to edit its score directly. The risk score calculator below updates live as you make changes.
Defines the cut-off points for LOW / MEDIUM / HIGH / EXTREME ratings. Edit the From value of any band; the To value is calculated automatically. Tighten the bands to be more sensitive (more risks rate HIGH), or widen them to be more forgiving.
The five bands for likelihood (Rare → Almost Certain) and impact (Insignificant → Catastrophic). Edit the From value to adjust where each band starts. Band names can also be changed to match your organisation's risk language.
Enter any likelihood and impact value (1–100) to instantly see which bands they map to and what risk rating results. Use this to validate your matrix configuration.
The risk assessor can send completed assessment data to an AI model for analysis, summary, or recommendations. The text you write here becomes the system prompt — the set of instructions given to the AI before it sees the assessment data.
A good AI prompt tells the model: who it is, what format to respond in, what tone to use, and what to look for in the data.
Read the aiPrompt field from the JSON and pass it as the system message in your AI API call. Pass the serialised assessment results as the user message.

The saved JSON file uses schema version 1.4. It has two layers: raw delta overrides (for round-trip reloading into this configurator) and a fully resolved resolved block ready for the assessor to consume. Assessors should read resolved.* only. Never re-apply defaults yourself — the configurator has already done that.

| Field | Type | Description |
|---|---|---|
| type | string | Always "risk-register-config". Validate this before loading. |
| version | string | Schema version, currently "1.4". |
| savedAt | ISO date | Timestamp of when the config was last saved. |
| label | string | Human-readable configuration name. |
| narrative | string | Description / purpose of this configuration. |
| scoring | object | Keys: unansweredAs (excluded or zero), surveyMaxReduction (0–1), controlMaxReduction (0–1), tpraAffects (impact or likelihood), detectiveAffects (likelihood or impact), unevidencedYes (full or partial). Controls how the assessor treats unanswered questions, caps survey/control risk reduction, selects which axis the TPRA multiplier scales, whether Detective controls reduce residual likelihood (legacy) or impact, and whether a control "Yes" without an evidence reference earns full (legacy) or only Partial credit. Absent = legacy defaults (excluded / 0.60 / 0.80 / impact / likelihood / full). Present at top level and in resolved. |
| risks[].baseLikelihood | number (optional) | 1–10. When set, the assessor starts likelihood from this value instead of deriving it from the impact score. Absent = legacy behaviour. |
| controls[].refs | string (optional) | Framework cross-references (e.g. ISO27001:A.8.15; NIST CSF:DE.CM; E8:Regular-Backups; NIST AI RMF:MEASURE). Shown in assessor exports. |
| tpraMethod | string | One of notset, nouse, bitsight, panorays, upguard, manual. |
| tpraScore | number or null | Raw score entered for the selected TPRA method. Null if not set. |
| tpraMultiplier | number | Pre-computed multiplier (0.80–1.20). Apply directly: adjustedScore = matrixPts × tpraMultiplier. |
| aiPrompt | string | System prompt for the AI model. Pass as the system message in your API call. |
| resolved | object | Fully resolved data; see the sections below. |
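A loader that consumes a saved file the way the table above prescribes (validate type and version, read resolved.* only, apply the legacy scoring defaults when the scoring block is absent, take tpraMultiplier as pre-computed), as an added example that is not the configurator's or the assessor's own code. The sample file, the per-risk active key and the Python function names are assumptions.

```python
import json

EXPECTED_TYPE = "risk-register-config"
SUPPORTED_VERSIONS = {"1.4"}
# Legacy defaults the page lists for a missing scoring block.
LEGACY_SCORING = {"unansweredAs": "excluded", "surveyMaxReduction": 0.60,
                  "controlMaxReduction": 0.80, "tpraAffects": "impact",
                  "detectiveAffects": "likelihood", "unevidencedYes": "full"}

def load_config(text):
    """Validate the envelope and return (resolved, scoring, tpraMultiplier, aiPrompt)."""
    cfg = json.loads(text)
    if cfg.get("type") != EXPECTED_TYPE:
        raise ValueError(f"not a risk register config: {cfg.get('type')!r}")
    if cfg.get("version") not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported schema version {cfg.get('version')!r}")
    resolved = cfg["resolved"]            # read resolved.* only; never re-apply defaults
    # scoring is present at top level and in resolved; prefer the resolved copy
    scoring = {**LEGACY_SCORING, **resolved.get("scoring", cfg.get("scoring", {}))}
    mult = float(cfg.get("tpraMultiplier", 1.0))
    if not 0.80 <= mult <= 1.20:
        raise ValueError(f"tpraMultiplier {mult} outside 0.80-1.20")
    return resolved, scoring, mult, cfg.get("aiPrompt", "")

def active_risks(resolved):
    """Honour the per-risk active flag (assumed key name) regardless of links."""
    return [r["id"] for r in resolved["risks"] if r.get("active", True)]

# Constructed sample file carrying only the fields this loader touches.
SAMPLE = json.dumps({
    "type": "risk-register-config", "version": "1.4", "label": "Example",
    "tpraMethod": "manual", "tpraScore": 8, "tpraMultiplier": 0.90,
    "aiPrompt": "You are a structured cyber risk analyst.",
    "scoring": {"unevidencedYes": "partial"},
    "resolved": {"scoring": {"unevidencedYes": "partial"},
                 "risks": [{"id": "CNP-P1", "active": True, "baseScore": 7.0,
                            "strategyPct": 25, "fullScore": 8.75, "appetite": 3},
                           {"id": "IOT-P7", "active": False, "baseScore": 5.0,
                            "strategyPct": 0, "fullScore": 5.0, "appetite": 4}]},
})
```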
Each risk entry in the resolved block carries these fields:

| Field | Description |
|---|---|
| id | Unique risk ID, e.g. CNP-P1. Format: <family_abbr>-<period>. |
| family | Full family name, e.g. "Confidentiality & Privacy". |
| period | Period code: P1–P7. |
| name | Risk title shown to assessors. |
| meaning | Plain-English explanation of what this risk means. |
| mitigation | Recommended steps to address the risk. |
| baseScore | Inherent severity score (1–10). |
| strategyPct | Organisation-specific uplift (0–100%). Context amplification. |
| fullScore | Computed score: baseScore × (1 + strategyPct/100). Use this for risk band classification. |
| appetite | Risk appetite (1–9). Flag risks where the assessed score exceeds this threshold. |
| drivenBy | Comma-separated scoping question IDs that determine this risk's relevance. |
| vendorSurvey | Comma-separated vendor survey question IDs linked to this risk. |
| internalSurvey | Comma-separated internal survey question IDs linked to this risk. |
| controls | Comma-separated control IDs that mitigate this risk. |
Each scoping question entry carries these fields:

| Field | Description |
|---|---|
| id | Question ID, e.g. Q-01. |
| text | Question text shown to the assessor. |
| active | true = show to assessor. false = question is hidden; linked risks stay in scope. |
| ifNo | Array of risk IDs to exclude when the assessor answers No to this question. |
Each vendor survey (VS-XX) and internal survey (IS-XX) question entry carries these fields:

| Field | Description |
|---|---|
| id | VS-XX (vendor) or IS-XX (internal). |
| text | Question text. |
| explanation | Guidance for the assessor on what this question is evaluating. |
| weight | Overall question importance (1–10). |
| answerYes / answerNo / answerPartial / answerNA | Score awarded per answer type. |
| active | Whether this question is included in scoring. |
| risks | Array of risk IDs this question's score feeds into. |
Each control entry carries these fields:

| Field | Description |
|---|---|
| id | Control ID, e.g. CT-01. |
| name | Control name. |
| explanation | What this control does and why it matters. |
| type | One of Design, Technical, Process, Governance. |
| effect | One of Preventive, Detective, Corrective, Governance. |
| weight / answerYes / answerNo / answerPartial / answerNA | Same scoring model as survey questions. |
| active | Whether this control is included in scoring. |
| risks | Array of risk IDs this control mitigates. |
The matrix is a 5×5 nested array indexed as matrix[impactIndex][likelihoodIndex], where index 0 is the lowest band and 4 the highest. Each cell is { pts: number }, the risk points (1–100) for that combination.

The score bands and the likelihood and impact descriptors share one band layout:

| Field | Description |
|---|---|
| band | Band label: LOW, MED, HIGH, EXT (score bands); or a name like Rare, Possible etc. (descriptors). |
| score / from | Lower boundary of this band (inclusive). |
| to | Upper boundary (inclusive). Always = next band's from − 1. |
Each risk has a Base Score (inherent severity) and a Strategy Adjustment (context amplification):
Example: Base 7.0, Strategy 25% → 7.0 × 1.25 = 8.75
The assessor enters a Likelihood score (1–100) and an Impact score (1–100) for each risk. These are mapped to one of five bands each, and the 5×5 matrix cell at that intersection gives the risk points.
If TPRA is set to No use or Not set, the multiplier is 1.00 and the score is unchanged.
The adjusted score is mapped against resolved.scoreBands to produce the final rating: LOW MEDIUM HIGH EXTREME
Compare the final score (or band ordinal) against the risk's appetite value. Flag the risk if it exceeds the threshold. Surface these as priority items in the report.
Vendor survey, internal survey, and control scores are collected per risk through their linked IDs. For each risk, sum the weighted scores from linked active questions/controls to produce a coverage score. This can be used to adjust the likelihood or impact score before the matrix lookup — for example: high vendor survey score → lower likelihood, strong controls → lower impact.
adjustedLikelihood = rawLikelihood × (1 − vendorScore / maxVendorScore × 0.3)
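One pass of the scoring pipeline described above (fullScore, band lookup, matrix cell, TPRA multiplier, score band, appetite check, and the example vendor-survey dampening), as an added example that is not the configurator's or the assessor's own code. The likelihoodBands and impactBands key names, every band boundary and matrix value, and the choice of band ordinal (rather than raw score) for the appetite comparison are assumptions; only resolved.scoreBands, the matrix layout and the formulas come from the page.

```python
from bisect import bisect_right

# Constructed resolved fragment: key names likelihoodBands/impactBands and all
# boundary and matrix values are illustrative assumptions, not shipped defaults.
RESOLVED = {
    "likelihoodBands": [{"band": n, "from": f} for n, f in
                        [("Rare", 1), ("Unlikely", 21), ("Possible", 41),
                         ("Likely", 61), ("Almost Certain", 81)]],
    "impactBands": [{"band": n, "from": f} for n, f in
                    [("Insignificant", 1), ("Minor", 21), ("Moderate", 41),
                     ("Major", 61), ("Catastrophic", 81)]],
    # matrix[impactIndex][likelihoodIndex] -> {"pts": 1..100}; index 0 = lowest band
    "matrix": [[{"pts": 4 * (i + 1) * (l + 1)} for l in range(5)] for i in range(5)],
    "scoreBands": [{"band": "LOW", "from": 1}, {"band": "MED", "from": 21},
                   {"band": "HIGH", "from": 51}, {"band": "EXT", "from": 76}],
}

def band_index(score, bands):
    """Index of the band whose inclusive 'from' is the highest one <= score."""
    starts = [b["from"] for b in bands]          # ascending, as the schema requires
    return max(bisect_right(starts, score) - 1, 0)

def full_score(base_score, strategy_pct):
    """fullScore = baseScore x (1 + strategyPct/100), e.g. 7.0 and 25% -> 8.75."""
    return round(base_score * (1 + strategy_pct / 100), 2)

def adjust_likelihood(raw_likelihood, vendor_score, max_vendor_score):
    """The page's example dampening: a strong vendor survey cuts likelihood by up to 30%."""
    return raw_likelihood * (1 - vendor_score / max_vendor_score * 0.3)

def score_risk(resolved, likelihood, impact, tpra_multiplier=1.0):
    """Likelihood/impact (1-100) -> bands -> matrix pts -> TPRA scaling -> rating."""
    li = band_index(likelihood, resolved["likelihoodBands"])
    ii = band_index(impact, resolved["impactBands"])
    pts = resolved["matrix"][ii][li]["pts"]
    adjusted = round(pts * tpra_multiplier, 2)   # adjustedScore = matrixPts x tpraMultiplier
    bi = band_index(adjusted, resolved["scoreBands"])
    return {"pts": pts, "adjusted": adjusted,
            "rating": resolved["scoreBands"][bi]["band"], "bandOrdinal": bi + 1}

def exceeds_appetite(result, appetite):
    """Flag when the band ordinal (1-4) exceeds appetite; using the ordinal rather
    than the raw score is an assumption (the text allows either)."""
    return result["bandOrdinal"] > appetite

if __name__ == "__main__":
    r = score_risk(RESOLVED, likelihood=70, impact=85, tpra_multiplier=0.80)
    print(full_score(7.0, 25), r, exceeds_appetite(r, 3))
```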