Risk Coverage
Risk Coverage connects your security technology portfolio to the risk scenarios that matter most. Instead of asking “what tools do we have?”, Risk Coverage asks “are our tools actually covering the threats we care about?”. Each risk scenario gets a coverage assessment with a strength rating, a gap narrative, suggested actions, and links to the technologies that contribute to mitigation.
Risk Coverage integrates with Technology Register (technology assignment), Risk Register (risk linkage), CISO Goals (goal-linked coverage), Issues (gap-driven issues), and Portfolio Dashboard (coverage summary and gap signals).
Understanding risk scenarios
A risk scenario describes a specific threat situation that your security portfolio should address. Scenarios are distinct from entries in the Risk Register; they focus on the technology coverage dimension rather than likelihood and impact scoring. Each scenario has a title, description, and an optional sort order for organizing the list.
Risk scenarios can be linked to entries in the Risk Register or to Registered Risks to create traceability between your risk management process and your technology coverage analysis. Scenarios can also be created from templates to accelerate initial setup.
Creating a risk scenario
Open the Risk Coverage page
Navigate to Stack & Coverage > Risk Coverage to view all risk scenarios and their coverage assessments.
Create a new scenario
Click New Scenario to open the creation form. Fill in the following fields:
| Field | Description | Required |
|---|---|---|
| Title | A concise name for the scenario (e.g., “Ransomware encrypts production data”) | Yes |
| Description | Detailed context about the threat, attack path, or business impact | No |
| Linked Risk | An optional link to a Risk Register entry | No |
| Linked Registered Risk | An optional link to a Registered Risk record | No |
| Sort Order | A numeric value controlling the display sequence | No |
Save the scenario
Click Save to create the scenario. It will appear in the list with coverage strength set to Not Assessed until you complete an assessment.
Coverage assessment
Each risk scenario has a one-to-one coverage assessment that evaluates how well your technology portfolio addresses that scenario. The assessment captures four key pieces of information:
Coverage strength
Assign a strength rating that reflects the overall coverage posture for the scenario:
| Strength | Description |
|---|---|
| Strong | The scenario is well-covered by one or more technologies with verified configurations |
| Medium | Partial coverage exists but there are known limitations or configuration gaps |
| Weak | Minimal coverage is in place; significant gaps exist |
| Not Assessed | The scenario has not yet been evaluated for coverage |
Gap summary
The gap summary is a free-text field where you document what is missing. Describe the specific weaknesses, uncovered attack paths, or configuration gaps that prevent the scenario from reaching a Strong rating. This narrative is surfaced in the Portfolio Dashboard gap signals.
Suggested action
The suggested action field captures the recommended next step to improve coverage. This might be deploying a new tool, reconfiguring an existing one, or creating a compensating control. Suggested actions can drive issue creation and CISO Goal planning.
Assessor and timestamp
The assessment records who performed the evaluation and when, providing an audit trail for coverage reviews.
Assigning technologies
Each coverage assessment can link to one or more technologies from the Technology Register that contribute to mitigating the scenario. For each technology assignment, specify a contribution level:
| Contribution | Description |
|---|---|
| Primary | This technology is the main line of defense for the scenario |
| Supporting | This technology provides supplementary or layered defense |
Technology assignments feed into the Portfolio Dashboard coverage summary and help answer the question “which tools are protecting us against this specific threat?”.
Linking to CISO Goals
When a coverage gap requires strategic investment, link the coverage assessment to a CISO Goal. This creates a traceable thread from a specific risk scenario, through the identified gap, to the strategic objective that addresses it. The linked goal appears on both the Risk Coverage page and the CISO Goals detail page.
Linking to Issues
For gaps that need tactical resolution, link the coverage assessment to one or more Issues in the Execution Tracking module. Each linked issue ID is stored on the assessment, and the connection is visible from both the Risk Coverage page and the Issue detail page. This ensures that identified gaps are tracked through to closure.
AI-suggested scenarios
The Risk Coverage page supports AI-suggested scenarios that analyze your technology register, capability mappings, and existing risk data to recommend scenarios you may not have considered. Suggestions are based on industry threat patterns and gaps detected in your current coverage. Review each suggestion and add it as a scenario if it is relevant to your risk landscape.
Permissions
Managing Risk Coverage requires the securityPortfolio:manage permission. Users with this permission can create and edit risk scenarios, perform coverage assessments, assign technologies, and manage goal and issue links. Users with securityPortfolio:read can view scenarios and their assessments but cannot make changes.