Risk Posture
Risk Posture is your organization’s centralized risk registry — the single source of truth where risks are registered, scored, owned, treated, and tracked over time. It provides structured risk assessments with configurable scoring, AI-powered risk extraction, treatment planning with four strategy options, and a risk library for organizational knowledge. Risk Posture transforms fragmented risk tracking into a unified, auditable process.
Risk Posture connects to Risk Signals (risk identification and scoring configuration), Exceptions & Gaps (issues raised from risks), Security Direction (strategic risk alignment), and the shared workflow engine used for risk review processes.
Risk assessments
A risk assessment is a structured evaluation that identifies and scores risks within a defined scope. Assessments serve as the primary entry point for discovering risks before they are promoted to the registry.
Navigate to Risk Posture → Assessments to view all assessments. Each assessment captures the following:
| Field | Description |
|---|---|
| Title | Name of the assessment |
| Scope | What is being assessed (systems, processes, business units) |
| Context | Organizational context and environmental factors |
| Criteria | Risk evaluation criteria and acceptance thresholds |
| Status | Current assessment state |
| Start / End Date | Assessment timeframe |
| Classification | Risk classification category |
| Owner | User responsible for conducting the assessment |
| Assessors | Team members performing the evaluation |
| Participants | Additional stakeholders involved in the process |
| Workflow Template | Assigned review workflow for the assessment |
Assessments can be starred for quick access. Deletion is soft: deleted assessments are retained rather than purged, so the audit trail is preserved.
Creating an assessment
Define the assessment
Navigate to Risk Posture → Assessments and click New Assessment. Enter a title, scope, context, and evaluation criteria. Set the start and end dates for the assessment period.
Assign participants
Select the assessment owner, add assessors who will evaluate risks, and include any participants who should have visibility.
Identify risks
Add risks to the assessment either manually or by using the AI risk extraction feature (see AI-assisted risk extraction below). Score each risk based on impact and likelihood.
Promote to registry
Once risks are evaluated and scored, promote them to the risk registry as Registered Risks for ongoing management. The link back to the source assessment is preserved for traceability.
The risk registry
The registry provides a single view of all registered risks across your organization. Navigate to Risk Posture → Risks to access the registry dashboard, which shows current scores, owners, treatment status, and lifecycle state at a glance.
How risks enter the registry
Risks can enter the registry in two ways: promoted from a risk assessment (which preserves the link back to the original evaluation for traceability), or created directly via Risk Posture → Risks → Add Risk for risks identified outside a formal assessment process.
Each registered risk is assigned a human-readable identifier (e.g., REG-RISK-2025-001) for easy reference across reports and communications. Risks also support drag-and-drop ordering for priority visualization within the registry view.
Registered risk fields
Every registered risk captures the following information:
| Field | Required | Description |
|---|---|---|
| Title | Yes | Clear, descriptive risk statement |
| Impact Level | Yes | Numerical rating of potential impact |
| Impact Rationale | No | Explanation of the assigned impact level |
| Likelihood Level | Yes | Numerical rating of probability |
| Likelihood Rationale | No | Explanation of the assigned likelihood level |
| Risk Score | Auto | Calculated as impact x likelihood |
| Risk Level | Auto | Derived category based on configurable thresholds |
| Priority Level | No | Priority for addressing the risk |
| Mitigation Strategy | No | High-level plan for reducing or managing the risk |
| Owner | No | Person accountable for managing the risk |
| Reviewers | No | Team members who review risk decisions |
| Project | No | Associated remediation project |
| Timeline | No | Expected timeline for resolution |
| Origin | No | Source of the risk (e.g., AppSec scanning) |
Risk scoring
Risk scores are calculated automatically as impact x likelihood. The resulting score is then mapped to a risk level (e.g., Critical, High, Medium, Low) using configurable thresholds.
Risk level options and their thresholds are fully customizable per tenant. Each level option defines a name, display color, and one or more score thresholds with minimum and maximum score ranges. This means you can define exactly which score ranges correspond to which severity labels.
Risk type options can also be customized with a name, value, and color to categorize risks by type (e.g., Strategic, Operational, Compliance, Technical).
Risk scoring configuration — thresholds, levels, labels, and colors — is managed in Risk Signals → Configuration. Changes there affect how scores are displayed throughout the registry.
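The scoring rule and threshold configuration described above can be made concrete with a short worked example. The Python below is an added illustration, not SecureHive’s own code or data model; the 1 to 5 impact and likelihood scale, the level names, display colors, and score ranges are constructed sample configuration. It also includes the check a practitioner would want to run on any tenant’s threshold set before relying on it: every reachable score (every impact × likelihood product) must map to exactly one level, with no gaps and no overlapping ranges.

```python
"""Worked example: impact x likelihood scoring mapped to configurable risk levels.

Added illustration only (not SecureHive code). All level names, colors and
threshold ranges below are constructed sample configuration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threshold:
    min_score: int  # inclusive lower bound of the score range
    max_score: int  # inclusive upper bound of the score range


@dataclass(frozen=True)
class RiskLevelOption:
    name: str                          # severity label, e.g. "High"
    color: str                         # display color for the UI
    thresholds: tuple[Threshold, ...]  # one or more score ranges for this level


# Constructed sample tenant configuration: impact and likelihood each rated 1-5.
SAMPLE_SCALE_MAX = 5
SAMPLE_LEVELS = (
    RiskLevelOption("Low", "#2e7d32", (Threshold(1, 4),)),
    RiskLevelOption("Medium", "#f9a825", (Threshold(5, 9),)),
    RiskLevelOption("High", "#ef6c00", (Threshold(10, 15),)),
    RiskLevelOption("Critical", "#c62828", (Threshold(16, 25),)),
)

# Constructed misconfiguration: score 5 is covered by no level (gap) and
# score 9 is covered by both Medium and High (overlap).
BROKEN_LEVELS = (
    RiskLevelOption("Low", "#2e7d32", (Threshold(1, 4),)),
    RiskLevelOption("Medium", "#f9a825", (Threshold(6, 9),)),
    RiskLevelOption("High", "#ef6c00", (Threshold(9, 15),)),
    RiskLevelOption("Critical", "#c62828", (Threshold(16, 25),)),
)


def risk_score(impact: int, likelihood: int, scale_max: int = SAMPLE_SCALE_MAX) -> int:
    """Risk Score = impact x likelihood, after checking both ratings are on the scale."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not isinstance(value, int) or not 1 <= value <= scale_max:
            raise ValueError(f"{name} must be an integer from 1 to {scale_max}, got {value!r}")
    return impact * likelihood


def _levels_for(score: int, levels: tuple[RiskLevelOption, ...]) -> list[str]:
    """Names of every level whose threshold ranges contain the score."""
    return [lvl.name for lvl in levels for t in lvl.thresholds
            if t.min_score <= score <= t.max_score]


def risk_level(score: int, levels: tuple[RiskLevelOption, ...] = SAMPLE_LEVELS) -> str:
    """Map a score to its Risk Level; refuse ambiguous or unmapped scores."""
    matches = _levels_for(score, levels)
    if len(matches) != 1:
        raise LookupError(f"score {score} maps to {len(matches)} levels: {matches}")
    return matches[0]


def validate_thresholds(levels: tuple[RiskLevelOption, ...],
                        scale_max: int = SAMPLE_SCALE_MAX) -> list[str]:
    """Report gaps and overlaps over every score reachable as impact x likelihood."""
    reachable = {i * l for i in range(1, scale_max + 1) for l in range(1, scale_max + 1)}
    problems = []
    for score in sorted(reachable):
        hits = _levels_for(score, levels)
        if not hits:
            problems.append(f"score {score} maps to no level")
        elif len(hits) > 1:
            problems.append(f"score {score} maps to multiple levels: {', '.join(hits)}")
    return problems


def assess(impact: int, likelihood: int,
           levels: tuple[RiskLevelOption, ...] = SAMPLE_LEVELS,
           scale_max: int = SAMPLE_SCALE_MAX) -> dict:
    """Compute the auto-derived Risk Score and Risk Level for a registered risk."""
    score = risk_score(impact, likelihood, scale_max)
    return {"score": score, "level": risk_level(score, levels)}


if __name__ == "__main__":
    print(assess(3, 4))                              # {'score': 12, 'level': 'High'}
    print(validate_thresholds(SAMPLE_LEVELS))        # []
    print(validate_thresholds(BROKEN_LEVELS))        # gap at 5, overlap at 9
```

Only products of the two ratings are checked, so a threshold set that leaves an unreachable score (such as 7 on a 1 to 5 scale) uncovered is not flagged; a range that leaves a reachable score uncovered, or assigns it to two labels, is reported so the configuration can be corrected before it is used to display levels across the registry.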
Treatment plans
For each risk that requires active management, define a treatment plan that specifies how the risk will be addressed. Treatment plans are attached to individual registered risks and track progress from initiation through completion.
Treatment options
Each treatment entry specifies one of four strategy options:
| Option | Description |
|---|---|
| Accept | Acknowledge the risk with documented justification. No active mitigation is taken. |
| Avoid | Eliminate the activity or condition that creates the risk. |
| Control | Reduce likelihood or impact through controls and mitigations. |
| Transfer | Shift the risk to a third party (e.g., through insurance or outsourcing). |
Treatment fields
Each treatment option record captures:
| Field | Description |
|---|---|
| Proposed Treatment Action | Specific action to be taken |
| Control Reference | Reference to the control that addresses this risk |
| Timescale | Expected duration for treatment completion |
| Cost | Estimated cost of the treatment |
| Progress | Current progress description |
| Status | Not Started, In Progress, Completed, or Rejected |
Treatment status progresses through Not Started → In Progress → Completed, with Rejected available for treatments that are abandoned or superseded.
Review history
Registered risks maintain a complete review history that records every formal review. Each review entry captures the reviewer (linked to a user), the review date, and a record of what changed during the review. This provides a full audit trail of how risk assessments have evolved over time.
Risk activities are also tracked separately, recording all significant actions taken on a risk — creation, updates, status changes, and workflow events — with timestamps and user attribution.
AI-assisted risk extraction
SecureHive’s AI engine can analyze assessment context and automatically suggest risks. The AI risk extraction pipeline works as follows:
Initiate extraction
From within a risk assessment, trigger the AI extraction process. Provide a prompt describing the areas of concern or the scope you want analyzed.
AI processing
The system processes your prompt against the assessment context. The extraction tracks its status through Pending → Processing → Completed (or Failed if an error occurs), with processing metadata recorded for transparency.
Review suggestions
The AI returns a list of risk suggestions, each containing a risk summary, detailed description, category, confidence score, and a suggested risk type. Each suggestion starts in Draft status.
Accept or dismiss
Review each suggestion and either accept it (changing its status to Added and creating a linked risk in the assessment) or dismiss it. Accepted suggestions maintain a link back to the original AI extraction for provenance tracking.
Risk library
The risk library is an organizational knowledge base of previously identified risks. Each library item stores a risk category, summary, and description, along with a reference to the source extraction that originally identified it. The library allows you to build up institutional memory and reuse common risk definitions across future assessments rather than starting from scratch each time.
Cross-module integration
Registered risks connect to several other SecureHive modules to provide a comprehensive risk picture:
Incidents — Risks can be linked to security incidents, establishing a direct connection between risk anticipation and actual events.
Threats — Risks can be associated with threat records from Threat Hunting, connecting risk assessments to threat intelligence.
Threat Hunt Findings — Findings from threat hunting activities can be linked to registered risks, providing evidence-based risk validation.
Security Risk Scenarios — Risks can reference security risk scenarios for contextual analysis.
Projects — Each risk can be linked to a remediation project for structured mitigation tracking.
Workflows — Risk review processes can be automated through configurable workflow templates, routing reviews to the appropriate stakeholders.
Issues — Risks can generate issues in Exceptions & Gaps for tracking remediation actions.
Getting started
Configure risk scoring
Set up your risk level options, score thresholds, and risk types in Risk Signals → Configuration to match your organization’s risk appetite and taxonomy.
Create your first assessment
Navigate to Risk Posture → Assessments and create a new assessment. Define the scope, assign assessors, and begin identifying risks — either manually or using AI extraction.
Promote risks to the registry
Review scored risks and promote them to the registry. Assign an owner to each risk and set a priority level.
Define treatment plans
For risks that require active management, create treatment plans specifying the strategy (Accept, Avoid, Control, or Transfer), actions, timescales, and costs.
Set up review workflows
Assign a workflow template to risks that need periodic review, ensuring risks are reassessed on a regular cadence with proper stakeholder sign-off.
Permissions
Managing risk assessments and registered risks requires the risk-assessment:manage permission. Users with this permission can create assessments, register risks, define treatment plans, and manage the risk lifecycle. Users without this permission can view risk information in read-only mode.