Risk Assessments
Risk assessments are structured evaluations that define the scope, context, and criteria for identifying risks. Each assessment can contain multiple risks that are later registered in the risk registry for ongoing tracking.
Creating an assessment
Navigate to Risk Management
Go to Risk Management → Assessments and click Create Assessment.
Fill in assessment details
| Field | Required | Description |
|---|---|---|
| Title | Yes | Clear, descriptive name for the assessment |
| Scope | No | Boundaries and extent of coverage |
| Context | No | Background information and circumstances |
| Criteria | No | Standards or benchmarks for evaluation |
| Description | No | Detailed purpose and objectives |
| Start Date | Yes | When the assessment begins |
| End Date | No | Expected completion date |
| Classification | No | Risk classification category |
| Priority | No | Priority level |
Assign the team
Set an Owner (primary person responsible), Assessors (team members conducting the assessment), and Participants (additional contributors).
Save the assessment
Click Create Assessment. The assessment appears in your list with status Active.
Assessment statuses
Assessments move through four statuses: Active (currently being conducted), Completed (all risks identified and documented), On Hold (temporarily paused), and Cancelled.
Adding risks to an assessment
Within an active assessment, document each risk with its likelihood, impact, resulting risk score, and treatment options. Each risk requires a title, an impact level, and a likelihood level; a mitigation strategy, owner, and priority are optional.
When a risk warrants ongoing tracking, register it in the risk registry — this creates an independent record that persists after the assessment closes.
You can also create risks directly in the risk registry without going through an assessment. However, linking risks to assessments provides traceability and audit context.
IAM risk assessment
SecureHive includes a specialized IAM (Identity and Access Management) risk assessment capability. This pre-configured assessment type focuses specifically on identity-related risks such as excessive privileges, orphaned accounts, weak authentication, and access review gaps. It uses IAM-specific risk criteria and integrates with identity control data when available.
Best practices
Define clear scope and context before starting an assessment — vague boundaries lead to inconsistent results. Document risks thoroughly with rationale for both impact and likelihood ratings. Assign clear ownership so every risk has someone accountable. Link risks to their source assessment for traceability, and register all significant risks that need ongoing tracking.