🛡 Risk Management

"Your essential tool for safeguarding organizational assets."
Configure flexible methodologies, assess risks, and monitor evolution over time.


The Risk Management module in Brainframe lets you fully configure risk types, methodologies, and measures — from evaluating suppliers and stakeholders to classic Confidentiality, Integrity, and Availability (CIA) risks aligned with ISO 27005.




1️⃣ Creating a Risk


A risk is a dedicated document that describes a scenario in detail:


  • Scenario description
  • Risk owner
  • Likelihood and impact
  • Risk level
  • Existing controls
  • Planned mitigations



You can create a risk using the pre-defined type: Confidentiality, Integrity, or Availability Risk (CIA).


Risk Document Properties



Each risk document comes pre-configured with:


  1. Unique identifier – Default is R-00x, but you can customize your risk types.
  2. Title – The name of the risk.
  3. Linked items – Connect risks to assets, policies, suppliers, etc. Links are bi-directional.
  4. Properties:
  • Risk type: Threat / Opportunity
  • Risk action: Treat, Terminate, Tolerate, Transfer
  • Risk origin: Internal / External
  • Owner: Linked to Employee, Consultant, or Role & Responsibility
  5. Description template – Brainframe provides a built-in template, but you can fully customize it.
  6. Checklist integration – Optionally add the risk to a Workbench checklist.
  7. Create the risk.


This is what a risk will look like once created:

Example of a risk


📌 Example: R-001 - Missing protection against distributed denial of service (DDoS) attacks.

  1. The document itself.
  2. Linked to 29 other documents (suppliers, assets, servers, systems) bidirectionally.
  3. Related tasks visible in Task Management.
  4. Risk template pre-filled with your assessment.
  5. Each document shows risk evolution in its own tab.



2️⃣ Doing Risk Readings


Risks only appear in the Risk Matrix once a reading is done.



From the document menu, select Risk Reading.


  • Once you have picked the risk type, you will be presented with the following screen:




  1. Risk type switcher – Easily switch risk types.
  2. Risk summary – Count of total, critical, open, and mitigated risks.
  3. Risk score – Calculated sum across all risks.
  4. Filter – Filter by graph click or search input.


Risk Tab




  1. The risk tab, available on every document.
  2. Risk evolution timeline for this type of risk for this document.
  3. Remaining work colors show progress.
  4. Add new reading to the document.


Adding a New Risk Reading


When you select "Add new reading" above, you will be presented with this view:


  1. Show the risk methodology.
  2. Enter measures (impact/probability).
  3. System automatically calculates risk level (e.g. 9 on a 5x5 matrix).
  4. Remaining work tracking = risk × multiplier (5 → 0). While the risk is open or not yet assessed the multiplier is 5; once all identified mitigation work has been done, or the remaining risk is accepted, the multiplier is 0, which effectively eliminates the risk from the score.




  5. Define your target risk level. This will show the options (6) and (7).
  6. These are the target risk measures you are aiming for with your mitigations.
  7. Similar to the normal measures, this calculates your target risk.
  8. This is a free text field in which you can justify your risk evaluation change, including inserting evidence like pictures or files.
  9. Risk types can be configured to require specific document properties to be collected.
  10. Once you click on Add risk reading, it will be shown on the risk evolution tab.


📌 Risks scoring 0 are marked as Closed (button changes to Close Risk).


Each risk reading creates a new document, holding the reading and its evidence, in the same folder as the risk document itself. This also lets you "archive" or correct the details of an erroneous risk reading.


3️⃣ Risk Evolution


Each risk keeps a history of readings.



  1. Open the risk tab.
  2. Select risk type from dropdown.
  3. Add readings over time.
  4. This is the timeline (X: time, Y: risk level between 0 and 25), divided into green, yellow, red and black risk areas so you can quickly see each reading's importance relative to your risk appetite. Note the different dots and their colors: they indicate the remaining work explained at the beginning of this document. Hover over a dot to see more details on that specific reading.
  5. Details about individual risk readings, with the most recent one on top.
  6. Using the configuration button, you can specify which columns need to be shown in the readings table. By clicking the Excel icon you can export the table into an Excel file.



4️⃣ Risk Overview


The risk feature applies qualitative assessments for speed and consistency.


Once you select a risk type from the list above, you will be presented with the following view:


Risk Matrix



  1. Y-axis – Likelihood, defined during your risk assessment.
  2. X-axis – Impact, defined during your risk assessment.
  3. Colors – Green, Yellow, Red, Black based on appetite. 25 is the maximum level of risk in the example above, but you can customize this as well as the colors.
  4. In this square, you can see that individual risks do not always show in the same color. The color corresponds to the remaining work that is planned for that risk. You can hover over each risk for more information on it.



📌 Underlined risks = no mitigation deadline.


Hovering over a risk will show information such as its initial, current, and target levels, and the name.



📌 If you want to see only risks relating to documents of a certain folder, you can just navigate to that folder and open the risk view from there. This will automatically filter for the risks contained in the folder.



5️⃣ Reporting & Evolution


Above the Matrix you can see a risk overview with severity, remaining work, and mitigation status.



Below that, you'll find a list of readings with filters, exportable to Excel.


  1. Select whether you only want to see the latest reading per risk in the list, or all readings.
  2. Quickly filter the list and matrix on the unique identifier or title.
  3. Load the document properties linked to each risk, e.g.:

  4. This is the list of all risks based on the applied filters.
  5. By clicking the configuration icon, you can indicate which columns should be shown in the risk list. By clicking the Excel icon, you can export the columns and data shown in the list.



📌 Bottom of page: Risk evolution graph shows:

  1. 🔵 New risks (first readings).
  2. 🟠 Residual risk sums (actual × remaining work).
  3. 🟢 Planned mitigations (future deadlines).

By hovering over any of the dots on the graph, you will see relevant information about the risks that changed on that date.
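To make the arithmetic behind the readings (section 2), the matrix colors (section 4) and the evolution graph above concrete, here is a small model of it. This is an added example, not Brainframe code: it assumes a 5x5 matrix with integer likelihood and impact in 1..5 (max level 25, as in the article), an integer remaining-work multiplier stepping from 5 down to 0, and constructed appetite thresholds for the green/yellow/red/black bands, which the page leaves to your configuration. The sample readings for R-001 and a hypothetical R-002 are constructed as well.

```python
"""Model of the risk-reading arithmetic described in this article (added example, not Brainframe code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

MAX_LEVEL = 25  # 5 x 5 matrix, as in the article's example

# Constructed appetite bands: (upper bound inclusive, color). Brainframe lets you
# configure the thresholds and colors; these values are an assumption.
APPETITE_BANDS: List[Tuple[int, str]] = [(4, "green"), (9, "yellow"), (16, "red"), (MAX_LEVEL, "black")]


def risk_level(likelihood: int, impact: int, size: int = 5) -> int:
    """Level = likelihood x impact on a size x size matrix (e.g. 3 x 3 = 9 on a 5x5 matrix)."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= size:
            raise ValueError(f"{name} must be in 1..{size}, got {value}")
    return likelihood * impact


def weighted_score(level: int, remaining_work: int) -> int:
    """Remaining-work tracking: level x multiplier, 5 = open/not assessed, 0 = done or accepted."""
    if not 0 <= remaining_work <= 5:
        raise ValueError(f"remaining-work multiplier must be in 0..5, got {remaining_work}")
    return level * remaining_work


def appetite_color(level: int) -> str:
    """Map a level onto the appetite bands (first band whose upper bound covers the level)."""
    for upper, color in APPETITE_BANDS:
        if level <= upper:
            return color
    raise ValueError(f"level {level} exceeds the matrix maximum {MAX_LEVEL}")


@dataclass(frozen=True)
class Reading:
    risk_id: str
    taken_on: date
    likelihood: int
    impact: int
    remaining_work: int  # multiplier 5 -> 0 (assumed integer steps)
    target_likelihood: Optional[int] = None
    target_impact: Optional[int] = None

    @property
    def level(self) -> int:
        return risk_level(self.likelihood, self.impact)

    @property
    def residual(self) -> int:
        """Actual level x remaining work; this is what the residual risk sums add up."""
        return weighted_score(self.level, self.remaining_work)

    @property
    def closed(self) -> bool:
        """Risks scoring 0 are marked Closed."""
        return self.residual == 0

    @property
    def target_level(self) -> Optional[int]:
        if self.target_likelihood is None or self.target_impact is None:
            return None
        return risk_level(self.target_likelihood, self.target_impact)


def latest_readings(readings: List[Reading]) -> Dict[str, Reading]:
    """Latest reading per risk, which is what the matrix and the 'latest only' list filter show."""
    latest: Dict[str, Reading] = {}
    for r in sorted(readings, key=lambda r: r.taken_on):
        latest[r.risk_id] = r
    return latest


def evolution_series(readings: List[Reading]) -> List[Tuple[date, int, int]]:
    """Per reading date: (date, number of new risks, residual sum over the latest reading of every known risk)."""
    by_date: Dict[date, List[Reading]] = {}
    for r in readings:
        by_date.setdefault(r.taken_on, []).append(r)
    seen, latest, series = set(), {}, []
    for day in sorted(by_date):
        new = 0
        for r in by_date[day]:
            if r.risk_id not in seen:  # first reading of a risk = a "new risk" dot
                new += 1
                seen.add(r.risk_id)
            latest[r.risk_id] = r
        series.append((day, new, sum(r.residual for r in latest.values())))
    return series


# Constructed sample: R-001 (the article's DDoS example) is mitigated over three quarters and
# ends at remaining work 0 (Closed); R-002 is a hypothetical second risk still being treated.
SAMPLE_READINGS = [
    Reading("R-001", date(2024, 1, 15), likelihood=4, impact=5, remaining_work=5, target_likelihood=2, target_impact=3),
    Reading("R-001", date(2024, 4, 15), likelihood=3, impact=4, remaining_work=3, target_likelihood=2, target_impact=3),
    Reading("R-001", date(2024, 7, 15), likelihood=2, impact=3, remaining_work=0, target_likelihood=2, target_impact=3),
    Reading("R-002", date(2024, 4, 15), likelihood=3, impact=3, remaining_work=5),
    Reading("R-002", date(2024, 7, 15), likelihood=2, impact=2, remaining_work=2),
]

if __name__ == "__main__":
    for rid, r in latest_readings(SAMPLE_READINGS).items():
        print(rid, "level", r.level, appetite_color(r.level), "residual", r.residual, "closed" if r.closed else "open")
    for day, new, residual in evolution_series(SAMPLE_READINGS):
        print(day, "new risks:", new, "residual sum:", residual)
```

The residual sum drops from 100 to 81 to 8 across the three dates even though a second risk was added, which is the long-term improvement the evolution graph is meant to show auditors; a reading whose target level is set can be compared against its actual level to see whether the planned mitigations are working.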


6️⃣ Risks on the Workbench


Risks can be added to Workbench Checklists (e.g. Risk Register).



  1. View risk details, owners, and deadlines.
  2. Each risk card can be moved through stages that represent your workflow, from initial identification to resolution.



7️⃣ Best Practices


  • 📊 Perform regular readings — at least quarterly, or after incidents.
  • 📌 Always link risks to assets, suppliers, or controls for traceability.
  • 🛡 Use target risk values to track mitigation effectiveness.
  • 🔄 Close risks explicitly when residual risk is accepted.
  • 📈 Leverage the evolution graph to show auditors long-term improvement.



🎯 Visual Checklist


  • [x] Risk documents created with properties and owners
  • [x] First risk readings added and visible in matrix
  • [ ] Target risks configured where applicable
  • [ ] Risks linked to assets, controls, and suppliers
  • [ ] Evolution graphs exported for audit reporting


Updated on: 11/09/2025
