Risk Exposure
Monitor your organization's risk levels and understand your overall risk posture.
The Risk Exposure card shows your organization's current risk levels. It aggregates all identified risks by severity, giving you a quick view of your overall risk posture.
What Risk Exposure Shows
The card displays:
- Total risk count - Number of risks in your registry
- Severity breakdown - Risks grouped by Critical, High, Medium, Low
- Color-coded bars - Visual representation of risk distribution
- Trend indicator - Whether risk exposure is increasing or decreasing
Severity Levels
Risks are categorized by severity:
| Severity | Color | Typical Criteria |
|---|---|---|
| Critical | 🔴 Red | Immediate business impact, data breach risk |
| High | 🟠 Amber | Significant impact, needs prompt attention |
| Medium | 🟢 Green | Moderate impact, manageable timeline |
| Low | 🔵 Blue | Minor impact, address when convenient |
Critical and High severity risks should never be ignored. They indicate significant exposure that could affect your business or compliance standing.
How Risk Exposure Is Calculated
Risk exposure comes from your Risk Registry, which contains:
1. AI-Identified Risks
When documents are analyzed, AI identifies potential risks:
- Security vulnerabilities mentioned
- Compliance gaps with risk implications
- Control deficiencies
2. Manually Added Risks
You can add risks directly:
- Third-party vendor risks
- Operational risks
- Business continuity risks
3. Framework-Specific Risks
Certain frameworks have built-in risk categories:
- HIPAA PHI exposure risks
- PCI-DSS cardholder data risks
- GDPR data processing risks
Reading the Risk Exposure Card
Severity Distribution
A healthy risk distribution might look like:
- Critical: 0 risks
- High: 2-3 risks (actively being addressed)
- Medium: 5-10 risks (in remediation)
- Low: 10-20 risks (tracked for awareness)
Warning Signs
Watch for these patterns:
- Multiple criticals - Immediate action needed
- Increasing trend - Risk management isn't keeping up
- All one severity - Classification may need review
Viewing Risk Details
Click the Risk Exposure Card
Opens the Risk Registry with filtering options.
Filter by Severity
Click a severity level to see only those risks.
Click Any Risk
Opens the risk detail view with:
- Full risk description
- Impact analysis
- Mitigation status
- Linked controls and gaps
Access Priority Queue
Switch to the Priority Queue tab to see AI-ranked risks needing attention.
Risk Metrics
Beyond the severity count, consider:
| Metric | What It Tells You |
|---|---|
| Average risk age | How long risks stay open |
| Resolution rate | Risks closed vs. opened |
| Mitigation coverage | Risks with active mitigation |
| Owner assignment | Risks with accountable owners |
Reducing Risk Exposure
Immediate Actions for Critical Risks
- Acknowledge the risk - Don't ignore it
- Assign an owner - Someone accountable
- Document impact - Understand the exposure
- Create remediation plan - Workflow or action items
- Set timeline - When it will be addressed
Systematic Risk Reduction
- Regular risk reviews - Weekly or monthly
- Prioritize by impact - Focus on highest severity
- Track mitigation progress - Monitor workflows
- Reassess after changes - New systems, vendors, processes
Risk Acceptance
Sometimes risks cannot be fully mitigated:
- Document the risk clearly
- Get management approval
- Set a review date
- Mark as "Accepted" in the registry
Accepted risks still count in your exposure metrics. They're tracked separately to ensure ongoing awareness.
Risk Categories
Common risk categories tracked:
| Category | Examples |
|---|---|
| Security | Data breaches, unauthorized access |
| Compliance | Regulatory violations, audit failures |
| Operational | System downtime, process failures |
| Vendor | Third-party breaches, service failures |
| Privacy | Data mishandling, consent violations |
| Financial | Fraud, misreporting |
Risk Trends
The Risk Exposure card shows trends:
- ↓ Decreasing - Good! More risks resolved than created
- → Stable - Consistent risk posture
- ↑ Increasing - Concerning, needs attention
What Causes Increasing Risk
- New document analysis reveals issues
- Vendor or system changes
- Regulatory requirement updates
- Security incidents
Achieving Decreasing Trends
- Complete risk remediation workflows
- Implement controls
- Close out accepted risks after review
- Improve security posture
Risk Exposure Reports
Generate reports for stakeholders:
- Executive Risk Summary - High-level severity counts
- Detailed Risk Register - Full listing with details
- Risk Trend Report - Historical changes over time
- Framework Risk Report - Risks by compliance framework
Common Questions
What's a good risk exposure target?
| Risk Level | Target |
|---|---|
| Critical | 0 (none allowed) |
| High | 0-5 (actively managing) |
| Medium | Reasonable count, no backlog |
| Low | Tracked but not urgent |
Should I delete old risks?
No. Keep closed risks for:
- Audit trail
- Historical analysis
- Pattern recognition
- Lessons learned
Mark them as "Closed" or "Mitigated" instead.
How do risks relate to gaps?
- Gaps are specific compliance deficiencies
- Risks are potential negative outcomes
- A gap can create multiple risks
- Risks can exist without gaps (e.g., vendor risks)
Next Steps
- Risk Registry - Full risk management
- Priority Queue - AI-prioritized risks
- Adding Risks - Create new risk entries