Guides

Get the Most Out of RiskReg

Step-by-step guides for every major capability. Whether you are setting up for the first time or configuring advanced ERM features, start here.

Getting Started

Essential guides for setting up your organization and core workflows.

Setting Up Your Organization

Configure your tenant, invite your team, and customize your risk management environment.

  1. Sign in and navigate to Admin > General. Set your organization name, upload your logo, and configure SSO domain claiming if your team uses Google or Microsoft accounts.
  2. Go to Admin > General to define your departments and processes. These appear as filters and grouping options throughout the platform.
  3. Open the User Management page from the sidebar. Click Invite User, enter their email, assign a role (Admin, Editor, or Viewer), and select their department. They will receive an email with an invitation link.
  4. Under Admin > Governance, review the default impact scale and appetite levels. Customize these to match your organization's risk appetite definitions.
  5. If your team handles sensitive data, enable multi-factor authentication for additional account security. Users set up MFA from their profile using Google Authenticator or a compatible TOTP app.

Managing Your Risk Register

Create, score, and treat risks using the 5x5 scoring matrix with inherent and residual assessments.

  1. Navigate to the Risk Ledger and click Add Risk. Enter the process, what-if scenario, immediate impact, and likely outcome. RiskReg assigns a unique risk code automatically.
  2. Score the inherent risk by selecting likelihood (1-5) and impact (1-5) on the scoring grid. This represents the risk before any controls are in place.
  3. Choose a treatment strategy: Avoid, Reduce, Transfer, or Accept. Add a treatment description explaining the rationale.
  4. After linking controls (see Control Library guide), score the residual risk. The difference between inherent and residual scores shows your control effectiveness.
  5. Use the filters on the Risk Ledger to slice by process, risk level, treatment strategy, category, owner, or department. Click the risk matrix to filter by specific likelihood/impact cells.

Building Your Control Library

Add controls, map them to compliance frameworks, manage their lifecycle, and link them to risks.

  1. Go to Controls and click Add Control. Enter the control title, description (supports markdown), assign an owner, and select the relevant department.
  2. Map the control to one or more compliance frameworks: ISO 27001/27002, ISO 22301, ISO 27701, ISO 9001, ISO 42001, SOC 2, COSO IC, DORA, or NIS2. Each mapping creates a traceable link for audit evidence.
  3. New controls start as Pending. Submit for review to move to Under Review, where a reviewer evaluates the design. Once approved, the control becomes Active.
  4. Upload evidence files in the Supporting Documentation section: policies, screenshots, configuration exports, or any file that demonstrates the control is in place.
  5. Link the control to the risks it mitigates. This creates full traceability from risk through control to compliance framework. Use the Import feature to bulk-load controls from a CSV.

Running Effectiveness Reviews

Assess control design, implementation, and operational effectiveness through structured review workflows.

  1. Navigate to Reviews to see the review dashboard: pending approvals, overdue reviews, and the percentage of controls reviewed. Click New Review to start.
  2. Select the control to review. The review follows three milestones: Initiation (scoping), Assessment (testing), and Validation (sign-off).
  3. Rate the control on three dimensions: Design (is it well-designed?), Implementation (is it properly deployed?), and Operational Effectiveness (does it work in practice?). Each is rated as Effective, Marginal, or Ineffective.
  4. Attach evidence files and add review notes to support your findings. If you use Jira or Linear, create an integration ticket directly from the review to track remediation.
  5. Submit the review for approval. The approver can accept or reject the review. All review activity is captured in the audit trail with timestamps and reviewer identities.

Advanced Features

Guides for enterprise capabilities including predictive analytics, financial quantification, and board reporting.

Using Predictive Risk Analysis

Understand risk forecasts, direction of travel, and appetite breach alerts to stay ahead of emerging threats.

  1. Open any risk from the Risk Ledger. The Forecast section shows the current residual score and a projected score 90 days into the future, calculated from historical trend data.
  2. Check the direction of travel indicator: increasing (score rising), decreasing (score falling), or stable (no significant change). This helps prioritize which risks need immediate attention.
  3. If a risk is projected to breach your appetite threshold, the days to breach alert shows how long you have to act. Use this to prioritize control improvements before a risk escalates.
  4. Review the suggested velocity adjustment. This indicates the rate of score change needed to bring the risk back within appetite, informing your treatment planning.
  5. The Trend section shows historical residual score snapshots with direction indicators. Use this to validate whether your treatment actions are actually reducing risk over time.

Financial Risk Quantification

Configure ALE-based exposure calculations to express risk in currency terms for executive decision-making.

  1. Go to Admin > Exposure and configure SLE mappings: assign a currency value to each impact level (1-5). For example, impact level 5 might represent a loss of 1,000,000.
  2. Configure ARO mappings: assign an annualized rate of occurrence to each likelihood level. For example, likelihood 3 might represent 0.5 occurrences per year.
  3. RiskReg automatically calculates ALE = ARO x SLE for every risk, showing both inherent exposure (before controls) and residual exposure (after controls). The difference represents your control value.
  4. Override the default SLE on individual risks when you know the specific financial impact. The override takes precedence over the level-based mapping for that risk.
  5. View aggregate exposure in the Portfolio view, which shows residual SLE and ALE per category, objective, or process. Use this data in board presentations to communicate risk in financial terms.
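
The calculation these five steps describe, written out as an added example (not RiskReg's own code). The mapping tables and sample risks are constructed, apart from the two values the guide quotes, and applying an SLE override to both the inherent and the residual figure is an assumption.

```python
from collections import defaultdict

# Constructed level mappings (assumptions). Only two values come from the
# guide's own examples: impact 5 -> 1,000,000 and likelihood 3 -> 0.5 per year.
SLE_BY_IMPACT = {1: 10_000, 2: 50_000, 3: 150_000, 4: 400_000, 5: 1_000_000}
ARO_BY_LIKELIHOOD = {1: 0.05, 2: 0.2, 3: 0.5, 4: 1.0, 5: 3.0}


def ale(likelihood, impact, sle_override=None):
    """ALE = ARO x SLE; a per-risk SLE override beats the level mapping."""
    for name, level in (("likelihood", likelihood), ("impact", impact)):
        if level not in range(1, 6):
            raise ValueError(f"{name} must be 1-5, got {level!r}")
    sle = SLE_BY_IMPACT[impact] if sle_override is None else sle_override
    return ARO_BY_LIKELIHOOD[likelihood] * sle


def exposure(risk):
    """Inherent ALE, residual ALE, and their difference (control value)."""
    # Assumption: the override replaces the SLE for both assessments.
    override = risk.get("sle_override")
    inherent = ale(*risk["inherent"], override)
    residual = ale(*risk["residual"], override)
    return {"inherent": inherent, "residual": residual,
            "control_value": inherent - residual}


def portfolio(risks, key="category"):
    """Sum residual ALE per grouping key, as in an aggregate view."""
    totals = defaultdict(float)
    for risk in risks:
        totals[risk[key]] += exposure(risk)["residual"]
    return dict(totals)


# Constructed sample risks: (likelihood, impact) before and after controls.
RISKS = [
    {"code": "R-001", "category": "Cyber", "inherent": (4, 5), "residual": (2, 4)},
    {"code": "R-002", "category": "Cyber", "inherent": (3, 5), "residual": (2, 3),
     "sle_override": 250_000},
    {"code": "R-003", "category": "Vendor", "inherent": (3, 3), "residual": (1, 3)},
]

if __name__ == "__main__":
    for r in RISKS:
        print(r["code"], exposure(r))
    print(portfolio(RISKS))
```

With an override in place, only a change in likelihood moves the residual figure for that risk, which is worth checking when a control is meant to reduce impact rather than frequency.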

Board Reporting & Snapshots

Generate executive-ready risk reports with composite scores, heatmaps, and historical trend data.

  1. Open the Board Dashboard from the sidebar. This executive view shows a RAG banner, residual risk heatmap, key numbers (total, high, within/above appetite), control health, and review activity.
  2. Click Export PDF on the board dashboard to generate a board-ready report. The PDF captures the current state with all metrics and visualizations.
  3. Navigate to Snapshots to see historical risk posture records. Snapshots are created automatically on a monthly cycle, and you can create a manual snapshot at any time for ad-hoc reporting.
  4. Use Compare to select two snapshots and see deltas across all metrics: composite score, risk score, review score, effectiveness, risk counts, and control counts. This shows progress between reporting periods.
  5. Open the Timeline view for an interactive chart tracking composite score, risk score, review score, and effectiveness over time. Add the ALE line to show financial exposure trends alongside qualitative metrics.

Team & Access Management

Manage users, roles, SSO, and multi-factor authentication across your organization.

  1. Three roles control access: Admin (full access, tenant configuration), Editor (create and modify risks, controls, reviews), and Viewer (read-only access to all data).
  2. Invite team members from the User Management page. Select their role and department. Invitees receive an email link to create their account and join the organization.
  3. Enable SSO domain claiming under Admin > Security. Once a domain is claimed, all users with that email domain sign in via Google or Microsoft automatically.
  4. Users can enable multi-factor authentication from their profile. MFA uses the TOTP standard, compatible with Google Authenticator, Authy, and other authenticator apps.
  5. Monitor team activity in Admin > Audit. Filter by entity type (Risk, Control, Review), action (Created, Updated), or user. Every change is recorded with before/after values for compliance evidence.

Ready to Get Started?

Contact us for early access and we will help you set up your organization. For more on the risk management process, see How It Works or explore our ERM features.

Contact for Early Access