User Guide: Assessments Module for Risk Assessment Application.
Welcome to the Assessments module of our Risk Management application! Assessments are the key feature, the heart of the application. This guide gives detailed information about Assessments in the Risk Assessments module.
In Risk Assessments, assessments refer to systematic evaluations conducted to ensure that an organization adheres to laws, regulations, standards, and internal policies. These assessments are critical for identifying risks, mitigating risks, and maintaining the organization's credibility and operational integrity. Here's an overview:
Risk Assessments Screen – Complete Overview
The Risk Assessments screen is the core working area in the Risk Watch platform where you create and manage assessments for facilities using predefined Risk Templates. It supports the entire risk lifecycle, from identification to mitigation and monitoring through KRIs.
Benefits of Risk Assessments
- Ensures legal and regulatory adherence.
- Reduces financial penalties and reputational damage.
- Strengthens internal controls and operational efficiency.
- Builds trust with stakeholders and customers.
- Prepares the organization for audits and inspections.
Assessments in Risk management are systematic evaluations that organizations undertake to ensure they are meeting legal, regulatory, and internal policy requirements. These assessments are vital for identifying areas of risks, mitigating risks, and fostering a culture of accountability and ethical behaviour within an organization. Here’s a detailed explanation:
Purpose of Risk Assessments
The main purpose of Risk Assessments is to identify, evaluate, and manage risks that could negatively affect an organization’s operations, assets, people, or reputation. In platforms like RiskWatch, Risk Assessments help organizations make informed decisions to reduce or eliminate risks, stay compliant, and improve overall resilience.
- Risk Identification: Discover and document potential risks to an organization, facility, or process.
- Risk Evaluation: Assess the likelihood and impact of each risk to calculate a risk score (inherent & residual).
- Prioritization of Risks: Rank risks based on severity so that the most critical ones are addressed first.
- Control Assessment: Review current controls in place and determine whether they are sufficient.
- Mitigation Planning: Generate recommendations and tasks to reduce or eliminate risks.
- Decision Support: Provide leadership with data-driven insights for making risk-related decisions.
- Compliance Mapping: Link risks to compliance standards and detect compliance gaps.
- KRI Monitoring: Add Key Risk Indicators to continuously monitor risks after assessment.
- Documentation & Evidence: Maintain a record of the entire risk process for audit, tracking, and improvement.
- Full Risk Lifecycle Management: Enable a closed-loop system from risk identification through treatment to closure and monitoring.
In RiskWatch, the Risk Assessment screen allows you to:
- Perform risk assessments per facility
- Use risk templates to standardize the process
- Assign recommendations and tasks
- Monitor risk via KRIs
- Track residual risk improvements over time
The purpose of Risk Assessments is to ensure that risks are understood, prioritized, treated, and monitored, so the organization can operate securely, remain compliant, and make informed decisions.
1. Purpose of the Screen (Risk Assessment)
The screen is designed to:
- Create assessments for each facility.
- Evaluate risk scenarios grouped in risk templates.
- Offer recommendations and task assignments.
- Track risk mitigation progress and KRI monitoring.
- Cover the full risk lifecycle from assessment to closure.
2. Components of the Risk Assessment Screen
A. Facility Selection
- Choose the facility or asset for which the assessment is being performed.
- Each facility may have one or more assessments based on different templates.
B. Risk Template Association
- Select from a pre-created Risk Template, which groups related risks.
- Templates contain risk categories, risk scenarios, and associated questions.
C. Assessment Overview Section
- Shows assessment status: Not Started, In Progress, Completed.
- Displays the Risk Score and Residual Risk.
- Links to related KRIs, Recommendations, Tasks.
D. Risk Items List
- A breakdown of all risks in the selected template.
- Each risk shows:
  - Inherent Risk Score (before controls).
  - Residual Risk Score (after controls or tasks).
  - Gap Score (if mapped to compliance libraries).
  - Assigned mitigation recommendations.
E. Recommendations and Tasks
- Based on risk scores, the system suggests risk treatment recommendations.
- Recommendations can be:
  - Preventive
  - Detective
  - Corrective
- Tasks can be created to:
  - Implement controls
  - Reduce residual risk
  - Track status (Open / In Progress / Closed)
F. KRI (Key Risk Indicators) Section
- Add KRIs to each risk.
- Monitor thresholds and trigger alerts when crossed.
- Helps in ongoing monitoring post-assessment.
- Supports automatic risk score adjustment based on KRI behaviour.
G. Evidence and Justifications
- Upload supporting documents, evidence, or audit trails.
- Justify the selected risk score or treatment decisions.
3. Lifecycle Stages of Risk in this Screen
| Stage | Description |
|---|---|
| 1. Identification | Risks are loaded from templates; each one is assessed for relevance to the facility. |
| 2. Evaluation | Determine likelihood, impact, and calculate Inherent Risk. |
| 3. Control Mapping | Review existing controls; calculate Residual Risk after controls. |
| 4. Recommendations | System offers mitigation strategies based on scores. |
| 5. Task Management | Assign tasks to reduce risk; set deadlines and monitor. |
| 6. Monitoring via KRIs | Add and track KRIs for each risk for continuous monitoring. |
| 7. Closure | When tasks are completed and residual risk is acceptable, risks can be closed. |
4. Interface Tabs
| Tab | Function |
|---|---|
| Overview | Dashboard view with scores and summary |
| Risk Details | View/edit each risk, score, KRI, and justification |
| Recommendations | List of all recommendations and their task status |
| KRIs | Track KRI values, history, and alerts |
| Tasks | Monitor tasks assigned to reduce risk |
| Attachments | Upload supporting evidence |
| Comments | Collaborate or log notes during assessments |
5. Risk Scoring
Each risk typically uses:
- Likelihood × Impact for Inherent Risk.
- Residual score considers:
  - Effectiveness of controls
  - Open tasks
  - KRI trends
  - Compliance gap scores (if mapped)
6. Integration with Other Modules
- Compliance Module Mapping:
  - Risks can be mapped to question categories or library questions.
  - If assessments are completed in compliance, gap scores are used to auto-calculate residual risks.
- Dashboard/Reports:
  - All assessments feed into dashboards.
  - You can generate reports by facility, risk category, or time period.
7. Key Benefits
- Centralized risk assessments for all facilities.
- Risk scores dynamically updated.
- Automated recommendations and mitigation tracking.
- KRI integration enables ongoing monitoring.
- Full visibility of risk lifecycle from start to close.
Example Workflow
- Create Assessment → Select Facility → Pick Template
- Score Risks → Likelihood * Impact → Add Controls
- System suggests Recommendations
- Assign Tasks → Track Implementation
- Add KRIs → Monitor ongoing behaviour
- Update Residual Scores
- Close Risks when accepted level is reached.
Types of Risk Assessments
Each type serves a different purpose depending on the industry, risk domain, or assessment goal.
Assessments are mainly created for 3 types of Risk templates:
- Asset, Threat and Vulnerability based Risk Assessments
- Confidentiality, Integrity and Availability based Risk Assessments
- Likelihood and Impact based Risk Assessments
In our application, assessments are mainly categorized into 2 types:
Regular assessments and Audit assessments.
Let’s go through the Regular assessments in detail.
Regular Assessment
This tab shows the list of assessments in a grid. By default, the grid shows the view details icon, assessment name, start date, end date, status and Action column.
From this screen you can create, edit and delete assessments as needed. Note that you can’t create audit assessments from the assessments page; you can create them only from Audit registers.
How to create an assessment?
You can create the assessment by providing all required details on the assessment creation page.
- Click the Create Assessment button at the top right of the page.
- The assessment creation page opens.
- By default, the creation page is set to New Assessment creation.
- To create a clone assessment, select the Clone from Risk Assessment check box.
- By default, the assessment creation page has the following fields:
  - Risk Assessment name
  - Start date
  - End date
  - Facility
  - Select Risk Template
  - Compliance Assessments
  - Scope of Assessments
  - Recurring On
  - Create assessment and cancel buttons
Fill in the mandatory fields from the above list and click the Create Assessment button. Your entries are saved and the assessment is created.
Here is the detailed information of the assessment creation fields.
Risk Assessment Name: The Assessment Name field in a compliance product typically serves as a label or identifier for a specific Risk assessment. The field allows users to assign a clear, descriptive, and unique name to an assessment. This helps in easily identifying and managing multiple assessments within the Risk management tool.
This is an input field where users can manually input or edit the name during the creation or modification of an assessment.
Decide on a name for the assessment and enter it in the Name field.
This is a mandatory field; you can’t create the assessment without it.
Start Date: The date when the assessment process is initiated. It is a critical field that plays an important role in tracking timelines, planning, and managing the lifecycle of the Risk assessment. Here's a detailed description:
Purpose
- Initiation Tracking: Marks the official commencement of the assessment process.
- Timeline Management: Helps in calculating durations, aligning milestones, and ensuring timely completion.
- Reference Point: Serves as a historical record for audits and Risk reporting.
Key Features
- Manual Entry or Auto-Generated:
  - The start date may be entered manually by the user while creating the assessment.
  - Alternatively, it may be auto-generated to reflect the current date when the assessment is initiated.
- Editable:
  - Some systems allow users to adjust the start date, but changes are often restricted to maintain audit trails.
- Validation Rules:
  - Must be in the past or the present (future dates are typically restricted unless scheduling is allowed).
  - Format consistency, e.g., YYYY-MM-DD, for uniformity across records.
- Mandatory Field:
  - Often a required field to ensure proper tracking and prevent incomplete records.
Use Cases
- Project Planning:
  - Acts as a baseline for setting due dates and determining critical paths for the assessment process.
- Reporting and Analytics:
  - Used to generate reports on assessment timelines and identify delays or bottlenecks.
- Risk Assessment Deadlines:
  - Ensures the assessment aligns with regulatory deadlines by tracking from the start date.
This is an input field where you set the start date of the assessment. By default it shows the current date; you can adjust it as required, to either a past or a future date.
If it is set to a future date, the assessment will not be displayed in the grid until the start date is reached.
This is also a mandatory field to create the assessment.
The start date cannot be typed in manually. Clicking the field opens a calendar, where you can select any date you require.
End Date
End date represents the date when the assessment process is completed or officially closed. This field is crucial for tracking progress, ensuring deadlines are met, and maintaining accurate records for compliance purposes.
Helps in evaluating the efficiency of the assessment process by measuring the time between the start and end dates.
This is also an input field, where you select the end date of your assessment, that is, the date by which you can complete it.
By default it displays the date exactly 1 month after the current date.
The end date cannot be typed in manually; you select it from the calendar that opens when you click the field.
This is a mandatory field to create the assessment; you cannot skip it.
The end date can be any date that is not earlier than the start date.
Facility
Facility Selection in the context of assessment creation in a compliance product refers to the process of choosing one or more specific locations, sites, or operational units where the assessment will be conducted. This field is essential for tailoring the scope of the assessment and ensuring accurate compliance evaluation.
Customization: Ensures the assessment aligns with the unique attributes, risks, or compliance requirements of the selected facility.
Record Keeping: Helps maintain facility-specific Risk records for audits and reporting.
- Facility Database Integration:
  - Facilities are typically pre-registered in the system, allowing users to select from a dropdown list, search box, or hierarchical tree view.
- Single or Multi-Selection:
  - Users can often choose a single facility for focused assessments or multiple facilities for broader evaluations.
- Filter Options:
  - Systems may allow filtering facilities by attributes like location, size, operational type, or compliance category to streamline selection.
- Mandatory Field:
  - This field is usually required to ensure the assessment is appropriately scoped.
- Dynamic Content Generation:
  - Selecting a facility can dynamically populate or customize assessment templates, checklists, or requirements based on the facility's attributes.
The Facility field is a drop-down. If you are logged in as admin, it lists all available facilities in the application.
If you are logged in as manager, it shows only the facilities mapped to that user.
You can select any facility from the list. It is a multi-selection field, so you can select one or more facilities for an assessment.
At the top of this field, a count shows how many licenses are available (denominator) and how many facilities are being assessed (numerator).
As you select facilities, the numerator increases. Note that if a selected facility was already assessed earlier, the numerator does not increase, because the license for that facility has already been debited.
You can also create new facilities from the assessment creation page by using the + icon. It opens the add facility page, where you can enter all required data and create the facility. A success message is shown and you are taken back to the assessment creation page, where the new facility is now selected in the facility drop-down.
Assessing this facility debits one license, so the count shows 1/available licenses.
You can get some information about the facility field by hovering over the pop-up icon beside it.
This is a mandatory selection to create the assessment.
Filter the facility
Facility selection has another feature: you can apply filters to the facilities list to get only the required facilities on the assessment creation page.
You can filter the data by using the following fields.
- Facility(s) not assessed: lists the facilities which have not been assessed so far.
- Facility(s) not assessed after date: lists the facilities which have not been used after the selected date.
- Region of the Facility(s): lists the facilities which are mapped to the selected region.
- Facility type of the facility(s): lists the facilities which are mapped to the selected facility type.
- Reset Filter: clears all applied filters and shows all available facilities.
When you click the filter icon beside the facility field, a pop-up called Filter the facility based on given data opens, with the above filter options and the Fetch data and Close buttons.
The filter options are multi-selection check boxes.
Select at least one and click Fetch data; the list of facilities is then displayed according to this selection.
You can apply one or more filter options at a time to get the required list of facilities in the facility drop-down.
Select Risk Template
In the RiskWatch Risk Assessment module, selecting a Risk Template is a crucial first step when creating a risk assessment. Here's the purpose and benefits of doing so:
Purpose of Selecting a Risk Template
- Standardization of Risk Evaluation:
  - A risk template provides a predefined structure for evaluating risks. It ensures assessments across different facilities or departments are consistent.
- Preloaded with Relevant Risks:
  - Templates contain pre-identified risks (like physical security risks, IT risks, etc.) grouped by category, saving time and ensuring no critical risk is missed.
- Defines Scoring Criteria:
  - Risk templates include scoring models, such as impact, likelihood, and vulnerability, which guide users in calculating accurate risk scores.
- Aligns with Regulations or Frameworks:
  - Templates can be built based on industry standards, regulations (e.g., ISO 27001, HIPAA), or internal policies, ensuring compliance is baked into the assessment.
- Simplifies Task and Recommendation Mapping:
  - Risks in templates are often linked with default controls, tasks, and recommendations, enabling easier mitigation planning.
- Enables KRI Mapping:
  - Templates support Key Risk Indicator (KRI) mapping for ongoing monitoring of risks during the risk lifecycle.
How It Works
When you create a new Risk Assessment, you select a Risk Template (like Physical Security, HR Risk, etc.), and the system:
- Loads all the risks and categories from that template.
- Applies the defined risk scoring methodology.
- Enables you to evaluate, assign tasks, and track mitigations based on the template’s structure.
Example
If you’re assessing a Data Center, and you choose the IT Security Risk Template, the system might preload risks like:
- Unauthorized Access
- Malware Attacks
- Data Breach
- System Downtime
Each of these risks will have predefined impact, likelihood, recommendations, and KRIs—making your job easier and more consistent.
The Select Risk Template field is a drop-down that contains the predefined templates from the platform. You can’t create new templates from assessment creation; you can only select predefined templates.
It is a multi-selection drop-down. You can create an assessment with all 3 types of templates, and you can even select all templates for one assessment.
Compliance Assessments
This feature is only available if the instance is a dual product instance. In the RiskWatch Risk Assessment module, the Compliance Selection during risk assessment creation is an optional but powerful feature that links compliance assessments with risk assessments.
Purpose of Compliance Selection in Risk Assessment Creation
- Integrates Compliance with Risk:
  - Selecting a compliance framework (like ISO 27001, HIPAA, or internal policies) allows you to map compliance assessment results to related risks in your risk assessment.
- Auto-Includes Gap Scores in Risk Calculations:
  - When mapped correctly, gap scores from compliance assessments (e.g., missing controls or policy failures) are used to influence or update the risk score in the risk assessment.
- Improves Risk Accuracy:
  - This ensures that the risk scores reflect real compliance performance, not just theoretical risk. For example, if a control required by ISO is missing, the associated risk score will increase.
- Supports Continuous Monitoring:
  - As compliance assessments are updated over time, risk assessments dynamically reflect those changes, making the risk management process more responsive and real-time.
How It Works in RiskWatch
When creating a Risk Assessment, the system may prompt you to select a Compliance Assessment (if configured):
- Choose from available Compliance Assessments (e.g., “HIPAA Assessment – Facility A”).
- The system links that compliance assessment to the risk template used.
- Risk vs Compliance mapping (done at the template level) connects:
  - Risks in the Risk Template
  - To Question Categories or Questions in the Compliance Library
- Gap scores from those questions are pulled and reflected in the risk calculations.
Example
- Risk: Data Privacy Violation
- Compliance Question: Does the organization have data encryption at rest?
- If the compliance answer shows a gap (e.g., "No"), the system raises the risk score for Data Privacy Violation automatically.
Benefits
- Saves time by reusing compliance work for risk calculations.
- Promotes interconnected GRC (Governance, Risk, and Compliance) management.
- Provides a more accurate risk profile based on actual control effectiveness.
This field is only available in a dual product instance.
The Select compliance assessment field is a drop-down that contains all assessments from the compliance module.
It is a single-selection drop-down.
If you select an assessment from this drop-down and then create the assessment, the selected compliance assessment is mapped to this Risk assessment. Its gap score is then added when calculating the risk scores of individual risks, provided the risks are mapped to questions from that compliance assessment and the facility is mapped.
Scope Of Assessment
In the RiskWatch Risk Assessment module, the Scope of Assessment defines the boundaries and focus of the assessment you’re creating. It ensures that all stakeholders are clear about what is being assessed, where, and under what context.
During assessment creation, you enter the scope in a dedicated field or section.
- Ensures consistency and clarity.
- Aids in auditability and compliance.
- Helps assessors stay focused on relevant risks only.
- Sets a reference for future reviews and re-assessments.
Recurring On
This is another powerful feature, used to create assessments automatically.
When you select the Recurring On feature, child assessments are created for the mapped assessments.
You can set up how many assessments need to be created and at what frequency they are created.
By default, the Recurring On drop-down is set to Never, which means no child assessments are created for this assessment.
The Recurring On drop-down also contains the Daily, Weekly, Monthly and Yearly options.
Once you select one of them, three more drop-downs are displayed: i. How frequently does it Recur? (Frequency: Every 1 Day(s)), ii. Assessment Duration (no. of days), and iii. Frequency count.
Duration is set to 30 days by default, so the assessment lifetime is 30 days from its generated date.
Frequency shows 1 by default; you can enter any number you want, such as 2 or 3, which means the assessment recurs every 2 days or every 3 days. For example, suppose you enter 2.
Total No. of assessments displays 0 by default. Here you can enter a number based on your requirement, for example 2.
Child 1 is then generated automatically 2 days after the parent assessment, and child 2 is generated 4 days after the parent assessment was created.
If you select Weekly, the 1st child is created 2 weeks after the parent assessment.
These child assessments are not displayed on the assessments page until the start date is reached, but you can see them in the scheduled calendar on the My actions page.
Create Risk Assessment button
After making all the required entries and selections above, you can finally click the Create Assessment button. Here you have 3 ways to create the assessment.
1. Clicking the Create Assessment button creates the assessment directly, shows a success message, and opens the created assessment.
- If the selected facilities have third-party options, you are asked about third-party licenses.
If you want to fetch the third-party details, select them. The license information is shown and you are asked for permission to proceed; if you agree to the license details and click Yes, the assessment is created successfully and opened.
What is Clone Assessments?
Clone assessments typically refer to the practice of duplicating or replicating a Risk assessment or audit framework to be applied in multiple settings, such as across different departments, business units, or geographic locations. The goal of clone assessments is to ensure consistency and efficiency in evaluating compliance with regulations, policies, or standards.
Key Aspects of Clone Assessments in Compliance
- Replication of Frameworks:
  - The same compliance framework, checklist, or assessment methodology is applied across different entities or locations.
  - Ensures uniformity in evaluating compliance standards.
- Streamlining Processes:
  - Saves time by reusing a tested and proven assessment approach.
  - Reduces the need to create entirely new assessments for similar requirements.
- Consistency in Evaluation:
  - Standardizes the interpretation and application of regulations or standards.
  - Helps in comparing compliance status across different areas.
- Customization as Needed:
  - While the assessment is cloned, it may allow for minor adaptations to address local or situational nuances (e.g., regional regulations).
- Example Use Cases:
  - Global Operations: A multinational company might clone an internal compliance assessment for its subsidiaries worldwide.
  - IT Security: Applying a cloned cybersecurity compliance assessment to different data centers.
  - Financial Audits: Using the same audit checklist for branch offices.
- Benefits:
  - Promotes uniform compliance practices.
  - Enhances scalability in monitoring compliance.
  - Reduces redundancy in designing new assessments.
How to create a clone assessment?
Creating a clone assessment is a straightforward process.
- Click the New Assessment button on the assessments page.
- Select the Clone from Risk Assessment check box.
- The Risk assessment drop-down field is displayed.
- This drop-down lists all existing risk assessments.
- Select one from the list, enter the name of the assessment, adjust the start date and end date as required, select the facility and template, and click the Create Assessment button.
- The clone assessment is created, a success message is shown, and the assessment opens on its summary page.
The clone assessment creation page has the following fields:
- Name: an input text field; enter a unique name so the assessment is easy to identify.
- Start date: shows the current date by default; you can adjust it as required.
- End date: shows a date one month from the current date by default; you can adjust it as required.
- Risk Assessments: the main field for creating the clone assessment. It is a drop-down that contains all available active existing assessments, meaning assessments that are not closed. It is a single-selection drop-down and a mandatory field; you can’t skip it when creating the clone assessment.
- Facility: multiple facilities can be selected from the drop-down.
- Select Risk Template: as with facilities, you can choose multiple templates to create an assessment for that facility.
- Compliance assessment: if you also want to consider the gap score of that facility to get accurate risk values, you can map suitable compliance assessments by clicking this field.
- Scope of assessment: enter text describing the scope of the assessment.
- Clone from Risk Assessment check box: the clone is created only if you select this check box.
- Recurring On: if you want to create multiple child assessments for this clone assessment, set up the recurring feature as described under Risk assessment creation above.
Audit Assessments
This is a separate tab on the assessments screen. It displays all audit assessments created from audit registers.
Assessments are displayed here when the scheduled audit assessments reach the current date.
You cannot create new assessments from this audit assessments tab or from the assessments page.
From here you can only view, edit and delete audit assessments, as with regular assessments.
Any changes, modifications or updates you make to these assessments are captured in the events log.
The Regular and Audit assessments tables show all review assessments, which include open, in progress, completed and incomplete assessments.
To view the closed assessments, click the Archived assessments button at the top of the page beside the new assessments button.
It shows the closed assessments table. You can’t do the survey for these assessments.
If you change the status to anything other than closed, or extend the end date beyond the current date, the assessment appears in the review assessments table again, where you can perform any action on it.
On the Archived assessments page there is a button called Review assessments at the top of the page; click it to go to the Review assessments table.
The archived assessments table shows both regular and audit assessments that are in the closed state, in separate tabs.
How to create Risk Assessments in Bulk?
You can create Risk assessments in bulk by adding all assessments to an Excel sheet and uploading it to the application.
You can get the assessment creation Excel sheet by clicking the download data icon beside the Archived assessments button.
Clicking the download data icon generates an Excel sheet with all the column names required for creating assessments.
Using this sheet, you can add many assessments and upload them to the application in one go by using the upload data icon beside the download data icon.
The Excel sheet contains:
- Assessment Name
- Facility
- Risk templates
- StartDate(yyyy/mm/dd)
- EndDate(yyyy/mm/dd)
- Scope of assessment
- Recurring On
- Frequency
- Assessment duration
- Frequency count
Fill in all the required fields and save the sheet on your system.
Now open the application and go to assessments.
Click the upload data icon. A pop-up is shown for selecting the Excel sheet.
Click the select file button and select the sheet from where you saved it.
Then click the upload button.
The assessments are uploaded into the application in bulk.
Another pop-up is then displayed, listing all the assessments you added in the Excel sheet, with an individual Proceed button for every assessment and a Proceed all button to upload all assessments.
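The rules given for the creation fields, the Recurring On settings and the bulk sheet can be checked before a sheet is uploaded. The following is an added example, not RiskWatch code: it validates one sheet row (a dict keyed by the column names listed above) and previews the child assessments it would produce. It assumes that child offsets count from the parent's start date, that Frequency count is the total number of child assessments, and that Monthly/Yearly steps clamp to the end of shorter months; the facility and assessment names are constructed.

```python
import calendar
from datetime import date, datetime, timedelta

DATE_FMT = "%Y/%m/%d"  # StartDate(yyyy/mm/dd) / EndDate(yyyy/mm/dd) columns
MANDATORY = ("Assessment Name", "Facility", "StartDate", "EndDate")
RECURRING = ("Never", "Daily", "Weekly", "Monthly", "Yearly")


def _cell(row, col):
    """Return a sheet cell as a stripped string ('' when empty or missing)."""
    value = row.get(col)
    return "" if value is None else str(value).strip()


def _add_months(d, months):
    # Assumption: a month/year step clamps to the last day of a shorter month.
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def child_schedule(parent_start, recurring_on, frequency=1, duration_days=30, count=0):
    """(start, end) per child; child k starts k * frequency units after the parent."""
    if recurring_on == "Never":
        return []
    children = []
    for k in range(1, count + 1):
        step = k * frequency
        if recurring_on == "Daily":
            start = parent_start + timedelta(days=step)
        elif recurring_on == "Weekly":
            start = parent_start + timedelta(weeks=step)
        elif recurring_on == "Monthly":
            start = _add_months(parent_start, step)
        elif recurring_on == "Yearly":
            start = _add_months(parent_start, 12 * step)
        else:
            raise ValueError(f"unknown Recurring On value: {recurring_on!r}")
        # The child lives for the configured duration from its generated date.
        children.append((start, start + timedelta(days=duration_days)))
    return children


def _int_cell(row, col, default, minimum, errors):
    """Parse an optional whole-number cell, recording an error if it is invalid."""
    raw = _cell(row, col)
    if not raw:
        return default
    try:
        value = int(raw)
    except ValueError:
        errors.append(f"{col}: not a whole number: {raw!r}")
        return default
    if value < minimum:
        errors.append(f"{col}: must be at least {minimum}")
        return default
    return value


def validate_row(row):
    """Return (errors, child_schedule) for one row of the bulk sheet."""
    errors = []
    for col in MANDATORY:
        if not _cell(row, col):
            errors.append(f"{col}: mandatory field is empty")
    parsed = {}
    for col in ("StartDate", "EndDate"):
        raw = _cell(row, col)
        if raw:
            try:
                parsed[col] = datetime.strptime(raw, DATE_FMT).date()
            except ValueError:
                errors.append(f"{col}: expected yyyy/mm/dd, got {raw!r}")
    if len(parsed) == 2 and parsed["EndDate"] < parsed["StartDate"]:
        errors.append("EndDate: earlier than StartDate")
    recurring = (_cell(row, "Recurring On") or "Never").capitalize()
    if recurring not in RECURRING:
        errors.append(f"Recurring On: must be one of {', '.join(RECURRING)}")
        recurring = "Never"
    frequency = _int_cell(row, "Frequency", 1, 1, errors)        # default 1
    duration = _int_cell(row, "Assessment duration", 30, 1, errors)  # default 30 days
    count = _int_cell(row, "Frequency count", 0, 0, errors)      # default 0
    schedule = []
    if not errors:
        schedule = child_schedule(parsed["StartDate"], recurring, frequency, duration, count)
    return errors, schedule


# Constructed sample rows (not real data).
SAMPLE_ROWS = [
    {"Assessment Name": "DC-East IT security", "Facility": "Data Center East",
     "Risk templates": "IT Security", "StartDate": "2025/01/01", "EndDate": "2025/01/31",
     "Recurring On": "Daily", "Frequency": "2", "Assessment duration": "30",
     "Frequency count": "2"},
    {"Assessment Name": "HQ physical", "Facility": "", "StartDate": "2025-02-01",
     "EndDate": "2025/01/15", "Recurring On": "Hourly"},
]

if __name__ == "__main__":
    for sample in SAMPLE_ROWS:
        problems, children = validate_row(sample)
        print(sample["Assessment Name"], "->", problems or children)
```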
How to search the specific Risk assessment from the Grid
- You can find a specific record in the grid by using the search field or the Filter feature.
- You can filter the records by Name, Start Date, End Date, Status and options.
- You get the data by choosing the appropriate options in the filters drop-down.
- You can export all the assessment details to Excel by clicking the export icon at the top right. You can also hide or show columns by clicking the columns button beside the export icon.
Events: Events, or logs, are an excellent feature in applications for tracking and auditing user activities and system operations. They provide a detailed record of actions performed, helping to ensure transparency, traceability, and compliance. Here's an overview:
Purpose of Events
- Action Tracking: Record user actions such as creating, updating, or deleting records.
- Audit Trails: Maintain a history of changes for compliance and accountability.
- Performance Analysis: Log metrics to analyze application performance and usage.
- Security: Detect unauthorized access or suspicious activities.
User Activities
- Login/logout events.
- Data creation, modification, or deletion.
- Accessing sensitive modules or information.
Benefits of Events/Logs
- Improved Troubleshooting: Quickly identify issues by analyzing error logs.
- Compliance Support: Meet regulatory requirements by maintaining detailed audit trails.
- Enhanced Security: Detect anomalies such as unauthorized access.
How to get the Events in the Assessments module?
- Open Assessments.
- Click on the events dropdown at the bottom left of the screen.
- It will show you all the captured events for the Assessments module.
- This feature shows the Events table along with filter, search and export options.
The Events table has the following columns:
- Action Performed
- Performed By
- Module
- Action date
- Action Info
- View Details
Action Performed: Describes the action that was performed.
Performed By: Displays the mail ID of the user who performed the action.
Module: The part or section of the application where the action occurred.
Action date: The timestamp, that is, the exact date and time of the event.
Action Info: Shows which facility is affected by the update.
View Details: When you click on this icon, it displays the complete information of the action (create, update or delete), including the values of the assessment before the change, the values after the change, and which field of the assessment is affected.
You can find a specific log by searching for the record or by filtering the records.
The filter feature gives you options for all columns to get the exact record.
You can download all the log data into an Excel sheet, where you can see the values before and after each change.
Events also support sorting: when you use the sorting feature, each column's data is shown in sorted order, such as ascending order.
How To Open/View the Risk Assessments?
You can open the assessment by clicking the view details icon in the 1st column or the pen icon in the action column of the table for individual assessments.
Click on it, and it will take you to the assessment summary page.
How To Delete the Risk Assessments?
You can delete the Risk assessment by clicking the Delete icon in the Action column or the Delete button in the Assessment details page after opening the assessment.
Note that if the deleted assessment has a facility that is not used in any other assessment, you will get your facility license back.
How to Edit/View the Details of Risk Assessment?
Log in to Risk Assessments.
Go to the Risk Assessments page; it will show you the assessment table.
In that table, click on the view details icon in the 1st column, or
click on the edit icon in the Actions column.
It will open the assessment and navigate you to the Risk assessment Summary tab.
An assessment contains 3 sections:
- Risk Assessment Details
- Risk Assessment Summary
- Third party data.
By default, the Assessment summary drill-down is expanded and displays the information.
What are the fields we can update for existing Risk assessments?
You can update everything, such as Name, start date, duration, status, Risk information, Facility and recurring features, for existing assessments from the Assessment details section.
These are almost all of the fields for which you provided data while creating the assessment.
By default, the assessment summary is opened when you open the assessment, so you have to click on the Assessment details expander to open the screen.
Generally, the Assessment details section contains the following fields to update. Here's the detailed information on each field you can update.
Risk Assessment Details
Name: This displays the name you gave the assessment. It is still editable: you can change the name and, to save, click on the Update RiskAssessment button at the bottom right.
It will show a success message and stay on the same page.
The name change will be applied across the application, such as in Risk life cycle, Risk treatment, dashboard, reports, bulk upload, tasks, manage risk controls and pop-ups.
Start date: The start date represents the assessment creation date. You can change the start date as required at any time.
Note that if the assessment has the Recurring feature, it will not accept a change to the start date; it will alert you with a message at the top right.
End Date: This is also editable. You can adjust the End date at any time, so that the assessment remains available for as long as you need.
The Assessment Duration is updated based on the End date only.
Status: The status is applied to the assessment automatically, based on the End date, the current date and the Risk life cycle. You can also adjust the status of existing assessments manually at any time.
In general, there are 5 status options: New, In progress, Completed, Closed and Incomplete.
The general automatic flow is as follows.
When you create the assessment, the initial status is New (as long as the Risks for the facility have not been opened before the End date).
If you open the Risks for any one facility of the assessment, for any risk template, the status becomes In progress until it reaches the End date.
If you complete the Risk life cycle 100% for all templates of all facilities of the assessment, the status turns to Completed.
If a completed assessment reaches the End date, the status turns to Closed, and the assessment moves to the Archived list.
If the assessment reaches the End date without being completed, the status turns to Incomplete.
You can change the status to anything at any time.
Note that if you extend the End date of Incomplete surveys so that it crosses the current date, the status should automatically turn to In progress.
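The automatic status flow described above, written out as a small state model. This is an added example, not the application's own code; the class, field and action names are hypothetical, the End date is assumed to count as "reached" on the day itself, and manual status changes are not modelled.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

NEW, IN_PROGRESS, COMPLETED, CLOSED, INCOMPLETE = (
    "New", "In progress", "Completed", "Closed", "Incomplete")


@dataclass
class Assessment:
    end_date: date
    status: str = NEW
    risk_opened: bool = False      # risks were opened for at least one facility
    fully_completed: bool = False  # life cycle is 100% for every template and facility

    def refresh(self, today: date) -> str:
        """Recompute the automatic status for `today` and store it."""
        # Assumption: the End date is "reached" on the End date itself.
        end_reached = today >= self.end_date
        if self.fully_completed:
            # Completed assessments close (and are archived) at the End date.
            self.status = CLOSED if end_reached else COMPLETED
        elif end_reached:
            self.status = INCOMPLETE
        elif self.risk_opened or self.status in (INCOMPLETE, IN_PROGRESS):
            # An Incomplete assessment whose End date was extended past today
            # returns to In progress, and stays there on later refreshes.
            self.status = IN_PROGRESS
        else:
            self.status = NEW
        return self.status

    @property
    def archived(self) -> bool:
        """Closed assessments are the ones moved to the Archived list."""
        return self.status == CLOSED


# (day, action, new End date or None); action names are hypothetical.
Event = Tuple[date, str, Optional[date]]


def replay(end_date: date, events: List[Event]) -> List[Tuple[date, str]]:
    """Apply dated events in order and return the status after each one."""
    assessment = Assessment(end_date)
    history = []
    for day, action, new_end in events:
        if action == "open_risk":
            assessment.risk_opened = True
        elif action == "complete_all":
            assessment.risk_opened = True
            assessment.fully_completed = True
        elif action == "extend_end_date":
            if new_end is None:
                raise ValueError("extend_end_date needs the new End date")
            assessment.end_date = new_end
        elif action != "check":
            raise ValueError(f"unknown action: {action}")
        history.append((day, assessment.refresh(day)))
    return history


# Constructed timeline for an assessment that originally ends on 2025-03-31.
SAMPLE_TIMELINE: List[Event] = [
    (date(2025, 3, 1), "check", None),
    (date(2025, 3, 5), "open_risk", None),
    (date(2025, 3, 31), "check", None),
    (date(2025, 4, 2), "extend_end_date", date(2025, 4, 30)),
    (date(2025, 4, 10), "complete_all", None),
    (date(2025, 4, 30), "check", None),
]

if __name__ == "__main__":
    for day, status in replay(date(2025, 3, 31), SAMPLE_TIMELINE):
        print(day.isoformat(), status)
```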
Recurring On: (Assessment Duration (No. of days), How frequently does it recur and Total No. of Assessments)
If the assessment already has recurring functionality, you can remove the feature by selecting the Never option in this Recurring On field.
From then on, any pending recurring assessments will not be generated.
If all of them are already generated, they won't be removed.
If you want to change the recurrence used to generate the recurring assessments, for example from daily to weekly, monthly or yearly, you can update it.
You can also adjust the duration, how many assessments should be created and how frequently the assessment recurs.
Risk Templates: This displays the Risk templates selected for this assessment along with all available templates. If you want, you can map more templates and remove some existing templates.
As a result, the entire assessment changes. If you add more templates, the new template risks are added to the assessment for each facility, so the assessment status and calculations may vary. If you remove some, and analysis was already done for the removed templates, the assessment information, along with the tasks for the risk recommendations, is removed from the application, and the progress, status and calculations of the assessment change.
Facilities: If you update the facilities by adding more or removing some, adding results in new locations being added to the assessment with the same set of data, so you have to do the assessment for the new locations and recalculate the risk score, as the status and risks vary.
If you remove a facility, the entire risk information for that facility is removed.
Note that you cannot uncheck all the facilities or all the Risk templates of an existing assessment; these are mandatory fields.
Compliance assessment
This field is displayed only when the instance is a dual product. If the existing Risk assessment has no earlier mapping with compliance and the user now wants to connect it with compliance, they can choose a compliance assessment here. The facility-level gap score of that compliance assessment is then used to calculate the risk score of the Risk assessment for the same facility, based on the risk and question mappings.
If the Risk assessment already has a compliance assessment and the user wants to remove the mapping, if it has a negligible gap score or no gap score, choose the Select one option to remove the connection.
If you want to change the assessment selection, you can choose another one from this drop-down; all previous calculations will be modified based on the new selection.
If you want to create a compliance assessment from this risk assessment platform and map it to this assessment, click on the + icon beside this compliance field.
This is a powerful feature in risk assessment for connectivity between the 2 platforms (compliance and risk assessments).
The compliance assessment name is a unique auto-generated name made of the current Risk assessment name along with compliance and (some unique number), as shown below.
The compliance assessment has the same facilities as the risk assessment, and the questions which are mapped to the risks of this risk assessment.
Update Risk assessment, Back, Cancel and Delete buttons: these 3 are the buttons available in the assessment details page. Everything is updated to the assessment by clicking on the Update Risk assessment button.
When you want to go back from this page, you can click on the Cancel button at the bottom right or the Back button at the top right. If you want to delete this assessment, you can select the Delete button.
Where can we get the risk response details at assessment level?
You can see every risk response count, facility-wise, in the Assessment summary, like below.
We have 5 types of predefined risk responses in our application:
- Risk Accept
- Risk mitigate
- Risk Avoid
- Risk Transfer
- Risk review
In the RiskWatch Risk Assessment application there are 5 predefined Risk Responses that help organizations decide how to handle identified risks.
Here’s a detailed explanation of each response type:
1. Risk Accept
- Definition: You recognize the risk and decide to take no action to reduce it.
- When to Use:
  - The risk is low or within the organization's risk tolerance.
  - The cost to mitigate the risk is higher than the potential impact.
- Example: A small office decides to accept the risk of minor power outages rather than investing in a backup generator.
2. Risk Mitigate (also called Risk Reduction)
- Definition: You take steps to reduce the likelihood or impact of the risk.
- When to Use:
  - The risk is unacceptable, and you want to bring it to a manageable level.
  - You can implement controls or recommendations to lower the risk score.
- Example: Installing CCTV cameras to reduce the risk of theft.
3. Risk Avoid
- Definition: You eliminate the risk entirely by choosing not to engage in the activity that causes the risk.
- When to Use:
  - The risk is too high and cannot be controlled to an acceptable level.
  - Avoiding the activity does not significantly affect business objectives.
- Example: A company decides not to expand into a high-conflict region to avoid geopolitical risks.
4. Risk Transfer
- Definition: You shift the responsibility or financial burden of the risk to a third party.
- When to Use:
  - The risk cannot be reduced internally but can be outsourced or insured.
- Example: Purchasing cybersecurity insurance or outsourcing a risky process to a specialized vendor.
5. Risk Review
- Definition: You choose to monitor the risk and review it periodically, without immediate action.
- When to Use:
  - The risk is uncertain, not urgent, or needs more data before deciding.
  - Used often for emerging risks or when controls are under development.
- Example: You identify a potential risk due to upcoming regulations and decide to track updates before acting.
Summary Table:
| Risk Response | Goal | When to Use | Action Taken |
|---|---|---|---|
| Accept | Tolerate risk | Risk is low or cost to mitigate is high | No action |
| Mitigate | Reduce risk | Risk is unacceptable but controllable | Apply controls |
| Avoid | Eliminate risk | Risk is too high and unmanageable | Stop activity |
| Transfer | Shift risk | Risk better handled by third party | Use insurance/vendor |
| Review | Monitor risk | Risk is unclear or developing | Track and reassess |
The Risk Assessment summary table contains the following columns:
Facility: This column displays the selected facilities one by one, each with a view details icon to open the facility risk information.
Risk responses: The following 5 columns are the risk responses. Initially all display a count of 0, which means none of the risks has been opened and answered.
Once you give a response for any risk in that facility, the response column is updated with count 1, like below.
The last column in the Risk assessment summary table is Compliance assessment (displayed only when the instance is a dual product).
When you click on it, it opens the mapping compliance assessment drop-down with a + icon beside it.
If the assessment is already mapped to a compliance assessment (from this assessment summary level or from the assessment details level), it is displayed in this drop-down.
This is again a powerful feature for combining compliance and Risk assessment. If you select a compliance assessment here, it is mapped to this particular facility's risk assessment, not to the entire assessment, so the gap score for each risk in this facility comes from the specific compliance assessment mapped at summary level.
You can also create a new compliance assessment from here by clicking the + icon beside this compliance assessment field.
The compliance assessment name will be "risk assessment name" + compliance + "some unique number".
This assessment is created with only this facility and the questions which are mapped to its risks.
You can get specific records from the assessment summary grid by using the search option.
You can filter the records by facility name and risk responses, as shown in the above figure.
You can export all the assessment summary table data to Excel by clicking the export icon at the top right of this section. You can also hide or show columns by clicking the columns button beside the export icon.
How to Identify Risks in Assessments? / Where is the Risk identification screen in Assessments?
- Log in to the Risk assessment.
- Navigate to assessments and open one.
- Click on the view details icon in the Risk assessment summary.
- It will open the Risk identification screen.
- Here you can see all the available risks of the templates you selected for this risk assessment.
In the Risk Watch Risk Assessment application, the Risk Identification screen is a core feature used to identify, list, and describe risks associated with a specific facility or assessment.
Purpose of the Risk Identification Screen
- To capture all relevant risks that apply to the selected facility, based on the risk template used.
- To allow assessors to customize, evaluate, and update risks specific to the facility’s environment.
- It acts as the starting point in the risk lifecycle before evaluating scores, assigning controls, or mitigating.
Where You See It
- After creating a Risk Assessment, when you click into the facility and start the assessment, you will reach the Risk Identification tab or section.
What Happens After Identification?
Once risks are identified:
- You proceed to score each risk (based on impact, likelihood, vulnerability, etc.).
- Then, recommendations, tasks, and risk responses can be assigned.
- You can also track KRIs (Key Risk Indicators) if configured.
Example Use Case
If your facility is a data center, the risk identification screen might list:
- Unauthorized physical access
- Fire or power outage
- Cyber attack on network
You can remove risks not relevant (e.g., “hazardous materials”) and add any specific to your site.
Why It's Important
- Ensures tailored risk assessments instead of one-size-fits-all.
- Makes the risk analysis relevant and focused.
- Lays the foundation for accurate scoring and mitigation.
What happens after identifying the Risks? / What do we get once we open the risk templates facility-wise?
When you open the Risk identification screen, it shows the list of risks associated with each template you selected for this Risk Assessment.
There is a select Template drop-down at the top left, which contains all the selected templates.
By default, the data of one template is displayed on this screen, picked alphabetically by risk template name.
All the risks under the selected template are displayed in the bottom grid.
You can navigate back to the assessment summary screen by clicking the back arrow beside the select template drop-down.
Which data can we get from the Risk identification grid?
Mainly, you get the risk list along with category, owner information, controls offered, likelihood, impact, gap score, inherent risk and residual risk scores.
In detail, the risk data table has the following columns:
Risk Title – A brief heading or label summarizing the risk. This column shows the title of the risk.
Risk Name – The specific name identifying the risk event or scenario. This column displays the actual name of the risk.
Descriptive – A detailed explanation of what the risk involves.
Source of Risk – The origin or cause from where the risk arises.
Risk Category – A classification grouping the risk under a broader type (e.g., operational, financial). This column displays the category of the risk.
Risk Owner – The individual responsible for managing and monitoring the risk. This column shows the email ID of the user who acts as risk owner.
Recommendations – Suggested actions to mitigate, reduce, or address the risk. This column displays the recommendations mapped to that risk; if no controls were offered earlier, it is empty.
Department & Team Risk Owner – The department and team assigned to handle or monitor the risk. This column displays the mail ID of the user who acts as department owner.
Likelihood – The estimated probability of the risk occurring. This column shows the actual likelihood value of that risk before offering the control.
Impact – The potential severity of consequences if the risk occurs. This column shows the impact number of that risk.
Asset Threat Vulnerability (ATV Template) – A model linking an asset, a threat to that asset, and its vulnerability to determine risk. These 3 columns display the predefined ATV values, which are based on the severity.
Confidentiality Integrity Availability (CIA Template) – A framework evaluating how a risk affects data confidentiality, integrity, and availability. These columns display the predefined CIA values of this risk.
Gap Score – A numeric value showing the deviation between current practices and expected standards. This column shows a value when the Risk assessment is mapped to compliance and has questions which are answered and have some gap score.
Inherent Risk Score – The level of risk present before any controls or mitigations are applied. Shows the inherent risk score based on the formula (likelihood * Impact).
Residual Risk Score – The level of risk remaining after controls and recommendations are implemented. Shows the risk score value after offering the control, based on the formula (Residual likelihood * residual impact + compliance gap score).
Note that residual likelihood = likelihood * (1 - (average of control effectiveness of tasks marked as closed) / 5).
You can see the risk score values by hovering the mouse over the pop-up icons beside those values.
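The inherent and residual score formulas above, worked through for a CIA-template risk. This is an added example, not the application's own code; the class and function names are hypothetical. It assumes control effectiveness is rated 1 to 5, that residual impact equals the inherent impact unless supplied (the page gives no formula for it), and that a risk with no closed tasks gets no likelihood reduction.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional, Tuple

SCALE_MAX = 5  # likelihood, CIA values and control effectiveness are rated out of 5


@dataclass
class Task:
    effectiveness: int  # control effectiveness rating (assumed range 1..5)
    closed: bool        # only tasks marked as closed count towards the reduction


@dataclass
class Risk:
    likelihood: int              # Rare (1) .. Certain (5)
    cia: Tuple[int, int, int]    # confidentiality, integrity, availability, each 1..5
    tasks: List[Task] = field(default_factory=list)
    gap_score: float = 0.0       # assumed 0 when no compliance assessment is mapped

    def __post_init__(self) -> None:
        ratings = [self.likelihood, *self.cia,
                   *(t.effectiveness for t in self.tasks)]
        for value in ratings:
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"rating {value} is outside 1..{SCALE_MAX}")
        if self.gap_score < 0:
            raise ValueError("gap score cannot be negative")


def impact(risk: Risk) -> int:
    """Impact is the maximum of the values entered in the CIA fields."""
    return max(risk.cia)


def inherent_score(risk: Risk) -> int:
    """Inherent risk score = likelihood * impact, before any control."""
    return risk.likelihood * impact(risk)


def residual_likelihood(risk: Risk) -> float:
    """likelihood * (1 - (average effectiveness of closed tasks) / 5)."""
    closed = [t.effectiveness for t in risk.tasks if t.closed]
    if not closed:
        # Assumption: with no closed task there is no reduction yet.
        return float(risk.likelihood)
    return risk.likelihood * (1 - mean(closed) / SCALE_MAX)


def residual_score(risk: Risk, residual_impact: Optional[float] = None) -> float:
    """Residual likelihood * residual impact + compliance gap score."""
    if residual_impact is None:
        # Assumption: residual impact is not defined on the page, so the
        # inherent impact is reused unless the caller supplies a value.
        residual_impact = impact(risk)
    return residual_likelihood(risk) * residual_impact + risk.gap_score


# Constructed sample: likelihood Likely (4), CIA values 3/5/2, two closed
# tasks, one task still open, and a compliance gap score of 1.5.
SAMPLE = Risk(
    likelihood=4,
    cia=(3, 5, 2),
    tasks=[Task(4, closed=True), Task(2, closed=True), Task(5, closed=False)],
    gap_score=1.5,
)

if __name__ == "__main__":
    print("impact:", impact(SAMPLE))
    print("inherent score:", inherent_score(SAMPLE))
    print("residual likelihood:", round(residual_likelihood(SAMPLE), 2))
    print("residual score:", round(residual_score(SAMPLE), 2))
```

The open task rated 5 does not lower the score: a control only reduces residual likelihood once its task is marked as closed.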
Can we map risks to questions after creating the Risk Assessment?
Yes, you can map risks to questions even after creating the Risk assessment by using the Map questions feature available in the Risk identification screen.
The following steps show how to map risks to questions.
- Log in to the Risk Assessment product.
- Navigate to the Risk Assessments screen.
- Open the assessment and navigate to risk identification by clicking the view details icon in the Risk assessment summary table for the individual facility.
- It will open the Risk identification page.
- Click on the + icon in the action column of the risks table.
- It will open a pop-up called map risks to multiple questions.
- In this pop-up, select questions based on library and category selection and click on save.
- The selected questions will be mapped to your risk in the Risk assessment.
Here is the detailed explanation of how to map questions to a risk:
- Mapping risks to questions can be done in 2 ways:
  - One is to copy the mappings from existing risks.
  - The other is to create new mappings between your risk and questions.
- Click on the + icon in the action column; it will open a pop-up called Map risk to multiple questions.
- The pop-up asks “Do you want to copy data from existing risks?” with Yes and No buttons.
- If you click on Yes, it will show you the select Risk drop-down.
- This drop-down contains all risks from all available templates which already have mappings to compliance questions.
- The drop-down shows the risk name and the template name, and it is a multi-selection option.
- You can choose any number of risks to copy the data to your required risk, and you can even select all risks to copy the data.
- Then click on the save button; it will show the success message and close the pop-up.
- Now some questions are mapped to your risk, copied from the other risk's mapping.
- When you click on the + icon again for the same risk, this time it will show you the list of mapped questions which you copied from other risk mappings, like below.
- This pop-up shows the complete information of the questions you mapped to your risk.
- It gives you the content library names, question categories and questions drop-downs, and the table shows the question number, question text, question title and delete option.
- Here you can modify your mapping again as required by using the libraries, question categories and questions drop-downs.
- You can add or remove content by selecting or deselecting records in these drop-downs, and the table will be updated as per your selection.
- You can remove a particular question mapping from this risk by clicking the Delete icon in the table.
- Now click on save; your changes will be saved for this risk.
- Note that the modifications you make for this risk are not applied to the previous risks from which you copied these question mappings.
- In the first pop-up, if you click on No for “Do you want to copy data from existing Risks?”, it will let you select which libraries you want to map, the mapped categories of those libraries, and the questions belonging to those categories, to create a new mapping for your risk.
- Select the libraries from the library drop-down, so that all question categories under the libraries are displayed in the categories drop-down.
- Now select the categories you want, so that all questions under the categories are displayed in the Questions drop-down.
- Now click on save; the pop-up will be closed and a success message will be displayed. When you click on the + icon for the same risk again, it will display the questions mapped to this risk in the grid, like below.
You can adjust which risk grid columns are shown by using the columns button at the top right.
Based on these mappings, if the Risk assessment is mapped to a compliance assessment, and that assessment has these mapped questions and they are answered, the gap score is added to get the risk score of this individual risk of the facility.
Note that not all mapped questions need to be present in a single compliance assessment.
The gap score for the risk is calculated from whichever of the mapped questions are available and answered in the compliance assessment.
You can get specific records from this table by using the search icon and the filter options available in the grid columns, like below.
You can export/download this risk data into an Excel sheet by clicking the Excel export button.
You can show or hide the table columns by clicking the columns button beside the Excel export.
Here you can see the risk information of another template by selecting it from the select template drop-down field.
Note that mapping questions to a risk from the risk identification screen is specific to that assessment and is not applied at risk level.
How to create or add new risks to the Templates after creation of the assessment / from the Risk identification screen?
In the RiskWatch Risk Assessment module, after you’ve created an assessment, you can still add or create new risks in the associated risk template from the Risk Identification screen. Here's a detailed explanation of both methods:
Purpose of Adding New Risks After Assessment Creation:
Even after an assessment is created, you might identify additional risks (e.g., through KRI data, new threats, audit findings, etc.). These risks must be added to the risk template so they are included in the assessment and tracked properly.
Adding Risks Manually:
You can manually add new risks using the Risk Identification screen by following these steps:
Step-by-Step Guide:
- Navigate to the Risk Assessments module.
- Open any assessment and click on the view details icon.
- It will open the Risk Identification screen.
- It will show you the risks table, with a + icon at the top left of the table.
- Click on the “+ Add New Risk” or “Create New Risk” icon.
- It will open the add risk page.
- At the top of the page, it clearly displays the assessment name, facility name and template name in which you want to add risks, with a back arrow.
- When you click on that back arrow, it navigates you back to the risk identification screen.
The add risk page contains the following fields:
- Risk Number: This is a unique number generated by the system; you can't change it.
- Risk Name: Enter a unique name for your risk. It can be anything, as the field accepts alphanumeric values.
- Source of risk: Here you can add text information on the source of the risk.
- Risk category: This single-selection drop-down shows all available categories in the platform. Select the appropriate category for your risk.
- Risk owner: This displays all available active risk owners from the application. It is also a single-selection drop-down; choose one user to act as owner for this risk.
- Description: Here you can give detailed information on the risk.
- Status: There are 2 predefined options for risks, active and inactive. In the risk identification screen you can create only active risks; only active risks are displayed in assessments.
- Risk Title: Enter the title of your risk in this text field.
- Department & Team Risk Owner: Choose one user as owner of the department and team of your risk.
- Severity: In the severity field, there are 5 predefined options: Catastrophic (5), Major (4), Moderate (3), Minor (2) and Minimal (1). Select any one option from the list for your risk.
- (If it is an ATV template) Asset: Asset has 10 predefined values in settings, of which the enabled options are displayed in the Assets drop-down. Select one option from the list.
- Threat: Select one value from the 5 predefined options: High (5), Medium High (4), Medium (3), Low (2) and Very low (1).
- Vulnerability: Select one value from the 5 predefined options: High (5), Medium High (4), Medium (3), Low (2) and Very low (1).
- Likelihood: Select any one value from the list: Certain (5), Likely (4), Possible (3), Unlikely (2), Rare (1).
- Impact: This is auto-calculated as the maximum value, based on the values provided manually in the ATV fields or the values updated by using questionnaires.
- (If it is a CIA template) Confidentiality: Select one value from the 5 predefined options: High (5), Medium High (4), Medium (3), Low (2) and Very low (1).
- If the template has questionnaires, it shows a + icon beside the Confidentiality field to answer the questionnaires, and the Confidentiality value is updated by answering the questionnaires.
- Integrity: Select one value from the 5 predefined options: High (5), Medium High (4), Medium (3), Low (2) and Very low (1).
- If the template has questionnaires, it shows a + icon beside the Integrity field to answer the questionnaires, and the Integrity value is updated by answering the questionnaires.
- Availability: Select one value from the 5 predefined options: High (5), Medium High (4), Medium (3), Low (2) and Very low (1).
- If the template has questionnaires, it shows a + icon beside the Availability field to answer the questionnaires, and the Availability value is updated by answering the questionnaires.
- Likelihood: Select any one value from the list: Certain (5), Likely (4), Possible (3), Unlikely (2), Rare (1).
- Impact: This is auto-calculated as the maximum value, based on the values provided manually in the CIA fields or the values updated by using questionnaires.
- Mapped custom fields are also displayed here, if the Risk template has custom fields.
- The available custom field types are file, date, number, currency, text and text area.
- Answer these custom fields as needed; they are optional, not mandatory.
- Save and Cancel buttons: Click on Save to add the risk to your selected Risk template in the opened facility of the Risk assessment. When you want to stop the creation of the risk, click on the Cancel button to navigate back to the Risk Identification screen.
- Note that the new risk is mapped at risk level, for use in future assessments.
- It is also automatically included in the assessment for scoring and recommendations.
- Adding new risks does not require recreating the assessment. The system updates the assessment dynamically.
- Always recalculate the risk scores after adding new risks, to reflect the updated risk posture.
Example Use Case
Your physical security team notices an increase in unauthorized access attempts. You go to the Risk Identification screen, and either:
- Manually add a new risk: "Unauthorized Access due to Poor Access Controls"
You accept the risk, assign it to the Security Department, and it becomes part of your assessment and template moving forward.
What is Risk Life Cycle in Risk Assessments?
The Risk Life Cycle in the RiskWatch Risk Assessment module represents the entire journey of a risk, from its identification to its mitigation, monitoring, and review. This structured cycle ensures that risks are properly analyzed, treated, and tracked over time, allowing for better decision-making and control.
What operations or features are included in Risk life cycle?
The Risk Life Cycle represents the end-to-end process of managing risks within an organization. It ensures that risks are identified, analyzed, evaluated, treated, monitored, and reviewed systematically. In RiskWatch, this life cycle is supported by dedicated screens and workflows to enable continuous risk management across facilities and departments.
Risk Life Cycle Overview
The typical steps in the Risk Life Cycle within Risk Watch are:
- Risk Identification
- Risk Analysis
- Risk Evaluation
- Risk Recommendations
- Risk Treatment
- Risk Monitoring (via KRIs, Tasks, etc.)
- Risk Review / Trend Analysis
Now, let’s break down the key stages/screens:
- Risk Identification:
Objective: Detect and register all potential risks that can affect the organization’s operations, assets, people, or reputation.
Process:
- Risks are sourced from assessments, expert inputs, KRIs, audits, incidents, or AI Assist.
- Captured with essential metadata:
  - Risk Title, Description
  - Source, Risk Category
  - Department/Team Owner
  - Template Type (ATV or CIA)
Outcome: Risks are documented in a centralized repository and grouped within a risk template.
Risk Analysis screen
Purpose:
To evaluate the inherent nature of each risk based on likelihood, impact, and other relevant factors (like asset value, threat exposure, vulnerability, or CIA factors depending on the template).
Key Elements:
- Inherent Risk Score: Calculated based on default parameters before controls are applied.
- Risk Factors Considered:
- Likelihood of occurrence
- Impact severity
- Asset–Threat–Vulnerability (ATV) or Confidentiality–Integrity–Availability (CIA) weights
- Gap Score (if linked with compliance assessment)
- Residual Risk Score (post control/treatment)
- Objective: Understand the nature, severity, and likelihood of each risk to determine its inherent risk level.
- Process:
- Evaluate:
- Likelihood (probability of occurrence)
- Impact (consequences if it occurs)
- Additional attributes:
- ATV: Asset, Threat, Vulnerability weights
- CIA: Confidentiality, Integrity, Availability impacts
- Risk scoring models applied automatically by the system.
- If mapped to compliance content, Gap Score may also be included.
- Outcome: Inherent Risk Score is calculated for each risk.
The analysis helps prioritize which risks need urgent attention and forms the basis for recommending actions.
- Risk Evaluation:
- Objective: Compare the risk scores against predefined thresholds to determine their significance and priority.
- Process:
- Risks are evaluated as:
- Low, Medium, High, or Critical
- Color-coded risk matrices or scoring charts used for visualization.
- Helps identify which risks require immediate attention.
- Tool Used: Embedded within the Analysis and Risk Matrix views.
- Outcome: Decision point to trigger risk treatment plans.
Risk Recommendations Screen
Purpose:
To suggest specific mitigation actions (recommendations or controls) to reduce the risk level or impact.
Key Features:
- Shows recommended security measures, policies, technical controls, etc.
- Recommendations are:
- Pulled from content libraries based on the risk category
- Can be manually added or selected
- Each recommendation can include:
- Description
- Implementation owner
- Target date
- Control type (Preventive, Detective, Corrective)
- Effectiveness rating
Objective: Propose and assign controls or mitigation measures to reduce the impact or likelihood of risks.
Process:
- Recommendations can be:
- Pulled from libraries
- Manually added by assessors
- Suggested by the system (based on control mapping)
- Assigned to specific users or departments.
- Control types: Preventive, Detective, Corrective
Outcome: Defined actions to mitigate or reduce risk.
Once recommendations are applied, the residual risk score gets recalculated based on control effectiveness.
Risk Treatment Activities Screen
Purpose:
To manage the actual implementation of recommendations, track tasks, and update risk scores after treatment actions.
Treatment Options:
There are five predefined risk responses:
- Mitigate – Apply controls to reduce risk
- Avoid – Change/remove the risky activity
- Transfer – Outsource or insure the risk
- Accept – Tolerate the risk as-is
- Review – Keep monitoring until a decision is made
Actions You Can Perform:
- Assign treatment tasks to users
- Set target dates
- Track completion status
- Attach evidence
- Rate residual risk score
- Mark risk as treated or closed
- Objective: Choose and apply the most suitable risk response strategy and track progress.
- Response Types:
- Mitigate – Reduce risk by implementing controls.
- Avoid – Eliminate the activity causing the risk.
- Transfer – Shift risk to a third party (e.g., insurance, outsourcing).
- Accept – Tolerate risk without further action.
- Review – Defer action and monitor until more information is available.
- Process:
- Assign treatment tasks
- Attach evidence of implementation
- Set timelines and owners
- Mark tasks complete when actions are taken
- Outcome: Residual Risk Score is calculated based on treatment effectiveness.
Risk treatment ensures accountability and progress on reducing risk exposure.
- Risk Monitoring:
- Objective: Continuously observe risks to ensure they are under control and do not escalate.
- Process:
- Monitor through:
- Key Risk Indicators (KRIs)
- Automated alerts
- Periodic reviews
- KRIs help detect early signs of changes in risk exposure.
- Outcome: Active risk oversight with real-time insights.
Risk Review & Trend Analysis:
Purpose:
To visualize risk performance over time, helping you monitor how each risk's score or status changes across multiple assessments or reviews.
What You Can See:
- Graphical charts (line/bar) showing:
- Inherent risk trends
- Residual risk trends
- Risk movement over time
- Track the effectiveness of mitigation measures
- Identify if a risk is increasing, decreasing, or stable
This screen supports ongoing risk monitoring and enables better strategic planning.
- Objective: Review the effectiveness of controls and track the performance of risks over time.
- Process:
- Use trend charts and graphs to observe:
- Inherent vs. Residual risk movement
- Treatment impact across quarters or assessments
- Risk re-occurrence or escalation patterns
- Modify or retire risks based on trend data.
- Outcome: Historical performance analysis for better risk planning.
Final Outcome of the Risk Life Cycle
At the end of the cycle:
- Risks are well documented, mitigated, and monitored.
- Risk scores reflect current treatment status.
- Risk dashboards provide real-time status to management.
- The organization gains assurance that risk exposure is managed proactively.
Additional Notes:
- The Risk Life Cycle is iterative—new risks can be added anytime.
- Each phase feeds into the next, ensuring traceability and completeness.
- Integration with compliance assessments, tasks, and reporting tools enhances transparency.
Summary of Each Screen’s Role
| Screen | Purpose | Outcome |
|---|---|---|
| Risk Analysis | Evaluate and score each risk | Prioritization and risk score generation |
| Risk Recommendations | Suggest controls or mitigations | Input for treatment decisions |
| Risk Treatment Activities | Implement, assign, and track risk responses | Reduction in residual risk and task completion |
| Risk Trend | Visualize historical risk data | Support long-term monitoring and performance measurement |
How to open Risks in Risk Assessments? / How to Navigate to the Risk Life Cycle page?
To open a risk, or the Risk Life Cycle page, follow the steps below.
- Log in to Risk Assessments.
- Open any risk assessment; it will take you to the risk assessment summary.
- Click View Details on the summary page for any facility.
- It will take you to the Risk Identification page.
- Click the View Details icon in the first column of any risk in the Risk data table.
- It will take you to the Risk Life Cycle page (the open Risk page).
How many phases are included in the Risk Life Cycle, and what are they?
The RiskWatch Risk Assessment product has a total of 4 phases:
- Risk Analysis
- Risk Recommendations
- Risk Treatment Activities
- Risk Trend
PHASE A: Risk Analysis detailed Documentation
Overview
The Risk Analysis phase is the first and foundational step in the Risk Life Cycle within the Risk Watch Risk Assessment module. It helps organizations capture and evaluate risks systematically. This phase is divided into five interactive sections, allowing users to update risk details, calculate risk scores, select responses, view risk progression, and track KRI data.
Components of Risk Analysis
1. Risk Information
This section provides the basic metadata of the risk. It contains all the essential identifiers and contextual details.
The page displays “Risk: the risk name” at the top left of the screen. To modify the risk details, click the pen icon at the top right of the Risk Information panel, as shown in the figure.
Fields Displayed:
| Field | Editable? | Description |
|---|---|---|
| Risk Number | ❌ | System-generated or user-defined serial number for the risk |
| Risk Name | ✅ | The name of the risk (e.g., Unauthorized Access) |
| Risk Code | ✅ | Unique code for the risk, auto-generated and non-editable |
| Risk Title | ✅ | Short label or title for display/reference |
| Source of Risk | ✅ | Origin of the risk (e.g., internal audit, external threat) |
| Risk Category | ✅ | Category/type of risk (e.g., Cyber, Physical Security, Operational) |
| Risk Owner | ✅ | Responsible person, team, or department |
| Description | ✅ | Detailed narrative explaining the risk’s nature and context |
Most fields are editable except the Risk Number which is system-locked.
All these modifications are updated to this specific assessment, not to the central registers.
2. Risk Rating
This section calculates the Inherent Risk Score based on the values assigned, which vary depending on the template type. To edit the values or re-answer them, click the pen icon to make them editable.
Template-based Inputs:
| Template Type | Fields Required |
|---|---|
| LI (Likelihood-Impact) | Likelihood, Impact |
| CIA | Confidentiality, Integrity, Availability |
| ATV | Asset, Threat, Vulnerability |
Features:
- Editable sliders/dropdowns for each rating factor.
- A “+” icon is available to re-answer mapped questionnaires, which will automatically update the rating values.
- Re-answering the questionnaires updates the likelihood value.
- The Inherent Risk Score is calculated dynamically from these values.
This section is crucial for risk prioritization and further response decisions.
3. Risk Response
This section allows users to define the response strategy for the risk. The selected response affects how the risk will be treated or monitored.
Available Predefined Responses:
| Response Type | Meaning |
|---|---|
| Avoid | Eliminate the source of the risk entirely |
| Transfer | Shift the risk to a third party (e.g., insurance) |
| Review | Defer decision; keep the risk under observation |
| Mitigate | Apply controls to reduce the likelihood or impact |
| Accept | Acknowledge and tolerate the risk with no action |
To choose a response, click the pen icon in this panel, select one of these responses, and then click Save.
Based on the response selected, the risk may be included in the dashboard charts.
4. Inherent Risk Trend Chart
This is a graphical representation of the risk’s position on a risk matrix, based on its likelihood and impact values.
Chart Details:
- X-Axis: Impact
- Y-Axis: Likelihood
- Color Ranges:
- Green/Blue: Low Risk
- Yellow/Orange: Moderate Risk
- Red: High/Critical Risk
- The risk is plotted dynamically according to its inherent score.
- The trend over time is visible when the same risk is assessed repeatedly.
Helps visually assess the severity and priority of the risk.
In the inherent risk chart, the risk is positioned based on its Likelihood × Impact. The position is updated automatically every time the likelihood is updated, whether manually, by re-answering the questionnaires, or through KRI monitoring.
5. KRI Values (Key Risk Indicators)
KRIs are used to monitor risk conditions. This section lists all KRIs mapped to the risk.
Features:
- KRI Name: Displayed for each linked indicator
- Updated Value: Shows the most recent measurement
- Risks may have multiple KRIs being monitored.
- The average of the KRI values can therefore be taken to update the likelihood.
- When a KRI value changes, it may:
- Automatically update the Likelihood in the Risk Rating section.
- Recalculate the Inherent Risk Score.
- Update the Trend Chart accordingly.
This allows real-time, data-driven risk updates without manual intervention.
In the KRI table, you can find a specific record by using the search feature and the column filters in the grid.
You can export the KRI data to an Excel sheet by clicking the Excel Export button at the top right of the table, and show or hide columns by selecting them in the Columns drop-down.
Summary Workflow of Risk Analysis Phase:
- Fill/edit Risk Information →
- Set or calculate Risk Ratings →
- Define Risk Response strategy →
- Monitor on Trend Chart →
- Enable continuous updates via KRI values
Frequently Asked Questions (FAQ) ❓
Q1: Can I change the Likelihood and Impact values anytime?
A: Yes, these are editable. You can also use the “+” icon to answer the questionnaire again, which will automatically update these values based on the template you selected.
Q2: What happens if I change a KRI value?
A: When KRI values are updated, the system may adjust the likelihood, leading to a new Inherent Risk Score, and the trend chart will refresh to reflect the change.
Q3: Can I assign multiple responses to a single risk?
A: No, only one predefined response (Avoid, Mitigate, Transfer, Accept, Review) can be assigned per risk, per assessment. You can update it as required.
Q4: What is the difference between Risk Name and Risk Title?
- Risk Title: Short label, used in summaries and dashboards
- Risk Name: More descriptive and detailed identifier
Q5: Are KRI values editable manually?
A: Yes, authorized users can update KRI values manually, or they may be linked to automated data feeds depending on configuration. There are mainly 2 ways of getting a KRI value: a manual update by an authorized person, or answering the questionnaires configured for the KRI.
Q6: What is the use of the Inherent Risk Trend Chart?
A: It visually tracks the severity of a risk based on Likelihood and Impact, helping in quick decision-making and showing movement over time across assessments.
PHASE B: Risk Recommendation
Risk Recommendations Screen in RiskWatch Risk Assessment Module
Overview
The Risk Recommendations screen is the second phase in the Risk Life Cycle within the RiskWatch Risk Assessment module. This screen enables users to view, add, edit, and manage recommendations associated with risks. Recommendations help reduce risk scores based on their effectiveness and implementation.
Main Features
1. Recommendation Data Table
- Displays all recommendations linked to a specific risk.
- Multiple recommendations can be associated with a single risk.
- Columns include:
- Recommendation Name
- Description
- Control Effectiveness
- Implemented Date
- Expiry Date
- Inherent Risk
- Residual Risk
- Action (Edit/Delete icons)
2. Edit Recommendations
- Click the pen icon in the Action column.
- A pop-up appears to edit:
- Recommendation Name
- Details
- Control Effectiveness (Inadequate, Weak, Adequate, Effective, Strong)
- Recommendation Type (Standard/Temporary)
- Lifetime (Number + Time Unit: Years/Months/Days)
Adding Recommendations to a Risk
Adding recommendations is a key function on this screen. Users can add new or existing recommendations to mitigate identified risks effectively.
- Click the + icon (top-left of the table) to open the Add Recommendation popup.
- Use the multi-select drop-down to choose from all available recommendations in the application.
- Optionally provide:
- Recommendation Details
- Control Effectiveness (select from 5 predefined levels)
- Recommendation Type (Standard or Temporary)
- Lifetime Duration (numeric value + Years/Months/Days)
- Click Save to map selected recommendations to the risk.
- This mapping is assessment-specific and does not affect the central register.
Creating New Recommendations
You can create new recommendations directly within the Add Recommendation popup:
- Select the "Create New Recommendation" checkbox.
- Enter:
- Recommendation Name
- Category (dropdown)
- Description
- Control Effectiveness
- Recommendation Type
- Lifetime Duration (number + unit)
- Click Save to add the recommendation to both the current risk and the global register for future use.
AI-Suggested Recommendations
This is one of the most powerful and intelligent tools in the RiskWatch system.
- Click the AI Recommendation + icon next to the standard Add icon.
- A popup displays 5 AI-generated recommendations based on the current risk or its context.
- Each suggestion includes:
- Recommendation Name
- Category
- Effectiveness
- Description
- Selection Checkbox
- You can:
- Select one or more recommendations
- Click Save to add selected recommendations to your risk
- Repeat the process to view more sets of 5 AI suggestions
- This feature helps save time and ensures that recommended controls are contextually aligned with the identified risk.
- You can find a specific recommendation by using the search option and the column filters in the grid.
Benefits of AI Recommendations
- Reduces manual effort in identifying suitable mitigations.
- Ensures consistency and relevance in control application.
- Accelerates the risk mitigation planning process.
Additional Functionalities
- Delete Recommendation: Click the delete icon. If a task is linked to the recommendation, it will also be deleted.
- Note that deleting a recommendation is specific to the assessment and does not affect the central registers.
- Residual Risk Heatmap: Displays the post-recommendation risk position using color-coded zones.
Residual Risk Trend Chart and Score Panel
- The right side of the screen shows a dynamic Residual Risk Heatmap.
- Color ranges indicate the severity of residual risk after applying selected controls.
- Below the heatmap is a Residual Risk Score Panel, showing:
- Residual Impact
- Residual Likelihood
- Residual Risk Score
- Each score includes an info icon. Hover over it to see calculation logic:
- Residual Likelihood = Likelihood × (1 - Average Control Effectiveness of Closed Tasks / 5)
- Residual Risk Score = Residual Likelihood × Residual Impact + Compliance Gap Score
- Directional arrows next to Residual Risk Score show whether the score has increased or decreased compared to the Inherent Risk Score:
- Up Arrow: Residual Risk is higher than Inherent Risk
- Down Arrow: Residual Risk is lower than Inherent Risk
- Helps in visualizing the effectiveness of applied controls over time
- Implemented & Expiry Dates:
- Initially blank
- Automatically updated when the linked task is closed
- Export: Download table data as an Excel file
- Search/Filter: Use the search bar and column filters
- Column Visibility: Customize visible columns using the Columns button.
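The calculation logic shown in the info-icon tooltips above, worked through as an added Python example (it is not RiskWatch's own code). It assumes the five Control Effectiveness levels map to 1 through 5 in the order listed, that Residual Impact equals the inherent Impact unless supplied, and that the Inherent Risk Score is Likelihood × Impact; the sample recommendations, task statuses other than "Closed", and scores are constructed.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional

# Assumption: the guide lists five levels and divides by 5, so the levels are
# taken as 1..5 in the order listed. The product's internal values may differ.
EFFECTIVENESS = {"Inadequate": 1, "Weak": 2, "Adequate": 3, "Effective": 4, "Strong": 5}


@dataclass
class Recommendation:
    name: str
    control_effectiveness: str         # one of the EFFECTIVENESS keys
    task_status: Optional[str] = None  # None means no task has been created yet


def residual_risk(likelihood: float, impact: float,
                  recommendations: List[Recommendation],
                  compliance_gap_score: float = 0.0,
                  residual_impact: Optional[float] = None) -> dict:
    """Apply the two tooltip formulas and derive the direction arrow."""
    if residual_impact is None:
        residual_impact = impact  # assumption: impact is unchanged by controls

    # Only recommendations whose linked task is closed count toward the average.
    closed = [EFFECTIVENESS[r.control_effectiveness]
              for r in recommendations if r.task_status == "Closed"]
    # Edge case: with no closed tasks there is nothing to average, so the
    # reduction factor is 0 and the likelihood stays at its inherent value.
    avg_effectiveness = mean(closed) if closed else 0.0

    # Residual Likelihood = Likelihood x (1 - Average Control Effectiveness / 5)
    residual_likelihood = likelihood * (1 - avg_effectiveness / 5)
    # Residual Risk Score = Residual Likelihood x Residual Impact + Gap Score
    residual_score = residual_likelihood * residual_impact + compliance_gap_score
    inherent_score = likelihood * impact

    if residual_score > inherent_score:
        arrow = "up"
    elif residual_score < inherent_score:
        arrow = "down"
    else:
        arrow = None  # the guide does not describe an arrow for equal scores

    return {
        "closed_tasks_counted": len(closed),
        "residual_likelihood": residual_likelihood,
        "residual_score": residual_score,
        "inherent_score": inherent_score,
        "arrow": arrow,
    }


# Constructed sample data for the risk used earlier in the guide.
SAMPLE = [
    Recommendation("Badge readers on server room", "Effective", "Closed"),
    Recommendation("Quarterly access review", "Weak", "Closed"),
    Recommendation("CCTV coverage", "Strong", "Open"),   # ignored: task not closed
    Recommendation("Visitor escort policy", "Adequate"),  # ignored: no task yet
]

if __name__ == "__main__":
    # Two closed tasks (4 and 2) average 3, so likelihood 4 drops to 1.6.
    print(residual_risk(likelihood=4, impact=5, recommendations=SAMPLE))
    # No closed tasks plus a compliance gap: residual exceeds inherent (up arrow).
    print(residual_risk(4, 5, SAMPLE[2:], compliance_gap_score=3))
```

The second call shows why an Up Arrow can appear even though controls are mapped: until a task is closed its recommendation contributes nothing, while the Compliance Gap Score is still added.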
FAQs and Common Questions
Q1: Can I add multiple recommendations to a single risk?
A: Yes, you can map multiple recommendations to one risk.
Q2: What is "Control Effectiveness"?
A: A dropdown field with 5 levels: Inadequate, Weak, Adequate, Effective, Strong. It affects the risk score.
Q3: What is the difference between Standard and Temporary recommendations?
A: These are types to classify how long a recommendation is expected to remain effective.
Q4: Can I create my own recommendation instead of selecting from the list?
A: Yes, use the "Create New Recommendation" checkbox in the Add Recommendation pop-up.
Q5: Are recommendations assessment-specific or global?
A: Recommendations added through this screen are assessment-specific.
Q6: What happens when I delete a recommendation?
A: If the recommendation has tasks, those tasks are also deleted.
Q7: How does the AI Recommendation feature work?
A: It uses your risk context to suggest 5 suitable recommendations. You can select any or all of them to add.
Q8: How are the Residual Risk Scores calculated?
A:
- Residual Likelihood = Likelihood × (1 - Average Control Effectiveness of Closed Tasks / 5)
- Residual Risk Score = Residual Likelihood × Residual Impact + Compliance Gap Score
Q9: When do Implemented Date and Expiry Date appear?
A: After the related task is marked as closed.
Q10: Can I export the recommendation list?
A: Yes, click the Excel Export button on the top-right of the table.
PHASE C: Risk Treatment Activities
Phase 3: Risk Treatment Activities Screen
Once recommendations are mapped to a risk, they must be operationalized through tasks. This screen facilitates creating, assigning, and managing those tasks.
Key Features
1. Task Creation for Each Recommendation
- Each row in the data table has a Create Task link.
- Clicking it opens a Create Task popup, where you can enter:
- Status
- Assigned By (auto-filled with your login email)
- Assigned To (dropdown with all system users)
- Cost
- Priority (High / Medium / Low)
- Created Date (auto-populated)
- Due Date (selectable)
- Facility, Assessment, Recommendation (auto-filled)
- Subject & Description (auto-filled from recommendation)
- Option to upload attachments using Upload Attachment button
- Click Save to finalize the task
- A confirmation message appears, and email notification is sent to the Assigned To user
2. Task Link Update
- Once created, Create Task link becomes a Task Number link
- Clicking the Task Number lets you view/edit the task (until marked closed)
3. Task Data Table
- Displays:
- Recommendation Name
- Task Number (clickable)
- Task Status
- Task Due Date
- Assigned By
- Assigned To
- Features:
- Search and filter options
- Show/hide columns
- Excel export option
4. Supporting Documents Table
- Located on the right side of the page
- Displays documents uploaded during task creation or updates
- Columns:
- Task Number
- File Name
- Actions (Download icon)
- Features:
- Search, filter, customize columns
- Excel export for tracking documentation
5. Additional Capabilities
- Edit Existing Tasks: Click the Task Number link to edit any task (unless it is closed)
- Add More Recommendations: Use the + icon to map new recommendations from this screen as well
FAQs and Common Questions
Q1: Can I assign tasks to other users?
A: Yes, the "Assigned To" field lets you select any user from the system user list.
Q2: What is auto-filled during task creation?
A: Assigned By, Created Date, Facility, Assessment, Recommendation, Subject, and Description fields are auto-filled.
Q3: Can I attach files to tasks?
A: Yes, use the Upload Attachment button before saving the task.
Q4: Can I edit tasks later?
A: Yes, tasks can be edited anytime until they are marked as "Closed."
Q5: Where can I see uploaded documents?
A: In the Supporting Documents table on the right side of the screen.
Q6: What happens after task creation?
A: You’ll get a confirmation message, and the assigned user will receive an email.
Q7: Can I create new recommendations from this screen?
A: Yes, use the + icon at the top left of the data table to add new recommendations to the risk.
Q8: Can I download task data?
A: Yes, both the task data table and supporting documents table can be exported to Excel.
This guide provides a detailed overview of both the Risk Recommendation and Risk Treatment Activities screens. It highlights not only how to map and manage recommendations but also how to operationalize them through task assignment, progress monitoring, and documentation—all within the RiskWatch Risk Assessment module.
PHASE D: Risk Trend Chart (Risk Journey Visualization)
This phase provides a visual representation of how the risk score has changed over time, showing the effectiveness of your mitigation efforts.
Key Features of the Risk Trend Chart
- Chart Type: Line chart showing progression of risk scores.
- X-Axis: Represents the duration/time (e.g., assessment periods).
- Y-Axis: Represents the risk score values.
- Color-Coded Lines:
- Red Line = Inherent Risk (before applying recommendations)
- Green Line = Residual Risk (after applying recommendations)
- Mouse Hover Tooltip:
- Shows risk type (Inherent or Residual)
- Assessment name
- Exact risk score (e.g., 25)
- Risk label (e.g., Very High, Negligible)
- This chart helps organizations visualize their risk reduction path clearly and determine if applied treatments are effective over time.
Benefits
- Enhances understanding of mitigation success
- Supports better decision-making in future assessments
- Makes it easy to compare performance across periods
FAQs and Common Questions
Q1: What does the red line represent in the trend chart?
A: The red line represents the Inherent Risk score—before any recommendations are applied.
Q2: What does the green line show?
A: The green line indicates the Residual Risk score—after applying mitigation recommendations.
Q3: What details appear when hovering over a chart point?
A: It shows the risk type, risk score, assessment name, and score label (e.g., High, Medium).
Q4: How can the trend chart help in decision-making?
A: It clearly shows whether risk scores are decreasing over time, indicating treatment effectiveness.
Q5: Can I view this trend for each risk individually?
A: Yes, each risk’s trend chart reflects its individual progress across assessments.
Third Party Data
The Facility Risk score can be calculated using the third-party options available in the application: Cap Index, Security Gauge, and World Aware.
Here is the detailed information on third-party data in assessments.
- Log in to the application.
- Go to Assessments.
- Open the assessment and expand the Third Party Data tab.
- It shows the third-party information specific to each facility in a table.
The table contains the following columns.
Facility: Displays the name of the facility for which the third-party data has been or is being fetched.
License Debited (date): Shows when the third-party data was most recently fetched and the license debited for this facility.
For each of Cap Index, Security Gauge, and World Aware, it shows NA if the data has not been fetched, or the date if it has been fetched.
Address: Shows the address provided for this facility on the Facility screen.
Cap Index data retrieved: Shows the status of the Cap Index data fetch.
If the data was fetched recently, it shows Fetched; if it has not been fetched yet, it shows Not fetched; if the facility does not have the Cap Index option, it shows Not selected; and if the fetch failed, it shows Fetching failed.
Cap Index data capture: This field lets you fetch the data from here by selecting the Retry data capture check box.
Security Gauge data retrieved: Shows the status of the Security Gauge data fetch.
If the data was fetched recently, it shows Fetched; if it has not been fetched yet, it shows Not fetched; if the facility does not have the Security Gauge option, it shows Not selected; and if the fetch failed, it shows Fetching failed.
Security Gauge data captured: This field lets you fetch the data from here by selecting the Retry data capture check box.
Note that Security Gauge data cannot be fetched for facilities outside the U.S. If you try, an alert message states that Security Gauge data is not supplied outside the U.S.A. and that you can use Cap Index data as an alternative.
World Aware data retrieved: Shows the status of the World Aware data fetch.
If the data was fetched recently, it shows Fetched; if it has not been fetched yet, it shows Not fetched; if the facility does not have the World Aware option, it shows Not selected; and if the fetch failed, it shows Fetching failed.
World Aware data captured: This field lets you fetch the data from here by selecting the Retry data capture check box.
If you select third-party data but no licenses are available to fetch it, a pop-up asks you to contact sales to purchase credits for third-party data, with Yes and No buttons.
If you click No, the pop-up simply closes.
If you click Yes, it takes you to the mail section to contact sales.
Alternatively, you can click the Contact Sales button at the bottom right to contact the sales team about licenses.
After selecting all the required check boxes, click the Fetch Data button. A Credits Information pop-up shows the available and required data counts for Cap Index, Security Gauge, and World Aware.
If the required count exceeds the available count, a message shows how many more are required to perform the fetch, with Contact Sales and No buttons along with the facility link.
If you want, you can contact sales and purchase the licenses.
Otherwise, click No and the pop-up closes.
Click the "Go to Facility(S) now" link to open that specific facility and navigate to the required third-party data tab, where you get the reports if the data was already fetched for the same facility.
After purchasing the required licenses, click the Proceed button to get the third-party data for the facility selected in the Select Facility drop-down.
When you select the facility from the drop-down, additional tabs appear for the third-party data available for or mapped to that facility.
When you open one of those tabs, it provides the report link to download the data.
A Manager can also perform all the operations on assessments that an Admin can, but only on the facilities and risk template content mapped to them.
A Risk Assessor cannot create or delete an assessment, but can perform all operations within an assessment, subject to the limitations they have on the specific facilities and mapped templates.