Venvera risk register table with category, score, treatment, status and owner
The risk register: every risk with its likelihood-by-impact score, treatment decision, lifecycle status and owner.

Risk Register

The risk register is the main working page for viewing, filtering, and managing all ICT risks.

Filters

FilterOptionsDescription
SearchFree textSearch by risk title or description text.
CategoryCybersecurity, Data Breach, System Failure, Third Party, Change Management, Access Control, Physical Security, Compliance, Operational, OtherFilter risks by their assigned category.
LevelLow, Medium, High, CriticalFilter by the calculated inherent risk level derived from the Likelihood x Impact score.
StatusIdentified, Assessed, Treating, Monitoring, ClosedFilter by the current stage of the risk management lifecycle.
TreatmentMitigate, Accept, Transfer, AvoidFilter by the chosen treatment decision.

Table Columns

ColumnDescription
TitleThe risk title. Click to open the risk detail/edit form.
CategoryThe risk category (e.g., Cybersecurity, Data Breach).
ScoreDisplayed as L x I = Score (e.g., 4 x 5 = 20) with a color-coded level badge (Low/Medium/High/Critical).
TreatmentThe treatment decision: Mitigate, Accept, Transfer, or Avoid.
StatusThe lifecycle status of the risk.
OwnerThe person or role responsible for managing this risk.
Review DateThe next scheduled review date for this risk.

Creating or Editing a Risk

Click New Risk to create a new entry, or click an existing risk title to edit it. The risk form is divided into multiple sections.

Venvera new risk form with likelihood and impact pill selectors
The risk form: inherent and residual assessment with 1 to 5 likelihood and impact pills, treatment, tolerance, linked entities and regulatory references.

Basic Information

FieldTypeDescription
TitleText inputA concise name for the risk. Required
DescriptionTextareaA detailed narrative of the risk scenario, including potential causes and consequences. Optional
Risk CategorySelect dropdownChoose from: Cybersecurity, Data Breach, System Failure, Third Party, Change Management, Access Control, Physical Security, Compliance, Operational, Other. Required
Threat SourceText inputThe origin of the threat (e.g., "External attacker", "Disgruntled employee", "Natural disaster"). Optional
VulnerabilityText inputThe specific weakness that could be exploited (e.g., "Unpatched web server", "No MFA on admin accounts"). Optional

Inherent Risk Assessment

The inherent risk assessment captures the risk level before any controls or treatment measures are applied.

FieldTypeDescription
Likelihood1-5 pill selectorRate the probability of the risk materializing on a scale of 1 (Rare) to 5 (Almost Certain). Click a pill to select.
Impact1-5 pill selectorRate the potential business impact on a scale of 1 (Negligible) to 5 (Catastrophic). Click a pill to select.
ScoreAuto-calculated displayAutomatically calculated as Likelihood x Impact. Displayed with a color-coded level badge (Low 1-4, Medium 5-9, High 10-15, Critical 16-25).

Treatment

FieldTypeDescription
Treatment DecisionRadio buttonsSelect one of four treatment strategies:
Mitigate — Implement controls to reduce likelihood or impact.
Accept — Acknowledge the risk and take no further action (within appetite).
Transfer — Shift the risk to a third party (e.g., insurance, outsourcing).
Avoid — Eliminate the risk by removing the activity or system.
Treatment DescriptionTextareaDetail the specific actions being taken or planned for the chosen treatment strategy. Optional

Residual Risk Assessment

The residual risk assessment captures the risk level after treatment measures and controls have been applied or are planned.

FieldTypeDescription
Residual Likelihood1-5 pill selectorThe expected likelihood after treatment measures are in place.
Residual Impact1-5 pill selectorThe expected impact after treatment measures are in place.
Residual ScoreAuto-calculated displayResidual Likelihood x Residual Impact, displayed with a level badge.

Risk Tolerance

FieldTypeDescription
Risk ToleranceRadio buttonsIndicate whether the residual risk falls within the organization's appetite:
Within Tolerance — Residual risk is acceptable per risk appetite settings.
Above Tolerance — Residual risk exceeds appetite; additional treatment or monitoring needed.
Requires Escalation — Risk exceeds escalation threshold and must be reported to senior management or the board.

Risk Status

FieldTypeDescription
Risk StatusSelect dropdownThe lifecycle stage of the risk:
Identified — Risk has been recognized but not yet assessed.
Assessed — Risk has been scored and categorized.
Treating — Treatment actions are actively being implemented.
Monitoring — Treatment is in place; risk is being monitored for changes.
Closed — Risk has been eliminated or is no longer relevant.

Linked Entities

FieldTypeDescription
Linked AssetsMulti-select checkboxesSelect one or more ICT assets from the asset register that are affected by or related to this risk.
Business FunctionsMulti-select checkboxesSelect the business functions impacted by this risk. Functions marked as critical in the Register of Information display a Critical badge.
ICT ControlsMulti-select checkboxesSelect the controls that mitigate or address this risk. This creates a bidirectional link between risks and controls.

Regulatory References

Map the risk to specific regulatory requirements across the frameworks below. A single risk can be tagged to many frameworks at once — the framework toggles available depend on which frameworks you have enabled in your tenant.

FrameworkTypeDescription
DORA ArticlesToggle buttonsSelect applicable DORA articles from Art. 5 through Art. 16. Each button has a tooltip explaining the article's scope (e.g., Art. 5: ICT Risk Management Framework, Art. 6: ICT Systems and Tools, etc.).
NIS2 ArticlesToggle buttonsSelect applicable NIS2 cybersecurity measures from Art. 21(2)(a) through Art. 21(2)(j), covering areas such as risk analysis, incident handling, business continuity, supply chain security, and cryptography.
ISO 27001 ControlsToggle buttonsSelect applicable ISO 27001:2022 Annex A controls from A.5 (Organizational) through A.8 (Technological).
💡
Regulatory references create traceability between your risk register and compliance obligations. They also feed into gap assessment and board reporting modules.

Review Dates

FieldTypeDescription
Review DateDate pickerThe date this risk was last reviewed. Optional
Next Review DateDate pickerThe scheduled date for the next risk review. When this date passes, the risk will appear in the Overdue Reviews count on the dashboard. Optional
⚠️
DORA requires periodic review of ICT risks. Setting appropriate review dates ensures your risk register remains current and audit-ready. Risks without a next review date will not trigger overdue alerts.