Risk register

Turning 'what ifs' into 'what nows'.

The risk register allows you to view and manage your potential risks in one centralised place. It enables aggregations across your internal organisation and all third parties. The risk register includes all information about each identified risk, such as the nature of that risk, level of risk, who owns it and the mitigation measures in place to respond to it.

Overview

This overview will walk you through the risk register from the top to the bottom of the page.

  • At the top of the page, you can register a new risk by clicking + Add risk.
    Learn more about adding risks here: Add a risk
  • You will also find a quick link to this article about the risk register using the button Docs: Risk register.
  • The cogwheel icon redirects to the risk matrix settings.

Risk Matrix

This risk matrix offers a visual summary of the risk landscape, by visualising all registered risks based on their likelihood and impact.

  • Y-axis (Impact): Measures how severe the consequences would be if the risk occurs, ranging from Very Low to Very High (by default).
  • X-axis (Likelihood): Indicates how likely it is that the risk will occur, also from Very Low to Very High (by default).

Each colored cell in the risk matrix represents a risk level category. The risk levels (by default) are:

🟩   Green – Low risk
🟨   Yellow – Moderate risk
🟥   Red – High risk
🟫   Dark Red – Critical risk

  • The number inside each cell indicates how many risks fall into that category.
  • You can switch the view between inherent risk or residual risk.
    Learn more about the inherent and residual risk here: Measures TO DO
  • You can change the matrix to a 4x4 view by navigating to the risk matrix settings (cogwheel).
  • You can export the matrix as a PNG by clicking the top-right Export button.
  • The matrix's risk level thresholds and colours are customisable.
    Learn more about the risk matrix settings here: Risk configuration

Risk register table

The risk register table gives you a detailed overview of all registered risks.

Search, filter, and export

Above the table, you will find options to search, filter, and export. From left to right:

  • Search: You can search by title and ID.
  • Clear search: Quickly clear your search field and stop searching using this button.
  • Filters: Apply filters using this button. If any filters are active, the text will change to Filters applied.
  • Saved filters (down arrow): You will find your saved filter sets here, as well as a button to save your current set of filters.
  • Clear filters (strikethrough funnel): This will clear all filters, including any text in the search field.
  • Export: Export the risk register to an Excel file.
    • All results: This exports the entire risk register.
    • Applied filter: This exports all risks that have been found using the filters you have enabled.
    • Selected rows: This exports all risks you have selected in the table.
  • Number of rows per page: Choose the number of rows you want displayed per page in the table.

Interacting with the table

  • Select: Check the box in the leftmost column to select a row. You can select all visible risks by checking the box in the header of the table. If you want to select all results, including ones on other pages, make sure to click Select all rows.
  • Sort: Click on a column name to sort by that column. Note: sorting is not possible on some columns.
  • Details: Hover or click on a data field to get more details.

Actions

  • Edit risk: View and edit a risk.
    Learn more about risks: Risks
  • Link issue: Quickly link an issue to a risk.
    Learn more about issues: Issues

Risk process

Register risks to capture potential threats or uncertainties that could impact your organisation’s objectives. Each risk entry allows you to document its nature, assess its likelihood and impact, assign ownership, and define mitigation measures. This helps create a structured, transparent, and proactive approach to risk management across your organisation and third-party network.

Risks on the 3rdRisk platform follow a structured progress flow, guiding you from initial (1) identification and (2) assessment, to (3) treatment and (4) monitoring. The goal of this approach is to effectively address risks within your organisation by assigning clear ownership, supporting strategic decision-making and enabling appropriate follow-up.

Add a risk

To register a new risk (identification):

  1. Click + Add risk.
  2. The identification step will open where you can enter relevant basic information about the risk.
    Fill in at least the required fields to register the new risk. You may also provide additional information now or at a later stage.
  3. Click Next or Save. The risk is now registered and new tabs appear.

To assess a risk (assessment):

  1. Edit a risk by clicking on the ••• button in the Actions column on the right-hand side of the table.
  2. Click on the assessment progress step.
  3. Determine the risk by assessing the likelihood and impact of the (unmitigated) risk. The inherent risk level is calculated based on your input, using the formula: Likelihood × Impact.
    Likelihood refers to the probability that a risk event will occur. Impact refers to the potential consequences or severity of outcomes if the risk were to occur.
    Learn more about risk levels: Risk levels TO DO
  4. Click on Next or Save and close. The risk assessment is saved.

To implement measures against a risk (treatment):

  1. Edit a risk by clicking on the ••• button in the Actions column on the right-hand side of the table.
  2. Click on the treatment progress step.
  3. Decide what strategy you want to apply to the risk. The available treatment strategies include: 
    • Accept: Acknowledge the risk and choose not to mitigate, transfer or avoid with measures.
    • Mitigate: Reduce the likelihood or impact of the risk by implementing measures.
    • Transfer: Assign or move the risk to a third party (by implementing measures).
    • Avoid: Eliminate or forego the risk (by implementing measures).
    • Review: Leave the risk treatment strategy open for review.
  4. The residual risk is calculated by subtracting the scores of the measures from the inherent risk (inherent risk - measures = residual risk). Optionally, you can initiate a risk acceptance flow to review the residual risk. The risk acceptor will receive a request via email to confirm whether the residual risk is acceptable.


1. Identification

Risk identification is the process of determining risks that could potentially prevent your organisation from achieving its objectives.

To manage risks effectively, you must know your organisation's potential risks. The risk identification process should cover all risks, regardless of whether such risks are within the organisation's direct control or lie within your ecosystem. An ongoing risk identification process should include mechanisms to identify new and emerging risks in a timely manner. Within the 3rdRisk platform, different modules can provide input for identifying new risks. For example:

  • Assessment module (e.g. A third party responded in one of your assessments that they faced some serious financial issues in the past)
  • Incident management module (e.g. A competitor had a significant incident, which could also happen in one of your factories)
  • Compliance requirements module (e.g. You expect an upcoming stricter compliance requirement update - which may have an impact on your internal organisation and/or third-party landscape)

But there are also different other instruments to identify new risks:

  • Risk workshops and interviews
  • Periodic relationship updates with your third parties
  • News bulletins
  • Scenario analysis
  • External risk monitoring sources
  • Etc.

In the 3rdRisk platform, you can quickly and securely document your identified risks.

Risk name and description

Give the risk a name and provide some contextual information about the risk.

Risk statement
A good quality risk statement can answer the following questions:

  • What could happen?
  • Why could it happen?
  • Why do we care?

It is essential to have a foundational understanding of risk components and their interrelationships. Understanding key risk-related terms and their definitions and the business and its objectives will result in more impactful risk articulation.

Example of a good risk statement:

[Event that affects objectives] caused by [cause/s]. This may result in [consequence/s].
Source: ISACA

Risk category

Risk categories within the platform group risks under a common area. Available categories in the platform are:

  • Information security
  • Privacy
  • Quality
  • Compliance
  • Environmental
  • Safety
  • Continuity
  • Political
  • Financial
  • Operational
  • HR
  • Reputation
  • Other

You do not have to use all these categories; the advice is only to use the relevant ones for your type of business, risk landscape and reporting needs.

Stakeholders

Per risk, you can define the following stakeholders:

  • Risk owner *
  • Involved third-party (if applicable)
  • Other external parties (e.g. regulators, society, accountants), including their expectations
  • Internal stakeholders, including their expectations

* Only the risk owner is a required field.

Risk scope

The organisation model defines the scope of the risk within your organisation.

2. Assessment

Risk assessment
Risk assessment is the process of assessing identified risks on their potential severity of impact and the probability of occurrence. The assessment process is an essential step as it will prioritise your risk treatment. Within the platform, you score risks by:

  • Likelihood (the chance that the risk will manifest)
  • Impact (the potential losses associated with the risk if it manifests)

You can score both the likelihood and impact from 1-5:

  • Very low
  • Low
  • Medium
  • High
  • Very high

As the segmentation of these levels differs per organisation and industry, we advise you to define your risk level criteria per level:

Example of likelihood criteria

Likelihood score and your organisation-specific criteria:

  1. Very low (Rare): e.g. once in 100 years or less.
  2. Low (Unlikely): e.g. once in 50 years up to once in 100 years.
  3. Medium (Possible): e.g. once in 25 years up to once in 50 years.
  4. High (Likely): e.g. once in 2 years up to once in 25 years.
  5. Very high (Frequent): e.g. up to once in 2 years or more.

Example of impact criteria

Impact score and your criteria:

  1. Very low (Incidental): e.g. potential financial impact < €100.000
  2. Low (Minor): e.g. €100.000 - €249.999
  3. Medium (Moderate): e.g. €250.000 - €499.999
  4. High (Major): e.g. €500.000 - €999.999
  5. Very high (Extreme): e.g. > €1.000.000

Risk score

Within 3rdRisk, you will get a calculated risk score based on impact × likelihood.

Loss experience

To support the assessment of the identified risk, it is good to list similar historical incidents and events.

3. Treatment

Risk treatment involves selecting and implementing the treatment. This involves balancing the potential benefits of introducing further risk treatment (controls) against the associated cost, effort or disadvantages.

Treatment options

You can select one of the following risk treatment options within the platform:

  • Review: Currently assessing the risk treatment strategy.
  • Accept: Acknowledge the risk and choose not to resolve, transfer or mitigate.
  • Mitigate: Reduce the likelihood or impact of the risk.
  • Transfer: Assign or move the risk to a third party.
  • Avoid: Eliminate or forego the risk.

Residual risk

The residual risk score is the amount of risk remaining after implementing the risk treatment. This score cannot be higher than the risk score.
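The scoring rules stated on this page (inherent risk = likelihood × impact on a 1-5 scale, residual risk = inherent risk minus the measure scores and never higher than the inherent score, risks counted per cell of the 5x5 or 4x4 matrix and grouped into Low/Moderate/High/Critical bands) can be pinned down in a few lines. The following is an added example, not the 3rdRisk platform's own code. The level thresholds, the representation of a measure as a plain integer score, and the floor of zero for residual risk are assumptions; the page says thresholds are configurable and does not say how measures are scored or what happens when measures outweigh the inherent score.

```python
from collections import Counter
from dataclasses import dataclass, field

# Five-point scale used for both likelihood and impact (the platform's default).
SCALE = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}

# Assumed level thresholds: (highest score in the band, level name). The page says
# thresholds and colours are configurable in the risk matrix settings; these
# particular cut-offs are an illustration, not the platform's defaults.
DEFAULT_THRESHOLDS = ((4, "Low"), (9, "Moderate"), (16, "High"), (25, "Critical"))


def check_score(name: str, value: int, size: int = 5) -> int:
    """Reject anything that is not an integer from 1 to `size` (5 for the default
    5x5 matrix, 4 for the optional 4x4 view)."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= size:
        raise ValueError(f"{name} must be an integer from 1 to {size}, got {value!r}")
    return value


def inherent_risk(likelihood: int, impact: int, size: int = 5) -> int:
    """Inherent (unmitigated) risk score: likelihood x impact, as the page states."""
    return check_score("likelihood", likelihood, size) * check_score("impact", impact, size)


def residual_risk(inherent: int, measure_scores) -> int:
    """Residual risk = inherent risk - sum of the measure scores.

    The page states residual risk can never be higher than the inherent score, so a
    negative measure score (which would raise the residual) is rejected. Flooring
    the result at zero is an assumption made here.
    """
    scores = list(measure_scores)
    if any(s < 0 for s in scores):
        raise ValueError("measure scores must be non-negative")
    return max(0, inherent - sum(scores))


def risk_level(score: int, thresholds=DEFAULT_THRESHOLDS) -> str:
    """Map a score onto the colour-coded level bands of the matrix."""
    for upper, name in thresholds:
        if score <= upper:
            return name
    raise ValueError(f"score {score} exceeds the highest threshold")


@dataclass
class Risk:
    title: str
    likelihood: int
    impact: int
    # Scores of implemented measures; plain integers are an assumption here.
    measures: list = field(default_factory=list)

    @property
    def inherent(self) -> int:
        return inherent_risk(self.likelihood, self.impact)

    @property
    def residual(self) -> int:
        return residual_risk(self.inherent, self.measures)


def matrix_counts(risks, size: int = 5) -> dict:
    """Number of risks per (likelihood, impact) cell, i.e. the figure shown inside
    each cell of the inherent-risk matrix. Every cell is present, zero included."""
    counts = {(lk, im): 0 for lk in range(1, size + 1) for im in range(1, size + 1)}
    for r in risks:
        counts[(check_score("likelihood", r.likelihood, size),
                check_score("impact", r.impact, size))] += 1
    return counts


def level_summary(risks, view: str = "inherent") -> dict:
    """How many risks sit in each level band, for the inherent or residual view."""
    if view not in ("inherent", "residual"):
        raise ValueError("view must be 'inherent' or 'residual'")
    return dict(Counter(risk_level(getattr(r, view)) for r in risks))


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("Supplier insolvency", likelihood=4, impact=5, measures=[6, 4]),
    Risk("Minor reporting delay", likelihood=2, impact=2),
    Risk("Data centre outage", likelihood=5, impact=3, measures=[20]),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.title}: inherent {r.inherent} ({risk_level(r.inherent)}), "
              f"residual {r.residual} ({risk_level(r.residual)})")
    print("inherent view:", level_summary(SAMPLE_RISKS))
    print("residual view:", level_summary(SAMPLE_RISKS, "residual"))
```

Switching between the inherent and residual view of the matrix corresponds to calling `level_summary` with the other `view` argument; passing `size=4` to `matrix_counts` reproduces the 4x4 view and rejects any risk scored with a 5.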

4. Monitor

This process ensures that the risk treatment activities and evolvement of the risk are monitored. In the platform, you can record the procedure(s) for:

  • Treatment activities: are activities performed timely and correctly?
  • Risk evolvement: a risk can be influenced by different factors, which can result in an increased or decreased risk exposure over time.

Add a risk

To add a new risk to your risk register:

  1. Navigate to: Left side menu: Risks
  2. Click on [+ Add risk]
  3. Provide the risk details:
    Phase 1. Identification
      • Risk title *: The title of the risk.
      • Risk description *: A description of the risk. Please refer to the concept section of this page for a reasonable risk statement.
      • Risk category *: Select the most relevant category of this risk. Risk categories within the platform group risks under a common area.
      • Risk owner *: Every risk needs to have an internal owner that is responsible for managing and monitoring this risk. You can select all users that are registered on the platform.
      • Risk officer *: The risk officer that is associated with this risk. Only platform users with risk officer or risk manager roles can be selected.
      • External stakeholders: In this section, you can select an involved third party (if applicable), including the relevant scope where the third party is active. You also have the option to list any other external parties related to the identified risk, including their expectations and requirements.
      • Location within the organisation *: Your organisation model defines the scope of the risk within your organisation.
      • Internal stakeholders: List all the internal stakeholders (e.g. Legal, HR, Procurement), including their expectations and requirements. Use the tab key on your keyboard to add multiple internal stakeholders.
    Phase 2. Assessment
      • Loss experience: List the experience of any incidents or events related and/or similar to this risk.
      • Likelihood *: What is the probability of this risk occurring? Please refer to the concept section of this page for an explanation of the likelihood and the scoring mechanism.
      • Reasoning on the likelihood score: Define the reasoning behind the defined score.
      • Impact *: What is the impact when this risk manifests? Please refer to the concept section of this page for an explanation of impact and the scoring mechanism.
      • Reasoning on the impact score: Define the reasoning behind the defined score.
    Phase 3. Treatment
      • Treatment decision *: Select your treatment strategy: Review, Accept, Mitigate, Transfer or Avoid. Please refer to the concept section of this page for an explanation of the different treatment strategies.
      • Reasoning on the treatment decision: Define the reasoning behind the treatment decision.
      • Risk score: Auto-calculated field, the result of likelihood score × impact score.
      • Residual risk *: The residual risk score is the amount of risk remaining after implementing the risk treatment. This score cannot be higher than the risk score.
      • Reasoning on the treatment decision: Define the reasoning behind the defined score.
    Phase 4. Monitor
      • Procedure for monitoring risk evolvement and treatment activities: Free-format text field to define the procedures for monitoring the risk evolvement and treatment activities.
      • Tags: You can use the tags functionality to assign your own specific/internal labels to a risk record. You can search, filter, and create specific reports based on these tags. E.g. if you want to register all business continuity-related risks, you can add a tag named “BCM” to these records. At a later stage, you can effortlessly search and export these risks. Use the tab key on your keyboard to add multiple tags.

    * Required field

4. Click on the green coloured 'Save icon', and the risk is added to your risk register.

Update a risk

To update a risk in your risk register:

  1. Navigate to: Left side menu: Risks
  2. Search for the applicable risk you would like to update
  3. Click on the sub-menu in the 'Actions column' and click 'Edit risk'
  4. Update the risk and click on the green coloured 'Save icon'

Close a risk

If you no longer have any risk exposure (e.g. an event that contained specific risks has passed), you will want to close these risks.

To close a risk in your risk register:

  1. Navigate to: Left side menu: Risks
  2. Search for the applicable risk you would like to close
  3. Click on the sub-menu in the 'Actions column' and click 'Edit risk'
  4. Navigate to 4. Monitoring and set the 'Risk status'-field to closed
  5. Click on the green coloured 'Save icon'

Remove a risk

To remove a risk in your risk register:

  1. Navigate to: Left side menu: Risks
  2. Search for the applicable risk you would like to remove
  3. Click on the sub-menu in the 'Actions column' and click 'Edit risk'
  4. Click on the red coloured 'Recycle bin'

View audit log

Data integrity is critical for your risk register; that is why the risk management module comes with a protected audit log that registers all mutations in your risk register. It records:

  • Timestamp
  • Data adjustment (old value and new value)
  • The user account that was used for this update


Example: Screenshot of the protected audit log

None of the platform roles (including the platform administrator) can delete or make mutations to this audit log.
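The page lists what each audit log entry records (timestamp, old and new value, the user account) and states that no role can delete or mutate the log, but not how the log is protected. The following is an added example, not the platform's own code, showing one common way to make such a log tamper-evident: every entry carries a SHA-256 hash of its own content plus the hash of the previous entry, so editing or removing any entry breaks the chain and a verification pass reports the first bad index. The hash chain, the field names and the sample mutations are assumptions constructed for this illustration.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditLog:
    """Append-only log of risk-register mutations.

    Each entry holds what the page lists (timestamp, old and new value, the user
    account that made the change) plus a hash linking it to the previous entry,
    so any later edit or deletion of an entry is detectable. The chain itself is
    an assumed mechanism, not the platform's documented one.
    """

    GENESIS = "0" * 64  # previous-hash value for the very first entry

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Hash a canonical JSON form of everything except the hash field itself.
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"), default=str)
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, user, risk_id, field, old_value, new_value, timestamp=None) -> str:
        prev_hash = self._entries[-1]["hash"] if self._entries else self.GENESIS
        entry = {
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "risk_id": risk_id,
            "field": field,
            "old_value": old_value,
            "new_value": new_value,
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    def entries(self) -> list:
        # Copies only: callers cannot reach the stored entries through this view.
        return [dict(e) for e in self._entries]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad index)."""
        prev_hash = self.GENESIS
        for idx, entry in enumerate(self._entries):
            if entry["prev_hash"] != prev_hash or entry["hash"] != self._digest(entry):
                return False, idx
            prev_hash = entry["hash"]
        return True, None


def apply_change(risk: dict, log: AuditLog, user, field, new_value, timestamp=None):
    """Mutate one field of a risk record and log it in the same step, so a
    mutation cannot land without its audit record. Returns the entry hash, or
    None when the value did not change and nothing was logged."""
    if field not in risk:
        raise KeyError(f"unknown field {field!r}")
    old_value = risk[field]
    if old_value == new_value:
        return None
    risk[field] = new_value
    return log.record(user, risk["id"], field, old_value, new_value, timestamp)


def demo():
    """Constructed sample mutations (not real data), then a tamper check."""
    log = AuditLog()
    risk = {"id": "RISK-0001", "title": "Supplier insolvency", "likelihood": 3, "status": "open"}
    apply_change(risk, log, "alice@example.com", "likelihood", 4, "2024-01-10T09:00:00+00:00")
    apply_change(risk, log, "bob@example.com", "status", "closed", "2024-02-01T14:30:00+00:00")
    before = log.verify()
    # Simulate an in-place edit of a stored entry behind the log's back.
    log._entries[0]["old_value"] = 1
    return before, log.verify()


if __name__ == "__main__":
    print("intact, then after tampering:", demo())
```

In a real deployment the verification pass would run against a copy of the log held outside the application's own write path (or the latest hash would be anchored elsewhere), since a party who can rewrite every entry could also recompute every hash.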

To view the audit log of a risk in your risk register:

  1. Navigate to: Left side menu: Risks
  2. Search for the applicable risk
  3. Click on the sub-menu in the 'Actions column' and click 'View audit log'

Known module limitations

Known limitations of the risk management module

  • Currently, the module only supports a qualitative pre-defined risk assessment methodology.
  • Please contact Support@3rdRisk.com to discuss options for mass upload of your current risk register.
