Risks
Introduction
Risks form the foundation of risk management in CERRIX. They provide a structured way to capture events, their causes, and their effects within your organisation.
Controls mitigate these risks and help keep the organisation in control. Together with Testing and Measures of Improvement (MoIs), they form a complete cycle:
Risk → Control → Testing → Improvement (MoI)
This training explains how to create, link, and maintain risks in CERRIX.
Accessing the Risk Workspace
Navigate to the Risk workspace from the main menu. This workspace gives you:
A complete list of all risks at the detail level
Central control over data quality
The ability to create and save custom views with filters and sorting
Export functionality to Excel or other formats
The Risk workspace is where you'll spend most of your time managing risk data. You can see all risks that belong to organisations you have access to, along with their current scores, owners, and linked controls.
Filtering and Sorting
CERRIX workspaces offer powerful filtering and sorting capabilities to help you find exactly what you need.
Applying Filters
Click Advanced configuration to open the filter panel. Every column in the workspace can be filtered individually, allowing you to narrow down your view to specific organisations, risk types, scores, or owners.
Customising the Table
Click Table configuration to adjust which columns are visible. This helps you focus on the information most relevant to your current task.
Applying Your Configuration
After setting filters and table preferences, click Apply configuration to refresh the workspace with your selected settings.
Saving Presets
Use Preset management to save your filter configurations:
Give your preset a descriptive name
Click + to add the preset
Select a preset and click X to remove it
Set a default preset by selecting it under Default preset and clicking the star icon
When you set a default preset, CERRIX will automatically load that view every time you open the workspace.
Creating a New Risk
How to Get There
Open the Risk workspace and click Add new risk in the top right corner.
Required Information
Start by selecting the organisation responsible for the new risk. This determines who has access to view and edit the risk.
Next, select the appropriate risk catalogue entry. Risk catalogues provide standardised risk definitions that ensure consistency across your organisation. If subtypes are available, select the most specific option that matches your risk.
Risk Details
Give the risk a concise name. In many cases, this will be pre-filled when you select a risk catalogue entry, but you can customise it as needed.
Write a clear description that explains what the risk is. A good risk description follows the event-cause-effect structure:
What event could occur?
What would cause this event?
What would be the effect on the organisation?
The cause and effect fields are optional. Many organisations include this information directly in the risk description rather than separating it into distinct fields.
Dimensions and Categories
Business Dimensions link the risk to specific processes, projects, or objectives. This makes it easier to generate targeted reports and understand which parts of your business are exposed to which risks.
Risk Area and Event category are typically populated automatically based on your risk catalogue selection. These provide additional categorisation for reporting purposes.
Ownership and Treatment
The Risk Owner is the person who assesses and monitors this risk. Choose someone with direct knowledge of the risk area and the authority to make decisions about risk treatment.
Risk treatment indicates your intended approach to managing the risk:
Avoid – eliminate the activity that creates the risk
Transfer – move the risk to a third party (e.g., through insurance)
Reduce – implement controls to lower the likelihood or impact
Accept – acknowledge the risk and take no further action
Click Save to create the risk.
Scoring Risks
Accessing Risk Scoring
After creating a risk, navigate to the Risk scoring tab to assess its severity.
Gross Risk Assessment
Gross impact and gross likelihood represent the risk before any controls are applied. This is your baseline assessment:
Impact measures the potential consequences if the risk materialises (e.g., financial loss, reputational damage, regulatory penalties)
Likelihood measures how probable the risk event is to occur
Use your organisation's risk matrix to determine appropriate scores. Most organisations use a scale of 1-5 or similar.
Net Risk Assessment
Once you've identified and implemented controls for this risk, you can assess the net likelihood and net impact. These scores reflect the reduced risk level after controls are working.
The difference between gross and net risk shows the effectiveness of your control environment.
Overall Risk Assessment
Use the Overall risk assessment field to indicate whether you accept the remaining (residual) risk or require further action. This is particularly important for risks that remain high even after controls are applied.
Click Save to record your risk scoring.
Linking Controls to Risks
Accessing Linked Controls
Navigate to the Linked controls tab within the risk. This is where you connect controls that mitigate the risk.
Important: Controls can only be linked if they belong to the same organisation as the risk. Cross-organisation linking is not supported.
Adding Controls
Click Link panel to open the control selection interface. You can browse available controls and drag them into the linked controls area.
Choose controls that directly address the causes or reduce the impact of the risk. Not every control needs to be linked to every risk – focus on the controls that genuinely mitigate this specific risk.
When you've selected the appropriate controls, click Save to establish the link.
Why Link Controls?
Linking controls to risks creates traceability in your GRC programme. It allows you to:
See which risks are covered by which controls
Identify gaps where risks lack adequate controls
Generate reports showing the relationship between risks and controls
Understand the impact when a control fails or needs changes
Best Practices
The quality of risk and control data in CERRIX determines how useful your analyses, reports, and audits will be. Follow these practices to ensure your information is clear, consistent, and actionable.
Use Event-Cause-Effect Structure
Every risk description should follow this structure so that everyone interprets the risk the same way:
Event: What could happen?
Cause: What would make it happen?
Effect: What would the consequences be?
This structure ensures clarity and prevents misunderstandings.
Consistent Naming Conventions
Keep risk titles short and powerful, but ensure descriptions are complete. Follow the naming conventions agreed within your organisation. Consistency makes it easier to find risks, generate meaningful reports, and communicate with stakeholders.
Avoid Duplication
Before creating a new risk, check whether it already exists in the risk catalogue. Duplicate risks create noise in reports and make it difficult to understand your true risk profile.
Choose the Right Control Type
When you create controls, use the correct classification:
Key control – critical for risk management, must be tested
Monitoring – requires active oversight
Execution – describes how the control is performed (manual, automated)
Shared – used across multiple processes or organisations
This classification affects how controls appear in reports and testing programmes.
Link to Processes and Owners
Risks and controls only become truly useful when they're connected to processes, business dimensions, and owners. These connections provide clarity and accountability across your organisation.
Follow Frameworks and Conventions
Where possible, align with existing frameworks such as ISO, DORA, BIO, or internal standards. This makes audits simpler and reports more consistent with external requirements.
Exercises
Exercise 1: Create a New Risk
Create a new risk in CERRIX with a complete description following the event-cause-effect structure.
Exercise 2: Score the Risk
Provide both gross and net risk scores (impact and likelihood) for your risk.
Exercise 3: Link a Control
Find and link an existing control to your risk that addresses one of its causes or reduces its impact.
Exercise 4: Export Risks
Export a filtered list of risks to Excel for a specific framework dimension in your organisation.