Using Comply's risk register

Defining your Risk Tolerance

Comply lets you set a "Risk Tolerance" level to define the maximum level of risk you're willing to tolerate:


As an example, entering "Very High" means any risk with a Risk Value higher than this value will show up as "Unacceptable." The acceptability is determined by the adjusted risk value (so you can verify that your response sufficiently reduced the risk), unless you haven't yet computed an adjusted risk value. In that case, acceptability is determined by the raw risk value.

Adding a new risk

To add a new risk to your Risk Register, click "Log a New Risk" in the upper-right corner of the risk register. Doing so will open this modal:


The required fields are:

  • Threat Event: Give this risk a name, such as "Employee email credentials are phished."
  • Owner: The individual in your company who bears responsibility for managing this risk.
  • Likelihood: Assign the risk a probability of occurring, from 0% - 100%.
  • Impact: What would the impact on your organization be if this threat were to materialize? (Click on the '?' icon in Comply for more detail on impact levels).

Comply will compute a Risk Value based on the intersection of the assigned Likelihood and Impact, similar to NIST SP-800-30 Table I-2.


What level of detail should I aim for with my risks?

If you are putting together your first risk register, you may want to start broad - for example, list "Phishing" as a risk. Ultimately, risks are only useful insofar as you can appropriately assess their severity and likelihood, and identify the appropriate mitigating action. Over time, you may find that narrowing down your risks is helpful, such as "Employee email password is phished."

Responding to a risk

What do you do once you've identified a risk? You can:

  • Indicate how you're responding to the risk using the "Response" column (Mitigate, Transfer, Avoid, Accept)
  • Map a Control Response (a control from your policy manual that exists to address this risk)
  • Add a Ticket to remediate the risk (e.g., for a one-off project)
  • Compute an "Adjusted Risk Value" to determine the residual risk that remains after taking into consideration your response

Next Up

If you have additional questions, check out our Risk FAQ: