Risk Report
Three perspectives on your organisation's risk posture - proactive, reactive, and structural
Three Views of Risk
The Risk Report brings together three complementary perspectives, each available as a tab:
Risk Register - a proactive view of all identified risks across your applications. See how risks are distributed by category, status, and treatment strategy. The side-by-side inherent and residual heatmaps show whether your controls are actually reducing risk. Upcoming review dates are highlighted so nothing goes stale.
Risk Exposure - a reactive view that calculates the financial impact of active issues. Each open issue is mapped to a business process value and a severity multiplier to produce a monetary exposure figure. The gauge shows how much of your risk appetite is consumed.
Business Impact - a structural view of your organisation's resilience. It analyses control coverage, identifies single points of failure, and ranks departments and processes by composite risk score.
Risk Exposure: What It Shows
The Risk Exposure tab provides a real-time view of your organisation's cyber risk exposure. It aggregates all active issues, calculates the financial exposure each one represents, and compares the total against your defined risk appetite. The result is a single, actionable dashboard showing whether your risk is within budget or exceeding it.
Risk Appetite
The risk appetite is the total risk budget your organisation is willing to accept, expressed as a monetary value. The default is 1,000,000 (one million in your workspace currency). This value is configurable by superadmins via the risk settings page.
Think of the risk appetite as a ceiling: as long as your total risk exposure stays below the appetite, you are operating within acceptable bounds.
How Risk Exposure is Calculated
For each active issue (those that are Open, Investigating, in Remediation, or Accepted), Anzen calculates an exposure amount. The exposure for each issue is calculated by multiplying the financial value of the affected business process by a severity multiplier. Specifically:
- Anzen looks at the issue's linked control.
- From that control, it finds the highest-value business process (by financial value).
- It then multiplies that financial value by the severity multiplier (a percentage based on the issue's severity level).
The total risk exposure is the sum of all individual issue exposures. Issues not linked to a control, or whose control has no linked business processes, contribute zero exposure.
Severity Multipliers
Each severity level has a configurable percentage multiplier that determines how much of the business process value is counted as exposure. The defaults are:
| Severity | Default multiplier | Example (on a 500,000 process) |
|---|---|---|
| Critical | 100% | 500,000 |
| High | 75% | 375,000 |
| Medium | 50% | 250,000 |
| Low | 25% | 125,000 |
These multipliers are configurable per workspace, so you can tune them to match your organisation's risk methodology.
Risk Appetite Utilisation
The headline metric on the risk report is utilisation - the percentage of your risk appetite that is currently consumed. It is calculated by dividing the total exposure by the risk appetite.
This is visualised as a gauge. When utilisation is low, the gauge is green - your risk is well within budget. As utilisation approaches and exceeds 100%, the gauge turns red, indicating that your organisation's risk exposure has exceeded its appetite.
Active Risk Items
Below the gauge, the report shows a table of every issue contributing to exposure. Each row displays the issue number, title, severity, status, the severity multiplier applied, the business process value used, and the calculated exposure amount. Items are sorted by exposure in descending order, so the biggest risks appear first.
The report also provides a breakdown by severity, showing the count and total exposure for each severity level.
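As an added worked example (not Anzen's own code), the following Python computes per-issue exposure, total exposure, risk appetite utilisation and the sorted Active Risk Items rows from constructed sample issues, using the default multipliers and appetite described above; the Control and Issue structures are assumptions.

```python
# Added example (not Anzen's own code): reproduces the Risk Exposure calculation
# described above on constructed data. Control/Issue structures are assumed.
from dataclasses import dataclass
from typing import List, Optional

# Default multipliers from the table above; configurable per workspace
SEVERITY_MULTIPLIER = {"Critical": 1.00, "High": 0.75, "Medium": 0.50, "Low": 0.25}
ACTIVE_STATUSES = {"Open", "Investigating", "Remediation", "Accepted"}
DEFAULT_RISK_APPETITE = 1_000_000

@dataclass
class Control:
    name: str
    process_values: List[int]  # financial values of linked business processes

@dataclass
class Issue:
    number: int
    severity: str
    status: str
    control: Optional[Control] = None

def issue_exposure(issue):
    """Exposure = highest linked business process value x severity multiplier.
    Inactive issues, issues with no control, and controls with no linked
    business processes contribute zero."""
    if issue.status not in ACTIVE_STATUSES or issue.control is None:
        return 0
    if not issue.control.process_values:
        return 0
    return max(issue.control.process_values) * SEVERITY_MULTIPLIER[issue.severity]

def risk_exposure(issues, appetite=DEFAULT_RISK_APPETITE):
    """Return (total exposure, utilisation %) against the risk appetite."""
    total = sum(issue_exposure(i) for i in issues)
    return total, total / appetite * 100

def active_risk_items(issues):
    """Rows for the Active Risk Items table: (number, severity, exposure), biggest first."""
    rows = [(i.number, i.severity, issue_exposure(i)) for i in issues
            if issue_exposure(i) > 0]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample data (names and values are made up for illustration)
payments = Control("MFA on payment gateway", [500_000, 120_000])
wiki = Control("Wiki access review", [])
SAMPLE_ISSUES = [
    Issue(101, "Critical", "Open", payments),     # 500,000 x 1.00 = 500,000
    Issue(102, "High", "Remediation", payments),  # 500,000 x 0.75 = 375,000
    Issue(103, "Medium", "Closed", payments),     # not active -> 0
    Issue(104, "Low", "Open", wiki),              # control has no process -> 0
    Issue(105, "Low", "Investigating"),           # no linked control -> 0
]
```

With these inputs the total exposure is 875,000 against the default appetite, i.e. 87.5% utilisation.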
Business Impact Dashboard
The Business Impact tab provides an organisation-wide view of where your business is most exposed. Unlike the Risk Exposure tab (which focuses on active issues), the Business Impact dashboard analyses your entire business process landscape - its CIA classification, asset dependencies, control coverage, and open issues - to produce a composite risk picture.
CIA Classification Scoring
Every business process can be rated on three dimensions using a 1–5 scale:
Confidentiality (C) - How sensitive is the data this process handles? A rating of 5 means a breach would cause severe damage (e.g. customer financial data). A rating of 1 means the data is public or non-sensitive.
Integrity (I) - How critical is it that data processed by this workflow remains accurate and unaltered? Financial reporting (5) versus an internal wiki (1).
Availability (A) - How disruptive is downtime? An e-commerce checkout flow that earns revenue every minute (5) versus a quarterly report (1).
The CIA total is the sum of all three values (max 15). Processes with a CIA total of 12 or higher are considered critical - the dashboard flags these if they lack control coverage.
Risk by Department
The entity heatmap ranks each department (entity) by a composite risk score. The score is calculated as:
risk_score = (avg_CIA × 3) + ((100 − coverage%) × 0.5) + (open_issues × 10)
Where:
- avg_CIA - the average CIA total across all business processes owned by this entity. Higher CIA means the department handles more critical workflows.
- coverage% - the percentage of the entity's configuration items that are covered by at least one control. Low coverage increases the score.
- open_issues - the number of active issues linked to controls that protect this entity's processes. Each open issue adds 10 points.
The result is a score where higher = more risk. Departments with critical processes, poor control coverage, and active issues float to the top.
Most Exposed Processes
This table ranks every business process by its exposure score, calculated as:
exposure = (CIA_total × 5) + ((1 − coverage_ratio) × 30) + (open_issues × 15)
Where:
- CIA_total - C + I + A (max 15). A process rated 5/5/5 contributes 75 points from CIA alone.
- coverage_ratio - the fraction of the process's CIs that are covered by at least one control (0.0 to 1.0). A fully unprotected process adds 30 points.
- open_issues - active issues on controls linked to this process. Each adds 15 points.
Each row shows the individual C, I, and A ratings (colour-coded: red for 4–5, yellow for 3, grey for 1–2), asset count, control count, and open issues - giving you a complete picture of why a process ranks where it does.
Single Points of Failure
A Single Point of Failure (SPOF) is a configuration item that is linked to two or more business processes. If that asset fails, multiple business outcomes are impacted simultaneously.
SPOFs are ranked by two criteria: the number of affected processes (more = worse), and the combined CIA total across all affected processes (higher = more critical). A database server supporting both financial reporting (CIA 12) and customer authentication (CIA 15) is more critical than a print server supporting two low-value workflows.
The dashboard shows each SPOF's hostname, the number of affected processes, the combined CIA score, and the names of all dependent processes.
Control Coverage Summary
Four headline metrics give you a quick health check:
- Business Processes - total count of active processes in your workspace.
- With Controls - processes covered by at least one control. The goal is 100% for critical processes.
- Critical Unprotected - processes with a CIA total ≥ 12 that have zero controls. These are your highest-priority gaps - critical workflows with no governance.
- Overdue Tests - control tests that have passed their due date without being completed. Overdue tests indicate controls that may no longer be effective.
How Asset Dependencies Are Resolved
The dashboard resolves all configuration items linked to a business process by following three paths:
- Direct link - CIs directly linked to the business process (useful for infrastructure that doesn't belong to a specific application).
- Via business steps - CIs linked to individual steps within the process workflow (from the Process Modeler).
- Via applications - CIs linked to applications that are linked to the process. This is the most common path: a server (CI) runs an application, and that application supports a business process.
All three paths are traversed consistently across the entity heatmap, exposed processes, and SPOF detection. This means no dependency is missed regardless of how your CMDB is structured - whether you link CIs directly, through workflow steps, or through the application layer.
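As an added worked example (not Anzen's own code), the following Python resolves each process's configuration items through the three dependency paths just described, then applies the Most Exposed Processes formula and the SPOF ranking from the sections above; the CMDB structures, CI names and the treatment of a process with no resolvable CIs are assumptions.

```python
# Added example (not Anzen's own code): resolves CIs via direct links, business
# steps and applications, then scores processes and ranks SPOFs. Structures assumed.
from collections import defaultdict

def process_cis(proc, steps, apps):
    """Union of CIs reached directly, via business steps, and via applications."""
    cis = set(proc["direct_cis"])
    for step in proc["steps"]:
        cis |= set(steps[step])
    for app in proc["apps"]:
        cis |= set(apps[app])
    return cis

def exposure_score(proc, steps, apps, covered_cis, open_issues):
    """exposure = (CIA_total x 5) + ((1 - coverage_ratio) x 30) + (open_issues x 15)"""
    cis = process_cis(proc, steps, apps)
    # Assumption: a process with no resolvable CIs is treated as fully unprotected
    coverage_ratio = len(cis & covered_cis) / len(cis) if cis else 0.0
    return sum(proc["cia"]) * 5 + (1 - coverage_ratio) * 30 + open_issues * 15

def most_exposed(procs, steps, apps, covered_cis, open_issues):
    """Rank processes by exposure score, highest first."""
    scored = [(name, exposure_score(p, steps, apps, covered_cis, open_issues.get(name, 0)))
              for name, p in procs.items()]
    return sorted(scored, key=lambda s: s[1], reverse=True)

def single_points_of_failure(procs, steps, apps):
    """CIs linked to 2+ processes, ranked by affected-process count, then combined CIA."""
    dependents = defaultdict(list)
    for name, proc in procs.items():
        for ci in process_cis(proc, steps, apps):
            dependents[ci].append(name)
    spofs = [(ci, len(ps), sum(sum(procs[p]["cia"]) for p in ps), sorted(ps))
             for ci, ps in dependents.items() if len(ps) >= 2]
    return sorted(spofs, key=lambda s: (s[1], s[2]), reverse=True)

# Constructed sample CMDB: CI names and links are made up for illustration
STEPS = {"approve-payment": ["db-01"]}
APPS = {"erp": ["db-01", "app-01"], "sso": ["db-01", "idp-01", "idp-02"]}
PROCS = {
    "financial-reporting": {"cia": (4, 5, 3), "direct_cis": [],
                            "steps": ["approve-payment"], "apps": ["erp"]},
    "customer-auth": {"cia": (5, 5, 5), "direct_cis": ["hsm-01"],
                      "steps": [], "apps": ["sso"]},
    "print-queue": {"cia": (1, 1, 2), "direct_cis": ["print-01"],
                    "steps": [], "apps": []},
}
COVERED_CIS = {"db-01", "hsm-01"}          # CIs protected by at least one control
OPEN_ISSUES = {"financial-reporting": 2}   # active issues on linked controls
```

Here db-01 is reached by one process through a workflow step and by another through an application, so it is reported as a SPOF affecting both (combined CIA 27) even though neither process links it directly.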
Risk Settings
Superadmins can configure the risk appetite and severity multipliers from the risk settings page. Changes take effect immediately - the report recalculates on every request using the current configuration. Non-superadmin users can view the report but cannot modify the settings.