Risk Report
Real-time quantification of your organisation's risk exposure
What the Risk Report Shows
The risk report provides a real-time view of your organisation's cyber risk exposure. It aggregates all active issues, calculates the financial exposure each one represents, and compares the total against your defined risk appetite. The result is a single, actionable dashboard showing whether your risk is within budget or exceeding it.
Risk Appetite
The risk appetite is the total risk budget your organisation is willing to accept, expressed as a monetary value. The default is 1,000,000 (one million in your workspace currency). This value is configurable by superadmins via the risk settings page.
Think of the risk appetite as a ceiling: as long as your total risk exposure stays below the appetite, you are operating within acceptable bounds.
How Risk Exposure is Calculated
For each active issue (one that is Open, Investigating, in Remediation, or Accepted), Anzen calculates an exposure amount by multiplying the financial value of the affected business process by a severity multiplier. Specifically:
- Anzen looks at the issue's linked control.
- From that control, it finds the highest-value business process (by financial value).
- It then multiplies that financial value by the severity multiplier (a percentage based on the issue's severity level).
The total risk exposure is the sum of all individual issue exposures. Issues not linked to a control, or whose control has no linked business processes, contribute zero exposure.
Severity Multipliers
Each severity level has a configurable percentage multiplier that determines how much of the business process value is counted as exposure. The defaults are:
| Severity | Default multiplier | Example (on a 500,000 process) |
|---|---|---|
| Critical | 100% | 500,000 |
| High | 75% | 375,000 |
| Medium | 50% | 250,000 |
| Low | 25% | 125,000 |
These multipliers are configurable per workspace, so you can tune them to match your organisation's risk methodology.
Risk Appetite Utilisation
The headline metric on the risk report is utilisation — the percentage of your risk appetite that is currently consumed. It is calculated by dividing the total exposure by the risk appetite.
This is visualised as a gauge. When utilisation is low, the gauge is green — your risk is well within budget. As utilisation approaches and exceeds 100%, the gauge turns red, indicating that your organisation's risk exposure has exceeded its appetite.
Active Risk Items
Below the gauge, the report shows a table of every issue contributing to exposure. Each row displays the issue number, title, severity, status, the severity multiplier applied, the business process value used, and the calculated exposure amount. Items are sorted by exposure in descending order, so the biggest risks appear first.
The report also provides a breakdown by severity, showing the count and total exposure for each severity level.
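The calculation described above (per-issue exposure, total, utilisation, sorted table and severity breakdown), as an added Python example that is not Anzen's own code. The field names, control IDs and the "Closed" status are assumptions, and it assumes that active issues with zero exposure still appear in the table and in the per-severity counts.

```python
# Added example. Field names, control IDs and the "Closed" status are assumptions
# made for illustration; they are not Anzen's data model or API.
ACTIVE = {"Open", "Investigating", "Remediation", "Accepted"}
DEFAULTS = {"Critical": 1.00, "High": 0.75, "Medium": 0.50, "Low": 0.25}

def risk_report(issues, controls, appetite=1_000_000, multipliers=DEFAULTS):
    """controls maps a control ID to the financial values of its linked processes."""
    if appetite <= 0:
        raise ValueError("risk appetite must be a positive amount")
    rows, by_severity = [], {}
    for issue in issues:
        if issue["status"] not in ACTIVE:
            continue  # only active issues count towards exposure
        values = controls.get(issue.get("control"), [])
        # No linked control, or a control with no linked processes: zero exposure.
        value = max(values, default=0)
        multiplier = multipliers[issue["severity"]]
        exposure = value * multiplier
        rows.append({**issue, "multiplier": multiplier,
                     "process_value": value, "exposure": exposure})
        bucket = by_severity.setdefault(issue["severity"], {"count": 0, "exposure": 0})
        bucket["count"] += 1
        bucket["exposure"] += exposure
    rows.sort(key=lambda r: r["exposure"], reverse=True)  # biggest risks first
    total = sum(r["exposure"] for r in rows)
    return {"total": total, "utilisation_pct": 100 * total / appetite,
            "over_appetite": total > appetite,
            "rows": rows, "by_severity": by_severity}

# Constructed sample data (not taken from a real workspace).
CONTROLS = {"CTRL-1": [500_000, 120_000], "CTRL-2": [200_000], "CTRL-3": []}
ISSUES = [
    {"id": 1, "severity": "Critical", "status": "Open", "control": "CTRL-1"},
    {"id": 2, "severity": "High", "status": "Investigating", "control": "CTRL-2"},
    {"id": 3, "severity": "Medium", "status": "Accepted", "control": "CTRL-1"},
    {"id": 4, "severity": "Low", "status": "Remediation", "control": "CTRL-3"},
    {"id": 5, "severity": "High", "status": "Open", "control": None},
    {"id": 6, "severity": "Critical", "status": "Closed", "control": "CTRL-1"},
]

if __name__ == "__main__":
    report = risk_report(ISSUES, CONTROLS)
    print(f"total={report['total']:,.0f} utilisation={report['utilisation_pct']:.0f}%")
    for row in report["rows"]:
        print(row["id"], row["severity"], row["status"], f"{row['exposure']:,.0f}")
```

Issue 3 uses 500,000 rather than 120,000 because the highest-value process on its control is the one counted, and lowering the appetite to 600,000 pushes the same issues over budget.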
Risk Settings
Superadmins can configure the risk appetite and severity multipliers from the risk settings page. Changes take effect immediately — the report recalculates on every request using the current configuration. Non-superadmin users can view the report but cannot modify the settings.