Identify, assess and address risks with control
Systematic risk work takes more than a list. Securapilot's risk management module follows every risk from identified to treated — on a visual 5×5 matrix and with traceability at every step.
Risk work that connects
Identifying risks is only the beginning. Securapilot's risk management module follows ISO 31000's risk management process applied to information security (ISO 27005) and gathers risk register, assessments, treatments and mitigation tasks in one place — with automatic scoring and every change logged.
The result: risk work that is traceable and measurable over time.
All risk work in one module
The risk management module covers the entire risk lifecycle in six connected areas.
Risk register
A list of the organization's identified risks, with the risk level before and after treatment, owner and status.
Risk matrix
A visual 5×5 heatmap that color-codes every risk by likelihood and consequence.
Risk assessments
Containers that group risks for joint evaluation within a defined scope.
Risk treatment
Treatment strategies — accept, reduce, transfer or avoid — with justification and a target level.
Mitigation tasks
Concrete tasks that break the treatments down and are ticked off on a task board.
Risk appetite
A questionnaire that establishes how much risk the organization is willing to accept.
How the module supports your risk work
Eight capabilities that take a risk from identified to closed — matrix, scoring, treatments and AI assistance.
Visual 5×5 risk matrix
Risks appear as clickable points on a color-coded matrix where the x-axis is likelihood and the y-axis is consequence. Several color themes to choose from.
Risk before and after treatment
Assess the risk both before you do anything about it (the "clean" risk) and after the treatments are in place — and see how much the treatments lower the risk in percent.
Automatic risk score and level
Likelihood × consequence automatically gives a risk score and a risk level, from very low to very high.
Guided workflow for assessments
A guided flow takes the assessment from draft to completed, shows how far along you are in percent and flags risks at a high level.
Four ways to handle a risk
Choose between accepting, reducing, transferring or avoiding the risk — and document cost vs. benefit, target level and approval for every choice.
Treatments as tasks to tick off
Break risk treatments into concrete tasks and handle them on a task board where each task moves between "To do", "In progress" and "Done".
Collaborate on assessments
Several people work together with roles and invitations — including external guests via a secure link with a limited validity.
AI support
AI suggests risks, scores them, justifies treatments and can pull gaps from the GAP analysis straight in as risks.
The risk lifecycle — from identified to closed
Every risk follows a clear status chain that mirrors the phases of risk work.
Identified
The risk is entered into the risk register with title, category and a responsible owner.
Assessed
Likelihood and consequence are scored and the risk is placed in the risk matrix.
Treated
A treatment strategy is chosen and the mitigation tasks are carried out.
Monitored
The residual risk is followed up and the treatment's progress is reviewed continuously.
Closed
The risk is closed once it has been handled — the whole course of events is in the timeline.
Frequently asked questions about the risk management module
What risk methodology is the module based on?
The module follows ISO 31000's risk management process applied to information security (ISO 27005), with a visual 5×5 matrix where likelihood and consequence are each rated on a scale of 1–5. Their product gives a risk score and a risk level — from very low to very high — calculated automatically.
What is the difference between inherent and residual risk?
Inherent risk is the risk level before treatment, residual risk is the level that remains after the treatment has been carried out. The module calculates both and shows the risk reduction as a percentage, making the effect of the treatment measurable.
Can several people work on the same risk assessment?
Yes. An assessment can be carried out by several people together with the roles owner, member and guest. Internal users are added directly, external ones are invited via a secure token link valid for 48 hours, and invitations are validated against the tenant's allowed domains.
How is risk management connected to the other modules?
Risks can be linked to information assets, gaps from the gap analysis, vendors and audit findings. This gives traceability between risk work and the rest of the platform — and gaps can be converted directly into risks with AI support.
What is the difference between ISO 31000 and ISO 27005?
ISO 31000 is the overarching framework for risk management — principles and a standard process (identify, analyse, evaluate, treat, monitor) that applies to all types of risk: financial, operational, security. ISO 27005 is the same methodology applied specifically to information security risk. Securapilot's risk management module follows both, so information security risks are handled with the same structure as the rest of your risk management.
Bring structure to all your risk work
Book a demo and we'll show you how the risk management module makes your risk work structured, measurable and traceable.
Related modules
Build a complete management system by combining modules that work together.