Product — Risk Register
Risk scores that update themselves
ISO 27005 risk assessment, connected to your compliance ledger. Inherent risk in, passing controls applied, residual risk out. Every scan recalculates.
5×5 risk matrix
Likelihood × Impact = Score
Both axes range from 1 to 5. Their product determines the risk level. Controls reduce the inputs, not the output — so residual scores stay grounded in reality.
Score 1–4: Low
Score 5–9: Medium
Score 10–15: High
Score 16–25: Critical
Treatment strategies
Four ways to handle risk
Each treatment strategy has a different effect on residual risk. The calculation is deterministic — no subjective "residual likelihood" guessing.
Mitigate
Each passing control reduces likelihood and impact by 1. Two passing policies on a 4×5 inherent risk produce a 2×3 residual. The math is automatic.
L4×I5 → 2 controls → L2×I3 = 6
Transfer
Shift impact to a third party. Each passing control reduces impact by 2. Insurance, outsourcing, or contractual liability transfer — the residual reflects it.
L4×I5 → 1 control → L4×I3 = 12
Avoid
Eliminate the risk entirely. Residual drops to 1×1. Used when you stop the activity that creates the risk — discontinue the product, kill the feature.
L4×I5 → avoided → L1×I1 = 1
Accept
Acknowledge the risk without action. Residual equals inherent. Requires a risk owner and a conscious decision — not a forgotten checkbox.
L4×I5 → accepted → L4×I5 = 20
How it works
A risk register connected to reality
Most risk registers are static documents reviewed quarterly. Sudory's risk register is a live computation over your compliance data.
Policy-linked risks
Every risk references the policies that mitigate it. When a policy fails, the linked risk's residual score recalculates automatically. No manual reassessment.
Planned controls
Track controls you intend to implement with target dates. Sudory shows the gap between current and target posture — and flags overdue treatment plans.
Risk appetite enforcement
Define your acceptable risk threshold. The assessment tells you exactly how many risks exceed appetite and which controls would bring them back in bounds.
Three risk categories
Classify risks by what they threaten: confidentiality, integrity, or availability. The CIA triad, built into the data model.
Continuous reassessment
Risk scores update as scan results change. Every new scan, every new finding, every remediation shifts residual risk in real time.
Gap detection
Missing or failing policies referenced by a risk are flagged as gaps. Nonexistent policy references surface immediately — no silent failures.
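The scoring rules above (5×5 matrix, the four treatment strategies) and the register behaviour described in this section (policy-linked recalculation, gap detection, risk appetite) are small enough to show end to end. The following is an added worked example written for this page, not Sudory's own code. It assumes a few things the page does not state: likelihood and impact are clamped to the 1–5 axis after controls are subtracted, a policy referenced by a risk but absent from the ledger counts as not passing (as well as being flagged as a gap), and the policy ids, ledger shape and risk names are constructed sample data.

```python
"""Residual-risk calculation in the style of the 5x5 matrix and four
treatment strategies described above.  Added example, not Sudory's code.

Assumptions (not on the page): scores are clamped to the 1..5 axis,
a policy missing from the ledger counts as not passing, and the ledger
shape (policy id -> 'pass' | 'fail') and sample records are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5


def risk_level(score: int) -> str:
    """Map a Likelihood x Impact product onto the page's four bands."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Critical"


def clamp(value: int) -> int:
    """Keep a likelihood or impact value on the 1..5 axis (assumption)."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


@dataclass
class Risk:
    name: str
    likelihood: int            # inherent likelihood, 1..5
    impact: int                # inherent impact, 1..5
    treatment: str             # mitigate | transfer | avoid | accept
    policies: list[str] = field(default_factory=list)  # policies that mitigate it


def residual(risk: Risk, ledger: dict[str, str]) -> tuple[int, int, int]:
    """Return (likelihood, impact, score) after applying passing controls.

    Only policies recorded as 'pass' in the ledger count; a failing or
    missing policy contributes nothing, so residual equals inherent."""
    passing = sum(1 for p in risk.policies if ledger.get(p) == "pass")
    lik, imp = risk.likelihood, risk.impact
    if risk.treatment == "mitigate":          # each control: -1 likelihood, -1 impact
        lik, imp = clamp(lik - passing), clamp(imp - passing)
    elif risk.treatment == "transfer":        # each control: -2 impact
        imp = clamp(imp - 2 * passing)
    elif risk.treatment == "avoid":           # activity stopped: 1x1
        lik, imp = 1, 1
    elif risk.treatment == "accept":          # conscious decision: unchanged
        pass
    else:
        raise ValueError(f"unknown treatment: {risk.treatment}")
    return lik, imp, lik * imp


def gaps(risk: Risk, ledger: dict[str, str]) -> dict[str, list[str]]:
    """Flag policy references that are absent from the ledger or failing."""
    return {
        "missing": [p for p in risk.policies if p not in ledger],
        "failing": [p for p in risk.policies if ledger.get(p) == "fail"],
    }


def over_appetite(risks: list[Risk], ledger: dict[str, str], appetite: int) -> list[str]:
    """Names of risks whose residual score exceeds the acceptable threshold."""
    return [r.name for r in risks if residual(r, ledger)[2] > appetite]


# Constructed sample ledger: the latest scan's pass/fail result per policy.
LEDGER = {"POL-ACCESS": "pass", "POL-BACKUP": "pass", "POL-LOGGING": "fail"}

# Constructed sample register; the first four mirror the page's L4xI5 worked cases.
RISKS = [
    Risk("Credential theft", 4, 5, "mitigate", ["POL-ACCESS", "POL-BACKUP"]),
    Risk("Vendor outage", 4, 5, "transfer", ["POL-BACKUP"]),
    Risk("Legacy feature abuse", 4, 5, "avoid"),
    Risk("Unmonitored admin activity", 4, 5, "accept", ["POL-LOGGING"]),
    Risk("Unreviewed policy", 3, 4, "mitigate", ["POL-DOES-NOT-EXIST"]),
]

if __name__ == "__main__":
    for r in RISKS:
        lik, imp, score = residual(r, LEDGER)
        print(f"{r.name:28} L{lik}xI{imp} = {score:2} {risk_level(score):8} {gaps(r, LEDGER)}")
    print("over appetite (>9):", over_appetite(RISKS, LEDGER, 9))
    # Continuous reassessment: a later scan fails POL-ACCESS, one control drops out.
    rescan = dict(LEDGER, **{"POL-ACCESS": "fail"})
    print("after rescan, credential theft:", residual(RISKS[0], rescan))
```

Running it reproduces the four page examples (6, 12, 1 and 20), flags the nonexistent policy reference as a gap with the risk left at its inherent 3×4 = 12, and shows the recalculation the page describes: when the rescan fails POL-ACCESS, the mitigated risk moves from 2×3 = 6 (Medium) to 3×4 = 12 (High) with no manual reassessment.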
For MSPs
Risk visibility across your portfolio
Manage risk registers for every client with consistent methodology. Know where exposure concentrates before it becomes an incident.
Risk registers per client
Each client gets their own risk register, linked to their own policies and scan data. One dashboard shows portfolio-wide risk exposure.
Standardized scoring
Same 5×5 matrix, same treatment strategies, same residual calculation across every client. Compare risk posture consistently.
Overdue visibility
See which clients have overdue treatment plans at a glance. Planned controls with past target dates and pending implementation surface automatically.
From static spreadsheet to live risk engine
Start with a domain scan. Sudory maps findings to risks, links them to policies, and calculates residual scores — all before your first meeting.