
Risk Management

SignalBreak's Risk Management feature provides a comprehensive system for identifying, tracking, treating, and remediating AI-related risks across your organization.

Overview

The Risk Management module consists of four integrated pages:

| Page | Purpose | Key Features |
| --- | --- | --- |
| Risk Register | Centralized risk inventory | MIT framework structure, severity scoring, treatment tracking |
| Trends & Metrics | Monitor risk exposure over time | Historical trends, delta analysis, industry benchmarking |
| Decisions | Track treatment decisions | Audit trail, acceptance log, deferral management |
| Gaps & Remediation | Identify and close control gaps | Untreated risks, overdue reviews, incomplete evidence |

Risk Register

Location: Dashboard → Risk Management

The Risk Register is your centralized inventory of AI risks across all workflows, organized using the MIT AI Risk Framework.

Risk Register showing exposure metrics, risk domains, and treatment coverage

What You'll See

Summary Cards (Top Row):

  • Total Risk Exposure — Sum of all risk scores across your organization
  • Average Risk Score — Mean risk per workflow
  • Highest Risk — Maximum individual risk score and which workflow it affects
  • Treatment Coverage — Percentage of risks with documented treatment

Risk Hierarchy:

MIT Domain (e.g., "1. Harmful or Unfair Outcomes")
└── Subdomain (e.g., "1.1 Harmful Decision")
    └── Workflow (e.g., "Customer Credit Approval")
        └── Risk Details (score, severity, treatment status)

Understanding Risk Codes

Each risk has a risk code in the format: subdomain_code/workflow_initials

Example: 1.1/CRA

  • 1.1 = MIT subdomain "Harmful Decision"
  • CRA = Workflow initials "Customer Risk Assessment"

This standardized format makes it easy to:

  • Reference risks in discussions
  • Sort and filter systematically
  • Map to MIT Framework domains

Risk Severity Levels

| Severity | Score Range | Meaning |
| --- | --- | --- |
| 🔴 Critical | 76-100 | Immediate action required. Business-critical impact. |
| 🟠 High | 51-75 | Priority treatment needed. Significant business risk. |
| 🟡 Medium | 26-50 | Scheduled treatment. Moderate impact. |
| 🟢 Low | 0-25 | Monitor and review. Minimal current impact. |

Severity Aggregation

If a subdomain contains any Critical risk, the entire subdomain shows as Critical. The highest severity "wins" at each level.
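The rules above (code format, score bands, highest-severity-wins roll-up, the four summary cards) as a small worked example. This is added illustration, not SignalBreak's code: the record layout and the four sample risks are constructed, subdomain code 2.1 is a placeholder, and deriving initials from the first letter of each word in the workflow name is an assumption about how the product forms codes.

```python
"""Risk-code construction, severity bands, roll-up and the summary cards.

Added example, not SignalBreak's own code. The record layout and the four
sample risks are constructed; subdomain "2.1" is a placeholder code. Score
bands, the "highest severity wins" roll-up and the summary-card definitions
follow the page; the initials rule is an assumption.
"""
from collections import namedtuple

Risk = namedtuple("Risk", "domain subdomain workflow score treatment_status")

# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("1. Harmful or Unfair Outcomes", "1.1", "Customer Risk Assessment", 82, "Untreated"),
    Risk("1. Harmful or Unfair Outcomes", "1.1", "Loan Pricing Model", 40, "Mitigated"),
    Risk("1. Harmful or Unfair Outcomes", "1.2", "Resume Screening", 60, "Accepted"),
    Risk("2. AI System Malfunctions", "2.1", "Support Chatbot", 15, "Untreated"),
]

# Inclusive integer score bands from the severity table.
SEVERITY_BANDS = (("Critical", 76, 100), ("High", 51, 75), ("Medium", 26, 50), ("Low", 0, 25))
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def workflow_initials(name):
    """'Customer Risk Assessment' -> 'CRA' (assumed rule: first letter of each word)."""
    return "".join(word[0] for word in name.split()).upper()


def risk_code(subdomain_code, workflow_name):
    """Page format: subdomain_code/workflow_initials, e.g. '1.1/CRA'."""
    return f"{subdomain_code}/{workflow_initials(workflow_name)}"


def severity(score):
    """Map a 0-100 score to its band; refuse out-of-range input rather than guess."""
    if not isinstance(score, int) or not 0 <= score <= 100:
        raise ValueError(f"score must be an integer in 0-100, got {score!r}")
    for name, lo, hi in SEVERITY_BANDS:
        if lo <= score <= hi:
            return name
    raise AssertionError("bands cover 0-100")  # unreachable


def _worst(severities):
    return max(severities, key=SEVERITY_RANK.__getitem__)


def rollup(risks):
    """Highest severity wins at each level: one Critical risk makes its subdomain
    and its domain Critical. Returns (subdomain -> severity, domain -> severity)."""
    by_subdomain, by_domain = {}, {}
    for r in risks:
        sev = severity(r.score)
        by_subdomain[r.subdomain] = _worst([sev, by_subdomain.get(r.subdomain, "Low")])
        by_domain[r.domain] = _worst([sev, by_domain.get(r.domain, "Low")])
    return by_subdomain, by_domain


def summary_cards(risks):
    """The four top-row cards. A risk with no status counts as untreated, as on the Gaps page."""
    if not risks:
        raise ValueError("empty register")
    total = sum(r.score for r in risks)
    top = max(risks, key=lambda r: r.score)
    treated = sum(1 for r in risks if r.treatment_status not in (None, "Untreated"))
    return {
        "total_exposure": total,
        "average_score": round(total / len(risks), 2),
        "highest": (top.score, top.workflow),
        "treatment_coverage_pct": round(100 * treated / len(risks), 1),
    }


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(risk_code(r.subdomain, r.workflow), severity(r.score), r.treatment_status)
    print(rollup(SAMPLE_RISKS))
    print(summary_cards(SAMPLE_RISKS))
```

One consequence of the initials scheme worth remembering: two workflows whose names share initials under the same subdomain produce the same code, so a code alone is not a unique key; the workflow name column in the CSV export is.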

Treatment Status Options

| Status | Meaning | Requirements |
| --- | --- | --- |
| Untreated | Risk identified but no treatment plan | Default state for new risks |
| Mitigated | Controls implemented to reduce risk | Requires evidence documentation |
| Accepted | Risk consciously accepted by authority | Requires decision authority approval |
| Transferred | Risk delegated to third party | Document transfer arrangement |

Available Filters:

  • Domain: Filter by MIT Framework domain (1. Harmful Behavior, 2. Malfunction, etc.)
  • Severity: Show only Critical, High, Medium, or Low risks
  • Treatment: Filter by treatment status (All, Untreated, Mitigated, Accepted, Transferred)
  • Relevance: Primary (core AI risks) or Secondary (supporting risks)
  • Search: Find risks by workflow name, domain name, or risk code

Industry Benchmarking

Compare your risk exposure to industry peers:

Available Industries:

  • Technology / SaaS
  • Financial Services
  • Healthcare
  • Retail / E-commerce
  • Manufacturing
  • Professional Services
  • Government / Public Sector

Percentile Interpretation:

  • 75th percentile = You have higher risk exposure than 75% of peers (improvement opportunity)
  • 50th percentile (median) = Average for your industry
  • 25th percentile = You have lower risk exposure than 75% of peers (strong position)

Example:

"Your total exposure is at the 68th percentile for Technology / SaaS companies with 10-20 workflows. This means your risk is higher than 68% of similar organizations."

Taking Action

To Treat a Risk:

  1. Click Treat next to the workflow in the risk register
  2. You'll be taken to the workflow's Risk tab (/workflows/{id}?tab=risk)
  3. Document your treatment approach:
    • Choose treatment status (Mitigate/Accept/Transfer)
    • Add evidence or justification
    • Set review due date
    • Assign decision authority
  4. Save the treatment decision
  5. Return to Risk Register to see updated coverage percentage

Best Practices:

  • Treat Critical and High severity risks first
  • Document why you chose each treatment option
  • Set review dates for mitigated risks (quarterly recommended)
  • Get appropriate authority approval for acceptances

Exporting Risk Data

Click Export to CSV to download:

  • All visible risks (respects current filters)
  • Columns: domain, subdomain, risk code, workflow name, relevance, score, severity, treatment status, review due date

Use Cases:

  • Board reports
  • Audit documentation
  • Quarterly risk reviews
  • Compliance evidence

Trends & Metrics

Location: Dashboard → Risk Management → Trends

Monitor how your risk posture evolves over time and identify improvement trends.

Risk Trends page showing metrics visualization (placeholder - not yet captured)

Current Metrics

Five Key Metrics:

| Metric | What It Measures |
| --- | --- |
| Total Exposure (Sum) | Combined risk score across all workflows |
| Average Risk (Mean) | Risk per workflow on average |
| Highest Risk (Max) | Single highest risk score in your portfolio |
| Total Risks | Count of identified risks |
| Treatment Coverage | % of risks with documented treatment |

Delta Analysis

For each metric, see:

  • Current Value — Where you are now
  • Previous Month — Value 30 days ago
  • Change — Absolute difference (+/-)
  • Change % — Percentage increase or decrease

Example:

Total Exposure: 2,850
Previous Month: 3,200
Change: -350 (-10.9%)
✅ Your risk exposure decreased by 11% this month

Time Ranges

Choose your analysis window:

  • 3 Months — Short-term trend spotting
  • 6 Months (default) — Medium-term strategic view
  • 12 Months — Annual trend analysis

Historical Chart

Coming Soon

Historical trend visualization is currently being populated. Once you have 2+ months of data, you'll see a line chart showing how each metric has changed over time.

Good Trends (Improving):

  • ✅ Total Exposure decreasing
  • ✅ Treatment Coverage increasing
  • ✅ Critical risk count decreasing

Concerning Trends (Declining):

  • ⚠️ Total Exposure increasing
  • ⚠️ Treatment Coverage decreasing
  • ⚠️ Average Risk per workflow rising

Mixed Trends (read the metrics together):

  • Total Risks unchanged but coverage increasing = Good (treating backlog)
  • Total Risks increasing but coverage stable = Neutral (growth with governance)

Exporting Trends

Click Export to CSV to download historical metrics for:

  • Reporting to leadership
  • Quarterly board presentations
  • Year-over-year comparisons
  • Compliance documentation

CSV includes: date, sum, mean, max, total, coverage_pct, treated, untreated
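The delta analysis and trend reading above, applied to a Trends CSV export in the column layout the page lists. This is an added example, not SignalBreak's code: the two CSV rows are constructed sample data (monthly rows standing in for the 30-day comparison), and the 1% tolerance used to call a metric stable is an assumption.

```python
"""Delta analysis over a Trends CSV export.

Added example, not SignalBreak's own code. The CSV text is constructed to
match the column list the page gives (date, sum, mean, max, total,
coverage_pct, treated, untreated); the values are sample data. The
improving/concerning rules follow the page's trend lists; the tolerance
used to call a metric "stable" is an assumption.
"""
import csv
import io

SAMPLE_TRENDS_CSV = """date,sum,mean,max,total,coverage_pct,treated,untreated
2026-01-02,3200,160.0,88,20,45.0,9,11
2026-02-02,2850,129.5,82,22,54.5,12,10
"""

METRICS = ("sum", "mean", "max", "total", "coverage_pct", "treated", "untreated")
LABELS = {"sum": "Total Exposure", "mean": "Average Risk", "max": "Highest Risk",
          "total": "Total Risks", "coverage_pct": "Treatment Coverage",
          "treated": "Treated", "untreated": "Untreated"}
# True: a fall is an improvement; False: a rise is; None: direction alone says nothing.
LOWER_IS_BETTER = {"sum": True, "mean": True, "max": True, "untreated": True,
                   "coverage_pct": False, "treated": False, "total": None}
STABLE_TOLERANCE_PCT = 1.0  # assumption: |change %| under this is reported as stable


def load_trends(csv_text):
    """Parse the export and sort by date so the last two rows form the comparison pair."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        for metric in METRICS:
            row[metric] = float(row[metric])
    return sorted(rows, key=lambda r: r["date"])


def delta(previous, current):
    """Absolute change and % change rounded to one decimal; % is None when previous is 0."""
    change = current - previous
    pct = None if previous == 0 else round(change / previous * 100, 1)
    return change, pct


def classify(metric, change, pct):
    """Apply the page's good/concerning directions to one metric."""
    if pct is None or abs(pct) < STABLE_TOLERANCE_PCT:
        return "stable"
    if LOWER_IS_BETTER[metric] is None:
        return "neutral"
    return "improving" if (change < 0) == LOWER_IS_BETTER[metric] else "concerning"


def portfolio_note(report):
    """The two combined readings the page calls out (backlog treatment, governed growth)."""
    total, coverage = report["total"], report["coverage_pct"]
    if total["verdict"] == "stable" and coverage["change"] > 0:
        return "treating backlog: risk count unchanged, coverage rising"
    if total["change"] > 0 and coverage["verdict"] == "stable":
        return "growth with governance: new risks added, coverage held"
    return ""


def assess(rows):
    """Delta analysis for every metric between the latest row and the one before it."""
    if len(rows) < 2:
        raise ValueError("delta analysis needs at least two data points")
    previous, current = rows[-2], rows[-1]
    report = {}
    for metric in METRICS:
        change, pct = delta(previous[metric], current[metric])
        report[metric] = {"previous": previous[metric], "current": current[metric],
                          "change": change, "change_pct": pct,
                          "verdict": classify(metric, change, pct)}
    report["note"] = portfolio_note(report)
    return report


def summary_line(metric, entry):
    """One line in the page's style, e.g. 'Total Exposure: 2,850 (previous 3,200, change -350, -10.9%)'."""
    pct = "n/a" if entry["change_pct"] is None else f"{entry['change_pct']:+.1f}%"
    return (f"{LABELS[metric]}: {entry['current']:,.0f} (previous {entry['previous']:,.0f}, "
            f"change {entry['change']:+,.0f}, {pct})")


if __name__ == "__main__":
    result = assess(load_trends(SAMPLE_TRENDS_CSV))
    for metric in METRICS:
        print(summary_line(metric, result[metric]), "->", result[metric]["verdict"])
    print(result["note"] or "no combined reading")
```

The zero-previous guard matters on a fresh tenant: the first export after onboarding has a previous value of 0 for every metric, and a naive percentage would divide by zero.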


Decisions

Location: Dashboard → Risk Management → Decisions

Track all risk treatment decisions, acceptances, and strategic deferrals in one auditable location.

Decisions page showing recent risk treatment decisions and audit trail

Three Views

1. Recent Decisions Tab

Shows the audit trail of all treatment status changes across your organization.

What You'll See:

  • Workflow name
  • Subdomain affected
  • Old status → New status
  • When the change was made
  • Who made the decision and their role
  • Justification provided

Use Cases:

  • Audit compliance
  • Leadership reporting
  • Understanding treatment patterns
  • Tracking decision authority

Example Entry:

Workflow: Customer Credit Approval
Subdomain: 1.1 Harmful Decision
Old Status: Untreated
New Status: Mitigated
Changed At: 2026-02-02 14:30 UTC
Changed By: Sarah Chen (GRC Lead)
Justification: Implemented rule-based guardrails and quarterly model review process

2. Acceptances Tab

Filters the audit trail to show only risk acceptances — decisions to consciously accept a risk rather than mitigate it.

When to Accept a Risk:

  • Cost of mitigation exceeds potential impact
  • Risk falls within risk appetite thresholds
  • Temporary acceptance while implementing controls
  • Strategic business decision (e.g., competitive advantage)

Requires:

  • Appropriate decision authority (see below)
  • Clear justification
  • Review period defined

Decision Authority Levels:

| Authority Level | Max Budget | Can Accept Risk | Can Approve Policy Exception |
| --- | --- | --- | --- |
| Delegated (Workflow Owner) | £5,000 | No (escalate to Committee) | |
| Committee (GRC Lead) | £25,000 | Yes, up to £25,000 impact | |
| Executive (Exec Sponsor) | £100,000 | Yes, up to £100,000 impact | |
| Board | Unlimited | Yes, any risk | |

The policy-exception column was not captured in this version of the table.

Authority Requirements

Risk acceptances automatically calculate required authority based on the workflow's business value and potential impact. Ensure decisions are approved at the appropriate level for audit compliance.

3. Deferrals Tab

Shows strategic deferrals — decisions to postpone risk treatment for valid business reasons.

Valid Deferral Categories:

  • Resource Constrained — Lack of budget or team capacity
  • Lower Priority — Consciously deprioritized against higher risks
  • Dependency Blocked — Awaiting external completion (vendor, platform, etc.)
  • Accepted Risk — Risk accepted but action deferred with time limit
  • Strategic Choice — Aligned with business strategy

Deferral Lifecycle:

Created → Active → [Review] → Reactivated / Extended / Closed

At each review the deferral is either extended (stays Active with a new review date), reactivated (moved back into active treatment) or closed (recorded as Completed).

What You'll See:

  • Deferral title and description
  • Linked workflow
  • Deferral category and detailed reason
  • Current status (Active/Reactivated/Completed/Cancelled)
  • Review date and frequency
  • Who deferred it and when

Review Frequencies:

  • Weekly — For critical items under short-term deferral
  • Monthly — Default for most deferrals
  • Quarterly — For lower-priority strategic deferrals
  • Annual — For long-term strategic decisions

Decision Urgency Levels

When creating decisions, you can set urgency:

| Urgency | Meaning | Example |
| --- | --- | --- |
| Immediate | Action needed today | Critical vulnerability discovered |
| Urgent | Action needed this week | High-risk system going live |
| Normal | Action needed this month | Quarterly risk treatment |
| Low | Can be scheduled flexibly | Minor policy update |

Decision Summary Card

At the top of the Decisions page, you'll see:

  • Total Decisions — Count of all status changes
  • Acceptances — Count of accepted risks
  • Active Deferrals — Count of open deferral items

Exporting Decisions

Each tab has its own Export to CSV button:

  • Recent Decisions export includes: workflow, subdomain, old/new status, date, role, justification
  • Acceptances export includes: the same fields, pre-filtered to acceptances only
  • Deferrals export includes: title, description, workflow, category, reason, status, review date

Use Cases:

  • Audit documentation
  • Quarterly governance reviews
  • Board compliance reporting
  • Authority matrix validation

Gaps & Remediation

Location: Dashboard → Risk Management → Gaps

Identify control gaps and track remediation progress across three critical areas.

Gaps & Remediation page showing untreated risks, overdue reviews, and incomplete evidence

Summary Card

Three Gap Types Tracked:

  • Untreated Risks — Risks without treatment plans (includes count of critical untreated risks)
  • Overdue Reviews — Mitigated risks past their review due date (includes count 30+ days overdue)
  • Incomplete Evidence — Mitigated risks missing supporting documentation

Total Gaps = Sum of all three types. Because the Overdue Reviews and Incomplete Evidence checks both apply to Mitigated risks, one risk can appear in both lists, so Total Gaps counts gap instances rather than distinct risks.

Gap Type 1: Untreated Risks

Definition: Risks with treatment_status = Untreated or no status set.

Why It's a Gap: These are identified risks without any documented treatment approach — the highest priority remediation target.

What You'll See:

  • Risk code (e.g., 1.1/CRA)
  • Workflow name
  • Subdomain
  • Risk score and severity
  • Relevance (Primary/Secondary)
  • Date identified

Remediation Steps:

  1. Review each untreated risk
  2. Assess treatment options (Mitigate/Accept/Transfer)
  3. Navigate to workflow's Risk tab
  4. Document treatment decision
  5. Set review due date
  6. Gap automatically closed when status updated

Priority: Start with Critical severity untreated risks first.

Gap Type 2: Overdue Reviews

Definition: Risks with treatment_status = Mitigated and review_due_date in the past.

Why It's a Gap: Treatment evidence may be stale. Controls need re-validation to ensure they're still effective.

What You'll See:

  • Risk code
  • Workflow name
  • Subdomain
  • Current treatment status
  • Review due date
  • Days overdue

Remediation Steps:

  1. Navigate to workflow's Risk tab
  2. Re-validate controls are still in place
  3. Update evidence if needed
  4. Set new review due date (e.g., +90 days)
  5. Gap automatically closed when review_due_date is updated to future

Priority: Address reviews 30+ days overdue first — these are flagged separately in the summary.

Gap Type 3: Incomplete Evidence

Definition: Risks with treatment_status = Mitigated but no evidence_reference documented.

Why It's a Gap: Claims of mitigation without supporting evidence won't satisfy auditors or regulators.

What You'll See:

  • Risk code
  • Workflow name
  • Subdomain
  • Treatment status (always "Mitigated")
  • Date decision was made

Remediation Steps:

  1. Navigate to workflow's Risk tab
  2. Locate the evidence for the mitigation
  3. Add evidence reference (document link, ticket number, policy page)
  4. Save the update
  5. Gap automatically closed when evidence_reference is populated

Evidence Examples:

  • "Control documented in IAM Policy v2.3"
  • "Quarterly review process defined in JIRA-1234"
  • "Fallback provider configured (see binding #42)"
  • "Human-in-loop approval workflow implemented (Ticket SB-567)"

Gap Severity Classification

Gaps are automatically assigned severity based on the underlying risk:

  • 🔴 Critical — Gap affecting a Critical-severity risk
  • 🟠 High — Gap affecting a High-severity risk
  • 🟡 Medium — Gap affecting a Medium-severity risk
  • 🟢 Low — Gap affecting a Low-severity risk
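The three gap definitions and the summary-card counts, run over a small constructed register. Added example, not SignalBreak's code: the per-risk dict layout reuses the field names the page gives (treatment_status, review_due_date, evidence_reference), but the six records, the ordering of results and the treatment of whitespace-only evidence as missing are assumptions.

```python
"""Gap detection over a risk register, following the three gap definitions.

Added example, not SignalBreak's own code. The record layout and the six
sample records are constructed; subdomain code "2.1" is a placeholder.
Gap definitions, the separate 30+ days overdue count, the critical-untreated
count, gap severity inheriting the risk's severity and Total Gaps as the sum
of the three lists follow the page. Result ordering and treating
whitespace-only evidence as missing are assumptions.
"""
from datetime import date

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Constructed sample register; dates are ISO strings as a CSV export would carry them.
SAMPLE_REGISTER = [
    {"risk_code": "1.1/CRA", "workflow": "Customer Risk Assessment", "subdomain": "1.1 Harmful Decision",
     "severity": "Critical", "treatment_status": "Untreated", "review_due_date": None, "evidence_reference": None},
    {"risk_code": "1.2/RS", "workflow": "Resume Screening", "subdomain": "1.2 Discriminatory Outcomes",
     "severity": "High", "treatment_status": "Mitigated", "review_due_date": "2025-12-01",
     "evidence_reference": "Quarterly review process defined in JIRA-1234"},
    {"risk_code": "2.1/SC", "workflow": "Support Chatbot", "subdomain": "2.1",
     "severity": "Medium", "treatment_status": "Mitigated", "review_due_date": "2026-01-15",
     "evidence_reference": "   "},  # whitespace only: treated as missing evidence
    {"risk_code": "1.1/LPM", "workflow": "Loan Pricing Model", "subdomain": "1.1 Harmful Decision",
     "severity": "High", "treatment_status": "Accepted", "review_due_date": "2025-11-01",
     "evidence_reference": None},  # Accepted, not Mitigated: neither review nor evidence rule applies
    {"risk_code": "2.1/DC", "workflow": "Document Classifier", "subdomain": "2.1",
     "severity": "Low", "treatment_status": None, "review_due_date": None, "evidence_reference": None},
    {"risk_code": "1.2/FD", "workflow": "Fraud Detection", "subdomain": "1.2 Discriminatory Outcomes",
     "severity": "Critical", "treatment_status": "Mitigated", "review_due_date": "2026-06-30",
     "evidence_reference": "Control documented in IAM Policy v2.3"},
]


def _gap(risk, gap_type, **extra):
    """A gap row; gap severity is the underlying risk's severity."""
    return {"gap_type": gap_type, "risk_code": risk["risk_code"], "workflow": risk["workflow"],
            "subdomain": risk["subdomain"], "gap_severity": risk["severity"], **extra}


def find_gaps(register, today):
    """Classify every risk into the three gap lists (a risk may land in two of them)."""
    untreated, overdue, no_evidence = [], [], []
    for risk in register:
        status = risk.get("treatment_status")
        if status in (None, "Untreated"):          # Gap type 1: no status or Untreated
            untreated.append(_gap(risk, "untreated"))
            continue
        if status != "Mitigated":                  # types 2 and 3 only apply to Mitigated
            continue
        due = risk.get("review_due_date")
        if due and date.fromisoformat(due) < today:  # Gap type 2: review date in the past
            days = (today - date.fromisoformat(due)).days
            overdue.append(_gap(risk, "overdue_review", review_due_date=due, days_overdue=days))
        if not (risk.get("evidence_reference") or "").strip():  # Gap type 3: no evidence
            no_evidence.append(_gap(risk, "incomplete_evidence"))
    # Priority ordering: most severe first, and most overdue first.
    untreated.sort(key=lambda g: -SEVERITY_RANK[g["gap_severity"]])
    overdue.sort(key=lambda g: -g["days_overdue"])
    no_evidence.sort(key=lambda g: -SEVERITY_RANK[g["gap_severity"]])
    return {"untreated": untreated, "overdue_reviews": overdue, "incomplete_evidence": no_evidence}


def gap_summary(gaps):
    """The summary card: per-type counts, the two highlighted sub-counts, and the total."""
    return {
        "untreated": len(gaps["untreated"]),
        "critical_untreated": sum(g["gap_severity"] == "Critical" for g in gaps["untreated"]),
        "overdue_reviews": len(gaps["overdue_reviews"]),
        "overdue_30_plus": sum(g["days_overdue"] >= 30 for g in gaps["overdue_reviews"]),
        "incomplete_evidence": len(gaps["incomplete_evidence"]),
        "total_gaps": sum(len(rows) for rows in gaps.values()),
    }


if __name__ == "__main__":
    found = find_gaps(SAMPLE_REGISTER, date(2026, 2, 2))
    for gap_type, rows in found.items():
        for g in rows:
            print(gap_type, g["risk_code"], g["gap_severity"], g.get("days_overdue", ""))
    print(gap_summary(found))
```

Two things the page's definitions leave out, visible in the sample: a Mitigated risk with no review date set at all is never overdue, and an Accepted risk whose review period has lapsed (1.1/LPM above) is not flagged either. If you want those caught, widen the status check in find_gaps rather than relying on the Gaps page alone.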

Export Gaps Data

Each gap type tab has its own Export to CSV button.

  • Untreated Risks CSV: risk_code, workflow, subdomain, score, severity, relevance, identified_date
  • Overdue Reviews CSV: risk_code, workflow, subdomain, treatment_status, review_due_date, days_overdue
  • Incomplete Evidence CSV: risk_code, workflow, subdomain, treatment_status, decided_at

Use Cases:

  • Remediation sprint planning
  • Audit preparation
  • Quarterly governance reporting
  • Team accountability tracking

Common Workflows

Workflow 1: Initial Risk Assessment

Goal: Populate your risk register for the first time.

Steps:

  1. Create all your workflows (see Workflows guide)
  2. Navigate to each workflow's Risk tab
  3. Complete the risk assessment for each workflow
  4. Go to Risk Management to see the populated register
  5. Filter by Severity: Critical and Treatment: Untreated
  6. Create treatment plans for the highest-priority risks

Time Estimate: 15-20 minutes per workflow for initial assessment


Workflow 2: Quarterly Risk Review

Goal: Refresh risk treatments and validate controls.

Steps:

  1. Go to Risk Management → Trends
  2. Review 3-month trend (is exposure increasing or decreasing?)
  3. Go to Risk Management → Gaps
  4. Check Overdue Reviews tab
  5. For each overdue item:
    • Validate controls still in place
    • Update evidence if needed
    • Set new review due date (+90 days recommended)
  6. Export updated risk register for board reporting

Frequency: Quarterly (recommended)


Workflow 3: Board Reporting

Goal: Generate compliance evidence for board governance reporting.

Steps:

  1. Go to Risk Management
  2. Select your industry benchmark (e.g., Financial Services)
  3. Note your percentile ranking and current metrics
  4. Click Export to CSV
  5. Go to Trends → Export historical trends
  6. Go to Decisions → Acceptances tab → Export acceptances log
  7. Go to Gaps → Export untreated risks and overdue reviews
  8. Compile exports into board report template

Artifacts Generated:

  • Current risk inventory
  • Treatment coverage percentage
  • Industry benchmark comparison
  • Trend analysis (improving or declining)
  • Acceptance audit trail
  • Outstanding gaps with remediation plans

Workflow 4: Audit Preparation

Goal: Provide auditor with comprehensive risk documentation.

Steps:

  1. Go to Risk Management → Gaps
  2. Address all Incomplete Evidence items (add documentation links)
  3. Address Critical Untreated Risks (document treatment plans)
  4. Go to Decisions → Acceptances
  5. Verify all acceptances have appropriate authority approval
  6. Export all decision audit trails (Recent Decisions tab)
  7. Go to Risk Management → Export full risk register
  8. Compile exports + evidence documents for auditor

Audit-Ready Checklist:

  • [ ] Zero incomplete evidence items
  • [ ] All critical risks treated or accepted with authority
  • [ ] Treatment audit trail exported
  • [ ] Acceptance decisions documented with justifications
  • [ ] Review dates current (no overdue reviews)

Workflow 5: Risk Acceptance Process

Goal: Formally accept a risk that cannot be cost-effectively mitigated.

Prerequisites:

  • Risk identified and scored
  • Mitigation cost assessed
  • Business case for acceptance documented

Steps:

  1. Navigate to workflow's Risk tab
  2. Review risk score and severity
  3. Determine required decision authority level:
    • Critical/High risks → Executive or Board
    • Medium risks → Committee (GRC Lead)
    • Low risks → Committee
  4. Document justification (why accepting this risk)
  5. Set review period (3-12 months depending on severity)
  6. Update treatment status to Accepted
  7. Record decision maker's name and role
  8. Verify decision appears in Decisions → Acceptances tab

Authority Matrix Reference:

  • Board: Can accept any risk, unlimited budget
  • Executive: Can accept risks up to £100,000 impact
  • Committee: Can accept risks up to £25,000 impact
  • Delegated: Cannot accept risks (escalate to Committee)

The impact bands above and the severity mapping in step 3 are both limits: a Medium risk with £60,000 of impact still needs Executive approval, and a Critical risk with £1,000 of impact still needs Executive or Board. Where the two rules point to different levels, approve at the higher one.
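The authority rules from this section and from the Decisions page, encoded as a check you can run over an acceptances export before an audit (the "verify all acceptances have appropriate authority approval" step). Added example, not SignalBreak's code: the impact_gbp and approved_by_level fields are assumed (the page's Acceptances export does not carry them), the four sample acceptances are constructed, and taking the stricter of the impact band and the severity mapping is this example's tie-break, not documented product behaviour.

```python
"""Required approval level for a risk acceptance, plus an audit pass over acceptances.

Added example, not SignalBreak's own code. Encodes the authority matrix
(Delegated cannot accept; Committee up to £25,000; Executive up to £100,000;
Board unlimited) and the severity mapping (Critical/High -> Executive or
Board, Medium/Low -> Committee). The tie-break (stricter rule wins), the
impact_gbp / approved_by_level fields and the sample records are assumptions.
"""
AUTHORITY_RANK = {"Delegated": 0, "Committee": 1, "Executive": 2, "Board": 3}
ACCEPT_LIMIT_GBP = {"Committee": 25_000, "Executive": 100_000, "Board": float("inf")}
MIN_AUTHORITY_BY_SEVERITY = {"Low": "Committee", "Medium": "Committee",
                             "High": "Executive", "Critical": "Executive"}

# Constructed sample acceptances (not real data).
SAMPLE_ACCEPTANCES = [
    {"risk_code": "1.1/CRA", "severity": "Critical", "impact_gbp": 150_000, "approved_by_level": "Board",
     "justification": "Mitigation cost exceeds impact; within board risk appetite",
     "review_due_date": "2026-05-01"},
    {"risk_code": "1.1/LPM", "severity": "High", "impact_gbp": 40_000, "approved_by_level": "Committee",
     "justification": "Temporary acceptance while guardrails are built", "review_due_date": "2026-04-01"},
    {"risk_code": "2.1/SC", "severity": "Medium", "impact_gbp": 8_000, "approved_by_level": "Committee",
     "justification": "", "review_due_date": "2026-05-01"},
    {"risk_code": "1.2/FD", "severity": "Low", "impact_gbp": 2_000, "approved_by_level": "Delegated",
     "justification": "Low impact, monitored", "review_due_date": None},
]


def authority_for_impact(impact_gbp):
    """Lowest level whose acceptance limit covers the impact; Delegated never qualifies."""
    if impact_gbp < 0:
        raise ValueError("impact must be non-negative")
    for level in ("Committee", "Executive", "Board"):
        if impact_gbp <= ACCEPT_LIMIT_GBP[level]:
            return level
    raise AssertionError("Board is unlimited")  # unreachable


def required_authority(severity, impact_gbp):
    """Stricter of the impact band and the severity mapping (assumed tie-break)."""
    candidates = (authority_for_impact(impact_gbp), MIN_AUTHORITY_BY_SEVERITY[severity])
    return max(candidates, key=AUTHORITY_RANK.__getitem__)


def check_acceptance(record):
    """Findings for one acceptance against the page's three requirements; empty means clean."""
    findings = []
    need = required_authority(record["severity"], record["impact_gbp"])
    got = record["approved_by_level"]
    if AUTHORITY_RANK[got] < AUTHORITY_RANK[need]:
        findings.append(f"approved at {got}, requires {need}")
    if not (record.get("justification") or "").strip():
        findings.append("no justification recorded")
    if not record.get("review_due_date"):
        findings.append("no review period defined")
    return findings


def audit_acceptances(records):
    """Map risk code -> findings for every acceptance that fails at least one check."""
    results = {}
    for record in records:
        findings = check_acceptance(record)
        if findings:
            results[record["risk_code"]] = findings
    return results


if __name__ == "__main__":
    for code, findings in audit_acceptances(SAMPLE_ACCEPTANCES).items():
        print(code, "->", "; ".join(findings))
```

Run this against the Acceptances export joined to whatever source holds impact and approver level, and every non-empty finding is an item for the audit-ready checklist before the auditor sees the register.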

Workflow 6: Strategic Deferral Management

Goal: Temporarily defer risk treatment for valid business reasons.

When to Defer:

  • Resource constraints (budget/staffing)
  • Dependency on external completion (vendor upgrade, platform migration)
  • Lower priority relative to other critical work
  • Strategic business decision (competitive timing)

Steps:

  1. Navigate to workflow's Risk tab
  2. Identify the risk to defer
  3. Go to Risk Management → Decisions → Deferrals tab
  4. Click Create Deferral
  5. Fill in details:
    • Title: Clear summary (e.g., "Defer model monitoring implementation pending headcount")
    • Category: Select appropriate reason
    • Detailed Reason: Minimum 10 characters (be specific)
    • Review Frequency: Default to Monthly
    • Review Date: When should this be reconsidered?
  6. Save the deferral
  7. Track status changes: Active → Reactivated / Extended / Closed

Review Process:

  • System will flag deferrals approaching review date
  • At review, decide:
    • Continue Deferral: Extend with new review date
    • Reactivate: Move back to active treatment
    • Close: Mark as completed

FAQ

What's the difference between Risk Register and Scenarios?

| Feature | Risk Register | Scenarios |
| --- | --- | --- |
| Purpose | Ongoing risk inventory | Disruption planning |
| Scope | All AI risks across workflows | Specific "what-if" situations |
| Lifecycle | Continuous, updated as risks change | One-time execution with results |
| Treatment | Document how you're addressing risks | Plan how you'd respond to disruption |

Use both:

  • Risk Register tracks what risks exist today and how you're treating them
  • Scenarios model what would happen if a specific event occurred (e.g., provider outage)

Do I need to manually add every risk?

No — risks are automatically identified when you complete workflow risk assessments.

Process:

  1. Go to each workflow's Risk tab
  2. Answer the risk assessment questions
  3. SignalBreak synthesizes risks based on your answers
  4. Risks automatically appear in the Risk Register

Manual Addition: You can also manually add risks if needed, but most users rely on workflow assessments.

How often should I review risk treatments?

Recommended Review Frequencies:

| Risk Severity | Review Frequency |
| --- | --- |
| Critical | Monthly |
| High | Quarterly |
| Medium | Semi-annually |
| Low | Annually |

Set review_due_date when you document treatment to ensure timely re-validation.

What if I don't have evidence for a mitigated risk?

This creates a gap in Gaps & Remediation → Incomplete Evidence.

Steps to resolve:

  1. Locate or create the evidence document
  2. Add a clear reference in the workflow's Risk tab:
    • Document link (Google Drive, Confluence, etc.)
    • Ticket number (JIRA, Linear, etc.)
    • Policy section reference
    • Control implementation record
  3. Gap automatically closes once evidence_reference is populated

Examples of Good Evidence:

  • ✅ "Quarterly model review process documented in Confluence: [link]"
  • ✅ "Fallback provider configured, see binding #42 in workflow detail"
  • ✅ "Human approval workflow implemented, ticket JIRA-567"

Examples of Insufficient Evidence:

  • ❌ "We do this regularly"
  • ❌ "Handled by team"
  • ❌ "Documented somewhere"

Can I delete a risk from the Risk Register?

Not directly — risks are generated from workflow assessments.

To remove a risk:

  1. Navigate to the workflow's Risk tab
  2. Update the assessment that created the risk
  3. Mark the risk as no longer applicable
  4. The risk will be removed from the Risk Register on next sync

Why this design? Ensures risk register stays synchronized with actual workflow configurations, preventing "ghost risks" from manual deletions.

What's the MIT AI Risk Framework?

The MIT AI Risk Framework is an academic risk taxonomy developed by MIT researchers to categorize AI-related risks systematically.

Structure:

  • 7 Domains (e.g., "1. Harmful or Unfair Outcomes", "2. AI System Malfunctions")
  • Multiple Subdomains per domain (e.g., "1.1 Harmful Decision", "1.2 Discriminatory Outcomes")
  • Standardized Risk Codes for consistent classification

Why SignalBreak uses it:

  • Industry-standard taxonomy
  • Comprehensive coverage of AI risks
  • Enables benchmarking across organizations
  • Audit and compliance friendly

Learn more: MIT AI Risk Repository

How is industry benchmarking calculated?

Process:

  1. You select your industry (e.g., "Technology / SaaS")
  2. SignalBreak finds peer organizations:
    • Same industry vertical
    • Similar workflow count (within size bracket)
  3. Calculates percentiles: p25, p50 (median), p75, p90
  4. Compares your risk exposure to these percentiles

What percentiles mean:

  • 75th percentile = You have higher risk than 75% of peers
  • 50th percentile = You're at industry average
  • 25th percentile = You have lower risk than 75% of peers

Data privacy: Benchmarks are aggregated and anonymized. Individual company data is never shared.


