Risk fields
Each risk record contains the following fields:

| Field | Description |
|---|---|
| Name | Short descriptive name for the risk |
| Description | Detailed explanation of the risk scenario |
| Category | Free-text category (e.g. “Access Control”, “Third-Party”, “Data Loss”) |
| Treatment | How you are addressing the risk |
| Owner | The team member responsible for managing this risk |
| Note | Additional context or comments |
| Inherent likelihood | Likelihood before controls (1–5) |
| Inherent impact | Impact before controls (1–5) |
| Inherent risk score | Calculated as inherent_likelihood × inherent_impact |
| Residual likelihood | Likelihood after controls (1–5) |
| Residual impact | Impact after controls (1–5) |
| Residual risk score | Calculated as residual_likelihood × residual_impact |
Scoring methodology
Probo uses a 5×5 risk matrix. Both likelihood and impact are rated on a 1–5 scale.

When you create a risk and do not specify residual values, Probo initializes residual_likelihood and residual_impact to the same values as the inherent scores. Once you have linked measures, update them to reflect the actual reduction in exposure.
Risk treatments
Every risk must have one of four treatment strategies:
- Mitigated
- Accepted
- Avoided
- Transferred

Mitigated: You have implemented controls that reduce the likelihood or impact of the risk to an acceptable level. Link the risk to the relevant measures in Probo to show which controls are responsible for the reduction. Update the residual scores to reflect the post-control exposure.
Linking risks to measures
Risks can be linked to one or more measures in a many-to-many relationship. This connection lets you:
- Show which controls reduce a given risk
- See all risks that a measure addresses
- Demonstrate to auditors that identified risks have corresponding controls
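
The scoring, default-residual and linking rules described above can be checked mechanically. The following is an added example, not Probo's own code: the `Risk` class, the `review` function with its two consistency checks, and the sample risks and measures are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    treatment: str  # Mitigated, Accepted, Avoided or Transferred
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self):
        # Unspecified residual values start out equal to the inherent ones.
        if self.residual_likelihood is None:
            self.residual_likelihood = self.inherent_likelihood
        if self.residual_impact is None:
            self.residual_impact = self.inherent_impact
        ratings = (self.inherent_likelihood, self.inherent_impact,
                   self.residual_likelihood, self.residual_impact)
        if not all(1 <= v <= 5 for v in ratings):
            raise ValueError(f"{self.name}: ratings must be on the 1-5 scale")

    @property
    def inherent_risk_score(self):
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual_risk_score(self):
        return self.residual_likelihood * self.residual_impact

def review(risks, links):
    """Flag register gaps; links is a set of (risk name, measure name) pairs."""
    findings = []
    for r in sorted(risks, key=lambda r: r.residual_risk_score, reverse=True):
        linked = {m for risk_name, m in links if risk_name == r.name}
        if r.treatment == "Mitigated" and not linked:
            findings.append((r.name, "mitigated but no linked measure"))
        elif r.treatment == "Mitigated" and r.residual_risk_score == r.inherent_risk_score:
            findings.append((r.name, "measures linked but residual score unchanged"))
    return findings

# Constructed sample register (hypothetical risks and measures).
RISKS = [
    Risk("Unreviewed admin access", "Mitigated", 4, 5, 2, 5),
    Risk("Vendor outage", "Mitigated", 3, 4),
    Risk("Laptop theft", "Mitigated", 3, 3, 1, 3),
    Risk("Legacy export tool", "Accepted", 2, 2),
]
LINKS = {("Unreviewed admin access", "Quarterly review"), ("Vendor outage", "Quarterly review")}
```

Findings come back ordered by residual risk score, highest first, so the most exposed inconsistent entries are reviewed first.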
Risk owners
Each risk can be assigned to a team member as the risk owner. The owner is responsible for:
- Keeping the risk assessment current
- Driving remediation or acceptance decisions
- Providing evidence that treatment has been applied
Exporting the risk register
Probo supports filtering and ordering risks by name, category, treatment, inherent risk score, residual risk score, and owner. You can sort ascending or descending on any of these fields to produce a prioritized view of your risk register for reporting or audit purposes.
How does Probo calculate the risk score?
Probo stores inherent_risk_score and residual_risk_score as database-computed columns: likelihood × impact. These values are automatically updated whenever you change the likelihood or impact fields.
Can a risk be linked to multiple measures?
Yes. A single risk can be linked to any number of measures, and a single measure can address any number of risks. This many-to-many relationship reflects the reality that one control often reduces multiple risks.
What is the difference between inherent and residual risk?
Inherent risk is the exposure that exists before you apply any controls. Residual risk is what remains after your measures are in place. The gap between the two scores represents the effectiveness of your control environment.
Can risks be linked to obligations?
Yes. Probo allows you to map risks to regulatory or contractual obligations, so you can demonstrate that identified risks trace back to specific compliance requirements.