Risk Management
Kordon’s Risk Management lets you go beyond a static risk register. You can link each risk to business processes, vendors, assets and dynamic controls, involve owners & managers, and monitor mitigation continuously.
Use this guide to understand the feature’s goals, how it works, and the practical steps to run risk management day‑to‑day.
ℹ️ For marketing-level overview pages, see the product page: https://kordon.app/risk-management/.
🔌 For API references, see Risks API (link at the end). This guide focuses on the product feature and avoids duplicating API docs.
- Maintain a single source of truth for organisational risks.
- Connect the dots between business processes, risks, assets, vendors, and controls.
- Enable live monitoring of residual and mitigated risk based on control upkeep.
- Simplify ownership and accountability with a clear distinction between the owners and managers of a risk.
- Reduce audit workload through structured data and reusable evidence.
Core concepts
- Risk — A potential event or condition that could impact objectives. Each risk can have a title, description, impact/probability scoring, residual score, state, owners/managers, labels, and links to related items (assets, controls, tasks, mitigations).
- Asset — Anything you need to protect (systems, information, processes, facilities, people). Connecting risks to assets lets you see what’s at risk and who depends on it.
- Dynamic control — A control/policy/process/technical safeguard maintained over time. Controls contain tasks and gather evidence, allowing Kordon to reflect the real‑world effectiveness of mitigation.
- Vendor (third‑party) — External suppliers that may introduce risks; link vendor risks just like internal risks.
- Task — An action item (maintenance, audit, review; one‑time or recurring) that helps keep a control effective and on schedule.
- Business Process — A standardized set of activities or workflows that deliver value to the organization. Business processes can be sources of operational risk themselves or may be impacted by other risks, making them important to link when assessing potential disruption to operations.
How it works (big picture)
- Capture risks in one place and classify them (labels, categories, types).
- Link risks to assets/vendors/business processes to make impact and ownership concrete.
- Attach controls that mitigate the risk; controls drive tasks and evidence.
- Assign ownership & management so accountability and responsibility are clear.
- Monitor continuously — when control tasks slip or evidence is missing, related risks surface sooner.
- Review & treat — update scoring, record mitigations, attach notes and references, and plan follow‑ups.
Getting started
Step 1 — Create a risk
- Go to Risk Management → New Risk.
- Enter Title and Description (what could happen + why it matters).
- Select Owner (accountable) and Manager (responsible day‑to‑day).
- Score the Impact and Probability of the risk.
Tip: Keep risk titles short and action‑oriented (e.g., “Outage of Core Billing DB”). Use the description to capture context, triggers, and potential consequences.
Step 2 — Link related objects (business processes, assets, vendors)
Connecting risks to related organizational objects creates a comprehensive view of potential impact and enables targeted monitoring. Link risks based on these relationship types:
Assets
- Add Assets that this risk threatens or could damage/compromise. This includes systems, data, facilities, or people that would be directly impacted if the risk materializes.
- Powers roll‑up views in the Overview page (e.g., “which assets are currently at risk?” or “what risks threaten our payment system?”).
Business Processes
- Link Business Processes that this risk could disrupt or impair. Consider processes that would be slowed, stopped, or degraded if the risk occurs.
- Helps identify operational continuity concerns and prioritize risks by business impact.
Vendors
- Vendor‑introduced risks: Link the Vendor when they are the source of the risk (e.g., data breach at supplier, service outage from third‑party).
- Vendor‑threatened risks: Link the Vendor when the risk could impact them and affect your operations (e.g., natural disaster affecting key supplier).
- Enables vendor risk monitoring and supports third‑party risk management workflows.
Tip: A single risk can link to multiple object types. For example, “Payment processor outage” might link to the payment vendor (source), payment processing business process (impacted), and customer database asset (threatened).
Step 3 — Attach controls
Link Controls that mitigate the risk by reducing its likelihood, impact, or both. Each control can specify exactly how it reduces the risk:
Impact Reduction
- Controls that limit damage when a risk occurs (e.g., backups, redundancy, containment measures)
- Define by how many points the control reduces impact (e.g., “reduces impact from 5 to 3”)
- Example: “Automated Capacity Adjustment” reduces DDoS attack impact by 2 points (from 5 to 3) by maintaining service availability, but doesn’t prevent the attack itself
Likelihood Reduction
- Controls that prevent or detect risks before they fully materialize (e.g., firewalls, monitoring, training)
- Define by how many points the control reduces probability
- Example: “DDoS Protection Service” reduces DDoS attack likelihood by 3 points (from 4 to 1) by filtering malicious traffic
Combined Reduction
- Some controls affect both likelihood and impact
- Example: “Incident Response Plan” might reduce both likelihood (early detection) and impact (faster recovery)
Controls enable recurring tasks and evidence collection, which feed back into risk visibility and ensure mitigation effectiveness over time.
Tip: Be realistic about control effectiveness. A single control rarely eliminates a risk entirely—focus on measurable, achievable reductions that reflect real-world performance.
Step 4 — Connect controls
- Give each control the tasks it needs (maintenance, audit, review) with a relevant frequency (once, monthly, quarterly, etc.). Tasks help keep mitigations effective.
Continuous monitoring
- Control‑driven signals: If a control falls behind on tasks or lacks evidence, the linked risks are highlighted so you can act early.
- Task signals: Overdue tasks indicate mitigation drift; review the risk and reprioritise.
- Filters: Slice risks by labels, owners, assets, vendors, state, and overdue/at‑risk indicators.
Outcome: You always know what’s at risk right now, not just at the last audit.
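As an added illustration (not Kordon's own code or scoring model), a small Python model of the Step 3 reductions together with the control‑driven signals above: a control's point reductions are credited only while its tasks are on time, and a control that has fallen behind is flagged so the linked risk surfaces. It assumes a 1..5 scale with score = impact × probability (the guide's DDoS figures are reused; the class, function and task names and dates are constructed).

```python
from dataclasses import dataclass, field

@dataclass
class Task:
    title: str
    due: str            # ISO date string (YYYY-MM-DD), so string comparison orders correctly
    done: bool = False

@dataclass
class Control:
    title: str
    impact_reduction: int = 0      # points taken off Impact while the control is upkept
    likelihood_reduction: int = 0  # points taken off Probability while the control is upkept
    tasks: list = field(default_factory=list)

    def is_upkept(self, today: str) -> bool:
        # A control earns credit only while none of its tasks is overdue.
        return all(t.done or t.due >= today for t in self.tasks)

@dataclass
class Risk:
    title: str
    impact: int        # inherent Impact, 1..5
    probability: int   # inherent Probability, 1..5
    controls: list = field(default_factory=list)

def residual(risk: Risk, today: str, floor: int = 1, ceiling: int = 5):
    """Return (impact, probability, score, flagged_controls) as of `today`.
    Assumed scoring: score = impact * probability, each clamped to floor..ceiling.
    A control that is behind on tasks gives no reduction and is listed in
    flagged_controls so the linked risk can be surfaced for review."""
    impact, prob, flagged = risk.impact, risk.probability, []
    for control in risk.controls:
        if not control.is_upkept(today):
            flagged.append(control.title)
            continue
        impact -= control.impact_reduction
        prob -= control.likelihood_reduction
    impact = max(floor, min(ceiling, impact))
    prob = max(floor, min(ceiling, prob))
    return impact, prob, impact * prob, flagged

def ddos_risk() -> Risk:
    """Constructed sample using the guide's DDoS figures; task dates are made up."""
    return Risk("DDoS attack on public API", impact=5, probability=4, controls=[
        Control("Automated Capacity Adjustment", impact_reduction=2,
                tasks=[Task("Quarterly scaling test", "2025-09-30")]),
        Control("DDoS Protection Service", likelihood_reduction=3,
                tasks=[Task("Monthly rule review", "2025-07-31")]),
    ])
```

With both controls on schedule the residual score drops from 20 to 3; once the DDoS protection review is overdue the likelihood credit is withdrawn, the score jumps back to 12 and the control is named in the flagged list.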
Customisation
- Fields & labels: Use custom fields / labels (categories like Operational, Security, Compliance, etc.) to group risks for views and reporting.
- Scoring: Configure your preferred scoring matrix in the Risk Settings.
- Workflows: Standardise review cadences and treatment paths.
- Notifications: Ensure email is configured so assignees receive reminders for risk reviews and control tasks.
Ownership & roles
- Risk Owner — Accountable for risk acceptance and treatment.
- Risk Manager — Drives the day‑to‑day mitigation and updates.
Tips & best practices
- Start lean: capture the top 10–20 risks that truly matter; expand later.
- Tie every major risk to at least one asset and one control to ensure visibility and actionability.
- Calibrate scoring together with domain owners to reduce bias; revisit calibration every 6–12 months.
- Use labels consistently to power the Overview page.
- Close the loop: overdue or failed control tasks → revisit linked risks immediately.
Related features
- Asset Management — Understand which assets are threatened and who depends on them: https://kordon.app/asset-management/
- Vendor Management — Manage third‑party risks and connect them to assets and controls: https://kordon.app/vendor-management/
API links (for integration & automation)
- Risks API: https://kordon.app/learn/api/risks/
- Tasks API (for recurring reviews, evidence tasks, etc.): https://kordon.app/learn/api/tasks/
Note: This feature guide intentionally avoids duplicating API details. Use the API docs for request/response schemas and endpoints.
Glossary
- Mitigation — Measures (controls/actions) that reduce risk likelihood/impact.
- Residual risk — Risk remaining after mitigation.
- Risk treatment — Decision and plan: accept, mitigate, transfer, or avoid.