
Risk Management

Kordon’s risk management creates a unified view by linking risks to business processes, vendors, assets, and dynamic controls. It involves owners and managers in the process and allows for continuous monitoring of mitigation performance.

Use this guide to understand the feature’s goals, how it works, and the practical steps to run risk management day‑to‑day.

ℹ️ For marketing-level overview pages, see the product page: https://kordon.app/risk-management/.
🔌 For API references, see Risks API (link at the end). This guide focuses on the product feature and avoids duplicating API docs.


  • Single Source of Truth – Maintain all organisational risks in one reliable place, not scattered in spreadsheets.
  • Connected Picture – Create clear links between business processes, risks, assets, vendors, and controls.
  • Real-time Monitoring – Monitor residual and mitigated risk based on the actual performance of controls. If a control fails, it immediately impacts the risk score.
  • Responsibility & Accountability – Clearly distinguish between risk owners (strategic responsibility) and managers (operational responsibility).
  • Reduced Audit Burden – Structured data and automatically collected evidence make audits smoother.

  • Risk — A potential event or condition that could impact objectives. Each risk can have a title, description, impact/probability scoring, residual score, state, owners/managers, labels, and links to related items.
  • Asset — Value that needs protection (systems, information, processes, facilities, people). Connecting risks to assets shows what’s at risk and who depends on it.
  • Dynamic control — A control, policy, or technical safeguard that operates over time. Controls contain tasks and gather evidence, reflecting the real‑world effectiveness of mitigation. If tasks are missed, the control becomes “Failing,” and the related risk increases.
  • Vendor — An external party (third‑party) that may introduce risks or be threatened by risks.
  • Task — An action item (maintenance, audit, review) that keeps a control effective. Completing a task automatically generates evidence.
  • Business Process — A set of activities that deliver value. Processes can be sources of risk or be impacted by them, making them critical for impact analysis.

Risk management in Kordon is not a static register, but a living system:

  1. Capture – Risks are centralized in one place and classified (labels, categories).
  2. Link – Risks are connected to assets, vendors, and business processes to make impact concrete.
  3. Mitigate – Controls are added, which generate tasks and evidence.
  4. Assign – Ownership and management roles are defined for clear accountability.
  5. Monitor – This is Kordon’s key differentiator: if control tasks slip, the control is marked as failing. This automatically raises the mitigated risk score, giving an immediate signal that the situation has deteriorated.
  6. Review – Assessments are updated regularly, and follow-ups are planned.

  1. Go to Risk Management → New Risk.
  2. Enter Title and Description (what could happen + why it matters).
  3. Select Owner (strategic, responsible for risk acceptance) and Manager (operational, responsible for day-to-day mitigation).
  4. Score the Impact and Probability (initial assessment without controls).

Tip: Keep risk titles short and specific (e.g., “Outage of Core Billing DB”). Use the description to capture context and potential consequences.

Connecting risks to related organizational objects creates a comprehensive view of potential impact.

  • Assets – Add Assets that this risk threatens or could damage/compromise. This powers roll‑up views: “Which assets are currently at highest risk?”
  • Business Processes – Link Business Processes that this risk could disrupt or impair; consider processes that would be slowed or stopped. This helps identify operational continuity concerns and prioritize risks from a business perspective.
  • Vendors – Vendor‑introduced risks: link the Vendor when they are the source of the risk (e.g., data breach at supplier). Vendor‑threatened risks: link the Vendor when the risk could impact them (e.g., natural disaster at vendor location).

Tip: A single risk can link to multiple object types. For example, “Payment processor outage” might link to the payment vendor (source), payment processing business process (impacted), and customer database asset (threatened).

Link Controls that mitigate the risk by reducing its likelihood, impact, or both.

  • Reduce impact – Controls that limit damage when a risk occurs (e.g., backups, redundancy, containment measures). You define how many points the control reduces the impact score (e.g., from 5 to 3). Example: “Automated Capacity Adjustment” reduces DDoS attack impact by 2 points (from 5 to 3) by maintaining service availability, but doesn’t prevent the attack itself.
  • Reduce likelihood – Controls that prevent or detect risks before they fully materialize (e.g., firewalls, monitoring, training). You define how many points the control reduces the probability score. Example: “DDoS Protection Service” reduces DDoS attack likelihood by 3 points (from 4 to 1) by filtering malicious traffic.
  • Reduce both – Some controls affect both likelihood and impact. Example: “Incident Response Plan” might reduce both likelihood (early detection) and impact (faster recovery).

Controls enable recurring tasks and evidence collection, which ensure mitigation effectiveness over time.

Tip: Be realistic about control effectiveness. A single control rarely eliminates a risk entirely—focus on measurable reduction.

  • Add recurring tasks (maintenance, audit, review) to each control at a suitable frequency (monthly, quarterly, etc.). Regular tasks keep mitigations effective and gather the necessary evidence.

Continuous monitoring and “living” risk management


This is where Kordon differs from traditional spreadsheet-based registers.

  • Signals from controls: The risk score is not a static number but depends on the health of your controls. If a control task (e.g., “Weekly Backup Check”) is missed, the control is considered failing.
  • Automatic risk increase: A failing control loses its mitigating effect, so the mitigated score automatically rises back towards the initial (unmitigated) level.
  • Filters: Slice risks by labels, owners, assets, vendors, and threat indicators.

Outcome: Management always sees the actual risk level right now, not what was written in the last audit report.
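The following is an added illustration of the scoring behaviour described in the control and monitoring sections above; it is not Kordon’s own code or API. It assumes a 5x5 matrix where the score is impact × probability, that a control with any overdue task is failing, and that a failing control contributes no reduction; the task names, frequencies and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Task:
    name: str
    frequency_days: int   # how often the task must be completed
    last_completed: date
    def is_overdue(self, today: date) -> bool:
        return today - self.last_completed > timedelta(days=self.frequency_days)

@dataclass
class Control:
    name: str
    impact_reduction: int = 0       # points subtracted from the impact score
    probability_reduction: int = 0  # points subtracted from the probability score
    tasks: list = field(default_factory=list)
    def is_failing(self, today: date) -> bool:
        # Assumed rule: any missed task marks the whole control as failing.
        return any(t.is_overdue(today) for t in self.tasks)

@dataclass
class Risk:
    title: str
    impact: int        # initial assessment without controls (1..5 assumed)
    probability: int
    controls: list = field(default_factory=list)
    def initial_score(self) -> int:
        return self.impact * self.probability  # impact x probability is an assumption

    def mitigated_score(self, today: date) -> int:
        impact, probability = self.impact, self.probability
        for c in self.controls:
            if c.is_failing(today):
                continue  # a failing control contributes no reduction
            impact -= c.impact_reduction
            probability -= c.probability_reduction
        return max(1, impact) * max(1, probability)  # never below 1 on either axis

def ddos_example(today_iso: str) -> dict:
    """Constructed scenario using the guide's DDoS figures; dates are made up."""
    capacity = Control("Automated Capacity Adjustment", impact_reduction=2,
                       tasks=[Task("Quarterly Load Test", 90, date(2024, 1, 10))])
    ddos_svc = Control("DDoS Protection Service", probability_reduction=3,
                       tasks=[Task("Weekly Rule Review", 7, date(2024, 1, 10))])
    risk = Risk("DDoS attack on public API", impact=5, probability=4,
                controls=[capacity, ddos_svc])
    today = date.fromisoformat(today_iso)
    return {"initial": risk.initial_score(), "mitigated": risk.mitigated_score(today),
            "failing": [c.name for c in risk.controls if c.is_failing(today)]}
```

Five days after the tasks were completed the mitigated score is 3; once the weekly review slips, the DDoS Protection Service fails and the score climbs back to 12, and with both tasks missed it returns to the initial 20.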


  • Fields & labels: Use custom fields / labels (e.g., categories like Operational, Security, Compliance) to group risks for reporting.
  • Scoring: Configure your organisation’s preferred scoring matrix (e.g., 5x5 or 3x3) in Risk Settings.
  • Workflows: Standardise review cadences and treatment paths.
  • Notifications: Ensure email is configured so owners and managers receive reminders when risks need review or controls need attention.

Kordon’s philosophy is that security is the responsibility of the entire organisation.

  • Risk Owner (often a business lead) — Accountable for risk acceptance and strategic management of risk levels.
  • Risk Manager (often a technical specialist) — Drives day‑to‑day mitigation, changes, and updates.

  • Start simple: Map the top 10–20 risks that are critical to the organisation; expand later once the process is established.
  • Link every major risk to at least one asset and one control. A risk without a control is just a worry; with a control, it’s a managed risk.
  • Calibrate scoring together with domain specialists to reduce subjectivity.
  • Use labels consistently to keep overviews structured.
  • Close the loop: If a control fails, address the root cause, don’t just mark the task as done.

  • Asset Management — Understand which assets are threatened and who depends on them: Asset Management
  • Vendor Management — Manage third‑party risks and connect them to assets and controls: Vendor Management

Note: This feature guide intentionally avoids duplicating API details. Use the API docs for request/response schemas and endpoints.


  • Mitigation — Measures (controls/actions) that reduce risk likelihood/impact.
  • Residual risk — Risk remaining after mitigation.
  • Risk treatment — Decision and plan: accept, mitigate, transfer, or avoid.