Risk Register

Track, prioritize, and remediate information security risks using a structured 5×5 risk matrix. Risks can be created manually or auto-generated from failing compliance checks.

Risk Lifecycle

Every risk in zGovern follows a defined lifecycle from discovery through resolution:

OPEN → IN_PROGRESS → RESOLVED → CLOSED
OPEN → ACCEPTED (risk accepted as-is, no remediation)
Status      | Description
OPEN        | Newly identified risk. Requires an owner assignment and mitigation plan.
IN_PROGRESS | Remediation is actively underway. Mitigation steps have been defined and are being executed.
RESOLVED    | The underlying issue has been fixed. If linked to a monitoring check, the check should now pass.
CLOSED      | Confirmed resolved after a verification period. Archived but visible in history.
ACCEPTED    | Risk is acknowledged and formally accepted by management. No remediation planned. Requires documented justification.

5×5 Risk Matrix

zGovern uses a standard 5×5 risk matrix to calculate risk severity. Score = Likelihood × Impact, with each dimension scored 1–5; the resulting score (1–25) is then mapped to a severity band using the table below the matrix.

Each cell shows the score (Likelihood × Impact) followed by its severity band.

Likelihood ↓ / Impact →     | 1 Minimal | 2 Minor | 3 Moderate | 4 Major | 5 Severe
1 Rare                      | 1 LOW     | 2 LOW   | 3 LOW      | 4 MED   | 5 MED
2 Unlikely                  | 2 LOW     | 4 MED   | 6 MED      | 8 MED   | 10 HIGH
3 Possible                  | 3 LOW     | 6 MED   | 9 HIGH     | 12 HIGH | 15 HIGH
4 Likely                    | 4 MED     | 8 MED   | 12 HIGH    | 16 HIGH | 20 CRIT
5 Almost certain            | 5 MED     | 10 HIGH | 15 HIGH    | 20 CRIT | 25 CRIT

Score Range | Severity | Recommended Response Time
1–3         | LOW      | Address within 90 days
4–8         | MEDIUM   | Address within 30 days
9–16        | HIGH     | Address within 7 days
20–25       | CRITICAL | Address immediately (24–48 hours)

Scores 17–19 never occur, since no two integers from 1 to 5 multiply to them, so the four bands cover every reachable score.
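The scoring rule in code, as an added example (not zGovern's own implementation): it validates a likelihood/impact pair, computes the score, maps it to the band table above, and derives a suggested dueDate from the band's response window. The band boundaries and axis labels are the page's; the 48-hour outer bound used for CRITICAL, the `due_date_iso` helper and the other function names are assumptions.

```python
from datetime import datetime, timedelta

# Axis labels from the matrix on this page.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Minimal", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}

# Score bands and response windows from the table on this page. CRITICAL is
# given as "24-48 hours"; the 48-hour outer bound is used here (an assumption).
BANDS = (
    (1, 3, "LOW", timedelta(days=90)),
    (4, 8, "MEDIUM", timedelta(days=30)),
    (9, 16, "HIGH", timedelta(days=7)),
    (20, 25, "CRITICAL", timedelta(hours=48)),
)


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact, rejecting anything outside the 1-5 integer scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def severity_for_score(score: int) -> str:
    """Map a score to its band. Scores 17-19 are unreachable (no two 1-5
    integers multiply to them), so a caller passing one has a bug."""
    for low, high, band, _ in BANDS:
        if low <= score <= high:
            return band
    raise ValueError(f"score {score} is not a product of two values on the 1-5 scale")


def severity(likelihood: int, impact: int) -> str:
    return severity_for_score(risk_score(likelihood, impact))


def response_window(band: str) -> timedelta:
    for _, _, name, window in BANDS:
        if name == band:
            return window
    raise ValueError(f"unknown severity {band!r}")


def due_date_iso(likelihood: int, impact: int, opened_at_iso: str) -> str:
    """Suggested dueDate: the time the risk was opened plus the band's response window."""
    opened_at = datetime.fromisoformat(opened_at_iso)
    return (opened_at + response_window(severity(likelihood, impact))).isoformat()


def matrix() -> dict:
    """Every cell of the 5x5 grid as {(likelihood, impact): (score, severity)},
    useful for checking a configured matrix against the band table."""
    return {(lk, im): (risk_score(lk, im), severity(lk, im)) for lk in LIKELIHOOD for im in IMPACT}


if __name__ == "__main__":
    for (lk, im), (score, band) in sorted(matrix().items()):
        print(f"{LIKELIHOOD[lk]:<15} x {IMPACT[im]:<9} = {score:>2} {band}")
```

Running the block prints all 25 cells; comparing that output with the matrix above is a quick way to catch a band boundary that drifted from the table.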

Risk Fields

Field           | Type                            | Description
title           | string                          | Short name for the risk (e.g., "IAM user without MFA")
description     | string                          | Detailed description of the risk, its source, and potential impact
likelihood      | 1–5                             | Probability of the risk occurring (1=Rare, 5=Almost certain)
impact          | 1–5                             | Business impact if the risk materializes (1=Minimal, 5=Severe)
severity        | LOW / MEDIUM / HIGH / CRITICAL  | Computed from likelihood × impact (see matrix above)
status          | enum                            | Current status in the risk lifecycle
ownerId         | UUID                            | User responsible for remediating this risk
mitigationSteps | string                          | Step-by-step remediation plan
dueDate         | datetime                        | Target date for resolution
sourceCheckId   | UUID (nullable)                 | Links to the IntegrationCheck that auto-created this risk. null for manually created risks.
reopenCount     | integer                         | Number of times this risk has been reopened after being closed
lastReopenedAt  | datetime (nullable)             | Timestamp of the most recent reopen event

Auto-Risks from Monitoring

Risks with a sourceCheckId are created automatically by the monitoring engine when an integration check fails with HIGH or CRITICAL severity. These risks are visually distinguished in the Risk Register:

  • An [Auto] badge next to the risk title
  • A "Source Check" field showing the integration name and check name
  • A Reopened ×N badge if the risk has been reopened one or more times
💡 Traceability: Auto-risks maintain a bidirectional link between the risk and the check. From the monitoring page you can click through to the risk; from the Risk Register you can click through to the source check to see its history and trend.

Mitigation Steps Checklist

The mitigationSteps field supports a numbered list format that renders as an interactive checklist in the UI. Each step can be marked complete as the owner works through the remediation. Example format:

1. Enable MFA for all IAM users in the AWS console
2. Apply an IAM policy that denies all actions unless MFA is present
3. Notify all affected users to enrol their authenticator app
4. Verify compliance by running a new monitoring scan
5. Update the risk status to RESOLVED once the check passes
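A parser for this format, as an added example (not zGovern's code): it turns the mitigationSteps text into checklist items, rejects steps that are missing, repeated or out of order instead of silently dropping them, and tracks how many have been ticked. The `Step` class and the function names are assumptions; the sample text is the page's own example.

```python
import re
from dataclasses import dataclass

# One step per line: an ordinal, a dot, whitespace, then the step text.
STEP = re.compile(r"^(\d+)\.\s+(\S.*)$")


@dataclass
class Step:
    number: int
    text: str
    done: bool = False


def parse_mitigation_steps(text: str) -> list:
    """Parse the numbered-list format into checklist steps.

    Blank lines are ignored. Any other line that is not a step, or a step
    that breaks the 1, 2, 3... sequence (gap, repeat, not starting at 1),
    raises rather than being dropped, so a mangled plan is noticed."""
    steps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = STEP.match(line)
        if not match:
            raise ValueError(f"line {lineno}: not a numbered step: {raw!r}")
        number, body = int(match.group(1)), match.group(2)
        if number != len(steps) + 1:
            raise ValueError(f"line {lineno}: expected step {len(steps) + 1}, found {number}")
        steps.append(Step(number, body))
    if not steps:
        raise ValueError("mitigationSteps contains no steps")
    return steps


def mark_done(steps: list, number: int) -> None:
    """Tick one step; raises if the number is not on the checklist."""
    for step in steps:
        if step.number == number:
            step.done = True
            return
    raise KeyError(number)


def progress(steps: list) -> tuple:
    """(completed, total) for a progress indicator."""
    return sum(1 for s in steps if s.done), len(steps)


def all_done(steps: list) -> bool:
    return all(s.done for s in steps)


# The page's own example plan, embedded here as sample input.
EXAMPLE = """\
1. Enable MFA for all IAM users in the AWS console
2. Apply an IAM policy that denies all actions unless MFA is present
3. Notify all affected users to enrol their authenticator app
4. Verify compliance by running a new monitoring scan
5. Update the risk status to RESOLVED once the check passes
"""

if __name__ == "__main__":
    plan = parse_mitigation_steps(EXAMPLE)
    mark_done(plan, 1)
    print(progress(plan), [s.text for s in plan if not s.done])
```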

Re-open Behavior

When a risk linked to a monitoring check is marked RESOLVED or CLOSED, but the linked check subsequently fails again during a scan, the risk is automatically reopened:

  1. Status is reset to OPEN
  2. reopenCount is incremented by 1
  3. lastReopenedAt is set to the current timestamp
  4. An email alert is sent to all ADMIN users and the risk owner

Risks that have been reopened multiple times (a high reopenCount) indicate systemic issues or ineffective remediations and should be escalated.
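The lifecycle, auto-risk creation and reopen rules from the sections above, applied to one scan's results, as an added example that is not zGovern's code. `Risk` field names follow the Risk Fields table and the transition table follows the lifecycle diagram; the `CheckResult` shape, the auto-risk title format, the `reconcile` and `transition` function names, and the escalation threshold in `flag_systemic` are assumptions.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Allowed manual transitions, taken from the lifecycle diagram on this page.
# The automatic reopen (in reconcile) bypasses this table by design.
TRANSITIONS = {
    "OPEN": {"IN_PROGRESS", "ACCEPTED"},
    "IN_PROGRESS": {"RESOLVED"},
    "RESOLVED": {"CLOSED"},
    "CLOSED": set(),
    "ACCEPTED": set(),
}


@dataclass
class Risk:
    # Field names follow the Risk Fields table on this page.
    id: str
    title: str
    severity: str
    status: str = "OPEN"
    ownerId: Optional[str] = None
    sourceCheckId: Optional[str] = None
    reopenCount: int = 0
    lastReopenedAt: Optional[datetime] = None

    @property
    def is_auto(self) -> bool:
        # The [Auto] badge is derived from sourceCheckId, not stored in the title.
        return self.sourceCheckId is not None


@dataclass
class CheckResult:
    # The shape of a scan result is an assumption; the page only says a
    # check "fails with HIGH or CRITICAL severity".
    checkId: str
    integration: str
    name: str
    severity: str
    passed: bool


def transition(risk: Risk, new_status: str, justification: str = "") -> Risk:
    """Manual status change with the lifecycle rules enforced."""
    if new_status not in TRANSITIONS[risk.status]:
        raise ValueError(f"{risk.status} -> {new_status} is not a valid transition")
    if new_status == "ACCEPTED" and not justification.strip():
        raise ValueError("ACCEPTED requires a documented justification")
    risk.status = new_status
    return risk


def reconcile(risks: list, results: list, admin_ids: set, now: Optional[datetime] = None) -> tuple:
    """Apply one scan's results to the register in place.

    Returns (created, alerts): the auto-risks created for new HIGH/CRITICAL
    failures, and one (risk id, recipient set) pair per reopened risk."""
    now = now or datetime.now(timezone.utc)
    by_check = {r.sourceCheckId: r for r in risks if r.sourceCheckId}
    created, alerts = [], []
    for res in results:
        if res.passed:
            continue
        risk = by_check.get(res.checkId)
        if risk is None:
            if res.severity in ("HIGH", "CRITICAL"):
                # Title format is an assumption; the UI shows integration and
                # check name in a separate "Source Check" field.
                risk = Risk(id=str(uuid.uuid4()), title=f"{res.integration}: {res.name}",
                            severity=res.severity, sourceCheckId=res.checkId)
                risks.append(risk)
                by_check[res.checkId] = risk
                created.append(risk)
        elif risk.status in ("RESOLVED", "CLOSED"):
            # Re-open behaviour: the four effects listed on this page.
            risk.status = "OPEN"
            risk.reopenCount += 1
            risk.lastReopenedAt = now
            recipients = set(admin_ids)
            if risk.ownerId:
                recipients.add(risk.ownerId)
            alerts.append((risk.id, recipients))
        # OPEN, IN_PROGRESS and ACCEPTED risks are left alone: the page
        # defines no automatic action for them.
    return created, alerts


def flag_systemic(risks: list, threshold: int = 2) -> list:
    """Risks reopened at least `threshold` times (threshold is an assumption)."""
    return [r for r in risks if r.reopenCount >= threshold]
```

A second scan with the same failing results creates nothing and reopens nothing, because the auto-risk is already OPEN; only a risk that had reached RESOLVED or CLOSED is pulled back, which is what makes reopenCount a useful signal.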

Risk Export

All risks are included in the Audit Bundle export as risks.csv. The CSV includes all fields listed above, with one row per risk. Download via:

  • UI: Audit Workspace → Export Audit Bundle button
  • API: GET /api/export/audit-bundle → ZIP file containing risks.csv