Adding risk scenarios to assets or asset groups

Compliance officers, DPOs, and risk managers use the Risk tab on an asset or asset group detail page to attach risk scenarios from the organisation's catalogue — unlocking scoring, treatment planning, and reporting for that asset in DPMS.

The Risk tab on an asset or asset group detail page is where your risk-management workflow truly begins. Until you link at least one risk scenario here, the rest of the risk lifecycle is on hold: there is nothing to score in the Current Asset Risk tab, no rows appear in the Treatment Options tab, and the Treatment Plan button stays disabled. Think of this screen as the starting gate — once you have linked the right scenarios, DPMS can calculate risk scores, suggest controls, and support treatment planning automatically.

DPOs, risk managers, and compliance officers visit this screen whenever a new asset needs to be risk-assessed, whenever the threat landscape changes and scenarios need to be added or removed, or whenever an auditor asks "which risks are we managing on this system and who set them up?"

How to open it

For an individual asset:

  • In the left-hand main navigation, click Asset Register.
  • Click any asset row to open its detail view.
  • In the left sidebar of the detail view, click the Risk tab.

For an asset group:

  • On the Asset Register index page, toggle the Asset View / Groups View switch to Groups View.
  • Click an asset group row.
  • Click the Risk tab in the left sidebar.

You need read access to the asset or group to view the tab, and write access to link or unlink scenarios.

What you see

The page is split into two parts. On the left is a collapsible sidebar — the ElementMenu — listing all available tabs for this record (General, Risk, Assessments, External Recipients, and so on). The Risk tab is highlighted when active. You can collapse this sidebar by clicking the small blue circle icon at its right edge, which gives you more room to work with the scenario table.

The main content area on the right starts with a sticky header strip. This strip shows the breadcrumb path (e.g., "Assets › CRM System › Risk"), the asset's current status badge (Draft, Active, Inactive, Review), and a responsible persons selector. You can update both the status and the responsible persons inline without leaving the Risk tab. In the top-right corner, a small clock icon opens the Activity Log drawer so you can review the change history for this asset.

Below the header, the body of the Risk tab is organised by risk standard. For each standard assigned to the asset, you see three stacked sections:

  • Threshold — a colour-coded risk slider showing where the mitigation threshold sits for this standard.
  • Risk Scenarios — the table of linked scenarios with their current risk scores, suggested controls, estimated costs, and treatment deadlines.
  • Implemented Controls / TOMs — the technical and organisational measures associated with those scenarios.

If the asset has no risk standard assigned yet, the entire body is blank. You must first assign a standard via the asset's edit form before this tab has any content to show.

Working with this screen

Linking a risk scenario for the first time

Imagine you have just added a new asset called "CRM System" and need to document which threats apply to it before the next risk review meeting.

  • Open the asset's detail view and click the Risk tab in the sidebar.
  • Find the standard section (e.g., "ISO 27001 Asset Risk Model"). If no scenarios are linked yet, you see an empty table with a warning notice.
  • Click the Add / Link Risk Scenario button at the top of the Risk Scenarios table. A picker dialogue opens over the page.
  • In the picker's search bar, type a keyword — for example, "unauthorised access". The list filters as you type.
  • Tick the checkbox next to each scenario you want to attach, then click Confirm.
  • The dialogue closes, the table refreshes, and your selected scenarios appear with their current risk scores, suggested controls, and any deadline information.

At this point, scores will read "Score: missing information"; that is expected. DPMS needs you to record likelihood and damage values for each implemented control before it can calculate a numeric score. See the "Updating risk scores after controls are implemented" section below.

Heads up: If the scenario picker shows an empty list, it means no scenarios have been created in your organisation's risk catalogue for this particular standard yet. Ask your risk manager to add scenarios to the catalogue first.

Updating risk scores after controls are implemented

Once controls are in place (or at least planned), you need to tell DPMS how effective they are so that a current risk score can be calculated.

  • In the Implemented Controls / TOMs table (below the Risk Scenarios table), find the control whose effectiveness you want to record.
  • Click the pen icon on that row. This opens the control's edit form, pre-loaded with the relevant risk scenario context.
  • At the top of the form you will find a Quick Fill Out row: two dropdowns for likelihood and damage. Selecting values there applies the same settings to every control in the list at once — useful when all your controls have a similar effectiveness level.
  • If controls differ in effectiveness, ignore the quick-fill row and set likelihood and damage values on each row individually.
  • Click Save. DPMS recalculates the current risk score and displays it as "Score X/Y" in the Risk Scenarios table.

Tip: Only after at least one score is saved will the Create / Open Treatment Plan button become active. If the button is still greyed out, check that at least one scenario has a score above the mitigation threshold.

Managing risk at the asset group level

If your organisation has dozens of assets that share the same risk profile — for example, thirty cloud-storage instances — it would be tedious to link the same scenarios to each one individually. Asset groups solve this.

  • On the Asset Register index, switch to Groups View using the toggle at the top of the page.
  • Click the asset group you want to configure.
  • Click Risk in the left sidebar. The group's Risk tab looks and works exactly like an individual asset's Risk tab.
  • Click Add / Link Risk Scenario, select the relevant scenarios, and confirm.
  • All member assets in the group immediately inherit these scenarios and their associated controls.

By default, a member asset's own Risk tab reflects the group's configuration. If one asset needs a different risk profile, an administrator can activate Asset-Specific Risk for that asset, which breaks the inheritance and allows independent scenario management.

Auditing the change history

An auditor asks: "Who linked the 'Data breach' scenario to the Payroll System, and when?" You can answer this in seconds.

  • Open the asset's detail view and navigate to the Risk tab.
  • Click the clock icon in the top-right corner of the content area.
  • The Activity Log drawer slides in from the right, showing a reverse-chronological list of every change made to this asset — including which scenarios were linked or unlinked, by whom, and at what date and time.
  • Scroll through the entries to find the relevant event. Click the × button to close the drawer when you are done.

Heads up: The Activity Log icon does not appear when you are viewing an asset in Consulted mode (shared by another organisation) or on a portal asset. The change history in those cases is not accessible from your account.

Removing a scenario that is no longer relevant

If a threat has been retired from the risk catalogue, or simply does not apply to this asset any more, you can unlink it.

  • On the Risk tab, find the scenario in the Risk Scenarios table.
  • Click the unlink icon (a broken-chain icon) in the rightmost column of that row.
  • A confirmation prompt appears. Confirm the removal.

The scenario disappears from the table. Any treatment plans that relied solely on this scenario should be reviewed, as they may now reference removed data.

Field reference

Risk Scenario picker — search bar
Type any keyword from the scenario name or description. The list updates in real time. Leave it blank to see all available scenarios for this standard.

Status badge (sticky header)
The current lifecycle status of the asset (Draft, Active, Inactive, Review). You can change this here without leaving the Risk tab.

Responsible Persons (sticky header)
One or more people accountable for this asset. Changes are saved immediately.

Mitigation Threshold
Shown in the Threshold section for each standard. The score above which DPMS considers a scenario to require active treatment. Scenarios scored below this value may be excluded from the Treatment Plan. Click Edit next to the Threshold title to adjust it.

Current Asset Risk badge
A read-only pill badge in the top-right of the Risk Scenarios table showing the overall risk category and composite score for this standard across all linked scenarios.

How this connects to the rest of DPMS

The Risk tab is the foundation of the entire asset risk workflow in DPMS. Everything downstream depends on what you configure here:

  • Current Asset Risk tab — only populated when at least one scenario is linked and at least one likelihood/damage pair has been saved. Risk dashboards and reports for this asset will show no score until then.
  • Treatment Plan — the Create / Open Treatment Plan button is disabled until at least one scenario has a score above the mitigation threshold. Once enabled, the treatment plan captures your planned and actual responses to each risk.
  • Risk Evaluation in Assessments — when an assessment includes a risk evaluation step for an asset, it reads the scenario-to-control structure you set up here.
  • Copy Element screen — the Copy Element button (where available) lets you replicate the scenario and control configuration from this asset to other assets, saving time during bulk risk reviews.

After linking scenarios here, your natural next steps are: (1) record likelihood and damage values in the Implemented Controls table, (2) review the Current Asset Risk score, and (3) open or create the Treatment Plan.

Tips & common pitfalls

Heads up: If the Risk tab body is completely empty — no threshold slider, no table, nothing — it means no risk standard has been assigned to this asset yet. Go to the asset's edit form and add at least one standard under Groups & Standards before returning to this tab.

  • "Link all relevant TOMs" may show a warning instead of linking. The button looks active even when there are no relevant TOMs defined. If you click it and see a toast notification with a link to Controls & TOMs, it means the linked scenarios have no TOMs flagged as relevant yet. Add and tag the relevant TOMs in the Controls & TOMs section first.
  • Scores show "missing information" right after linking. This is normal. You must open each control's edit form and select likelihood and damage values before a numeric score appears. Do not try to create a treatment plan before completing this step — the button will be disabled.
  • Quick Fill Out overwrites all rows without warning. The quick-fill dropdowns at the top of the Determine Current Risk form apply to every control in the list simultaneously. If your controls have different effectiveness levels, set them individually per row to avoid overwriting accurate values.
  • Asset group vs. asset-specific risk. When an asset is part of a group, its Risk tab may show the group's scenarios rather than its own. This is intentional and avoids duplication. Only activate asset-specific risk for an asset if it genuinely has a different risk profile from the rest of the group.
  • The Treatment Plan button remains disabled? Check two things: (a) is at least one scenario linked with a saved score, and (b) does that score exceed the mitigation threshold? Both conditions must be met for the button to become active.
  • Navigating between assets quickly. Use the left and right chevron arrows in the breadcrumb strip to jump directly to the previous or next asset in the current list order. This is particularly useful during a risk review cycle when you need to check the same tab across many assets in sequence.

