Relevant Risk Scenarios

Compliance officers, DPOs, risk managers, and auditors use the **Relevant Risk Scenarios** tab on a Control/TOM detail page to see exactly which threats and vulnerabilities a given measure is designed to address — and to verify that the organization's risk landscape is properly covered.

The Relevant Risk Scenarios tab answers a simple but critical question: why does this control exist? A Technical and Organizational Measure (TOM) like "AES-256 encryption at rest" is only meaningful when you can point to the threats it defends against — for example, "unauthorized disclosure of personal data stored on decommissioned hardware." This tab makes that connection explicit. Compliance officers and DPOs use it during routine reviews; auditors open it during regulatory inspections to confirm that every linked scenario is intentional and up to date. Because the link between a TOM and its scenarios is bidirectional, any change you make here is immediately reflected on the corresponding Risk Scenario detail pages and on every Asset that uses this TOM.

How to open it

  • In the left sidebar, click Controls & TOMs.
  • Click the name of any TOM in the list to open its detail page.
  • In the left detail menu, click Relevant Risk Scenarios.

Heads up: You need at least read access to Controls & TOMs to see this page. If your account lacks this permission, the entire TOM detail page shows a "403 Forbidden" message. To link or unlink scenarios, you also need edit access. Users who only have read access will see the scenarios listed but will not be able to make changes.


What you see

The screen follows DPMS's standard two-column layout. On the left is a collapsible sidebar listing all available tabs for this TOM: General, Documents, Relevant Risk Scenarios, Assets, ROPA, DPIA, Vendors, Projects, Tasks, Assessments, and Workflows. The currently active tab — Relevant Risk Scenarios — is highlighted. You can collapse the sidebar with the small blue circle icon at the far left if you need more reading space.

The right side begins with a breadcrumb bar showing Controls & TOMs → [TOM name] → Relevant Risk Scenarios. Small left and right chevron arrows sit next to the TOM name, letting you jump directly to the previous or next tab without going back to the list. A clock icon in the top-right corner gives you quick access to the Activity Log.

Below the breadcrumb is a sticky header that shows the TOM's responsible person(s), its current status badge (Draft, Active, Inactive, Review, or any custom status your admin has configured), and the last updated and last review dates. These stay visible as you scroll.

The main content area is the Relevant Risk Scenarios table, identified by a light-bulb icon and the heading "Relevant Risk Scenarios." In the default read-only view, this table lists every scenario that has been linked to this TOM. If nothing has been linked yet, the table displays an empty-state message. Each row is clickable and takes you directly to that scenario's detail page.

Working with this screen

Verifying a TOM's risk coverage (read-only review)

This is the most common reason to land on this tab. You open a TOM — say, "Access Control Policy" — and click Relevant Risk Scenarios in the left menu. The table shows every scenario this TOM is meant to address: for example, "Unauthorized access by internal users," "Brute force authentication attack," and "Privilege escalation via shared credentials."

To double-check when those links were created and who created them, click the clock icon in the top-right corner. This opens the Activity Log drawer on the right side of the screen.


The drawer lists every change ever made to this TOM record, including when each scenario was linked or unlinked, who changed the status, and when the record was last edited. You can scroll through the full history. When you're done, close the drawer by clicking outside it or using its close button, and return to your review.

If the coverage looks complete, no further action is needed. You can navigate to the next tab using the chevron arrows in the breadcrumb, or move to the next TOM entirely.

Linking additional scenarios to a TOM (edit mode)

Suppose you're an IT admin reviewing "Data-at-rest Encryption" and you realize two scenarios are missing from the list. To add them, click the Edit button in the sticky header. DPMS takes you to the edit view of this TOM, opening directly on the Relevant Risk Scenarios tab.

In edit mode, the table gains two tabs: All (the full scenario catalogue) and Linked (only the scenarios already associated with this TOM). Switch to All, use the search bar to find the scenario you want — for example, type "unauthorized disclosure" — and tick the checkbox next to it. Repeat for any other scenarios you need. When you're ready, click Save. DPMS immediately records the new links, and you are returned to the detail view, which now shows the updated list.

Tip: There is no confirmation step before the link is saved. If you accidentally link the wrong scenario, you'll need to re-open edit mode and remove it. Make sure you've selected the right rows before clicking Save.

Reviewing scenario details from the list

Each row in the Relevant Risk Scenarios table is a live link. Clicking any scenario name opens that scenario's full detail or edit view, where you can see its description, likelihood, impact, linked TOMs, and any assessment notes. Use your browser's back button or the breadcrumb in the scenario view to return to the TOM.


This is useful when an auditor needs to understand the full context of a scenario — not just its name, but the reasoning behind its likelihood and impact scores.

Auditing multiple TOMs in sequence

If you're reviewing a batch of TOMs, you don't have to go back to the index between each one. After reviewing the Relevant Risk Scenarios tab on one TOM, use the left and right chevron arrows in the breadcrumb to move between tabs on the current record. When you're ready to move to the next TOM entirely, use the navigation arrows adjacent to the TOM name in the breadcrumb. DPMS will try to keep you on the Relevant Risk Scenarios tab as you move from one TOM to the next, so you can work through your list without losing your place.

Field reference

The Relevant Risk Scenarios table columns in the read-only view:

  • Name — The scenario's title as defined in the Risk Settings catalogue. Clicking the row opens the scenario detail.
  • Priority — A risk-level badge reflecting the overall risk level assigned to this scenario (e.g., High, Medium, Low). Calculated from the scenario's likelihood and impact settings in the catalogue.
  • Status — The current lifecycle status of the scenario (Active, Draft, etc.), as configured in the Risk Settings catalogue.

Additional columns may appear depending on how your administrator has configured the risk catalogue.

How this connects to the rest of DPMS

What you configure on this tab has a ripple effect across several other areas of DPMS.

Risk Settings catalogue: Scenarios do not originate here — they are created and managed by administrators in Settings → Risk Settings. This tab only lets you associate existing scenarios with the current TOM.


Asset Risk tab: Every asset that has this TOM listed as an implemented control uses the TOM-to-scenario links to calculate its risk maturity and coverage score. If you unlink a scenario here, that calculation changes on the next load of the Asset's Risk tab — there is no delay and no undo prompt.

DPIA and ROPA: Both the Data Protection Impact Assessment and the Record of Processing Activities include a "TOMs" section. The scenario links you manage here flow into those records. An auditor reviewing a DPIA will see the same TOM-to-scenario relationship you've established on this tab.

Workflow reviews: When a Workflow review is triggered on this TOM (via the Workflows tab), reviewers are expected to check this tab as part of their evidence review. A well-populated Relevant Risk Scenarios list makes the review straightforward.

After finishing here: If you've just linked new scenarios to a TOM, it is good practice to check the TOM's status in the sticky header. If it was in "Draft," consider moving it to "Active" once coverage is confirmed. You may also want to open the linked scenarios individually to verify their likelihood and impact scores are current.

Tips & common pitfalls

Heads up: The detail page is always read-only by default. There are no checkboxes or selection controls visible here — that is intentional. To link or unlink scenarios, you must click the Edit button in the sticky header, which opens the editable version of the tab.

Tip: If the Edit button shows a "Missing permission" tooltip when you hover over it, your account is either read-only or you are assigned as "edit only for assigned records" but are not listed as a responsible person on this TOM. Ask your admin to assign you, or request edit access.

  • Unlinking is immediate and irreversible without re-linking. When you remove a scenario in edit mode and click Save, the link is deleted at once. There is no trash or undo. If asset risk scores change unexpectedly, check whether a scenario was accidentally unlinked.
  • The Activity Log is hidden on shared/consulted TOMs. If a TOM was shared with your organization from another organization, the clock icon does not appear. This is by design — you cannot view the originating organization's internal audit trail.
  • Scenario names come from the catalogue — you cannot rename them here. If a scenario name looks wrong or outdated, ask your administrator to update it in Settings → Risk Settings. The change will be reflected everywhere the scenario is used.
  • Sub-tab state is remembered as you navigate between TOMs. If you move to the next TOM while on the Relevant Risk Scenarios tab, DPMS will try to open the same tab on the new record automatically.
  • Custom statuses may appear in the status dropdown. If your compliance administrator has set up custom TOM statuses under Compliance Settings, those will appear alongside (or instead of) the default Draft / Active / Inactive / Review options. The behavior is the same regardless of which status you select.

