Manage risk scenarios

Create and edit reusable asset and data subject risk scenarios.

Risk scenarios are the building blocks of every risk assessment in DPMS. This screen is where you create, review, and organise your organisation's full library of scenarios — each one describing a specific threat event (for example, "Unauthorised access to customer data stored in the CRM system") together with its likelihood, potential damage, and computed risk score. Without a well-maintained scenario library, the risk indicators, sliders, and colour-coded ratings that appear on asset pages, Records of Processing Activities (ROPAs), and vendor assessments will show no meaningful data. If you are a Data Protection Officer, compliance officer, risk manager, or IT administrator responsible for keeping the organisation's risk picture up to date, this is the screen you will return to regularly.

How to open it

Navigate to Risk Settings in the left-hand sidebar. Within the Risk Settings menu, click Risk Scenarios. The screen opens at /risk/settings/risk/scenarios.

You need at least read access to Risk Scenarios to see this menu item. If the entry is missing from your sidebar, ask your system administrator to check that your user role includes this permission. Users who only have the general Risk Settings read permission but not the specific Risk Scenarios permission will not see the entry — it is either visible and clickable, or completely hidden. There is no disabled state.

To create or edit scenarios you also need the Risk Settings write permission. Without it, the Create button is hidden and the per-row action menus show no editing options.

What you see

The screen follows the standard two-column Risk Settings layout. On the left is the Risk Settings sidebar, a vertical navigation panel listing all available risk configuration sections: Standards (with sub-items for Active Standards and Configure Models), Control Sets, Risk Scenarios, Maturity Model, and Deadlines and Urgency. The Risk Scenarios entry is highlighted as the active selection.

The right-hand panel is the main content area. At the top you will find a search and filter bar for narrowing the list, and a Create button in the top-right corner. Below that sits the scenarios table, where every risk scenario configured for your organisation appears as its own row. The columns are: Name, Risk, Likelihood, Damage, and Type. Each column header is clickable to sort the list. The overall look is clean and consistent with the rest of DPMS — white cards, thin borders, and standard typography.

Working with this screen

Reviewing your scenario library before a compliance review

When you need a quick overview of where the biggest risks lie — for example, before a board presentation or an audit — start by landing on the Risk Scenarios list. All scenarios load immediately with their current risk rating, likelihood, and damage columns already populated.

Click the Risk column header once to sort by descending risk level, bringing the highest-rated scenarios to the top. If you need to focus on a particular domain, use the filter bar at the top of the table: type a keyword (such as "data breach" or "unauthorised access") or apply a filter by Type to separate asset scenarios from privacy or DPIA scenarios. The list updates in real time as you type or select filter options.

Once you have identified a scenario of interest, click its name in the first column to open the scenario's detail and editing page. There you can review exactly which assets or processing activities are linked, which Technical and Organisational Measures (TOMs) are assigned as mitigating controls, and the full history of risk evaluations. Use your browser's back button to return to the list — DPMS preserves the filter and sort state so you do not need to re-apply them.

If no scenarios match your current filter, the table shows an empty state message. Clear all filters to restore the full list.

Creating a new risk scenario for a newly identified threat

When a new threat vector is identified — from a security advisory, a penetration test, or an internal audit finding — you need to add a corresponding scenario to the library so it can be linked to the affected assets or ROPAs and included in risk calculations.

Click the Create button in the top-right corner of the content panel. DPMS opens the scenario creation form. Fill in the scenario name. Because DPMS is multilingual, you can enter the name in multiple languages (for example, both English and German) so that colleagues working in different interface languages all see the scenario correctly.

Select the scenario type: choose "Asset Scenario" for information security risks linked to assets, or the appropriate privacy/DPIA type if the scenario relates to a processing activity. This matters because the type determines which risk model's likelihood and damage scale applies, and it controls which records the scenario can be linked to later. If no active risk model has been configured yet, the form will warn you that likelihood and damage assignments cannot be completed until a model is activated.

Assign the likelihood and damage values from the dropdown options — these options are drawn from the active risk model (for example, an additive ISO 27001 model with five levels from Very Low to Very High). DPMS computes the numeric risk score and assigns the scenario to a risk category automatically once you save.

Click Save. DPMS creates the new scenario and returns you to the list (or to the new scenario's detail page). The new scenario will then be available for linking to assets, ROPAs, or vendors across the platform. Note: if you open another browser tab immediately after saving, you may need to reload that tab before the new scenario appears in dropdown selectors elsewhere in DPMS — the scenario list used by dropdowns refreshes on the next page load.

Locating scenarios of a specific type before activating a new risk model

Before switching to a new active risk model, it is good practice to verify that all the required scenarios already exist in the library for that model's domain. If they are missing, linked assets or ROPAs will have gaps in their risk coverage after the model is activated.

Open the Risk Scenarios list and use the filter bar to filter by Type — for example, select "Process Scenario" to show only privacy or DPIA-related scenarios, or "Asset Scenario" to focus on the information security domain. Count the entries and compare against your expected scenario inventory. If scenarios are missing, click Create to add them before activating the new model.

Once you are satisfied the library is complete, navigate to the Asset Risk settings page (accessible from the same Risk Settings sidebar) to activate the updated model. The scenarios you verified here will immediately participate in risk score calculations across all linked records.

Deleting or editing a scenario via the row action menu

Each row in the scenarios table carries a small action icon (three dots) on the right. Clicking it opens a contextual menu with options specific to that scenario, such as navigating to its edit page or deleting it.

Before deleting a scenario, always click the scenario name first to open its detail page and check whether it is currently linked to any assets, ROPAs, TOMs, or vendors. If the scenario is linked and you delete it, those linked records will lose their risk score reference. DPMS does not automatically recalculate or warn you about this cascade effect at the moment of deletion. Confirm that removing the scenario is intentional and that you have updated the linked records accordingly.

If you have read-only access (you hold only the read permission for Risk Scenarios), the action menu will be empty or show no destructive options. You can still click scenario names to open their detail pages and review all linked information.

Field reference

The scenario creation and editing form (reached via Create or by clicking a scenario name) contains the following non-obvious fields:

  • Name — The scenario's display name, stored as a multilingual object. Enter the name in every language your organisation uses. If you only fill in one language, colleagues using a different interface language will see the English fallback rather than an empty cell — but it is best practice to translate all names. Required.
  • Type — Classifies the scenario as an asset scenario, a privacy/DPIA scenario, or another supported type. Determines which risk model scale applies and which record types the scenario can be linked to. Required. Changing the type after creation may require re-evaluating all linked records.
  • Likelihood — A qualitative rating selected from the active risk model's likelihood categories (for example, Very Low through Very High, each mapped to a numeric value). Required for risk score calculation. If no active model exists, this field cannot be populated.
  • Damage — The potential impact category, selected from the damage scale defined in the active risk model (for example, named categories mapped to monetary ranges). Required for risk score calculation.
  • Risk score — Computed automatically from the likelihood and damage values using the active model's formula (additive or multiplicative). You do not enter this manually; it is displayed after saving.
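The difference between the additive and multiplicative formulas, and its effect on the sorted scenario list, as an added example (not DPMS code). The 1 to 5 numeric mapping and every scenario except the CRM one are assumptions constructed for illustration; DPMS takes the real values from the active risk model.

```python
from typing import Optional

# Assumption: five levels mapped to 1..5. DPMS takes the real values from
# the active risk model; these numbers are for illustration only.
LEVELS = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Constructed sample library; None marks a scenario not yet evaluated.
SCENARIOS = [
    {"name": "Unauthorised access to customer data stored in the CRM system",
     "likelihood": "Medium", "damage": "Medium"},
    {"name": "Ransomware on file server", "likelihood": "Very Low", "damage": "Very High"},
    {"name": "Lost unencrypted laptop", "likelihood": "High", "damage": "Low"},
    {"name": "Phishing of HR mailbox", "likelihood": "High", "damage": "High"},
    {"name": "New vendor integration", "likelihood": None, "damage": None},
]

def risk_score(likelihood: Optional[str], damage: Optional[str], formula: str) -> Optional[int]:
    """Numeric score under the given formula, or None if unevaluated."""
    if likelihood is None or damage is None:
        return None  # corresponds to empty Risk/Likelihood/Damage columns
    lk, dm = LEVELS[likelihood], LEVELS[damage]
    if formula == "additive":
        return lk + dm
    if formula == "multiplicative":
        return lk * dm
    raise ValueError(f"unknown formula: {formula!r}")

def ranking(scenarios, formula):
    """(name, score) pairs, highest score first; unevaluated ones last."""
    scored = [(s["name"], risk_score(s["likelihood"], s["damage"], formula))
              for s in scenarios]
    done = sorted((p for p in scored if p[1] is not None), key=lambda p: (-p[1], p[0]))
    todo = sorted((p for p in scored if p[1] is None), key=lambda p: p[0])
    return done + todo

def rank_changes(scenarios, old_formula, new_formula):
    """Names whose list position differs between the two formulas."""
    old = [n for n, _ in ranking(scenarios, old_formula)]
    new = [n for n, _ in ranking(scenarios, new_formula)]
    return [n for n in new if old.index(n) != new.index(n)]

if __name__ == "__main__":
    for formula in ("additive", "multiplicative"):
        print(formula, ranking(SCENARIOS, formula))
    print("moved:", rank_changes(SCENARIOS, "additive", "multiplicative"))
```

Under the additive formula three of the sample scenarios tie at the same score, while the multiplicative formula separates them, so the order of a list sorted by Risk can change when a different model is activated.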

How this connects to the rest of DPMS

The Risk Scenarios screen is the central maintenance point for your scenario library, but the scenarios you create here are used everywhere risk is calculated in DPMS.

After creating or updating scenarios here, the next step is typically to link them to the relevant assets, ROPAs, or vendors. You do this on the detail page of each asset or record — open an asset, go to its risk tab, and add the scenario from the dropdown. The dropdown list of available scenarios is drawn from the library you maintain on this screen.

Screens that depend on this screen:

  • Asset detail pages display linked risk scenarios with their current risk ratings. The risk slider and colour-coded risk categories shown on an asset page are only populated if scenarios have been linked and evaluated.
  • ROPA detail pages show linked risk scenarios in their risk tab. Scenario names here link back to the scenario edit page.
  • TOM (Technical and Organisational Measures) detail pages list the scenarios each TOM is designed to mitigate. This linkage is managed on the scenario and TOM pages but is grounded in the library here.
  • Vendor risk assessments use asset-type scenarios to drive risk scores on vendor records.
  • Risk Monitor dashboards and any risk reporting views derive their data from scenarios that have valid likelihood and damage assignments.

Screens that link in to individual scenarios:

  • Clicking a scenario name on an asset's risk tab, a ROPA's risk tab, or a TOM's detail page navigates directly to the scenario's edit page — the same destination as clicking the name here.
  • The Risk, Likelihood, and Damage cells in the table are also clickable and navigate to the relation-editing page for that scenario, where the relationship between the scenario and its parent record (asset, ROPA, or vendor) can be configured.

Tips & common pitfalls

Heads up: If a colleague reports that the Risk Scenarios menu item is missing from their sidebar, the most likely cause is that their role includes the general Risk Settings read permission but not the specific Risk Scenarios permission. These are separate permissions — both are needed for the menu item to appear.
Heads up: After creating a new scenario, it may not appear immediately in scenario-linking dropdowns on asset or ROPA pages in other open browser tabs. The dropdown list refreshes on page load. If a colleague tries to link the new scenario right away in another tab without reloading, it will not be visible yet. A simple page reload resolves this.
  • Empty Risk, Likelihood, and Damage columns mean the scenario exists but has not yet been evaluated against an active risk model. Activate a risk model on the Asset Risk or Privacy Risk settings page first, then return and edit the scenario to assign likelihood and damage values. Until a model is active and scores are computed, the risk indicators on linked records will also be blank.
  • Multilingual scenario names: If a scenario was created only in English and your interface language is set to German, the Name column will fall back to the English name rather than showing a blank. This is correct behaviour, but it can be confusing. Best practice is to fill in all active languages when creating a scenario.
  • Assigning the correct Type at creation time is important. The type determines which risk model scale is used for likelihood and damage, and which asset or ROPA records the scenario can be linked to. If you assign the wrong type and later change it, all linked records may need to be re-evaluated.
Tip: Before deleting a scenario, always open its detail page and check for active linkages to assets, ROPAs, TOMs, or vendors. Deleting a linked scenario removes the risk score reference from those records without any automatic warning or recalculation. If in doubt, deactivate the scenario or rename it rather than deleting it.
  • Sorting by the Risk column is the fastest way to prioritise your review. Click the column header once for ascending order, again for descending. Combined with a Type filter, this gives you a focused view of the highest-priority scenarios in any domain within seconds.

