Risk Settings Overview
The Risk Settings area is the master calibration panel for DPMS's entire risk engine. Before any asset, processing activity, or vendor can receive a meaningful risk score, someone must define what "risk" means for your organisation — which international standards apply, how likelihood and financial damage are weighted, how many risk categories exist, and where the thresholds between them sit. This screen is where all of that happens. It is primarily used by Data Protection Officers, Risk Managers, Information Security Managers, and Compliance Officers, and it is also visited by IT Administrators managing control sets and by Auditors reviewing the risk model before an assessment.
How to open it
- In the global navigation, click Settings (sometimes labelled General Settings in your instance).
- In the settings sidebar, click Risk Settings. The left-hand menu expands.
- The sub-menu appears with the following items: Standards (with children Activated Standards and Configure Models), Control Sets, Risk Scenarios, Maturity Model, and Deadlines and Urgency.
Each item is independently permission-gated. If you cannot see a particular menu item, you do not have the read permission for that area. If you navigate directly to a URL you lack access to, DPMS shows a full-page access-denied screen.
What you see
The screen uses the same two-column layout shared across all DPMS settings areas. On the left is a narrow sidebar — roughly one quarter of the page width on a large screen — with the heading Risk Settings and the expandable menu items listed below it. The active item is highlighted, and Standards shows a small expand chevron because it has two child pages.
The right-hand content area takes up the remaining four-fifths of the width. At the top of this area you will always see a breadcrumb trail (for example, Settings › Risk Settings › Activated Standards) followed by the section title. Where you have edit permission, a small Edit button with a pencil icon sits to the right of that title. If you lack edit permission, the button still appears but is greyed out and shows a tooltip explaining why it is disabled.
The detail of the content area changes depending on which sub-page you are on. It may show a simple list of active standards with tick-circle icons, a rich configuration table with likelihood and damage rows linked by dotted arrows, or an interactive risk slider with colour-coded category bands. A grey card box wraps the main data tables on the Configure Models page, giving it a visually distinct container.
Working with this screen
Reviewing which standards are currently active
The most common starting point is Activated Standards under the Standards menu item. Click Standards in the left sidebar; it expands and you land on the Activated Standards page.
You will see a list of international frameworks (for example, GDPR 2018, ISO 27001) each with either a filled green check-circle (active) or an outline circle (inactive). This page is read-only — it is the overview. Use it to confirm at a glance which frameworks are currently powering risk calculations across DPMS before you make any changes or before an audit review.
Adding or removing an active standard
When you need to add a new framework — say, NIS2 — or retire one that is no longer in scope, click the Edit button (pencil icon) next to the section title on the Activated Standards page.
The edit page opens with an important warning banner at the top. Read it carefully: activating or deactivating a standard affects existing risk scores across the platform. This is a significant action and cannot be automatically reversed.
Below the warning, a multi-select dropdown lists all available standards in alphabetical order. Currently active standards are already pre-selected and appear as chips inside the control. To add ISO 27001, open the dropdown, find it in the list, and click it. To remove a standard, click the × on its chip. The dropdown also has two buttons at the bottom — Add New and Edit Existing — which take you to the control set creation area if you need to build a custom standard. A Total: N count shows how many options remain selectable.
Once your selection is correct, click Save. DPMS sends your updated list to the server and immediately refreshes the global standard dropdown used throughout the platform — on asset detail pages, vendor scorecards, ROPA process risk tabs, and DPIA assessments. The standard list the rest of DPMS shows to users is driven entirely by what you activate here.
To cancel without saving, click the back arrow at the top of the form. No changes are persisted.
Configuring a risk model (likelihood, damage, categories, and thresholds)
This is the most detailed workflow in Risk Settings, and it all happens on the Configure Models sub-page. Click Configure Models in the left sidebar under Standards.
At the top of the content card you will see two blue dropdown pills: a Standard dropdown and a Model type dropdown. Use the Standard dropdown to switch between frameworks (for example, from GDPR to ISO 27001). Use the Model type dropdown to choose between Additive (likelihood score + damage score = final risk score) and Multiplicative (likelihood score × damage score = final risk score). For most standard compliance frameworks, Additive is the appropriate choice. Multiplicative produces a wider score range and is typically used in quantitative risk analysis.
To the right of the model type dropdown you will see a coloured pill showing the model's current status — either a green Active badge or a blue Activate badge. This is a status indicator on the read view.
To make changes to the model, click the Edit button (pencil icon) next to the model title (for example, "Asset Risk Model"). If a background recalculation job is currently running for this model, the Edit button will be temporarily disabled — you must wait for it to finish before making further edits.
Setting up likelihood levels. On the edit page, the Occurrence / Likelihood section shows a table of rows. Each row represents one likelihood level and has three fields linked by a dotted arrow graphic: a text label (for example, "Very Low"), an occurrence tag selected from a dropdown (for example, "Once a year or less"), and a numerical weight (for example, 1). The dotted arrows appear in a darker colour when all fields in a row are filled, and in muted grey when fields are empty — a quick visual completeness check.
To add a row, fill in all three fields in the current row and click the + circle icon that appears at the end. To remove a row, click the × circle icon (this icon is hidden when only one row remains, since you need at least one likelihood level). You can define as many levels as your model requires — up to any reasonable number. Be aware that for Multiplicative models, numerical values of zero are not accepted; all values must be at least 1.
If your DPMS instance uses multiple languages, a language toggle and a translate button set appear above the table so you can enter or auto-translate labels into each active language. A small flag icon alerts you when a label has been auto-translated and may need review.
Setting up damage levels. Directly below the likelihood table is the Damage / Amount section, which works the same way. Each row has a label, an "Up to" amount threshold (the maximum monetary value for that damage band), and a numerical weight. The topmost row shows "Above" rather than "Up to", representing unbounded damage. A Currency dropdown lets you choose the currency for displaying damage amounts (EUR, USD, GBP, etc.) — changing the currency is a label-only change and does not recalculate stored amounts.
One important behaviour: the second damage row's amount field is automatically set to match the highest amount entered in the first row, and that field is read-only. This is by design — it keeps the damage scale internally consistent. If you find yourself trying to type in that field and nothing happens, that is why.
Below the damage rows, a horizontal bar chart updates in real time as you enter amounts, visualising the relative width of each damage band. This chart is read-only and is there purely to help you see whether your bands are proportionate.
Setting risk categories. Below the damage section is Risk Categories. If you have not yet defined any categories for this model, you will see an alert with a Set button. Click Set to go to the category-count selection page, where you choose how many categories the model will use (for example, 3, 4, or 5). After selecting and confirming, you are returned to the edit form and the categories appear — for example: Minimal, Reduced, Elevated, Average, Critical — each with a colour-coded circle. You can rename each category label in any active language. The number of categories is fixed once set; changing it later requires resetting all threshold data.
Heads up: The risk slider and the Activate badge remain invisible until categories are set AND likelihood and damage values are all filled in. If the slider is not appearing, check that all rows in both the likelihood and damage tables are complete.
Configuring the risk slider. Once categories and values are in place, the Categories and Threshold slider appears. It shows a horizontal coloured track divided into bands — one per category — with draggable thumb handles at each boundary. Drag a thumb left or right to shift where one category ends and the next begins. For example, drag the boundary between Minimal and Reduced so that scores 0–2 fall into Minimal and 3–4 into Reduced.
Below the main risk slider is a second, single-thumb slider labelled Threshold. This sets the mitigation threshold — the score above which DPMS considers a risk to require an active control. For example, if you drag this to 6, any risk score above 6 will be flagged in the risk monitoring module as needing a control assigned.
Activating the model and saving. When all fields are complete and the slider is valid, the Activate badge becomes clickable on the edit page. Click it to toggle the model's status to active. Note: clicking the badge only changes the status in the current form — nothing is saved to the database yet. You must click Save at the bottom of the form to persist all changes including the activated status.
Clicking Save runs validation first. If any likelihood value is missing or zero (for a Multiplicative model), or any damage value is incomplete, a toast notification describes exactly what needs fixing and the save does not proceed. Once validation passes, DPMS saves the complete model and immediately uses it to calculate risk scores for all assets, scenarios, and processing activities linked to this standard.
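As an added illustration (not DPMS code), the following Python models the scoring rules the Configure Models workflow above describes: additive versus multiplicative combination, the zero-value rule applied on save, the min/max score range, category bands, and the mitigation threshold. The row weights, the inclusive upper bound per category, and the threshold clamping are constructed assumptions.

```python
from dataclasses import dataclass
ADDITIVE = "additive"              # final score = likelihood + damage
MULTIPLICATIVE = "multiplicative"  # final score = likelihood x damage

@dataclass(frozen=True)
class RiskModel:
    model_type: str
    likelihood: dict           # likelihood label -> integer weight (None = empty row)
    damage: dict               # damage label -> integer weight (None = empty row)
    categories: list           # (category label, inclusive upper score), ascending
    mitigation_threshold: int  # scores strictly above this need an active control

def validate(model):
    """Save-time checks: every row needs a weight; multiplicative rejects zero."""
    errors = []
    for section, rows in (("likelihood", model.likelihood), ("damage", model.damage)):
        if not rows:
            errors.append(f"{section}: at least one row is required")
        for label, weight in rows.items():
            if weight is None:
                errors.append(f"{section} '{label}': value missing")
            elif model.model_type == MULTIPLICATIVE and weight == 0:
                errors.append(f"{section} '{label}': zero not allowed in a multiplicative model")
    return errors

def combine(model, like, dmg):
    return like + dmg if model.model_type == ADDITIVE else like * dmg

def score_range(model):  # lowest and highest score the model can produce
    lo = combine(model, min(model.likelihood.values()), min(model.damage.values()))
    hi = combine(model, max(model.likelihood.values()), max(model.damage.values()))
    return lo, hi

def categorise(model, score):  # first band whose upper bound the score does not exceed
    for label, upper in model.categories:
        if score <= upper:
            return label
    return model.categories[-1][0]  # beyond the last bound: top category

def assess(model, likelihood_label, damage_label):
    score = combine(model, model.likelihood[likelihood_label], model.damage[damage_label])
    lo, hi = score_range(model)
    threshold = min(max(model.mitigation_threshold, lo), hi)  # clamped to the model range
    return {"score": score, "category": categorise(model, score), "needs_control": score > threshold}

# Constructed sample (not DPMS data): the five category names and the mitigation
# threshold of 6 quoted on this page, with four likelihood and four damage rows.
SAMPLE = RiskModel(
    model_type=ADDITIVE,
    likelihood={"Very Low": 1, "Low": 2, "Medium": 3, "High": 4},
    damage={"Low": 1, "Medium": 2, "High": 3, "Critical": 4},
    categories=[("Minimal", 2), ("Reduced", 4), ("Elevated", 5), ("Average", 6), ("Critical", 8)],
    mitigation_threshold=6,
)
```

Switching the sample to `MULTIPLICATIVE` widens the range from 2..8 to 1..16 without touching the rows, which is why the category bands and threshold must be revisited after a model-type change.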
Managing control sets
Click Control Sets in the left sidebar. This page lists active control catalogues — groups of controls mapped to your compliance frameworks. The layout is identical to Activated Standards: a list of control sets with tick-circle indicators showing which are active.
To activate or deactivate control sets, click the Edit button (pencil icon) next to the section title. The edit form works identically to the standards edit form but does not show the warning banner about affecting risk calculations, because changing control sets has a less immediate impact on existing scores. The dropdown footer still offers Add New and Edit Existing options for creating or modifying custom control sets.
The control sets configured here determine which control catalogues appear in the "Implemented Controls" dropdown on asset pages and Technical and Organisational Measures (TOMs) screens across DPMS.
Reviewing the configuration as an auditor
If you have read-only access, you can still navigate the full Risk Settings area to review the configuration. The Edit buttons will appear greyed out with a tooltip explaining that you lack the required permission — you cannot make changes, but you can see everything.
Use the Standard dropdown on the Configure Models page to switch between frameworks and compare their likelihood tables, damage tables, category definitions, slider positions, and the min/max score range. The green Active badge confirms which models are live. After reviewing standards and models, navigate to Risk Scenarios to cross-reference the scenario library, and to Maturity Model to review maturity level definitions.
Field reference
Standard dropdown (Configure Models page) — Switches the view between configured frameworks. Select the standard whose model you want to review or edit. Changing this dropdown does not save anything; it only changes which model is displayed.
Model type dropdown — Choose Additive or Multiplicative. Additive adds occurrence and damage scores together; Multiplicative multiplies them. For Multiplicative models, zero values in likelihood or damage rows are not permitted.
Likelihood label — The human-readable name of a likelihood level (for example, "Very Low", "Low", "Medium"). Required; must be filled in before you can add another row.
Occurrence tag — A tag from the standard occurrence frequency list (for example, "Once a year or less", "Monthly", "Daily or more"). Required per row.
Likelihood numerical value — The integer weight assigned to this likelihood level. Maximum value is 9,999,999,999,999. Required; must not be zero for Multiplicative models.
Damage label — The human-readable name of a damage band (for example, "Low", "Medium", "High"). Required.
Amount threshold — The maximum monetary amount defining the upper boundary of a damage band. The second row's amount is automatically set from the first row's value and is read-only.
Damage numerical value — The integer weight assigned to this damage band. Required; must not be zero for Multiplicative models.
Currency — The currency used to display damage amounts. Changing this does not recalculate stored amounts; it only changes the display label.
Category label (per category) — The name of each risk category (for example, "Critical", "Minimal"). Editable per language. Required.
Mitigation threshold — A single value on the risk scale above which DPMS flags a risk as requiring an active control. Clamped to the model's min/max range.
How this connects to the rest of DPMS
Risk Settings is foundational to almost every risk-related feature in DPMS. Here is how the configuration flows outward:
- Active standards populate the Standard dropdown on every asset, ROPA, vendor, and DPIA risk screen. If you deactivate a standard here, it disappears from those dropdowns for new records. Existing records retain their historical scores but are no longer linked to an active model.
- Likelihood and damage values drive the numerical risk score calculations shown on asset risk scenario pages and the risk monitoring dashboards. Without them, risk sliders elsewhere in the platform are empty.
- Category thresholds determine the colour (red, orange, yellow, green, blue) and label shown on all risk badges and score pills across the platform — on asset detail pages, vendor scorecards, and ROPA process risk tabs.
- The mitigation threshold is used by the risk monitoring module to flag assets or scenarios that require a control to be assigned.
- Control sets configured here determine which control catalogues appear in the Implemented Controls dropdown on asset pages and TOMs screens.
After completing your Risk Settings configuration, you will typically next visit the Risk Scenarios module to set up the threat and risk scenario library that links to assets and processing activities, and the Maturity Model screen to define maturity levels for your compliance posture.
Tips & common pitfalls
Heads up: Clicking the Activate badge on the edit page does not save the model. It only updates the status field in the open form. If you click Activate, see the badge turn green, and then navigate away without clicking Save, the model will remain inactive.
Tip: If the risk slider is not appearing, it means at least one of three things is missing: risk categories have not been set (the Set button is still visible), or the likelihood table has empty rows, or the damage table has empty rows. All three sections must be complete before the slider renders.
- The "Set categories" step is separate from the main form. Clicking Set takes you to a different page where you pick the number of categories. This is a separate operation with its own save. You must complete it and return to the model edit form before you can configure the slider.
- The second damage row's amount field is intentionally read-only. It mirrors the highest amount from the first row to keep the damage scale coherent. This surprises users who try to type into it — nothing will happen by design.
- Deactivating a standard does not delete existing risk scores. Records that were previously assessed under that standard retain their historical scores. Removing a standard from the active list only prevents it from appearing in dropdowns for new records. To clear the scores, each record must be individually updated.
- Editing is blocked during recalculation. When a large dataset is being recalculated after a model change, the Edit button on the Configure Models page is temporarily disabled. There is no progress indicator on this screen — wait a few minutes and try again.
- Multiplicative models require all values to be at least 1. Any likelihood or damage value of zero will cause a validation error on save. Additive models accept zero values, so this rule is stricter than you might expect if you switch a model from Additive to Multiplicative after entering values.