Setting up risk models in General Settings
The Risk Settings area is the engine room of DPMS risk management. Everything you configure here — the probability levels, the damage thresholds, the calculation formula, and the category boundaries — feeds directly into every risk score displayed on Asset records, Risk Scenarios, ROPA entries, Vendor panels, and DPIA reports. Without a configured and activated risk model, those scores simply show "not set" across your entire tenant. This article walks you through all five sections of the Risk Settings module and explains how to set up, configure, and activate a risk model step by step.
How to open it
Navigate using the left-hand global navigation bar: Settings → Risk Settings. Depending on your tenant's branding this menu item may be labelled Compliance Settings.
You need at least the Asset Risk read permission to see the Standards and Configure Models sections. To make changes, you also need the corresponding edit permission. If you land on a "403 Forbidden" page, contact your system administrator to request the appropriate role.
What you see
Once you're inside Risk Settings, the screen divides into two zones. On the left is a compact navigation panel labelled Risk Settings in bold, listing five sections: Standards (expandable into Active Standards and Configure Models), Control Sets, Risk Scenarios, Maturity Model, and Deadlines & Urgency. The currently selected item is highlighted in the accent colour; clicking the disclosure triangle next to Standards reveals its two sub-items.
The right-hand content area — roughly 80 % of the screen width — shows the detail page for whichever section you've selected. At the top of most sections you'll find a breadcrumb trail (e.g. General Settings → Standards → Configure Models) and an Edit button with a pencil icon. The bulk of the space is taken up by either a list of active items (for Standards and Control Sets) or a rich configuration card with dropdowns, data tables, and sliders (for Configure Models).
Working with this screen
Activating international standards for the first time
Before you can configure a risk model, you need to tell DPMS which compliance standard (or standards) your organisation works under — for example ISO 27001, NIST, or GDPR. Open Standards → Active Standards in the left panel. You'll see a list of already-active standards, each with a filled circle-check icon, and any inactive ones shown with an outline circle.
To add a new standard, click the Edit button (pencil icon) at the top right of the content area. A warning banner appears immediately, reminding you that changing the selected standard will cascade changes through all associated risk models — it's worth reading before proceeding.
In the Select the standards dropdown, type the name of the standard you want or scroll through the list. Click it and it appears as a chip above the dropdown. You can select multiple standards at once. When you're ready, click Save. DPMS sends your selection to the server and redirects you back to Active Standards, where the newly activated standard now shows a filled circle-check icon.
Heads up: If you need to create a brand-new custom framework rather than selecting a published standard, use the Add New button inside the dropdown footer. This requires the Control Set edit permission and takes you to the Control Set creation page.
Configuring the risk model for a standard
With a standard active, head to Standards → Configure Models. At the top of the content area you'll see a pill-shaped identification bar with three segments: the Standard dropdown (styled in blue/dark), the Model type dropdown (additive or multiplicative), and a live formula display showing Risk = Occurrence Likelihood + Damage Scale (or × for multiplicative). To the far right sits the Active / Activate status pill.
Use the Standard dropdown to choose the standard you want to configure. The large configuration card below refreshes to show that standard's current model — likelihood rows on the left, damage rows on the right, and the category slider below.
To make changes, click the Edit button (pencil icon). This opens the full edit form. You'll work through three sections:
1. Occurrence / Likelihood
This section defines the probability axis of your risk matrix. Each row represents one likelihood level (e.g. Rare, Possible, Almost Certain). For each row you fill in:
- A label — the name shown on risk forms across DPMS (e.g. "Very High"). If your organisation uses multiple languages, use the language-switcher buttons above the list to enter the label in each language.
- An occurrence tag — a descriptive tag from your tag library (e.g. "Once a year") that gives users helpful context when choosing a likelihood level.
- A numerical value — the weight this level contributes to the risk score formula.
To add a new likelihood level, fully complete the last row in the list; a + (add) icon appears on the right. Click it to append a new empty row. To remove a level, click the × (delete) icon on that row — it won't appear when only one row remains.
2. Damage
The Damage section works the same way but adds two extra fields: a currency selector at the top (defaults to EUR) and a monetary amount field per row that defines the financial ceiling for each damage band (e.g. "Up to €10,000"). As you enter amounts, the DamageChart below the table updates in real time, showing the proportional width of each band, which gives you a quick visual check of how your bands are spread before you save.
Tip: Changing the currency selector is a display-only change. DPMS does not convert existing monetary values. Make sure your damage amounts are already expressed in your target currency before switching.
3. Risk Categories and the category slider
Scroll down to the Risk Categories section. If you haven't defined categories yet, an alert box with a Set button (blue pill) prompts you to do so. Clicking Set takes you to a separate page where you choose how many categories you want (e.g. five: Minimal, Reduced, Average, Elevated, Critical) and give each one a name.
Once categories exist, you'll see a colour-coded multi-thumb slider — the Risk scope slider. Drag the boundary thumbs between categories to define the score ranges. The minimum and maximum values on the slider are calculated automatically from your likelihood and damage values, so if you change those values, come back and review the slider boundaries.
Below the category slider sits a second, single-thumb Mitigation threshold slider. Drag this thumb to set the score below which a risk is considered mitigated by implemented controls. This threshold appears on Asset risk detail panels throughout DPMS.
When you're satisfied with all three sections, click Save at the bottom of the form. DPMS validates every field — if anything is missing or out of range, a toast notification explains exactly what needs fixing. A successful save triggers a background recalculation job that updates risk scores on all linked records across your tenant. You'll see a confirmation toast, and the edit button will be temporarily disabled while the job runs.
Choosing between additive and multiplicative formulas
The Model type dropdown in the pill bar lets you switch between two calculation approaches:
- Additive — the risk score is the sum of the likelihood value and the damage value. This is the more common choice and works well when your likelihood and damage scales use similar numerical ranges.
- Multiplicative — the risk score is the product of the two values. This amplifies the effect of high values on both axes and is appropriate for frameworks where a high-likelihood, high-damage event should score disproportionately higher. Note: every likelihood and damage value must be at least 1 when using this formula. Any row with a value of 0 will block saving.
Switching the formula type does not save automatically — you still need to click Edit and then Save for the change to take effect.
Activating a risk model
Once your likelihood scale, damage bands, and categories are configured and saved, you're ready to activate the model. On the Configure Models page, look at the status pill on the far right of the pill bar. If it reads ACTIVATE in blue, the model is ready to go live. Click it — the pill turns green and reads ACTIVE.
Heads up: If the ACTIVATE pill appears faded or unclickable, it means the slider validation has not passed. The most common cause is that the numerical range across your likelihood and damage values is too narrow for the number of categories you've defined. Either increase the spread of your values or reduce the number of risk categories.
After clicking ACTIVATE, click Save on the edit form to persist the status change to the server. This triggers a background risk recalculation job. While the job runs (typically a few minutes for large datasets) all edit buttons in Risk Settings are locked with an explanatory tooltip. This is expected behaviour, not an error. Refresh the page once the job completes.
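The formula choice, the score range the slider is constrained to, the damage bands and the activation check described above are easy to get wrong when you configure them by hand. The script below is an added example, not DPMS code, that mirrors those rules so you can sanity-check a configuration offline before saving it: it scores a likelihood/damage pair under both model types, derives the score range from the numerical values, assigns a category from the boundary thumbs, applies the mitigation threshold, maps a monetary loss to a damage band, and flags the two conditions the article says block saving or activation (a 0 in a multiplicative model, and a range too narrow for the categories). The class and function names, the thumb semantics (scores below a thumb fall into the lower category) and the exact form of the "too narrow" test (at least one distinct score per category) are assumptions; the sample rows are constructed, not real tenant data.

```python
"""Offline sanity check for a DPMS-style risk model configuration.

Added example, not DPMS code. The rules mirror the article; the data
structures, names and the exact validation tests are assumptions.
"""
from dataclasses import dataclass

MAX_VALUE = 9_999_999_999_999  # field maximum quoted in the article


@dataclass(frozen=True)
class Level:
    """One row of the Occurrence/Likelihood or Damage table."""
    label: str
    value: int          # numerical weight used by the formula
    amount: int = 0     # damage rows only: monetary ceiling of the band


@dataclass
class RiskModel:
    model_type: str             # "additive" or "multiplicative"
    likelihood: list[Level]
    damage: list[Level]
    categories: list[str]       # lowest to highest, e.g. Minimal .. Critical
    boundaries: list[int]       # one thumb between each pair of categories
    mitigation_threshold: int   # scores below this count as mitigated

    def score(self, likelihood_value: int, damage_value: int) -> int:
        if self.model_type == "additive":
            return likelihood_value + damage_value
        if self.model_type == "multiplicative":
            return likelihood_value * damage_value
        raise ValueError(f"unknown model type {self.model_type!r}")

    def score_range(self) -> tuple[int, int]:
        """Lowest and highest score the configured values can produce.
        With non-negative values both formulas take their extremes at the
        smallest and largest weight on each axis."""
        lv = [lvl.value for lvl in self.likelihood]
        dv = [dmg.value for dmg in self.damage]
        return self.score(min(lv), min(dv)), self.score(max(lv), max(dv))

    def category(self, score: int) -> str:
        # Assumed thumb semantics: thumb at b splits scores < b (lower
        # category) from scores >= b (upper category).
        for name, bound in zip(self.categories, self.boundaries):
            if score < bound:
                return name
        return self.categories[-1]

    def damage_band(self, amount: int) -> Level:
        """First damage band whose monetary ceiling covers the loss."""
        for level in sorted(self.damage, key=lambda d: d.amount):
            if amount <= level.amount:
                return level
        return max(self.damage, key=lambda d: d.amount)  # top band

    def assess(self, likelihood_label: str, damage_label: str) -> dict:
        lvl = next(x for x in self.likelihood if x.label == likelihood_label)
        dmg = next(x for x in self.damage if x.label == damage_label)
        s = self.score(lvl.value, dmg.value)
        return {"score": s, "category": self.category(s),
                "mitigated": s < self.mitigation_threshold}

    def validate(self) -> list[str]:
        """Checks the article describes; an empty list means ACTIVATE is allowed."""
        errors: list[str] = []
        rows = self.likelihood + self.damage
        for r in rows:
            if not 0 <= r.value <= MAX_VALUE:
                errors.append(f"{r.label}: value out of range")
        if self.model_type == "multiplicative" and any(r.value < 1 for r in rows):
            errors.append("multiplicative model: every value must be >= 1")
        if any(not 0 < d.amount <= MAX_VALUE for d in self.damage):
            errors.append("damage amount must be between 1 and the field maximum")
        if len(self.boundaries) != len(self.categories) - 1:
            errors.append("need exactly one boundary per pair of adjacent categories")
        lo, hi = self.score_range()
        # Assumed form of the activation check: the range must hold at least
        # one distinct score per category, or the slider cannot be spread
        # over all categories and the ACTIVATE pill stays disabled.
        if hi - lo + 1 < len(self.categories):
            errors.append(f"score range {lo}..{hi} too narrow for "
                          f"{len(self.categories)} categories")
        if self.boundaries != sorted(self.boundaries) or any(
                not lo < b <= hi for b in self.boundaries):
            errors.append("boundaries must be ascending and inside the score range")
        if not lo <= self.mitigation_threshold <= hi:
            errors.append("mitigation threshold outside the score range")
        return errors

    def can_activate(self) -> bool:
        return not self.validate()


def example_model(model_type: str = "additive") -> RiskModel:
    """Constructed sample configuration (three levels per axis, five categories)."""
    lik = [Level("Rare", 1), Level("Possible", 2), Level("Almost Certain", 3)]
    dmg = [Level("Low", 1, amount=10_000), Level("Medium", 2, amount=100_000),
           Level("High", 3, amount=1_000_000)]
    cats = ["Minimal", "Reduced", "Average", "Elevated", "Critical"]
    if model_type == "additive":      # scores run 2..6
        bounds, threshold = [3, 4, 5, 6], 4
    else:                             # multiplicative: scores run 1..9
        bounds, threshold = [2, 4, 6, 9], 4
    return RiskModel(model_type, lik, dmg, cats, bounds, threshold)
```

Run `example_model("multiplicative").validate()` after changing a row's value to 0 to see the validation message that corresponds to the toast DPMS shows, and shrink the likelihood values to all 1s to reproduce the "too narrow" condition behind a faded ACTIVATE pill. Note how the same three-by-three scale yields a range of 2..6 under the additive formula but 1..9 under the multiplicative one, which is why switching model type means revisiting the slider boundaries.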
Working with Control Sets
Control Sets are organisation-defined frameworks that fall outside published standards like ISO 27001. Navigate to Risk Settings → Control Sets to manage them. The page works identically to Active Standards: click Edit, select the control sets you want to activate from the dropdown (or create a new one using the Add New button), and click Save.
Tip: Control sets do not appear in the Standard dropdown on the Configure Models page — they are filtered out by design. They are only visible in the Control Sets section of Risk Settings.
Field reference
Label (Likelihood / Damage rows) — The name displayed to users on risk forms throughout DPMS. Supports multiple languages via the language-switcher buttons. Required for any model you intend to activate.
Occurrence tag — A tag from your occurrence likelihood tag library. Provides descriptive context (e.g. "Once a year") alongside the label. Required for active likelihood rows.
Numerical value (Likelihood) — The weight assigned to this likelihood level in the risk formula. A whole number from 0 up to 9,999,999,999,999. For multiplicative models it must be ≥ 1; a 0 in any row blocks saving.
Amount (Damage rows) — The monetary ceiling for this damage band (e.g. 10,000 for "Up to €10,000"). The top band automatically mirrors the highest value from all other rows. Maximum: 9,999,999,999,999. Zero is rejected.
Numerical value (Damage) — The weight assigned to this damage band in the risk formula. Same validation rules as the likelihood value.
Currency — Display label only. Shown next to damage thresholds on all risk-related screens. Changing this does not convert existing amounts.
Category names — Free-text names for each risk band (e.g. Minimal, Critical). Multi-language entry supported. Defined on the Set Categories page and edited inline on the Configure Models edit form.
Risk scope slider thumbs — Drag to set the score boundary between adjacent risk categories. Values are constrained to the range derived from your likelihood and damage numerical values.
Mitigation threshold — The score below which a risk is treated as mitigated. Single thumb slider. Displayed on Asset risk panels.
How this connects to the rest of DPMS
The configuration you complete here has a wide blast radius. Once a risk model is active:
- Asset records display calculated risk scores in the risk badge and on the Asset detail risk panel. Without an active model, these show "not set".
- Risk Scenarios use the same likelihood and damage labels you defined here in their dropdown fields.
- Vendor risk panels and ROPA entries reference the active standards to populate control framework dropdowns.
- AI-assisted risk suggestions read your active likelihood and damage labels to generate contextual recommendations. Without an active model, AI assistance in risk-related features degrades gracefully.
- DPIA risk model (if enabled on your tenant) builds on the same activation infrastructure as the asset risk model.
After finishing your risk model configuration here, your natural next step is to visit the Risk Scenarios section (also in the left panel) to create or review specific threat scenarios that use the scales you've just defined.
Tips & common pitfalls
Tip: Always save your likelihood and damage values before trying to activate the model. The ACTIVATE pill only becomes clickable once DPMS can validate that your value ranges accommodate all your risk categories.
Heads up: After activating and saving a model, DPMS locks all edit buttons in Risk Settings while a background recalculation job runs. This is not an error. Wait a few minutes and then refresh the page.
- Switching the standard or formula type in the pill bar does not save anything. These controls change what is displayed in the card below. You must click Edit and then Save to persist any changes, including activating a model.
- Multiplicative models reject zero values. If you switch to multiplicative and see a validation toast when saving, check each likelihood and damage row for a value of 0 and replace it with at least 1.
- Currency changes are cosmetic. If you change from EUR to USD, DPMS does not convert your damage amounts. Update the amounts manually to reflect the correct currency before switching the label.
- The "Add New" button in the standards dropdown is only visible if you have the Control Set edit permission. If it's missing, ask your administrator to grant that permission to your role.
- Newly created control sets will not appear in the Configure Models standard dropdown. Control sets and standards are separate concepts in DPMS. Control sets live only under the Control Sets section and are not available as bases for the asset risk model configuration.