Skip to content
← Blog & Education · workflow 11 min read

A risk, from the day you log it to the number your board asks for

Identify a risk, score it, treat it, and quantify it in dollars — Talarity runs the whole lifecycle on one record, so 'what's our exposure?' has a defensible answer instead of a guess.

By The Talarity team · June 17, 2026

Every risk framework is really one instruction repeated: manage risk, don’t just record it. ISO 31000 builds its whole model on a lifecycle — identification, analysis, evaluation, treatment, monitoring. SOC 2 CC3.1–CC3.4 expect you to identify risks to your objectives and decide what to do about each. The NIST Risk Management Framework turns the same loop into a federal mandate. None of them is satisfied by a spreadsheet row that says “ransomware — high.”

The gap most teams live in is the distance between “we know that’s a risk” and “here’s what we did about it, and here’s what it would cost us.” The risk gets logged, scored on a gut feeling, and then sits — until an auditor asks for the treatment decision, or a board member asks for the dollar exposure, and neither has an answer anyone can defend. Talarity closes that gap on a single record: a risk you identify, score (inherent and residual), treat with a recorded strategy, and — when the stakes justify it — quantify into a real loss distribution with FAIR. One lifecycle, one audit trail, one number.

Who’s involved

  • Risk owner — logs the risk, sets likelihood and impact, and owns it through to closure.
  • Risk manager / CRO — runs the register, prioritises by score, decides treat-vs-accept, and quantifies the ones that warrant a dollar figure.
  • Control owners — the people whose verified controls pull residual risk down below inherent.
  • Auditor / board — reads the register, the treatment decisions, and the FAIR output: what you found, what you chose, and what it would cost.

What’s on the page

Open the Risk Register (/app/risks) — the portfolio view plus the per-risk case file:

  • Register table + KPIs — every risk with its inherent and residual score, status, and owner; summary tiles up top.
  • New Risk modal — two doors: author one by hand, or generate from completed assessments.
  • Scoring — inherent vs. residual (likelihood × impact).
  • Treatment — the four strategies (mitigate / accept / transfer / avoid), each a recorded decision.
  • Linked controls — the verified controls that earn the residual drop.

Step 1 — Open the register and read the portfolio

Open Risk Register (/app/risks). This is the portfolio view: stat cards across the top — Total Risks, Critical / High, Overdue Reviews, Accepted — over a colour-coded risk-level distribution bar, then a filterable, sortable table. Every column that matters for triage is there: score, level, status, review due (with an overdue flag), and ALE (P90) — the dollar figure that appears once a risk has been quantified.

The risk register — stat cards and the level-distribution bar over a table with Score, Level, ALE (P90), and Review Due columns.

The filter bar is built for “show me the risks that need me right now”: status, level, category, owner, CCL coverage (has controls / no controls / unmitigated), plus group-by and sort. Three tabs sit above the table — List, Matrix (the likelihood × impact heat map), and Review Queue (overdue / upcoming / unscheduled).

The five-step workflow guide — Identify → Assess → Prioritise → Treat → Review — each step showing a live count from your register.

The workflow guide at the top isn’t decoration — each step carries a live count (how many risks are unassessed, how many critical, how many overdue for review), so the register doubles as a to-do list for the program.

Step 2 — Create the risk: two doors

Click New Risk and you describe it in one modal: a title, a category (Strategic, Operational, Cybersecurity, Compliance, Third-Party, and the rest), a review cadence, and a description. Then the part that makes it a risk and not a note — the initial assessment: likelihood and impact sliders (1–5 each) that drive a live preview score and level as you move them, and a treatment strategy to start with.

The New Risk modal — likelihood and impact sliders driving a live preview score circle and level, with a treatment-strategy selector.

The second door is the one most teams miss. Generate from Assessments turns a finished assessment into tracked risks: pick the completed runs, set a score threshold per assessment type, and Talarity previews the candidate risks (the questions that scored below your bar). Review the candidates, select the ones worth tracking, and generate — each new risk is stamped with the assessment run it came from.

Generate from Assessments — completed runs selected, per-type thresholds set, and the candidate risks previewed before you create them.

Manual for the one-off, generate-from-assessment for the sweep. Type a risk in by hand when something specific lands on your desk. But after you finish a CIS or CSF assessment, don’t re-key the gaps as risks one by one — let the register pull them, pre-scored and provenance-stamped, in a single pass.

Step 3 — Score it: inherent versus residual

Open the risk and you land on its case file. The header carries the big score circle, the status and lifecycle badges, the category, and the review-due date; the action bar gives you Edit, Re-Assess, Mark Reviewed, Accept, and the closure workflow.

The risk detail header — score circle, status / lifecycle / category / review badges, and the action bar.

The score itself is likelihood × impact on a 1–5 scale, mapped to five levels — Minimal, Low, Medium, High, Critical. The Overview tab shows two scores side by side: inherent (the risk before your controls) and residual (the risk after the controls you’ve verified). The Assessment tab is where you re-score, with a history timeline of every change and who made it.

The Overview tab — inherent and residual score cards, the lifecycle progress bar, and clickable chips for linked controls, vendors, KRIs, and more.

The gap between inherent and residual is what your security program bought you. A Critical inherent risk that sits at Medium residual is a control story you can tell an auditor: here’s the raw exposure, here are the verified controls, here’s the reduction they earned. A residual score that never moves off inherent means your controls aren’t credited — or aren’t there.

The Assessment tab — the likelihood and impact scales (Possible × Severe) driving the current-score formula (3 × 5 = 15), and the assessment-history log where every re-score is recorded and attributed to the person who made it.

Back on the register, the Matrix tab plots the whole portfolio on a likelihood × impact heat map — the fastest way to see where your concentration of high-stakes risk actually is.

The register's Matrix tab — the portfolio plotted on a likelihood × impact heat map.

Step 4 — Treat it: four strategies, one recorded decision

Open the risk’s treatment view (/app/risks/:riskId/treatment). Talarity gives you the four ISO 31000 strategies as cards, each with the moves it implies:

  • Mitigate — reduce likelihood or impact with controls. Residual risk should fall as the controls land.
  • Transfer — shift the financial risk to a third party (cyber insurance, an outsourced service). The premium is recorded as a cost.
  • Avoid — eliminate the activity that creates the risk. This closes the risk.
  • Accept — knowingly retain it, with a rationale and an expiry so “accepted” can’t quietly become “ignored forever.”

The treatment view — the four strategy cards (Mitigate / Transfer / Avoid / Accept) with their suggested actions.

A treatment plan is a real work item: a title, an owner, a target date, an expected reduction, linked controls, and cost entries. As it progresses, you track it to an outcome — the actual reduction measured after the fact, against the expected.

Creating a treatment plan — strategy, title, owner, target date, expected reduction, linked controls, and cost.

Treat versus accept is the decision the article exists to make easier. Mitigate when a control meaningfully moves the number and the cost is worth it. Transfer when the loss is survivable-with-insurance but not survivable alone. Avoid when the activity isn’t worth the exposure. Accept — explicitly, with an expiry and a named owner — when the residual is genuinely tolerable. The wrong move is the silent one: letting a risk sit untreated with no decision on record.

The active treatment plans table — strategy, status, owner, target date, progress, and cost, each plan tracked to its outcome.

Residual risk doesn’t fall because you wrote a plan; it falls because controls are in place and verified. On the risk’s Controls tab, link the CCL controls that mitigate it. The link is a real relationship, and the strength of your verified control coverage is what justifies a residual score below inherent.

The Controls tab — CCL controls linked to the risk, with the Link Item picker.

Step 6 — Quantify it with FAIR

For the risks where a dollar figure changes a decision, open Quantified Risk (FAIR) (/app/risk/quantified). FAIR turns “high cyber risk” into a loss distribution. In the Configure tab you set the model’s inputs as min/likely/max ranges: Threat Event Frequency, Vulnerability (the share of attempts that succeed), Primary and Secondary loss magnitude, with Loss Event Frequency computed as TEF × Vulnerability.

The FAIR Configure tab — Threat Event Frequency, Vulnerability, primary and secondary loss magnitude, and the readiness checklist.

Run the simulation and Talarity executes a Monte Carlo of 100,000 iterations, sampling each parameter across its range. The Results tab reports ALE at the 10th, 50th, and 90th percentiles plus the mean — and the loss-exceedance curve: the probability of exceeding any given loss. P90 is the prudent number for budgeting; the curve is the picture a board understands.

The FAIR Results tab — ALE at P10 / P50 / P90 and the mean, over the loss-exceedance curve.

The Treatments tab closes the loop with money attached: model a control’s effect on a parameter, re-simulate, and read the baseline-versus-treated comparison — “this control reduces our ALE by 45%.” That is a security investment expressed in the language the budget is written in.

The FAIR Treatments tab — baseline versus treated ALE, with the percentage reduction a control earns.

Not every risk warrants FAIR. Scoring (Step 3) is enough for most of the register. Reserve quantification for the handful where a dollar figure actually changes what you’d do — a budget request, an insurance limit, a board decision. FAIR is the tool you reach for when “high” isn’t specific enough to act on.

Step 7 — Monitor, review, and keep it honest

The lifecycle doesn’t end at “treated.” Each risk carries a review cadence; the register’s Review Queue surfaces what’s overdue. The lifecycle bar tracks the risk through its states, and an acceptance carries an expiry that reopens the risk for re-triage when it lapses. A quantified risk’s ALE flows back onto the register row and into the FAIR governance/approval trail — so the number an auditor reads is the number that was reviewed and signed off.

What you walk away with

  • A register that runs the whole lifecycle on one record — identified, scored, treated, quantified — instead of a list you re-discover at audit time.
  • Inherent and residual scores that make your control story legible: raw exposure, verified controls, and the reduction they earned.
  • A recorded treatment decision — mitigate, transfer, avoid, or accept — with an owner, a cost, an expected reduction, and an outcome, not a silent gap.
  • A FAIR dollar figure for the risks that warrant one — ALE percentiles, a loss-exceedance curve, and a treated-vs-baseline comparison your board can act on.
  • A review cadence and acceptance expiry so a managed risk can’t quietly go stale.

Open /app/risks, log the one risk you’d least like to explain at your next board meeting, set its likelihood and impact, and pick a treatment strategy. If it’s the kind of risk where someone will ask “what would that actually cost us?”, take it through FAIR. You’ll walk into the meeting with a number you can defend — and the trail behind it.

Loading…

See Talarity in action.

A 30-minute walkthrough or a 7-day trial — your call.