Risk Management
From risk register to risk intelligence.
Centralised risk register with probability-by-impact matrix, automated risk scoring from real-time signals including vulnerability data, incident trends, and vendor risks, scenario simulation, and board-ready risk reporting. Maps risks to NIS2 Article 21(2)(a) and DORA Article 6 requirements.
What you get
Risk Register with Probability-Impact Matrix
Centralised risk register with customisable probability and impact scales, risk categorisation (strategic, operational, compliance, technical), and a visual matrix that plots all risks by severity. Risks are linked to specific assets, processes, vendors, and framework requirements for full traceability.
Automated Risk Scoring from Live Signals
Risk scores are dynamically updated based on real-time signals from vulnerability scanners, incident management, vendor risk assessments, and threat intelligence feeds. When a new critical vulnerability affects your infrastructure or a key vendor's security grade drops, affected risk scores adjust automatically.
Scenario Simulation (Arena)
The Arena simulation engine models 'what-if' scenarios: what happens to your risk posture if a critical vendor is breached, if a new zero-day affects your primary platform, or if you delay a security control implementation by 6 months. Monte Carlo simulation quantifies potential impact ranges for informed decision-making.
Risk Treatment Tracking
Track risk treatment decisions (accept, mitigate, transfer, avoid) with full approval chains and audit trails. Each treatment links to specific actions, responsible owners, and deadlines. Treatment effectiveness is measured over time by monitoring whether residual risk decreases as planned.
Board-Ready Risk Reports
Generate executive risk reports with one click, presenting top risks, risk trends, treatment progress, and residual risk levels in language and formats suitable for board members and non-technical executives. Reports align to NIS2 Article 20 management body responsibilities.
Cross-Framework Risk Mapping
Risks are mapped to specific regulatory requirements across frameworks. A data breach risk maps to GDPR Article 33 breach notification, NIS2 Article 23 incident reporting, and DORA Article 19 ICT-related incident classification. This ensures risk treatment plans address all applicable regulatory obligations simultaneously.
How it works
Identify Risks
Catalogue risks through structured risk identification workshops, automated discovery from connected systems, or import from existing risk registers. Each risk is categorised by type, linked to affected assets and processes, and assigned an initial owner.
Assess & Score
Assess each risk using configurable probability and impact scales, enriched by automated signals from vulnerability data, incident history, and vendor assessments. Risk scores combine qualitative expert judgement with quantitative data for more accurate prioritisation.
Treat & Mitigate
Define treatment plans for each risk — mitigate with specific controls, transfer via insurance or contract, accept with documented rationale, or avoid by eliminating the risk source. Treatment actions are assigned to owners with deadlines and tracked to completion.
Report to Board
Generate board-ready risk reports showing the top risk landscape, movement trends, treatment progress, and residual risk levels. Reports satisfy NIS2 Article 20 requirements for management body awareness and DORA Article 5 governance and control requirements.
Built for your team
Strategic Risk Oversight
The CISO uses the risk dashboard to present quarterly risk posture to the board, satisfying NIS2 Article 20 management body oversight requirements. The Arena simulator models the impact of proposed security investments — demonstrating that a 200K EUR investment in network segmentation would reduce 3 high-severity risks to medium, helping justify the budget to non-technical board members.
Operational Risk Management
The risk manager maintains the daily operational risk register, receiving automated alerts when risk scores change due to new vulnerabilities, vendor downgrades, or incident trends. They update treatment plans, track remediation progress, and escalate risks that exceed appetite thresholds. The cross-framework mapping ensures each risk treatment addresses all applicable regulatory requirements.
Governance Risk Reporting
Board members receive monthly risk reports in clear, non-technical language showing top 10 risks, trend direction, and treatment status. The NIS2 Article 20 compliance dashboard confirms the management body is fulfilling its oversight obligations. Board members can drill into any risk for additional detail without requesting a separate briefing.
Supports your compliance stack
Common questions
How does the automated risk scoring methodology work?
Risk scores combine qualitative assessments (expert-assigned probability and impact ratings) with quantitative signals from connected systems. Vulnerability data adjusts technical risk scores based on actual exposure. Incident frequency trends inform likelihood estimates. Vendor risk grades feed into supply chain risk scores. The composite score is weighted by asset criticality and recalculated continuously. This hybrid approach ensures risk scores reflect both expert judgement and real-time evidence, not just annual assessment snapshots.
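As an added illustration of the hybrid scoring described above (not FortisEU's own formula or code), the following Python computes a composite score from expert ratings and live signals. Everything below is an assumption chosen for the example: 1 to 5 probability and impact scales, an asset-criticality multiplier, the specific adjustment rules for vulnerability, incident and vendor signals, the band thresholds, and the sample register.

```python
"""Composite risk score: expert ratings adjusted by live signals.

Added illustration, not FortisEU's scoring formula. Assumed here: 1..5
probability and impact scales, an asset-criticality multiplier, and the
specific adjustment rules for vulnerability, incident and vendor signals.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    name: str
    probability: int          # expert rating, 1 (rare) .. 5 (almost certain)
    impact: int               # expert rating, 1 (negligible) .. 5 (severe)
    asset_criticality: float  # multiplier from the asset register, e.g. 0.5 .. 2.0

    def __post_init__(self):
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError("probability and impact must be on the 1..5 scale")


@dataclass
class Signals:
    max_cvss_exposed: float = 0.0       # highest CVSS of an unpatched vuln reachable on linked assets
    incidents_last_90d: int = 0         # incidents tagged to this risk in the last quarter
    vendor_grade: Optional[str] = None  # letter grade of a linked vendor, A (best) .. F


def adjusted_probability(risk: Risk, signals: Signals) -> float:
    """Evidence raises the expert likelihood rating; it never lowers it below
    the expert's own estimate, and it is capped at the top of the scale."""
    p = float(risk.probability)
    if signals.max_cvss_exposed >= 9.0:      # critical, exploitable exposure
        p += 2.0
    elif signals.max_cvss_exposed >= 7.0:    # high exposure
        p += 1.0
    if signals.incidents_last_90d >= 3:      # recurring incidents on this risk
        p += 1.0
    if signals.vendor_grade in ("D", "E", "F"):  # linked vendor downgraded
        p += 1.0
    return min(p, 5.0)


def composite_score(risk: Risk, signals: Signals) -> float:
    """probability x impact, weighted by how critical the linked assets are."""
    return adjusted_probability(risk, signals) * risk.impact * risk.asset_criticality


def severity_band(score: float) -> str:
    """Bands on the criticality-weighted score (max 50 with a 2.0 multiplier)."""
    if score >= 25:
        return "critical"
    if score >= 16:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rescore(register: List[Risk], live: Dict[str, Signals]) -> List[Tuple[str, float, str]]:
    """Recompute every risk with its current signals and return them prioritised,
    highest score first. Risks with no live signals keep their expert-only score."""
    rows = []
    for r in register:
        score = composite_score(r, live.get(r.name, Signals()))
        rows.append((r.name, score, severity_band(score)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def changed_bands(before, after) -> List[str]:
    """Names of risks whose band moved between two rescoring runs: the ones worth an alert."""
    prev = {name: band for name, _, band in before}
    return [name for name, _, band in after if prev.get(name) != band]


# Constructed sample register for the example.
REGISTER = [
    Risk("Exploitation of internet-facing web tier", probability=2, impact=4, asset_criticality=1.5),
    Risk("Payroll provider compromise", probability=2, impact=3, asset_criticality=1.0),
    Risk("Loss of office printer availability", probability=3, impact=1, asset_criticality=0.5),
]

if __name__ == "__main__":
    quiet = rescore(REGISTER, {})
    # Constructed signals: a critical vuln lands on the web tier and the payroll vendor is downgraded.
    live = {
        "Exploitation of internet-facing web tier": Signals(max_cvss_exposed=9.8),
        "Payroll provider compromise": Signals(vendor_grade="D", incidents_last_90d=1),
    }
    noisy = rescore(REGISTER, live)
    for name, score, band in noisy:
        print(f"{score:5.1f} {band:8} {name}")
    print("band changes to alert on:", changed_bands(quiet, noisy))
```

The design point is that signals only push likelihood upward and are capped at the scale maximum, so the expert's baseline is never silently lowered by a quiet scanner, and the criticality multiplier is what separates an exposed crown-jewel system from an exposed printer at the same probability-impact cell.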
How does FortisEU map risks to NIS2 Article 21 requirements?
NIS2 Directive 2022/2555 Article 21(2)(a) requires essential and important entities to implement risk analysis and information systems security policies. FortisEU maps each risk in the register to the specific Article 21(2) sub-requirements it relates to — access control risks to Article 21(2)(i), supply chain risks to Article 21(2)(d), incident response risks to Article 21(2)(b), and business continuity risks to Article 21(2)(c). This mapping ensures your risk treatment plans are regulatory-complete and audit-traceable.
What does DORA Article 6 require for risk management?
DORA Regulation 2022/2554 Article 6 requires financial entities to establish an ICT risk management framework as part of their overall risk management system. This includes risk identification, protection and prevention measures, detection capabilities, response and recovery procedures, and learning and communication processes. FortisEU's risk management module is structured to satisfy each of these DORA Article 6 pillars, with automated mapping between identified risks and the required management processes.
How does FortisEU approach risk quantification?
FortisEU supports both qualitative risk assessment (probability-impact matrices with configurable scales) and quantitative risk analysis via the Arena simulation engine. Quantitative analysis uses Monte Carlo simulation to model potential financial impact ranges for key risk scenarios. Factor Analysis of Information Risk (FAIR) methodology can be applied to translate risk scenarios into annualised loss expectancy figures. This dual approach provides intuitive risk visualisation for boards alongside rigorous financial quantification for risk transfer and investment decisions.
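To make the quantitative side concrete, here is an added Python example of a Monte Carlo loss estimate in FAIR terms; it is not Arena's engine or FortisEU code. It assumes FAIR's top-level decomposition (annual loss = loss event frequency times loss magnitude), uses min / most-likely / max estimates turned into PERT distributions (one common calibration technique, assumed here), and the two scenarios, their figures and the control cost are constructed to mirror the network-segmentation investment discussed elsewhere on this page.

```python
"""Monte Carlo quantification of a risk scenario in FAIR terms.

Added example, not FortisEU/Arena code. Assumes the FAIR decomposition
(annual loss = loss event frequency x loss magnitude) and models each
min / most-likely / max estimate as a PERT distribution. All figures are constructed.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Scenario:
    name: str
    lef: Tuple[float, float, float]   # loss event frequency, events/year (min, most likely, max)
    loss: Tuple[float, float, float]  # loss magnitude per event in EUR (min, most likely, max)


def pert_sample(rng: random.Random, low: float, mode: float, high: float, lam: float = 4.0) -> float:
    """Draw from a PERT distribution: a beta distribution rescaled to [low, high]
    whose shape is set by the most-likely value."""
    if not low <= mode <= high:
        raise ValueError("expected low <= mode <= high")
    if high == low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def pert_mean(low: float, mode: float, high: float, lam: float = 4.0) -> float:
    """Closed-form mean of the PERT distribution, used as a sanity check on the simulation."""
    return (low + lam * mode + high) / (lam + 2)


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of loss events in a year given a rate (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_year(rng: random.Random, s: Scenario) -> float:
    """One simulated year: draw the event rate, the number of events, then sum per-event losses."""
    rate = pert_sample(rng, *s.lef)
    events = poisson_sample(rng, rate)
    return sum(pert_sample(rng, *s.loss) for _ in range(events))


def percentile(sorted_vals, q: float) -> float:
    return sorted_vals[int(round(q * (len(sorted_vals) - 1)))]


def run(s: Scenario, trials: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Simulate many years and summarise the annual loss distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, s) for _ in range(trials))
    return {
        "ale_mean": sum(losses) / trials,             # annualised loss expectancy
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),               # the "bad year" figure boards ask about
        "p_any_loss": sum(1 for x in losses if x > 0) / trials,
    }


def analytic_ale(s: Scenario) -> float:
    """Expected annual loss without simulation: E[rate] x E[loss per event]."""
    return pert_mean(*s.lef) * pert_mean(*s.loss)


def control_value(baseline: Scenario, treated: Scenario, annual_control_cost: float, **kw) -> float:
    """Expected annual loss avoided minus the control's cost; positive means the
    control pays for itself on expectation. Same seed for both runs so the
    comparison uses common random numbers."""
    reduction = run(baseline, **kw)["ale_mean"] - run(treated, **kw)["ale_mean"]
    return reduction - annual_control_cost


# Constructed scenarios: ransomware on the primary platform, before and after segmentation.
BASELINE = Scenario("Ransomware on primary platform, flat network",
                    lef=(0.1, 0.3, 1.0), loss=(50_000, 400_000, 3_000_000))
SEGMENTED = Scenario("Same scenario after network segmentation",
                     lef=(0.1, 0.3, 1.0), loss=(20_000, 150_000, 800_000))

if __name__ == "__main__":
    for s in (BASELINE, SEGMENTED):
        r = run(s)
        print(f"{s.name}: ALE {r['ale_mean']:,.0f} EUR, P50 {r['p50']:,.0f}, P90 {r['p90']:,.0f}, "
              f"P(loss) {r['p_any_loss']:.0%} (analytic ALE {analytic_ale(s):,.0f})")
    print(f"net expected value of segmentation at 60k EUR/yr: {control_value(BASELINE, SEGMENTED, 60_000):,.0f} EUR")
```

Reporting P90 alongside the mean matters: an ALE of a few hundred thousand euros can hide a one-in-ten-year loss several times larger, and that tail, not the average, is usually what drives the transfer-versus-mitigate decision.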
How does the risk module integrate with other FortisEU features?
The risk management module is deeply integrated across the platform. Vendor risk grades from vendor risk management automatically feed into supply chain risk scores. Incident data from incident management updates risk likelihood estimates. Compliance gaps from compliance automation surface as compliance risks. Evidence freshness from evidence collection affects control effectiveness assessments. This integration creates a unified risk picture that reflects your actual security posture rather than a static, siloed risk register.
Related features
Compliance Automation
Map once. Comply everywhere.
Vendor Risk Management
See your supply chain risk. Before regulators do.
Incident Management
From detection to regulatory report. Every deadline tracked.
Executive Dashboards
Board-ready compliance intelligence. Not another spreadsheet.
See Risk Management in Action
Create an account and explore the platform, or talk to our team about enterprise deployment.