Overview
LowerPlane’s risk management module provides a structured approach to identifying, assessing, treating, and monitoring information security risks. The system supports the full risk management lifecycle required by 50+ compliance frameworks including ISO 27001, SOC 2, HIPAA, GDPR, and PCI-DSS, with tools for risk scoring, treatment tracking, and historical trend analysis.
Risk Registers
Organize and manage risks in dedicated registers with full CRUD operations, owner assignment, and control linking.
Risk Library
Pre-built catalog of common information security risks with industry mappings and framework references.
Risk Overview Dashboard
Real-time dashboard with risk distribution, heat maps, category breakdowns, and top risks by score.
Risk Snapshots
Point-in-time captures of your risk posture for trend analysis and compliance reporting.
Risk Scoring Model
LowerPlane uses a standard Likelihood x Impact matrix to calculate risk scores. Both inherent risk (before controls) and residual risk (after controls) are tracked for every risk.
Scoring Dimensions
| Dimension | Scale | Description |
|---|---|---|
| Likelihood | 1-5 | Probability of the risk materializing |
| Impact | 1-5 | Severity of consequences if the risk occurs |
Likelihood Scale
| Score | Label | Description |
|---|---|---|
| 1 | Rare | Highly unlikely to occur |
| 2 | Unlikely | Not expected but possible |
| 3 | Possible | Reasonable chance of occurring |
| 4 | Likely | Expected to occur in most circumstances |
| 5 | Almost Certain | Will almost certainly occur |
Impact Scale
| Score | Label | Description |
|---|---|---|
| 1 | Negligible | Minimal impact on operations |
| 2 | Minor | Limited impact, easily recoverable |
| 3 | Moderate | Noticeable impact requiring response |
| 4 | Major | Significant impact on operations or reputation |
| 5 | Catastrophic | Severe impact, potential business continuity threat |
Risk Score Calculation
| Score Range | Risk Level | Color |
|---|---|---|
| 1 - 4 | Low | Green |
| 5 - 9 | Medium | Yellow |
| 10 - 16 | High | Orange |
| 17 - 25 | Critical | Red |
Inherent vs. Residual Risk
Every risk in LowerPlane tracks two sets of scores:
- Inherent Risk — the risk level before any controls or treatments are applied. This represents the raw exposure.
- Residual Risk — the risk level after accounting for implemented controls and treatments. This represents the current, managed risk.
Risk Treatments
Each risk must have a documented treatment strategy:
| Treatment | Description | When to Use |
|---|---|---|
| Mitigate | Implement controls to reduce likelihood or impact | Most common — apply security controls to reduce the risk |
| Accept | Acknowledge the risk and take no further action | Risk is within tolerance or cost of mitigation exceeds potential loss |
| Transfer | Shift the risk to a third party | Insurance policies, outsourcing to specialized providers |
| Avoid | Eliminate the risk source entirely | Stop the activity that creates the risk |
Every risk should have a documented treatment, even if the treatment is “Accept.” Auditors expect to see a deliberate decision for each identified risk, not gaps where no treatment has been selected.
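To make the scoring model and the treatment rule concrete, here is an added example in Python. It is not LowerPlane code and does not use the product's API; it encodes the Likelihood x Impact tables above, tracks inherent and residual scores per risk, and runs two reviewer checks that are my own assumptions rather than product rules: a residual score should not exceed the inherent score on either dimension (controls reduce exposure, they do not add to it), and every risk needs a documented treatment, "Accept" included. The `Risk` dataclass, `review_findings` helper and the sample risks are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Scale labels as given in the Likelihood and Impact tables.
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT_LABELS = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}


class Treatment(Enum):
    MITIGATE = "Mitigate"
    ACCEPT = "Accept"
    TRANSFER = "Transfer"
    AVOID = "Avoid"


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact; both dimensions must be on the 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a 1-25 score onto the four bands of the Risk Score Calculation table."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 16:
        return "High"
    return "Critical"


@dataclass
class Risk:
    """Hypothetical risk record (assumed shape, not the product's data model)."""
    title: str
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int
    residual_impact: int
    treatment: Optional[Treatment] = None  # None models a risk with no treatment recorded

    def inherent_score(self) -> int:
        return risk_score(self.inherent_likelihood, self.inherent_impact)

    def residual_score(self) -> int:
        return risk_score(self.residual_likelihood, self.residual_impact)

    def summary(self) -> dict:
        inh, res = self.inherent_score(), self.residual_score()
        return {
            "title": self.title,
            "inherent": f"{inh} ({risk_level(inh)})",
            "residual": f"{res} ({risk_level(res)})",
            "treatment": self.treatment.value if self.treatment else None,
        }


def review_findings(risks: list) -> list:
    """Consistency checks a reviewer would want before approval (assumed, not product rules).

    - a residual dimension above its inherent dimension points at an assessment error
    - every risk needs a documented treatment, 'Accept' included
    """
    findings = []
    for r in risks:
        if r.treatment is None:
            findings.append(f"{r.title}: no treatment documented")
        if (r.residual_likelihood > r.inherent_likelihood
                or r.residual_impact > r.inherent_impact):
            findings.append(f"{r.title}: residual exceeds inherent; re-check the assessment")
    return findings


# Constructed sample data, not from a real register.
SAMPLE_RISKS = [
    Risk("Credential compromise", 4, 5, 2, 5, Treatment.MITIGATE),
    Risk("Stolen laptop", 3, 3, 3, 1, Treatment.MITIGATE),
    Risk("Vendor outage", 2, 3, 2, 3),                       # treatment missing on purpose
    Risk("Misentered risk", 2, 2, 3, 2, Treatment.ACCEPT),   # residual above inherent
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.summary())
    for f in review_findings(SAMPLE_RISKS):
        print("FINDING:", f)
```

Note that because the score is a product of two integers from 1 to 5, some values inside the bands (17, 18, 19, 21, 22, 23, 24) can never occur; the band boundaries still classify every reachable score unambiguously.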
Risk Categories
Risks are organized into categories that align with common information security domains:
| Category | Examples |
|---|---|
| AI & Machine Learning | Model bias, adversarial attacks, training data leakage |
| Data Privacy | Unauthorized data access, consent violations, data breach |
| Data Protection | Encryption failures, backup gaps, data loss |
| Endpoint Security | Malware infection, unpatched endpoints, stolen devices |
| Governance & Controls | Policy gaps, audit failures, compliance drift |
| Identity & Access | Credential compromise, excessive privileges, orphaned accounts |
| Incident Response | Slow detection, inadequate response procedures |
| Infrastructure | Server outages, configuration drift, capacity issues |
| Network & Perimeter | Firewall misconfiguration, DDoS, unauthorized access |
| Payment Security | Card data exposure, PCI non-compliance |
| SDLC & DevOps | Insecure code, supply chain attacks, deployment risks |
| Source Code | Code leakage, IP theft, unauthorized repositories |
| Vendor Management | Third-party breach, vendor non-compliance |
| Workforce | Insider threats, social engineering, insufficient training |
Risk Statuses
| Status | Description |
|---|---|
| Draft | Risk identified but not yet fully assessed |
| Needs Review | Risk requires review by a risk owner or committee |
| Awaiting Submission | Risk is being prepared for formal submission |
| Pending Approval | Risk has been submitted and awaits management approval |
| Requested Changes | Reviewer has requested modifications |
| Approved | Risk has been formally accepted with its treatment plan |
Risk Overview Dashboard
The overview dashboard provides a real-time summary of your risk posture:
- Risk Heat Map — visual matrix showing risk distribution by likelihood and impact
- Risk Distribution — pie chart of risks by level (critical, high, medium, low)
- Category Breakdown — bar chart showing risk counts by category
- Top Risks — table of highest-scored risks requiring attention
- Treatment Summary — distribution of risks by treatment type
- Trend Indicators — showing whether risk posture is improving, stable, or worsening
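The six dashboard views above are all aggregations over the register, and the added example below (Python, not LowerPlane code) computes each of them from a constructed sample register of residual scores: the 5x5 heat map, the distribution by level, the category breakdown, the top risks, the treatment summary, and a trend indicator. The trend rule is an assumption of mine: it compares the total residual score of two snapshots and treats a change within a tolerance as stable; the product's own trend logic is not described on the page. The register entries, categories and treatments are sample values drawn from the tables on this page.

```python
from collections import Counter

# Constructed sample register holding residual likelihood/impact; not real data.
REGISTER = [
    {"title": "Credential compromise", "category": "Identity & Access",
     "likelihood": 4, "impact": 5, "treatment": "Mitigate"},
    {"title": "Training data leakage", "category": "AI & Machine Learning",
     "likelihood": 3, "impact": 4, "treatment": "Mitigate"},
    {"title": "Unpatched endpoints", "category": "Endpoint Security",
     "likelihood": 3, "impact": 3, "treatment": "Mitigate"},
    {"title": "Third-party breach", "category": "Vendor Management",
     "likelihood": 2, "impact": 4, "treatment": "Transfer"},
    {"title": "Capacity shortfall", "category": "Infrastructure",
     "likelihood": 2, "impact": 2, "treatment": "Accept"},
]


def risk_level(score):
    """Bands from the Risk Score Calculation table."""
    return "Low" if score <= 4 else "Medium" if score <= 9 else "High" if score <= 16 else "Critical"


def score(risk):
    return risk["likelihood"] * risk["impact"]


def heat_map(risks):
    """5x5 count matrix indexed [likelihood-1][impact-1]."""
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        grid[r["likelihood"] - 1][r["impact"] - 1] += 1
    return grid


def render_heat_map(grid):
    """Text rendering: rows are likelihood 5..1 top to bottom, columns impact 1..5."""
    lines = ["L\\I  " + "  ".join(str(i) for i in range(1, 6))]
    for likelihood in range(5, 0, -1):
        lines.append(f"{likelihood}    " + "  ".join(str(c) for c in grid[likelihood - 1]))
    return "\n".join(lines)


def level_distribution(risks):
    counts = Counter(risk_level(score(r)) for r in risks)
    return {lvl: counts.get(lvl, 0) for lvl in ("Critical", "High", "Medium", "Low")}


def category_breakdown(risks):
    return dict(Counter(r["category"] for r in risks))


def top_risks(risks, n=3):
    """Highest-scored risks first; ties broken by title for a stable table."""
    ranked = sorted(risks, key=lambda r: (-score(r), r["title"]))
    return [(r["title"], score(r), risk_level(score(r))) for r in ranked[:n]]


def treatment_summary(risks):
    return dict(Counter(r["treatment"] for r in risks))


def total_score(risks):
    """Aggregate stored per snapshot for comparison over time."""
    return sum(score(r) for r in risks)


def trend(previous_total, current_total, tolerance=0.05):
    """Assumed trend rule: relative change in total residual score between two snapshots."""
    if previous_total == 0:
        return "stable" if current_total == 0 else "worsening"
    change = (current_total - previous_total) / previous_total
    if change <= -tolerance:
        return "improving"
    if change >= tolerance:
        return "worsening"
    return "stable"


if __name__ == "__main__":
    print(render_heat_map(heat_map(REGISTER)))
    print(level_distribution(REGISTER))
    print(category_breakdown(REGISTER))
    print(top_risks(REGISTER))
    print(treatment_summary(REGISTER))
    # Constructed earlier snapshot total of 60 versus the current register.
    print(trend(previous_total=60, current_total=total_score(REGISTER)))
```

The heat map is built on residual scores because that is the managed posture the dashboard is meant to show; feeding it inherent scores instead gives the raw-exposure view, which is useful side by side when arguing that a control investment has paid off.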
CIA Triad Classification
Risks can optionally be classified by their CIA triad category:
- Confidentiality — risks related to unauthorized information disclosure
- Integrity — risks related to unauthorized modification of data or systems
- Availability — risks related to disruption of services or data access
Integration with Other Modules
Risk management connects to multiple areas of the platform:
- Controls — risks can be linked to specific controls, showing which controls mitigate which risks
- Vendors — risks can be linked to vendors, enabling vendor-specific risk tracking
- Compliance — risk registers and treatment plans serve as evidence for framework controls
- Snapshots — point-in-time captures support trend analysis and compliance reporting
Next Steps
Risk Register
Create and manage your risk registers.
Risk Library
Browse pre-built risks to populate your register.
Risk Snapshots
Capture and compare risk posture over time.