Risk Assessment
A structured risk assessment report with risk register, probability/impact matrix, mitigation strategies, and ownership tracking.
{
"risks": [
{
"id": "RSK-001",
"title": "Advanced Persistent Threat (APT) Targeting Product Infrastructure",
"scoring": {
"impact": 5,
"likelihood": 4,
"risk_level": "Critical",
"risk_score": 20
},
"category": "Cybersecurity",
"mitigation": {
"owner": "Marcus Cole",
"action": "Implement continuous red team exercises and third-party penetration testing quarterly. Expand SBOM (Software Bill of Materials) coverage to 100% of product releases.",
"status": "In Progress",
"due_date": "2026-06-30"
},
"description": "Nation-state or sophisticated threat actors may target Acme's own infrastructure to compromise product pipelines, exfiltrate threat intelligence data, or embed backdoors in software releases.",
"residual_risk": {
"impact": 5,
"likelihood": 2,
"residual_level": "Medium",
"residual_score": 10
},
"current_controls": [
"24/7 internal SOC monitoring via PulseWatch",
"Software supply chain integrity checks (SLSA Level 3)",
"Privileged access management (PAM) enforced across all engineering systems"
]
},
{
"id": "RSK-002",
"title": "Zero-Day Vulnerability in Core Product",
"scoring": {
"impact": 5,
"likelihood": 3,
"risk_level": "High",
"risk_score": 15
},
"category": "Cybersecurity",
"mitigation": {
"owner": "Dr. Priya Nambiar",
"action": "Establish a dedicated Product Security Incident Response Team (PSIRT). Increase bug bounty ceiling to $100K and expand researcher network.",
"status": "Planned",
"due_date": "2026-05-15"
},
"description": "An undisclosed vulnerability in ThreatRadar SIEM or VaultShield EDR could be exploited before a patch is available, potentially compromising thousands of enterprise customer environments.",
"residual_risk": {
"impact": 5,
"likelihood": 2,
"residual_level": "Medium",
"residual_score": 10
},
"current_controls": [
"Secure SDLC with mandatory SAST/DAST scans",
"Bug bounty program (HackerOne) with $50K max reward",
"Coordinated vulnerability disclosure policy"
]
},
{
"id": "RSK-003",
"title": "Customer Data Breach via Insider Threat",
"scoring": {
"impact": 4,
"likelihood": 3,
"risk_level": "Medium",
"risk_score": 12
},
"category": "Data & Privacy",
"mitigation": {
"owner": "Yuki Tanaka",
"action": "Deploy User and Entity Behavior Analytics (UEBA) across all high-privilege accounts. Implement quarterly access reviews and automatic de-provisioning workflows.",
"status": "In Progress",
"due_date": "2026-07-31"
},
"description": "A malicious or negligent insider with privileged access could exfiltrate sensitive customer telemetry, threat intelligence feeds, or PII stored within managed SOC environments.",
"residual_risk": {
"impact": 4,
"likelihood": 2,
"residual_level": "Medium",
"residual_score": 8
},
"current_controls": [
"Role-based access control (RBAC) with least privilege enforcement",
"Data loss prevention (DLP) tools on all endpoints",
"Annual security awareness training with phishing simulations"
]
},
{
"id": "RSK-004",
"title": "Non-Compliance with Evolving Global Data Regulations",
"scoring": {
"impact": 4,
"likelihood": 4,
"risk_level": "High",
"risk_score": 16
},
"category": "Regulatory & Compliance",
"mitigation": {
"owner": "Yuki Tanaka",
"action": "Retain external regulatory counsel in EU and APAC markets. Implement automated compliance monitoring via GRC platform. Achieve FedRAMP Moderate authorization by Q4 2026.",
"status": "In Progress",
"due_date": "2026-12-31"
},
"description": "Rapid changes in privacy, data sovereignty, AI and cyber-disclosure regulation (EU AI Act, SEC cyber disclosure rules, state-level privacy laws) could expose Acme to fines, contract penalties, or loss of operating licenses in key markets.",
"residual_risk": {
"impact": 3,
"likelihood": 2,
"residual_level": "Low",
"residual_score": 6
},
"current_controls": [
"SOC 2 Type II and ISO 27001 certifications maintained",
"Dedicated compliance team with regulatory monitoring subscriptions",
"GDPR and CCPA data processing agreements in place with all customers"
]
},
{
"id": "RSK-005",
"title": "Cloud Infrastructure Outage Impacting SaaS Availability",
"scoring": {
"impact": 4,
"likelihood": 3,
"risk_level": "Medium",
"risk_score": 12
},
"category": "Operational",
"mitigation": {
"owner": "Marcus Cole",
"action": "Complete multi-cloud redundancy for all Tier-1 services by Q3 2026. Conduct bi-annual disaster recovery drills with full failover simulation.",
"status": "Planned",
"due_date": "2026-09-30"
},
"description": "A major outage at a primary cloud provider (AWS or Azure) could disrupt PulseWatch SOC Platform and SecurePassage Zero Trust services, violating enterprise SLAs and triggering financial penalties.",
"residual_risk": {
"impact": 3,
"likelihood": 1,
"residual_level": "Low",
"residual_score": 3
},
"current_controls": [
"Multi-region active-active deployment on AWS and Azure",
"Automated failover supporting the contractual 99.99% uptime SLA",
"Runbook-driven incident response with RTO < 15 minutes"
]
},
{
"id": "RSK-006",
"title": "Compromise of Critical Third-Party Software Dependency",
"scoring": {
"impact": 5,
"likelihood": 3,
"risk_level": "High",
"risk_score": 15
},
"category": "Third-Party & Supply Chain",
"mitigation": {
"owner": "Marcus Cole",
"action": "Require SLSA Build Level 3 provenance (the highest level defined in SLSA v1.0; 'Level 4' exists only in the superseded v0.1 draft) from all critical dependencies, and verify that provenance before the dependency is admitted to a build. Introduce isolated build environments and cryptographic signing for all release artifacts.",
"status": "Planned",
"due_date": "2026-08-31"
},
"description": "A supply chain attack targeting an open-source library or third-party vendor embedded in Acme products (similar to Log4Shell or SolarWinds) could introduce vulnerabilities at scale across the customer base.",
"residual_risk": {
"impact": 4,
"likelihood": 2,
"residual_level": "Medium",
"residual_score": 8
},
"current_controls": [
"Automated dependency scanning via Snyk and Dependabot",
"Internal SBOM maintained for all production builds",
"Vendor security questionnaire process for all Tier-1 suppliers"
]
},
{
"id": "RSK-007",
"title": "Revenue Concentration Risk – Top 5 Customers",
"scoring": {
"impact": 4,
"likelihood": 2,
"risk_level": "Medium",
"risk_score": 8
},
"category": "Financial",
"mitigation": {
"owner": "Rafael Osei",
"action": "Diversify customer base by accelerating mid-market GTM motion. Target top customer concentration below 25% of ARR by end of FY2027.",
"status": "Planned",
"due_date": "2027-01-01"
},
"description": "The top 5 enterprise customers account for 38% of ARR. Loss of one or more due to competitive displacement, acquisition, or dissatisfaction would materially impact revenue projections.",
"residual_risk": {
"impact": 4,
"likelihood": 1,
"residual_level": "Low",
"residual_score": 4
},
"current_controls": [
"Executive sponsor program for all accounts over $5M ARR",
"Quarterly business reviews (QBRs) with top 20 customers",
"Multi-year contract structures with early renewal incentives"
]
},
{
"id": "RSK-008",
"title": "Loss of Key Security Research Talent",
"scoring": {
"impact": 3,
"likelihood": 3,
"risk_level": "Medium",
"risk_score": 9
},
"category": "Human Resources",
"mitigation": {
"owner": "Dr. Priya Nambiar",
"action": "Introduce retention bonuses for top 10% of research staff. Build internal knowledge management system to reduce single-person dependency. Partner with 3 universities for talent pipeline.",
"status": "In Progress",
"due_date": "2026-06-30"
},
"description": "Acme's competitive advantage relies heavily on a small team of elite threat researchers. Departure of key individuals to competitors or government agencies could erode product differentiation and innovation velocity.",
"residual_risk": {
"impact": 3,
"likelihood": 2,
"residual_level": "Low",
"residual_score": 6
},
"current_controls": [
"Competitive compensation benchmarked annually against top-quartile peers",
"4-year equity vesting with 1-year cliff",
"Dedicated R&D budget and conference speaking opportunities"
]
}
],
"company": {
"name": "Acme Technologies, Inc.",
"founded": 2014,
"industry": "Cybersecurity",
"products": [
"ThreatRadar SIEM",
"VaultShield EDR",
"SecurePassage Zero Trust",
"PulseWatch SOC Platform"
],
"employees": 1840,
"headquarters": {
"zip": "78702",
"city": "Austin",
"state": "TX",
"street": "1800 Cipher Way"
},
"annual_revenue": 320000000
},
"assessment": {
"scope": "All business units, infrastructure, products, and third-party integrations",
"title": "Enterprise Risk Assessment Report",
"status": "Final",
"version": "2.1",
"framework": "NIST CSF 2.0 / ISO 27001",
"classification": "Confidential",
"assessment_date": "2026-03-18",
"next_review_date": "2026-09-18"
},
"risk_summary": {
"by_level": {
"low": 0,
"high": 3,
"medium": 4,
"critical": 1
},
"by_category": {
"financial": 1,
"operational": 1,
"cybersecurity": 2,
"human_resources": 1,
"data_and_privacy": 1,
"regulatory_and_compliance": 1,
"third_party_and_supply_chain": 1
},
"risk_reduction_pct": 48.5,
"total_risks_identified": 8,
"average_inherent_risk_score": 13.4,
"average_residual_risk_score": 6.9
},
"assessment_team": {
"lead": {
"name": "Dr. Priya Nambiar",
"email": "p.nambiar@Acme.com",
"title": "Chief Information Security Officer"
},
"members": [
{
"name": "Marcus Cole",
"title": "VP of Engineering",
"department": "Engineering"
},
{
"name": "Yuki Tanaka",
"title": "Director of Compliance",
"department": "Legal & Compliance"
},
{
"name": "Rafael Osei",
"title": "Senior Risk Analyst",
"department": "Risk Management"
}
],
"external_auditor": {
"firm": "Veridia Risk Group",
"lead_auditor": "Sandra Hewitt",
"engagement_id": "VRG-2026-0041"
}
},
"recommendations": {
"immediate_actions": {
"items": [
"Escalate APT defenses with expanded red team cadence (RSK-001)",
"Form PSIRT team and double bug bounty ceiling (RSK-002)",
"Begin FedRAMP Moderate authorization process (RSK-004)"
],
"deadline": "2026-04-30",
"priority": "Critical"
},
"long_term_actions": {
"items": [
"Reduce top customer ARR concentration below 25% (RSK-007)",
"Finalize university talent pipeline partnerships (RSK-008)"
],
"deadline": "2027-01-01",
"priority": "Medium"
},
"short_term_actions": {
"items": [
"Deploy UEBA for all privileged accounts (RSK-003)",
"Complete multi-cloud redundancy for Tier-1 services (RSK-005)",
"Require and verify SLSA Build Level 3 provenance for critical dependencies – SLSA v1.0 defines no Level 4 (RSK-006)"
],
"deadline": "2026-09-30",
"priority": "High"
}
},
"risk_scoring_methodology": {
"risk_bands": {
"low": "1–6",
"high": "13–19",
"medium": "7–12",
"critical": "20–25"
},
"impact_scale": {
"1": "Negligible – no material effect",
"2": "Minor – limited operational disruption",
"3": "Moderate – significant but recoverable",
"4": "Major – substantial financial or reputational damage",
"5": "Catastrophic – existential threat to business"
},
"likelihood_scale": {
"1": "Rare – once in 10+ years",
"2": "Unlikely – once in 5–10 years",
"3": "Possible – once in 2–5 years",
"4": "Likely – once per year",
"5": "Almost Certain – multiple times per year"
},
"risk_score_formula": "likelihood x impact"
}
}