Risk Management

March 15, 2026

Learn how to identify, assess, and treat organizational risks using the Imara risk register.

What Is Risk Management?

Risk management is the systematic process of identifying, assessing, and treating threats that could impact an organization's security, compliance, or operations. Frameworks like ISO 27001 and SOC 2 require organizations to maintain a formal risk management program as part of their compliance effort.


The Risk Register

Imara's risk register is a centralized repository where your organization documents all identified risks. Each risk contains:


  • Name and Description — What the risk is and how it may manifest
  • Likelihood — Chance of the risk occurring (Low, Medium, High)
  • Impact — Consequences if the risk materializes (Low, Medium, High)
  • Risk Score — Calculated automatically as likelihood × impact
  • Treatment — How the risk will be addressed (Accept, Mitigate, Transfer, Avoid)
  • Owner — Who is responsible for treating the risk
  • Linked Controls — Which security controls mitigate this risk
  • Linked Vendors — If the risk is associated with a specific vendor

Creating a Risk

  1. Go to Risks in the side menu and click New Risk.
  2. Describe the risk, its cause, and potential consequences.
  3. Assess the inherent likelihood and impact (before controls).
  4. Select the treatment and assess the residual risk (after controls).
  5. Assign an owner and set a review date.

Risk Treatments

  • Mitigate — Implement controls to reduce the likelihood or impact of the risk
  • Accept — Acknowledge the risk and decide not to act (usually for low-impact risks)
  • Transfer — Pass the risk to a third party (e.g., cyber insurance, vendor contract)
  • Avoid — Eliminate the activity that creates the risk

Periodic Reviews

Risks should be reviewed periodically — especially after incidents, significant organizational changes, or audit cycles. Imara supports setting review dates for each risk and sends reminders when the deadline approaches.
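To make the register fields, the inherent-versus-residual assessment from the Creating a Risk steps, and the review reminders concrete, here is an added Python model of a small risk register. It is example code written for this page, not Imara's own implementation or API. The numeric mapping Low=1, Medium=2, High=3, the 14-day reminder window, the validation rules, and the sample risks are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Level(Enum):
    """Likelihood and impact ratings. The 1/2/3 weights are an assumption,
    chosen so that likelihood x impact yields a 1..9 score."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Treatment(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    AVOID = "avoid"


def risk_score(likelihood: Level, impact: Level) -> int:
    """Risk score = likelihood x impact, using the assumed numeric weights."""
    return likelihood.value * impact.value


@dataclass
class Risk:
    """One register entry: the fields listed under The Risk Register, with
    separate inherent (before controls) and residual (after controls) ratings."""
    name: str
    description: str
    inherent_likelihood: Level
    inherent_impact: Level
    treatment: Treatment
    residual_likelihood: Level
    residual_impact: Level
    owner: str
    review_date: date
    linked_controls: list[str] = field(default_factory=list)
    linked_vendors: list[str] = field(default_factory=list)

    def inherent_score(self) -> int:
        return risk_score(self.inherent_likelihood, self.inherent_impact)

    def residual_score(self) -> int:
        return risk_score(self.residual_likelihood, self.residual_impact)

    def review_due(self, today: date, reminder_days: int = 14) -> bool:
        """True when the review date is overdue or within the reminder window."""
        return self.review_date <= today + timedelta(days=reminder_days)


def validate(risk: Risk, today: date) -> list[str]:
    """Consistency checks a reviewer would want before approving an entry.
    The rules are assumptions for this example, not Imara validation logic."""
    findings = []
    if risk.residual_score() > risk.inherent_score():
        findings.append("residual score exceeds inherent score")
    if risk.treatment is Treatment.MITIGATE and not risk.linked_controls:
        findings.append("mitigate treatment has no linked controls")
    if risk.treatment is Treatment.ACCEPT and risk.residual_impact is Level.HIGH:
        findings.append("accepted risk still has high residual impact")
    if risk.review_date < today:
        findings.append("review overdue")
    return findings


def reviews_due(register: list[Risk], today: date, reminder_days: int = 14) -> list[str]:
    """Names of risks whose review reminder should fire, in register order."""
    return [r.name for r in register if r.review_due(today, reminder_days)]


# Constructed sample data; the date matches the page date, the risks are invented.
TODAY = date(2026, 3, 15)
SAMPLE_REGISTER = [
    Risk("Unpatched public web server", "Exploitable known vulnerability on an internet-facing host",
         Level.HIGH, Level.HIGH, Treatment.MITIGATE, Level.LOW, Level.HIGH,
         "platform-lead", date(2026, 3, 20), linked_controls=["Patch management"]),
    Risk("Vendor outage", "Critical SaaS provider becomes unavailable",
         Level.MEDIUM, Level.MEDIUM, Treatment.TRANSFER, Level.LOW, Level.MEDIUM,
         "it-ops", date(2026, 6, 30), linked_vendors=["Example Cloud Provider"]),
    Risk("Stale user accounts", "Leaver accounts remain active after offboarding",
         Level.MEDIUM, Level.HIGH, Treatment.ACCEPT, Level.MEDIUM, Level.HIGH,
         "hr-systems", date(2026, 2, 1)),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name}: inherent={r.inherent_score()} residual={r.residual_score()} "
              f"treatment={r.treatment.value} findings={validate(r, TODAY)}")
    print("reviews due:", reviews_due(SAMPLE_REGISTER, TODAY))
```

Running the script prints each risk's inherent and residual scores alongside any validation findings, then the names of risks whose review reminder is due. The third sample entry illustrates two things a periodic review should catch: a risk accepted despite a high residual impact, and a review date that has already passed.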