Risk Assessments
Risk assessments provide a structured framework for evaluating and scoring risks associated with data products. Each assessment uses a multi-category scoring model and tracks mitigation actions to completion.
Overview
Risk assessments are product-scoped — each assessment is linked to a specific data product within a space. The system supports:
- Multi-category scoring across dimensions like bias, privacy, security, and robustness
- Automatic risk tier computation based on severity × likelihood × impact scores
- Mitigation tracking with owners, deadlines, priorities, and evidence
- Product sync to update a product's risk classification from an assessment
Creating an Assessment
- Navigate to a product's detail page
- Open the Risk Assessment tab
- Click New Assessment and select the type:
  - Initial — First-time risk evaluation
  - Pre-deployment — Before production launch
  - Periodic — Scheduled recurring review
  - Incident — Response to a specific incident
Scoring Model
Each assessment contains one or more evaluations — each representing a risk category:
| Dimension | Scale | Description |
|---|---|---|
| Severity | 1–5 | How serious is the potential harm? |
| Likelihood | 1–5 | How probable is the risk materialising? |
| Impact | 1–5 | How wide-reaching are the consequences? |
Category score = Severity × Likelihood × Impact (max 125)
Overall score = Average of all category scores, normalised to 0–100
Risk Tiers
| Tier | Score Range | Description |
|---|---|---|
| 🔴 Unacceptable | ≥ 80 | Requires immediate action |
| 🟠 High | ≥ 50 | Significant risk, mitigation required |
| 🟡 Limited | ≥ 25 | Manageable risk with monitoring |
| 🟢 Minimal | < 25 | Low risk, standard controls sufficient |
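
The scoring model and tier thresholds above, worked through in Python as an added example (not the platform's own code). It assumes "normalised to 0–100" means dividing the average category score by the 125 maximum and multiplying by 100; the function names and sample evaluations are constructed for illustration.

```python
# Assumption: "normalised to 0-100" means mean category score / 125 * 100.
from statistics import mean

MAX_CATEGORY_SCORE = 125  # 5 x 5 x 5

# (lower bound, tier) pairs from the Risk Tiers table, highest first
TIERS = [(80, "unacceptable"), (50, "high"), (25, "limited"), (0, "minimal")]


def category_score(severity, likelihood, impact):
    """Severity x Likelihood x Impact, each an integer on the 1-5 scale."""
    for name, value in (("severity", severity), ("likelihood", likelihood), ("impact", impact)):
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return severity * likelihood * impact


def overall_score(evaluations):
    """Average category score, normalised to 0-100 (assumed: mean / 125 * 100)."""
    if not evaluations:
        raise ValueError("an assessment needs at least one evaluation")
    scores = [category_score(*dims) for dims in evaluations.values()]
    return mean(scores) / MAX_CATEGORY_SCORE * 100


def risk_tier(score):
    """Map a 0-100 overall score to the tier whose lower bound it meets."""
    return next(tier for bound, tier in TIERS if score >= bound)


def assess(evaluations):
    """Return (overall score rounded to one decimal, tier) for an assessment."""
    score = overall_score(evaluations)
    return round(score, 1), risk_tier(score)


# Constructed sample evaluations: category -> (severity, likelihood, impact)
uniform = {"bias": (4, 4, 4), "privacy": (4, 4, 4), "security": (4, 4, 4)}
diluted = {"security": (5, 5, 5), "bias": (1, 1, 1), "privacy": (1, 1, 1), "robustness": (1, 1, 1)}

if __name__ == "__main__":
    print(assess(uniform))  # every category scores 64 of 125
    print(assess(diluted))  # one category at the 125 maximum, three at 1
```

Under this reading of the formula, the `diluted` sample shows that a single category at the maximum score can average down to the Limited tier when the other categories score low, so per-category scores are worth reviewing alongside the computed tier.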
Mitigation Actions
Each assessment can include mitigation actions to address identified risks:
- Assign an owner and set a deadline
- Track status through `pending` → `in_progress` → `completed`
- Attach evidence (links, issue IDs) to demonstrate completion
- Link to platform issues for formal remediation tracking
- Set priority levels: `low`, `medium`, `high`, `critical`
Mitigation Categories
| Category | Use Case |
|---|---|
| Bias Mitigation | Addressing statistical or demographic bias |
| Retraining | Model or pipeline retraining |
| Robustness Testing | Stress testing and edge cases |
| Privacy Enhancement | Data anonymisation, access controls |
| Explainability | Improving model interpretability |
| Monitoring Improvement | Enhanced alerting and dashboards |
| Process Change | Organisational or procedural changes |
Completing an Assessment
When all evaluations are scored and mitigations are planned:
- Click Complete Assessment
- Review the computed risk tier (or override it)
- Optionally sync to product — this updates the product's `risk_classification` field
- The assessment becomes read-only after completion
Integration with Compliance
Risk assessments feed directly into compliance reporting:
- Assessments appear in the product's Compliance section
- Completed assessments with `unacceptable` or `high` tiers trigger visibility in compliance dashboards
- Mitigation progress is tracked across the organisation