RiskTree is a process for understanding, recording, and managing risks.

The process uses workshops to build tree structures that define the risks – we call these RiskTrees. RiskTrees are a straightforward way of showing the relationship between different types of risks. We provide the tools to create and manage them, following a standard risk management cycle:

  • Workshops are used to identify the risks and thus build up a RiskTree using the RiskTree Designer.
  • Next, the risks are assessed in a consistent way and with consensus from the participants.
  • The RiskTree Processor analyses the risks to provide a prioritized list.
  • Finally, the risks are placed into a risk register so that they can be tracked and managed.

The RiskTree process provides a structured and systematic way of cataloguing the risks to a system or process. It's not full of technical jargon, and the best trees are formed in a collaborative process that closely involves the business – this will deliver the greatest benefits. The risks are captured in the language used by the participants of a workshop, and then assessed. The assessments for each risk are recorded onto the RiskTree, and are then processed by the RiskTree Processor tool. This returns a prioritized list of risks that can be compared to the organization's risk appetite, and which can immediately form the core of a risk register.

RiskTree can take your threats into account in its risk assessment. It also captures the countermeasures deployed to mitigate your risks, and presents a 'before and after' view.

All of the data used by RiskTree is stored in JSON files, a standard, independent, human-readable format. The trees, assessment reports, and all associated data such as tag, countermeasure, and threat libraries use this format. Assessment reports can also be printed directly from the software into paginated documents, either in hard copy or to PDF.

RiskTrees can also be exported in an industry-standard XML format used by mind-mapping tools. This means that the trees can be uploaded into such tools and made more beautiful, which matters if the trees are needed for important reports. It also allows trees drawn up in third-party mind-mapping tools to be imported into the RiskTree Processor.

RiskTree can be extended into a complete risk management solution, called RiskWiki. This allows the risks to be viewed at a corporate, organizational, or departmental level, as well as by asset. Your countermeasures can be mapped against controls (such as ISO27001) and compliance reports can be created. Our tool of choice for this is Confluence. We can help set up a customized RiskWiki solution for you. The system will capture risk owners, review dates, and all of the evidence supporting the decisions that have been taken, ensuring full traceability. If you already use Confluence we can extend it; if not, we can help with the deployment. We can even help with cloud hosting if you prefer.

If a Confluence-based risk management system isn't for you, RiskTree integrates with MS Excel. At the push of a button, RiskTree data (including risks and countermeasures) can be exported into CSV files, which can be loaded into any spreadsheet or database software to create documents such as risk registers. These can then be tailored to meet your requirements.

To find out more, download our overview paper, or get in touch.