RiskTree is a method for understanding, recording, and managing risks.

The process uses workshops to build tree structures that define the risks - we call these RiskTrees. RiskTrees are a straightforward way of showing the relationship between different types of risks. We provide the tools to create and manage them, following a standard risk management cycle:

  • Workshops are used to identify the risks and thus build up a RiskTree.
  • Next, the risks are assessed in a consistent way and with consensus from the participants.
  • The RiskTree Processor analyses the risks to provide a prioritized list.
  • Finally, the risks are placed into a risk register so that they can be tracked and managed.

The RiskTree process provides a structured and systematic way of cataloguing the risks to a system or process. It's not full of technical jargon, and the best trees are formed in a collaborative process that closely involves the business. The risks are captured in the language used by the participants of a workshop, and then assessed. The assessments for each risk are recorded onto the RiskTree, and are then processed by the 2T Security RiskTree Processor tool. This returns a prioritized list of risks that can be compared to the organization's risk appetite, and which can immediately form the core of a risk register.

RiskTree can take your threats into account in its risk assessment. It also captures the countermeasures deployed to mitigate your risks, and presents a 'before and after' view.

RiskTrees can be exported in an industry-standard XML format used by mind-mapping tools. The trees can then be loaded into such a tool and polished, which matters when they are needed for formal reports. The same format allows trees drawn up in third-party mind-mapping tools to be imported into the RiskTree Processor.
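The page does not name the mind-map XML format, so the following added example (not 2T Security's code, and not the RiskTree Processor's schema) assumes the FreeMind `.mm` layout of nested `<node TEXT="...">` elements with `<attribute NAME="..." VALUE="..."/>` children. It builds a small constructed RiskTree with hypothetical likelihood/impact ratings and countermeasures, exports it, re-imports it, and lists the leaf risks with their path through the tree, so a practitioner can see what survives a round trip through a third-party tool.

```python
"""Round-trip a RiskTree through FreeMind-style mind-map XML (added example).

ASSUMPTIONS: the FreeMind .mm layout (<map><node TEXT=...><attribute NAME=... VALUE=.../>)
and the 1-5 likelihood/impact ratings are illustrative choices, not the RiskTree
Processor's real export schema or scoring method.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RiskNode:
    text: str
    likelihood: Optional[int] = None     # hypothetical 1-5 rating, leaf risks only
    impact: Optional[int] = None         # hypothetical 1-5 rating, leaf risks only
    countermeasure: Optional[str] = None  # deployed countermeasure, if any
    children: list = field(default_factory=list)

    def is_leaf_risk(self) -> bool:
        """Grouping nodes carry no ratings; rated nodes are the assessed risks."""
        return self.likelihood is not None and self.impact is not None


def _rating(value: Optional[str]) -> Optional[int]:
    """Parse a rating attribute, rejecting values outside the assumed 1-5 scale."""
    if value is None:
        return None
    n = int(value)
    if not 1 <= n <= 5:
        raise ValueError(f"rating out of range: {n}")
    return n


def to_mindmap(root: RiskNode) -> bytes:
    """Serialise the tree as FreeMind-style XML; ratings become <attribute> children."""
    def build(node: RiskNode, parent: ET.Element) -> None:
        el = ET.SubElement(parent, "node", TEXT=node.text)
        if node.is_leaf_risk():
            ET.SubElement(el, "attribute", NAME="likelihood", VALUE=str(node.likelihood))
            ET.SubElement(el, "attribute", NAME="impact", VALUE=str(node.impact))
            if node.countermeasure:
                ET.SubElement(el, "attribute", NAME="countermeasure", VALUE=node.countermeasure)
        for child in node.children:
            build(child, el)

    map_el = ET.Element("map", version="1.0.1")
    build(root, map_el)
    return ET.tostring(map_el, encoding="utf-8", xml_declaration=True)


def from_mindmap(data: bytes) -> RiskNode:
    """Parse a FreeMind-style document back into a RiskNode tree.

    Files produced by third-party tools are untrusted input: parse them with
    defusedxml.ElementTree rather than the stdlib parser in production code.
    """
    map_el = ET.fromstring(data)
    root_el = map_el.find("node")
    if map_el.tag != "map" or root_el is None:
        raise ValueError("not a mind map with a root <node>")

    def parse(el: ET.Element) -> RiskNode:
        attrs = {a.get("NAME"): a.get("VALUE") for a in el.findall("attribute")}
        node = RiskNode(
            text=el.get("TEXT", ""),
            likelihood=_rating(attrs.get("likelihood")),
            impact=_rating(attrs.get("impact")),
            countermeasure=attrs.get("countermeasure"),
        )
        node.children = [parse(c) for c in el.findall("node")]
        return node

    return parse(root_el)


def leaf_risks(root: RiskNode, path=()):
    """Yield (path_of_node_texts, node) for every rated risk, depth-first."""
    path = path + (root.text,)
    if root.is_leaf_risk():
        yield path, root
    for child in root.children:
        yield from leaf_risks(child, path)


def roundtrip(root: RiskNode) -> bool:
    """True if export followed by import reproduces the tree exactly."""
    return from_mindmap(to_mindmap(root)) == root


# Constructed sample tree for the example; not taken from the page.
SAMPLE = RiskNode("Customer portal", children=[
    RiskNode("Unauthorised access", children=[
        RiskNode("Credential stuffing against login", 4, 4, "MFA and rate limiting"),
        RiskNode("Session token leaked in logs", 2, 4),
    ]),
    RiskNode("Loss of availability", children=[
        RiskNode("DDoS on public endpoint", 3, 3, "CDN with DDoS protection"),
    ]),
])

if __name__ == "__main__":
    print(to_mindmap(SAMPLE).decode())
    for path, risk in leaf_risks(SAMPLE):
        print(" > ".join(path), risk.likelihood, risk.impact, risk.countermeasure or "-")
    print("round trip ok:", roundtrip(SAMPLE))
```

Keeping the ratings as mind-map attributes rather than encoding them into the node text is what makes the round trip lossless: a designer can restyle the tree in the mind-mapping tool without the assessment data being lost on re-import.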

RiskTree can be extended into a complete risk management solution, called RiskWiki. This allows the risks to be viewed at a corporate, organizational, or departmental level, as well as by asset. Your countermeasures can be mapped against control frameworks (such as ISO 27001) and compliance reports can be created. Our tool of choice for this is Confluence. We can help set up a customized RiskWiki solution for you. The system will capture risk owners, review dates, and all of the evidence to support decisions that have been taken, ensuring full traceability of decisions. If you already use Confluence we can extend it; if not, we can help with the deployment. We can even help with cloud hosting if you prefer.

If a Confluence-based risk management system isn't for you, RiskTree integrates with MS Excel. At the push of a button, risks and controls can be inserted into a spreadsheet risk register, which can be tailored to meet your requirements.

To find out more, download our overview paper, or get in touch at risktree@2t-security.com.