Risk register and assessment methodology
1) Purpose and scope of the register
Purpose: a single system for describing, assessing, prioritizing and monitoring the risks that affect money (GGR/CF), licenses, players, data and reputation.
Coverage: Product/Engineering (SDLC/Incidents), Finance and Payments (PSP/Findings), KYC/AML/Sanctions, Privacy (GDPR), TPRM/Vendors, Marketing/SDK, Data (DWH/BI), Infrastructure/Clouds/DR, Support Operations, and VIP.
2) Risk taxonomy (example)
Information security and privacy: PII/KYC leaks, unauthorized access, logging failure, DSAR files.
Regulatory/compliance: violations of license terms, AML/KYC/sanctions, advertising bans.
Operational/technological: PSP/KYC downtime, release defects, latency degradation, DR incidents.
Fraud/abuse: fraudulent deposits, bonus abuse, payment attack patterns.
Financial: partner liquidity, chargeback shocks, concentration on one PSP.
Vendor/supply chain: vulnerable SDKs, sub-processors with weak TOMs (technical and organizational measures).
Reputational/customer: spike in complaints, NPS drop, RG violations.
Strategic/geopolitical: sanctions, tax/law changes, traffic blockages.
3) Risk card (required fields)
ID/Risk Name
Category (from taxonomy)
Event description (what may happen) and cause
Affected assets/processes/jurisdictions
Risk Owner and Sponsor
Available controls (preventive/detective/corrective)
Probability (P) and Impact (I) before controls (inherent)
Residual risk after controls
Treatment plan: reduce/avoid/accept/transfer
Escalation Threshold/Threat Level (Low/Medium/High/Critical)
KRIs and triggers, metrics and data sources
Status and next review due date
Associated CAPAs/tickets
Linkage to Control Registry (Control IDs) and Policies
Auditor/Committee Comments (Latest Resolutions)
4) Rating scales (default 5 × 5)
4.1 Probability (P)
1 - Rare (<1 per 5 years)
2 - Low (1 per 2-5 years)
3 - Average (annually)
4 - High (quarterly)
5 - Very high (monthly or more often)
4.2 Impact (I) - take the maximum across the branches that apply
- Finance: 1: <€10k · 2: €10-100k · 3: €100k-1m · 4: €1-5m · 5: >€5m
- Privacy/Data: 1: <1k records · ... · 5: >1M records or special categories
- Regulator/Licenses: 1: warning · 3: penalty/review · 5: license suspension
- Availability (SLO/SLA): 1: <15 min · ... · 5: >8 h for critical areas
Final score: 'R = P × I' → levels: 1-5 Low, 6-10 Medium, 12-16 High, 20-25 Critical.
(Thresholds can be adapted to the company.)
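The scoring rules of section 4 as an added worked example (not code from the page): impact is the maximum over the branches that apply, R = P × I, and the level bands are the page's defaults. Only the finance branch is fully specified on the page, so it is the only branch scored from raw values here; other branches are passed in as already-scored integers. The example also checks a point the band list makes easy to doubt: the bands skip 11 and 17-19, yet every product of two scores in 1..5 lands inside a band.

```python
# Added example (not part of the page): scoring a risk on the page's default 5 x 5 scales.
# Impact I is the maximum over the applicable branches; R = P x I; levels from the page's bands.
from typing import Dict, List

# Band edges are the page's defaults; the page notes companies adapt them.
LEVEL_BANDS = [(1, 5, "Low"), (6, 10, "Medium"), (12, 16, "High"), (20, 25, "Critical")]


def impact_finance(loss_eur: float) -> int:
    """Finance branch as given on the page: <10k=1, 10-100k=2, 100k-1m=3, 1-5m=4, >5m=5."""
    if loss_eur < 10_000:
        return 1
    if loss_eur < 100_000:
        return 2
    if loss_eur < 1_000_000:
        return 3
    if loss_eur <= 5_000_000:
        return 4
    return 5


def overall_impact(branch_scores: Dict[str, int]) -> int:
    """I = max over branches (finance, privacy, regulator, availability, ...)."""
    if not branch_scores:
        raise ValueError("at least one impact branch is required")
    for name, score in branch_scores.items():
        if score not in range(1, 6):
            raise ValueError(f"{name}: impact {score} is outside 1..5")
    return max(branch_scores.values())


def risk_score(p: int, i: int) -> int:
    """R = P x I on the 5 x 5 grid."""
    if p not in range(1, 6) or i not in range(1, 6):
        raise ValueError("P and I must be integers in 1..5")
    return p * i


def risk_level(r: int) -> str:
    """Map R to Low/Medium/High/Critical. The bands leave 11 and 17-19 unlisted,
    but no product of two integers in 1..5 takes those values, so every R maps."""
    for lo, hi, name in LEVEL_BANDS:
        if lo <= r <= hi:
            return name
    raise ValueError(f"R={r} is not a product of two scores in 1..5")


def heat_map() -> List[List[str]]:
    """Rows are P from 5 down to 1, columns I from 1 to 5 (usual heat-map orientation)."""
    return [[risk_level(risk_score(p, i)) for i in range(1, 6)] for p in range(5, 0, -1)]


def assess(p: int, branch_scores: Dict[str, int]) -> Dict[str, object]:
    """Inherent assessment of one card: I = max branch, R = P x I, level from the bands."""
    i = overall_impact(branch_scores)
    r = risk_score(p, i)
    return {"P": p, "I": i, "R": r, "level": risk_level(r)}


if __name__ == "__main__":
    # Constructed sample: an annual event (P=3), EUR 250k expected loss, privacy pre-scored 3.
    print(assess(3, {"finance": impact_finance(250_000), "privacy": 3}))
    for row in heat_map():
        print(" ".join(f"{cell:8}" for cell in row))
```

The residual assessment uses the same functions with the post-control P and I; the only rule the code does not enforce is that residual scores must not exceed inherent ones, which belongs in the register's card validation.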
5) Heat map matrix and risk appetite
Risk appetite: a document with tolerances by domain (for example, PII leaks: zero tolerance; downtime: P95 ≤ X min/month; chargeback rate: ≤ Y%).
Heat map: visualization of R on the 5 × 5 grid; risks above appetite require a CAPA plan and timeline.
Risk budget: quotas for "accepted" risks, each with a justification (economic feasibility).
6) Assessment methodologies
6.1 Qualitative (quick start)
Expert evaluations on the P/I scales with justification, reconciled against incident history and KRI data.
6.2 Quantitative (priority for the Top-10)
FAIR approach (simplified): frequency of events × probability distribution of damage (P10/P50/P90); useful for comparing reduction options.
Monte Carlo (1,000-10,000 runs): variability of damage and frequency → Loss Exceedance Curve (probability that loss > X).
TRA (Targeted Risk Analysis): point analysis for choosing monitoring/control frequencies (relevant for PCI/vendors).
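The FAIR-style quantification and Monte Carlo loss curve of section 6.2, as an added example that is not part of the page. It assumes the two model choices a simplified FAIR run usually makes: event frequency is Poisson with the analyst's expected events per year, and per-event damage is lognormal fitted to the analyst's P10/P90 estimates (the implied P50 is the geometric mean of the two and should be compared with the analyst's own P50). The estimates used at the bottom are constructed.

```python
# Added example (not part of the page): FAIR-style loss quantification for one risk card,
# run as a Monte Carlo simulation and summarised as a Loss Exceedance Curve (LEC).
# Model assumptions of this example: Poisson event frequency, lognormal per-event damage.
import math
import random
from typing import Dict, List, Sequence, Tuple

Z90 = 1.2815515655446004  # standard-normal 90th-percentile z-score


def lognormal_from_quantiles(p10: float, p90: float) -> Tuple[float, float]:
    """(mu, sigma) of the lognormal whose 10th/90th percentiles equal p10/p90.
    Implied P50 = exp(mu) = sqrt(p10 * p90); sanity-check it against the analyst's P50."""
    if not 0 < p10 < p90:
        raise ValueError("need 0 < p10 < p90")
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Knuth's multiplicative method; adequate for the small rates on a risk card."""
    limit = math.exp(-lam)
    k, prod = 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= limit:
            return k
        k += 1


def simulate_annual_losses(events_per_year: float, p10: float, p90: float,
                           runs: int = 10_000, seed: int = 42) -> List[float]:
    """One run = one simulated year: draw the event count, then sum per-event damages."""
    rng = random.Random(seed)
    mu, sigma = lognormal_from_quantiles(p10, p90)
    losses = []
    for _ in range(runs):
        n = poisson_sample(rng, events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def loss_exceedance(losses: Sequence[float], x: float) -> float:
    """P(annual loss > x): the LEC value at x."""
    return sum(1 for loss in losses if loss > x) / len(losses)


def lec_curve(losses: Sequence[float], xs: Sequence[float]) -> List[Tuple[float, float]]:
    """Points of the Loss Exceedance Curve for board reporting."""
    return [(x, loss_exceedance(losses, x)) for x in xs]


def expected_annual_loss(losses: Sequence[float]) -> float:
    return sum(losses) / len(losses)


def compare_treatment(baseline: Sequence[float], treated: Sequence[float], x: float) -> Dict[str, float]:
    """How much a treatment option lowers expected loss and tail probability at x."""
    return {
        "eal_reduction": expected_annual_loss(baseline) - expected_annual_loss(treated),
        "exceedance_reduction_at_x": loss_exceedance(baseline, x) - loss_exceedance(treated, x),
    }


if __name__ == "__main__":
    # Constructed estimates: ~2 events/year, per-event damage P10 = 20k, P90 = 500k (EUR).
    base = simulate_annual_losses(2.0, 20_000, 500_000)
    # Treatment option (constructed): halves frequency and shortens the tail to P90 = 200k.
    treated = simulate_annual_losses(1.0, 20_000, 200_000)
    for x, prob in lec_curve(base, [100_000, 500_000, 1_000_000, 5_000_000]):
        print(f"P(loss > {x:>9,.0f}) = {prob:.3f}")
    print(compare_treatment(base, treated, 1_000_000))
```

The point of the LEC over a single expected-loss number is the tail: two options with similar expected loss can differ sharply in P(loss > X) at the level the appetite document cares about, which is what the committee compares when choosing between reduction options.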
7) KRIs and sources
Examples by domain:
- Availability/Operations: MTTR, 5xx errors, P95 latency, P1/P2 incidents, autoscale %, cluster capacity.
- Security/privacy: MFA coverage %, credential stuffing attempts, unusual exports, DSAR SLA, anti-alvar flags.
- Payments: auth rate by PSP, chargeback rate, bank failures, share of manual cashouts.
- KYC/AML: TAT, false positive rate, sanctions hits, escalation share.
- Vendors: SLA compliance, latency drift, incident frequency, currency of certificates.
KRIs are linked to risks and trigger escalations when they cross their thresholds.
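An added example (not code from the page) of how a KRI threshold of the kind the page uses, "below baseline minus 3σ for 15 minutes", is actually evaluated. The KRI structure, the baseline method (mean and standard deviation of a clean history window) and the sample series are this example's assumptions. The same evaluator serves "above" KRIs such as an anomalous export volume by setting `direction="above"`.

```python
# Added example (not part of the page): evaluating a KRI against a baseline threshold with a
# sustain window, so a one-sample blip does not page anyone but a sustained breach does.
import statistics
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class KRI:
    name: str
    direction: str          # "below": breach when value < threshold; "above": value > threshold
    sustain: int            # consecutive breaching samples required before escalation
    k_sigma: float = 3.0    # threshold = mean -/+ k_sigma * stdev of the baseline window
    escalation: str = "Incident P2"


def baseline_threshold(kri: KRI, history: Sequence[float]) -> float:
    """Threshold from a clean history window (mean and population stdev)."""
    if len(history) < 2:
        raise ValueError("baseline window too short")
    mean, sd = statistics.fmean(history), statistics.pstdev(history)
    return mean - kri.k_sigma * sd if kri.direction == "below" else mean + kri.k_sigma * sd


def is_breach(kri: KRI, value: float, threshold: float) -> bool:
    return value < threshold if kri.direction == "below" else value > threshold


def first_escalation(kri: KRI, history: Sequence[float], live: Sequence[float]) -> Optional[int]:
    """Index in `live` at which the sustain window fills; None if the KRI never escalates.
    A breach run shorter than `sustain` resets the counter: a blip, not an incident."""
    threshold = baseline_threshold(kri, history)
    run = 0
    for idx, value in enumerate(live):
        run = run + 1 if is_breach(kri, value, threshold) else 0
        if run >= kri.sustain:
            return idx
    return None


def evaluate(kri: KRI, history: Sequence[float], live: Sequence[float]) -> Dict[str, object]:
    idx = first_escalation(kri, history, live)
    return {
        "kri": kri.name,
        "threshold": round(baseline_threshold(kri, history), 4),
        "escalate": idx is not None,
        "at_sample": idx,
        "action": kri.escalation if idx is not None else None,
    }


# Constructed data: 60 one-minute samples of a healthy PSP auth rate, then two live scenarios.
AUTH_RATE_PSP1 = KRI(name="Auth rate PSP1", direction="below", sustain=15, escalation="Incident P1")
HISTORY = [0.91, 0.92, 0.93] * 20                    # mean 0.92, sd ~0.008 -> threshold ~0.8955
LIVE_OUTAGE = [0.92] * 5 + [0.70] * 20 + [0.92] * 5  # 20 breaching minutes starting at index 5
LIVE_BLIP = [0.92] * 5 + [0.70] * 5 + [0.92] * 20    # 5-minute dip: shorter than sustain

if __name__ == "__main__":
    print(evaluate(AUTH_RATE_PSP1, HISTORY, LIVE_OUTAGE))
    print(evaluate(AUTH_RATE_PSP1, HISTORY, LIVE_BLIP))
```

In production the history window should exclude known incidents, otherwise the baseline absorbs them and the threshold drifts down; that is the "relevance of the baseline" check a detective control's audit looks for.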
8) Risk life cycle (workflow)
1. Identification → registration of the card.
2. Inherent → Control Mapping → Residual.
3. Treatment decision and CAPA plan (dates/owners).
4. KRIs/incident monitoring, card update.
5. Quarterly Risk Committee: Top-N review, appetite re-calibration.
6. Close/consolidate or watchlist.
9) Linkage to controls and audit
Each risk should reference specific controls (see Internal Controls and Their Audits):
- Preventive (proactive): RBAC/ABAC, SoD, limits, encryption, WebAuthn, segmentation.
- Detective: SIEM/alerts, reconciliations, WORM logs, UEBA.
- Corrective: rollbacks, payout locks, key revocation, urgent patches.
- The DE/OE audit (design effectiveness / operating effectiveness) verifies that controls reduce risk to within appetite and operate stably.
10) Sample cards (YAML, fragments)
10.1 PII leak via vendor SDK (Tier-1)
```yaml
id: R-PRIV-001
title: "PII leak via marketing SDK"
category: privacy/vendor
assets: [pii_profiles, sdk_mobile]
owner: privacy_lead
inherent:
  likelihood: 3
  impact: 5   # >1M records / regulatory fines
controls:
  preventive: [cmp_enforced, data_minimization, sdk_allowlist, tokenization]
  detective: [worm_logs, export_signing, siem_anomaly_exports]
  corrective: [sdk_kill_switch, key_rotation, incident_comm_plan]
residual:
  likelihood: 2
  impact: 4
treatment: reduce
kri:
  - name: "Anomalous export volume"
    threshold: ">P99 baseline"
  - name: "SDK version drift"
    threshold: "N-1 only"
status: active
next_review: 2026-01-15
```
10.2 PSP degradation: payment authorization failure
```yaml
id: R-PAY-007
title: "Drop in authorization conversion at PSP#1"
category: payments/availability
owner: head_of_payments
inherent: {likelihood: 4, impact: 4}
controls:
  preventive: [multi_psp_routing, rate_limits, timeout_policies]
  detective: [auth_rate_dashboard, p95_latency_alerts]
  corrective: [failover_to_psp2, traffic_shaping, incident_swar_rm]
residual: {likelihood: 2, impact: 3}
kri:
  - name: "Auth rate PSP1"
    threshold: "< baseline-3σ for 15m"
    escalation: "Incident P1 if <X% for 30m"
```
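An added example (not part of the page) of the checks a register would run on a card before accepting it: required fields from section 3, valid P/I scores, residual not exceeding inherent, a control mapped before residual may drop, the review date, and the section 5 rule that a residual above appetite requires a CAPA. The cards are the two above, re-expressed as Python dicts so the example runs without a YAML parser; the appetite table, the required-field list and the `next_review` date for R-PAY-007 are constructed assumptions.

```python
# Added example (not part of the page): consistency and appetite checks on a risk card.
# Appetite values, required-field list and R-PAY-007's review date are assumptions here.
from datetime import date
from typing import Dict, List

REQUIRED = ["id", "title", "category", "owner", "inherent", "controls", "residual", "kri", "next_review"]
LEVEL_BANDS = [(1, 5, "Low"), (6, 10, "Medium"), (12, 16, "High"), (20, 25, "Critical")]

# Assumed appetite: maximum tolerated residual R per category prefix; 0 means zero tolerance.
APPETITE = {"privacy": 0, "payments": 6, "default": 10}


def risk_level(r: int) -> str:
    return next(name for lo, hi, name in LEVEL_BANDS if lo <= r <= hi)


def appetite_for(category: str) -> int:
    """Category is 'domain/subdomain' on the cards; appetite is set per domain."""
    return APPETITE.get(category.split("/")[0], APPETITE["default"])


def validate_card(card: dict, today: date) -> Dict[str, object]:
    findings: List[str] = [f"missing field: {f}" for f in REQUIRED if f not in card]
    inh, res = card.get("inherent", {}), card.get("residual", {})
    for block, name in ((inh, "inherent"), (res, "residual")):
        for key in ("likelihood", "impact"):
            if block.get(key) not in range(1, 6):
                findings.append(f"{name}.{key} must be an integer 1..5")
    if findings:  # structural problems: stop before scoring
        return {"id": card.get("id"), "valid": False, "findings": findings}

    if res["likelihood"] > inh["likelihood"] or res["impact"] > inh["impact"]:
        findings.append("residual exceeds inherent: controls cannot raise P or I")
    has_controls = any(card["controls"].get(k) for k in ("preventive", "detective", "corrective"))
    if not has_controls and (res["likelihood"], res["impact"]) != (inh["likelihood"], inh["impact"]):
        findings.append("no controls mapped, so residual must equal inherent")
    if card["next_review"] < today:
        findings.append("review overdue")

    r_inh = inh["likelihood"] * inh["impact"]
    r_res = res["likelihood"] * res["impact"]
    above = r_res > appetite_for(card["category"])
    return {
        "id": card["id"], "valid": not findings, "findings": findings,
        "inherent_R": r_inh, "inherent_level": risk_level(r_inh),
        "residual_R": r_res, "residual_level": risk_level(r_res),
        "above_appetite": above, "capa_required": above,
    }


# The page's two cards as dicts (R-PAY-007 has no review date on the page; one is assumed).
R_PRIV_001 = {
    "id": "R-PRIV-001", "title": "PII leak via marketing SDK", "category": "privacy/vendor",
    "assets": ["pii_profiles", "sdk_mobile"], "owner": "privacy_lead",
    "inherent": {"likelihood": 3, "impact": 5},
    "controls": {"preventive": ["cmp_enforced", "data_minimization", "sdk_allowlist", "tokenization"],
                 "detective": ["worm_logs", "export_signing", "siem_anomaly_exports"],
                 "corrective": ["sdk_kill_switch", "key_rotation", "incident_comm_plan"]},
    "residual": {"likelihood": 2, "impact": 4}, "treatment": "reduce",
    "kri": [{"name": "Anomalous export volume", "threshold": ">P99 baseline"},
            {"name": "SDK version drift", "threshold": "N-1 only"}],
    "status": "active", "next_review": date(2026, 1, 15),
}
R_PAY_007 = {
    "id": "R-PAY-007", "title": "Drop in authorization conversion at PSP#1",
    "category": "payments/availability", "owner": "head_of_payments",
    "inherent": {"likelihood": 4, "impact": 4},
    "controls": {"preventive": ["multi_psp_routing", "rate_limits", "timeout_policies"],
                 "detective": ["auth_rate_dashboard", "p95_latency_alerts"],
                 "corrective": ["failover_to_psp2", "traffic_shaping", "incident_swar_rm"]},
    "residual": {"likelihood": 2, "impact": 3},
    "kri": [{"name": "Auth rate PSP1", "threshold": "< baseline-3σ for 15m",
             "escalation": "Incident P1 if <X% for 30m"}],
    "next_review": date(2026, 2, 1),  # assumed, not on the page
}

if __name__ == "__main__":
    for card in (R_PRIV_001, R_PAY_007):
        print(validate_card(card, today=date(2025, 10, 1)))
```

With the assumed appetite, R-PRIV-001 validates cleanly but is above appetite (zero tolerance for PII leaks), so it carries a CAPA requirement, while R-PAY-007's residual of 6 sits exactly at the payments tolerance.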
11) Aggregation and Portfolio Management
Top-N (Risk Register View): sorted by residual R and "above appetite."
Topics (Risk Themes): clusters (vendors, privacy, PSP) → topic owners.
Dependency maps: risks ↔ controls ↔ vendors ↔ processes.
Scenarios and stress tests: "What if PSP #1 and KYC #1 are both unavailable for 2 hours?" - cumulative damage assessment and action plan.
LEC (Loss Exceedance Curve): Annual loss profile for the council/board.
12) Escalation thresholds and signals
Operational: SLO/SLA violation → Incident P1/P2.
Compliance/Privacy: retention exceeded, DSAR failure, export without a stated purpose → immediate DPO/Legal escalation.
Vendor: repeated SLA failures → CAPA at the supplier, contract revision.
Financial: chargeback rate > threshold → manual checks, adjustment of limits/bonuses.
13) RACI (high-level)
14) Metrics (KPI/KRI) of the risk management system
Coverage: 100% of critical processes have registered risks and owners.
Review On-time: ≥ 95% of cards are revised on time.
Above Appetite: share of risks above appetite, decreasing QoQ.
CAPA Closure (High/Critical): ≥ 95% on time.
Detection Lag: median time from KRI deviation to escalation (should decrease).
Incident Recurrence: repeat incidents with the same root cause - target 0.
15) Checklists
15.1 Creating a card
- Event/Cause Category and Description
- Assets/processes/jurisdictions marked
- Estimated P/I (inherent) and residual with justification
- Control Mapping (ID), KRIs, and Data Sources
- CAPA Plan/Dates/Owners
- Escalation Threshold and Threat Level
15.2 Quarterly Committee
- Top 10 for residual and above appetite
- New/emergent risks, changes in laws/vendors
- CAPA and Delinquency Status
- Decisions: accept/reduce/transfer/avoid; update appetite/thresholds
16) Implementation Roadmap (4-6 weeks)
Weeks 1-2: approve taxonomy, scales, appetite; select a tool (spreadsheet/BI/IRM); create 10-15 starting cards for critical processes.
Weeks 3-4: associate risks with controls and KRIs; build a heat map/dashboards; launch a risk committee.
Weeks 5-6: implement quantification for Top-5 (FAIR/Monte Carlo light), automate KRIs collection, formalize escalations and board reporting.
17) Related wiki sections
Internal controls and their audits, ISO 27001/27701, SOC 2, PCI DSS, IGA/RBAC/Least Privilege, TPRM and SLA, Incidents and Leaks, DR/BCP, Log Policy and WORM - for the full cycle "risk → control → metric → evidence."
TL;DR
Working risk register = clear taxonomy + standardized scales + appetite/thresholds → cards with owners, controls and KRIs → heat map and committees → priority quantification for Top risks and CAPAs on time. This makes the risks manageable, comparable and provable for the board and regulators.