Risk Register
The Claw GRC Risk Register gives you a structured, scored view of your organization's risk landscape. AIRSS scoring quantifies risk across five dimensions, while the heatmap and treatment workflows keep your risk posture current.
AIRSS Scoring
Claw GRC uses AIRSS (AI-Informed Risk Scoring System) — a five-factor model designed to score risks in environments with both human and AI agent actors. Each factor is scored 1–5, and the final AIRSS score is a weighted composite on a 0–100 scale.
The 5 AIRSS Factors
| Factor | Description | Weight |
|---|---|---|
| Likelihood (L) | Probability that the risk event will occur within the next 12 months. Considers threat intelligence, historical incidents, and industry data. | 25% |
| Impact (I) | Magnitude of harm if the risk event occurs — financial, reputational, operational, and regulatory impact combined. | 25% |
| Detectability (D) | How quickly the organization would detect the risk event occurring. Low detectability increases the effective risk score. | 20% |
| Velocity (V) | How fast the risk can escalate once triggered. Ransomware has high velocity; gradual compliance drift has low velocity. | 15% |
| Control Coverage (C) | Effectiveness of existing controls in reducing the risk. High control coverage reduces the AIRSS score significantly. | 15% |
AIRSS score examples
Here are example AIRSS scores for common risk scenarios to help calibrate your own risk entries:
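The page gives the five factors and their weights but not the arithmetic that turns 1–5 scores into a 0–100 composite. The following is an added worked example, not Claw GRC's own code: it assumes each factor maps linearly from 1–5 onto 0–4 steps, that Detectability and Control Coverage are inverted (5 meaning "detected fastest" / "fully covered", since the page says low detectability raises and high coverage lowers the score), and that the weighted sum is divided by 4 so all-worst scores 100 and all-best scores 0. It also applies the heatmap bands and the "accept above 50 needs executive sign-off" rule described further down the page; assigning boundary values to the higher band is an assumption. The `Risk` class, function names and the two sample risks are constructed for illustration.

```python
from dataclasses import dataclass

# Factor weights from the AIRSS table on this page (percent, sum to 100).
WEIGHTS = {"L": 25, "I": 25, "D": 20, "V": 15, "C": 15}

# Factors whose higher score lowers risk. The page says low detectability raises
# the score and high control coverage lowers it, so D and C are inverted here.
# ASSUMPTION: 5 means "detected fastest" / "fully covered"; the page does not
# state the direction of the 1-5 scale for these two factors.
INVERTED = {"D", "C"}


@dataclass(frozen=True)
class Risk:
    """Hypothetical risk-register entry (not the product's data model)."""
    name: str
    L: int  # Likelihood
    I: int  # Impact
    D: int  # Detectability
    V: int  # Velocity
    C: int  # Control Coverage
    treatment: str = "mitigate"


def _validate(factor: str, value: int) -> None:
    # Each factor must be an integer 1-5; reject anything else before scoring.
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{factor} must be an integer 1-5, got {value!r}")


def airss_score(risk: Risk) -> float:
    """Weighted composite on a 0-100 scale.

    ASSUMED normalisation: a factor contributes (value - 1) steps, or
    (5 - value) steps if inverted, weighted by its percent weight. Dividing the
    integer total by 4 yields 100 for all-worst and 0 for all-best, exactly.
    """
    total = 0
    for factor, weight in WEIGHTS.items():
        value = getattr(risk, factor)
        _validate(factor, value)
        steps = (5 - value) if factor in INVERTED else (value - 1)
        total += weight * steps
    return total / 4


def heatmap_band(score: float) -> str:
    """Map a score to the heatmap bands listed on this page.
    ASSUMPTION: boundary values (20, 40, 60) go to the higher band."""
    if score >= 60:
        return "red"
    if score >= 40:
        return "orange"
    if score >= 20:
        return "yellow"
    return "green"


def needs_executive_signoff(risk: Risk) -> bool:
    """The page's escalation rule: accept treatment with AIRSS above 50
    requires an executive-level approval."""
    return risk.treatment == "accept" and airss_score(risk) > 50


# Constructed sample risks for calibration (not taken from the page).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", L=4, I=5, D=2, V=5, C=2, treatment="accept"),
    Risk("Gradual policy compliance drift", L=3, I=2, D=4, V=1, C=4, treatment="accept"),
]


def summarize(risks=SAMPLE_RISKS) -> list[dict]:
    """One row per risk: score, heatmap band, and whether acceptance escalates."""
    rows = []
    for r in risks:
        s = airss_score(r)
        rows.append({"name": r.name, "score": s, "band": heatmap_band(s),
                     "exec_signoff": needs_executive_signoff(r)})
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(f"{row['name']:<35} AIRSS={row['score']:5.1f} "
              f"band={row['band']:<6} exec_signoff={row['exec_signoff']}")
```

Under these assumptions the ransomware entry scores 85.0 (red) and, being set to accept, trips the executive sign-off rule, while the compliance-drift entry scores 27.5 (yellow) and can be accepted without escalation. If your deployment normalises the factors differently, only `airss_score` needs to change; the band and escalation checks read the resulting score.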
Risk Categories
Risks are organized into categories that correspond to common GRC risk taxonomies. The category affects which framework controls are suggested as risk-linked treatments.
| Category | Description |
|---|---|
| cyber_security | Technical security risks — vulnerabilities, attacks, breaches, unauthorized access |
| ai_governance | Risks from AI system behavior — hallucinations, autonomous actions, training data issues, model drift |
| data_privacy | Personal data exposure, regulatory non-compliance (GDPR, HIPAA, CCPA) |
| operational | System availability, process failures, supply chain disruptions, key person dependencies |
| regulatory_compliance | Failure to meet compliance requirements, audit failure, regulatory fines |
| third_party | Vendor risk, partner breaches, SaaS dependency failures |
| financial | Financial fraud, budget impact from incidents, insurance gaps |
| reputational | Brand damage from incidents, public disclosure events, negative press |
Risk Treatment Strategies
When you create or update a risk, you assign a treatment strategy. The strategy determines how the organization will handle the risk and what supporting evidence is required.
| Strategy | Description | When to Use |
|---|---|---|
| mitigate | Implement controls to reduce likelihood or impact. Link specific controls as risk treatment evidence. Most common strategy. | Default for most risks |
| transfer | Transfer risk through insurance, contracts, or outsourcing. Requires evidence of the transfer mechanism (insurance policy, contract clause). | Insurable or contractually transferable risks |
| accept | Formally accept the risk as within the organization's risk tolerance. Requires signed acceptance by an authorized executive. | Low risks within tolerance |
| avoid | Eliminate the risk by stopping the activity that creates it. Document what was changed to avoid the risk. | Highest risks |
Risk acceptance requires executive sign-off
Any risk with an AIRSS score above 50 that is set to accept treatment triggers an escalation requiring an executive-level user to approve the acceptance. The approval is logged in the audit trail with the executive's name and timestamp.
Risk Heatmap
The Risk Heatmap at the top of the Risk Register page visualizes all active risks on a 5×5 grid — Likelihood on the X-axis, Impact on the Y-axis. Risks in the top-right quadrant (high likelihood, high impact) are the highest priority for treatment.
Heatmap quadrant colors:
- 🔴 Red quadrant (top-right) — Critical risks. AIRSS typically 60+. Require immediate treatment.
- 🟠 Orange quadrant — High risks. AIRSS 40–60. Should be actively mitigated.
- 🟡 Yellow quadrant — Medium risks. AIRSS 20–40. Monitor and treat in planned cycles.
- 🟢 Green quadrant (bottom-left) — Low risks. AIRSS below 20. Accept or monitor only.
Click any bubble on the heatmap to open the risk detail. The bubble size represents the velocity (V) factor — larger bubbles indicate faster-escalating risks.
Filter the heatmap by category
The heatmap has a category filter that lets you focus on a specific risk category — for example, view only ai_governance risks to assess your AI-specific risk posture, or cyber_security risks ahead of a penetration test.
Top Risks Summary
Below the heatmap, the Top Risks panel lists your 10 highest-scoring risks sorted by AIRSS score descending. For each risk, you'll see:
- Risk name and category
- AIRSS score with trend indicator (improved/worsened since last assessment)
- Treatment strategy and status
- Control coverage percentage (how many linked mitigating controls are implemented)
- Owner and next review date
Linking Risks to Findings
When a security scan creates a finding, Claw GRC suggests linking it to existing risks in the register. This creates a two-way relationship:
- The finding can increase the Likelihood score of the linked risk
- Resolving the finding can improve the Control Coverage factor
- Risk history shows all findings that have informed the risk score over time
To link a finding to a risk, open the finding detail and click Link to Risk, or open the risk and add the finding from the Related Findings tab.