
Risk Analysis

Assess, quantify, and manage compliance risk across your managed Microsoft 365 tenants. OpsPilot365 provides a structured risk assessment framework with likelihood and impact scoring, risk treatment planning, residual risk tracking, and stakeholder-ready risk reports.

Note: Risk Analysis integrates with Compliance Assessments and Drift Detection to automatically identify and score risks based on compliance gaps, configuration drift, and tenant security posture. Risks are mapped to compliance controls and frameworks, providing a unified view of organizational risk for each managed tenant.

Risk Dashboard

Metric            Value
Critical Risks    6
High Risks        15
Medium Risks      28
Low Risks         42

Risk Assessment Methodology

Risks are assessed using a standardized methodology that evaluates both the likelihood of occurrence and the potential business impact. The combined score determines the overall risk rating and prioritization.

  • Automated Risk Identification — Risks are automatically generated from compliance assessment gaps, drift detection events, and security posture analysis. Each identified gap is mapped to a risk entry with pre-populated likelihood and impact scores based on the control category and the nature of the deficiency.
  • Manual Risk Entry — Add custom risks for organizational concerns not covered by automated scanning. Examples include vendor risks, process gaps, personnel-related risks, and risks identified through client interviews or third-party assessments.

Risk Matrix

The risk matrix plots each risk by likelihood (vertical) and impact (horizontal) to provide a visual heat map of the tenant’s risk posture. Each cell holds the risk score, which is the likelihood score multiplied by the impact score.

Likelihood / Impact    Negligible (1)   Minor (2)   Moderate (3)   Major (4)   Severe (5)
Almost Certain (5)     5                10          15             20          25
Likely (4)             4                8           12             16          20
Possible (3)           3                6           9              12          15
Unlikely (2)           2                4           6              8           10
Rare (1)               1                2           3              4           5

Risk score ranges: Low (1-4), Medium (5-9), High (10-15), Critical (16-25).

Risk Treatment Plans

  • Mitigate — Implement controls to reduce likelihood or impact. When to use: the risk is above tolerance and can be reduced with available controls. Example: enable MFA to mitigate credential theft risk.
  • Transfer — Shift the risk to a third party via insurance or contract. When to use: the risk cannot be fully mitigated through controls alone. Example: cyber insurance for the financial impact of a data breach.
  • Accept — Acknowledge the risk without additional action. When to use: the risk is within tolerance, or the cost of mitigation exceeds the benefit. Example: accept a low-risk configuration deviation required for a business need.
  • Avoid — Eliminate the risk by removing its source. When to use: the risk is too high and cannot be adequately mitigated. Example: disable external sharing entirely for regulated data.

Residual Risk Tracking

After treatment plans are applied, residual risk represents the remaining risk level. Track residual risk over time to ensure controls remain effective.

  • Inherent vs. Residual Comparison — View side-by-side comparison of inherent risk (before controls) and residual risk (after controls) for each risk entry. Demonstrates control effectiveness and justifies continued investment in compliance measures.
  • Risk Trend Charts — Track risk score changes over time as controls are implemented and drift occurs. Identify trends showing whether overall risk posture is improving or degrading across your managed tenant portfolio.
  • Risk Acceptance Registry — Maintain a formal record of accepted risks with justification, approval authority, review dates, and conditions for re-evaluation. ISO 27001 requires risk owners to approve the treatment plan and accept the residual risk, and SOC 2 auditors ask for the same evidence; this registry is the record of that governance.
  • Control Effectiveness — Measure how effectively each control reduces risk by comparing pre- and post-control risk scores. Identify underperforming controls that may need strengthening or replacement with more effective alternatives.
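The scoring model behind the risk matrix and the residual-risk tracking described above, as an added example. This is not OpsPilot365 code: the `Risk` field names, the control-effectiveness formula ((inherent - residual) / inherent), the acceptance record fields, the default Medium tolerance and the 365-day review interval are all assumptions; only the 1-5 scales, the multiplication, the rating bands and the four treatment options come from this page. The sample register is constructed.

```python
# Added example, not OpsPilot365 code: likelihood x impact scoring as in the matrix
# above, treatment to residual risk, control effectiveness and an acceptance record.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TREATMENTS = ("Mitigate", "Transfer", "Accept", "Avoid")
RATINGS = ("Low", "Medium", "High", "Critical")


def score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood (1-5) x impact (1-5): one cell of the matrix."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def rating(s: int) -> str:
    """Bands from this page: Low 1-4, Medium 5-9, High 10-15, Critical 16-25."""
    return "Low" if s <= 4 else "Medium" if s <= 9 else "High" if s <= 15 else "Critical"


def matrix() -> list:
    """Heat-map cells: rows are likelihood 5..1 top to bottom, columns impact 1..5."""
    return [[score(l, i) for i in range(1, 6)] for l in range(5, 0, -1)]


@dataclass
class Risk:
    risk_id: str
    title: str
    likelihood: int                        # inherent, before controls
    impact: int                            # inherent, before controls
    treatment: Optional[str] = None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    acceptance: Optional[dict] = None

    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    def residual(self) -> int:
        # Until a treatment lowers a factor, residual risk equals inherent risk.
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent()
        return score(self.residual_likelihood, self.residual_impact)


def apply_treatment(risk: Risk, treatment: str, likelihood: Optional[int] = None,
                    impact: Optional[int] = None) -> Risk:
    """Record a treatment and the post-control factors. Accept changes no score;
    Mitigate, Transfer and Avoid must lower it, otherwise the plan is a no-op."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if treatment == "Accept":
        if likelihood is not None or impact is not None:
            raise ValueError("Accept takes no action on likelihood or impact")
    else:
        new_l = risk.likelihood if likelihood is None else likelihood
        new_i = risk.impact if impact is None else impact
        if score(new_l, new_i) >= risk.inherent():
            raise ValueError("treatment must reduce the risk score")
        risk.residual_likelihood, risk.residual_impact = new_l, new_i
    risk.treatment = treatment
    return risk


def control_effectiveness(risk: Risk) -> float:
    """Share of the inherent score removed by controls: (inherent - residual) / inherent.
    This formula is an assumption; the page does not define the metric."""
    return (risk.inherent() - risk.residual()) / risk.inherent()


def accept(risk: Risk, justification: str, approved_by: str, decided_on: str,
           tolerance: str = "Medium", review_after_days: int = 365) -> dict:
    """Record an acceptance (field names are assumed). Accepting above the tolerance
    rating is allowed but flagged so the registry shows it needs cost/benefit sign-off."""
    apply_treatment(risk, "Accept")
    decided = date.fromisoformat(decided_on)
    risk.acceptance = {
        "justification": justification,
        "approved_by": approved_by,
        "decided_on": decided.isoformat(),
        "review_date": (decided + timedelta(days=review_after_days)).isoformat(),
        "above_tolerance": RATINGS.index(rating(risk.residual())) > RATINGS.index(tolerance),
    }
    return risk.acceptance


def acceptances_due(register: list, today: str) -> list:
    """IDs of accepted risks whose review date (ISO string) has passed."""
    return [r.risk_id for r in register if r.acceptance and r.acceptance["review_date"] <= today]


def sample_register() -> list:
    # Constructed sample data covering two examples from the treatment table above.
    cred = Risk("R-1", "Credential theft on admin accounts", likelihood=4, impact=5)
    apply_treatment(cred, "Mitigate", likelihood=2)     # MFA lowers likelihood, not impact
    share = Risk("R-2", "Guest sharing on one project site", likelihood=2, impact=2)
    accept(share, "Needed for a client project; site holds no regulated data",
           "Compliance manager", "2024-03-01")
    return [cred, share]
```

Two design points carry over to any real register: a treatment that does not lower the score is rejected rather than silently recorded, so the inherent-versus-residual comparison never shows a "control" that did nothing, and an acceptance always gets a review date, so the annual re-evaluation in the best practices below can be driven from data (`acceptances_due`) instead of memory.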

Risk Reporting for Stakeholders

  • Executive Risk Summary — High-level risk overview for client leadership. Includes top risks by severity, trend direction indicators, and key actions needed. Designed for non-technical audiences with clear business impact language.
  • Technical Risk Report — Detailed risk assessment for IT teams. Includes specific Microsoft 365 configuration details, affected services, remediation steps, and API-level evidence. Suitable for technicians and security teams.
  • Auditor Risk Package — Comprehensive risk documentation for external auditors. Contains the risk register, treatment plans, residual risk assessments, acceptance records, and supporting evidence. Formatted for SOC 2, ISO 27001, and other audit requirements.

Best Practices

  • Perform initial risk assessments during client onboarding to establish a baseline risk profile
  • Review and update risk scores after every compliance assessment to reflect the current posture
  • Use the risk matrix to prioritize remediation efforts based on combined likelihood and impact
  • Document risk acceptance decisions with clear justification and management sign-off
  • Present executive risk summaries quarterly to maintain client awareness and accountability
  • Track residual risk trends to demonstrate the value of ongoing compliance management to clients
  • Align risk categories with the client’s industry-specific risk appetite and regulatory requirements
  • Re-evaluate accepted risks at least annually or when significant changes occur in the tenant environment

API Reference

  • GET /api/addons/trust-center/risks — List all risks with filtering by severity, treatment status, tenant, and framework
  • POST /api/addons/trust-center/risks — Create a new risk entry with likelihood, impact, and control mapping
  • PUT /api/addons/trust-center/risks/:riskId — Update risk assessment scores or treatment plan
  • POST /api/addons/trust-center/risks/:riskId/treatment — Create or update a risk treatment plan
  • POST /api/addons/trust-center/risks/:riskId/accept — Record a risk acceptance decision with justification
  • GET /api/addons/trust-center/risks/matrix — Get the risk matrix data for heat map visualization
  • GET /api/addons/trust-center/risks/report — Generate a risk report for stakeholders (executive, technical, or auditor format)
  • GET /api/addons/trust-center/risks/trends — Retrieve risk score trends over time for trend analysis