How do I assess and treat a risk?
Quick answer
Section titled “Quick answer”Open Compliance → Risks, click “New Risk”, choose the affected asset, set the risk level (Low, Medium, High, Critical), and rate likelihood and impact each on a scale of 1 to 5. Document the treatment via the mitigation, review date, and reviewer fields — and update them later as things progress.
Prerequisites
Section titled “Prerequisites”Compliance is a Pro feature. You’ll also need an existing asset, since every risk assessment references a specific asset via the asset ID.
Instructions
Section titled “Instructions”-
Open the “Risks” tab. In the Compliance module, switch to the Risks tab and click “New Risk”.
Screenshot pendingcompliance-risiko-01List of risk assessments with the 'New Risk' buttonThe risk list with the button for creating a new one. -
Enter the assessment. Fill out the fields:
- Asset ID — the affected asset (UUID of the related asset).
- Risk Level —
Low,Medium,High, orCritical. - Likelihood (1–5) and Impact (1–5) — the two axes of the risk matrix.
- Optional, for treatment: Mitigation (the planned countermeasure), Review Date (when the risk will be reassessed), and Reviewer ID.
Screenshot pendingcompliance-risiko-02'New Risk' form with Asset ID, Risk Level, Likelihood, Impact, and MitigationThe risk form. Asset, risk level, likelihood, and impact are required. -
Save and treat. After saving, the assessment appears in the list. To treat the risk, update it later: add the mitigation, set a review date, or adjust the risk level once countermeasures take effect.
Create a risk: POST to /api/v1/compliance/risks. asset_id,
risk_level, likelihood, and impact are required. Allowed risk_level
values: low, medium, high, critical. likelihood and impact each
range from 1 to 5.
curl -X POST https://demo.notory.io/api/v1/compliance/risks \ -H "Authorization: Bearer inv_dein_token" \ -H "Content-Type: application/json" \ -d '{ "asset_id": "a2f1c9e4-7b3d-4a11-9c2e-8f6b1d0a7e55", "risk_level": "high", "likelihood": 3, "impact": 4, "mitigation": "Festplatte verschlüsseln, MDM-Enrollment erzwingen.", "review_date": "2026-10-01", "reviewer_id": "b7c3f2a1-9d0e-4c33-a5b6-7e8f9a0b1c2d" }'Response HTTP 201 Created:
{ "id": "018f7c31-88a2-7bd1-9c04-5e6f7a8b9c0d", "tenant_id": "3d9b0c12-4e5a-4f88-b1c7-2a9e6d4f0011", "asset_id": "a2f1c9e4-7b3d-4a11-9c2e-8f6b1d0a7e55", "risk_level": "high", "likelihood": 3, "impact": 4, "mitigation": "Festplatte verschlüsseln, MDM-Enrollment erzwingen.", "review_date": "2026-10-01", "reviewer_id": "b7c3f2a1-9d0e-4c33-a5b6-7e8f9a0b1c2d", "created_at": "2026-07-08T09:25:00Z", "updated_at": "2026-07-08T09:25:00Z"}Progress the treatment — e.g. lower the risk level once countermeasures
take effect — via PUT:
curl -X PUT https://demo.notory.io/api/v1/compliance/risks/018f7c31-88a2-7bd1-9c04-5e6f7a8b9c0d \ -H "Authorization: Bearer inv_dein_token" \ -H "Content-Type: application/json" \ -d '{ "risk_level": "medium", "review_date": "2027-01-15" }'Possible errors: 401 (token missing/invalid), 403 (no write access
or Compliance not in your tier), 404 (risk not found), 422
(validation — e.g. likelihood outside 1–5 or an unknown risk_level).
What happens behind the scenes?
Section titled “What happens behind the scenes?”- Scales of 1–5:
likelihoodandimpactmust fall within the range of 1 to 5 — they span the risk matrix. Values outside that range result in 422. - Risk level is set, not calculated: Notory stores
risk_level,likelihood, andimpactindependently of each other. You choose the level deliberately — it is not automatically derived from likelihood × impact. - Asset binding:
asset_idreferences an asset belonging to your tenant. If the asset is deleted, the associated assessment is deleted with it (database cascade). - Review cycle: Review date and reviewer document the recurring review — useful for finding overdue reviews (see Compliance Status).
- Audit trail & isolation: Creator/editor with timestamp; strictly bound to your tenant.
Related topics
Section titled “Related topics”- What does the Compliance module cover?
- Add and assess a policy
- Keep track of compliance status
- Assets — Overview — find the asset ID here