
Custom Organisation Risks

Custom risks illustration

The SCF Controls Platform includes a built-in risk catalog with predefined risk codes such as R-GV-1 and R-AC-1. Custom Organisation Risks extend this catalog by letting you define risks specific to your organisation that are not covered by the standard SCF risk definitions. Custom risks are fully integrated into the Risk Register and support the same assessment workflows as catalog risks.

  • The platform ships with a predefined SCF risk catalog covering governance, access control, data protection, and other domains
  • Custom Organisation Risks let you capture risks unique to your business, industry, or regulatory environment
  • Custom risks are automatically assigned sequential R-ORG-N codes (e.g., R-ORG-1, R-ORG-2, R-ORG-3)
  • They appear alongside SCF catalog risks in the Risk Register under a Custom category
  • Custom risks can be assessed using the same 5x5 likelihood x impact matrix as standard risks

  1. Navigate to the Risk Register in the sidebar (under Risk & Third Party)
  2. Click the Add Custom Risk button
  3. Fill in the form:
    • Title (required) — a concise name for the risk
    • Description (required) — a detailed description of the risk scenario, its potential causes, and consequences
    • Category defaults to Custom and displays a gray badge
  4. The system automatically assigns the next available R-ORG-N code
  5. Click Save to create the risk

The new risk appears immediately in the Risk Register and is ready for assessment.

Custom risks behave like standard SCF catalog risks with a few key differences:

Capability                     Custom Risks   SCF Catalog Risks
Likelihood / Impact scoring    Yes            Yes
Inherent risk assessment       Yes            Yes
Residual risk assessment       Yes            Yes
5x5 matrix visualisation       Yes            Yes
Deletable                      Yes            No
Pre-defined control mappings   No             Yes
Manual control linking         Yes            Automatic

  • Assess a custom risk by setting likelihood and impact scores for both inherent and residual risk, exactly as you would for a catalog risk
  • Delete a custom risk when it is no longer relevant — SCF catalog risks cannot be deleted

Unlike SCF catalog risks, which come with pre-defined control mappings, custom risks require you to link controls manually.

  1. Open the custom risk detail view by clicking on the risk in the Risk Register
  2. Navigate to the Linked Controls section
  3. Use the search field to find relevant SCF controls by code or name
  4. Select and add the controls that address or mitigate the risk

Linking controls to custom risks serves several purposes:

  • Demonstrates risk treatment — shows auditors and stakeholders how your organisation addresses each risk
  • Supports residual risk justification — explains why residual risk is lower than inherent risk
  • Improves reporting — linked controls appear in risk reports and dashboards alongside the risk
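
As an added example (not the SCF Controls Platform's own code), the following Python model shows the behaviour described above in one place: sequential R-ORG-N code assignment, 5x5 likelihood x impact scoring for inherent and residual risk, the rule that only custom risks are deletable, manual control linking, and a check for custom risks whose residual score was lowered without any linked control to justify it. Class, method and field names, and the control code used in the usage below, are assumptions.

```python
"""Added example (not the SCF Controls Platform's own code): a minimal model of
the behaviour this page describes. Class, method and field names are assumed."""
from dataclasses import dataclass, field

@dataclass
class Risk:
    code: str
    title: str
    description: str
    category: str                  # "Custom" or an SCF catalog domain
    inherent: tuple = (0, 0)       # (likelihood, impact), each 1..5; (0, 0) = unscored
    residual: tuple = (0, 0)
    linked_controls: list = field(default_factory=list)

    def score(self, which):
        # Likelihood x impact on the 5x5 matrix, for "inherent" or "residual"
        likelihood, impact = getattr(self, which)
        return likelihood * impact

class RiskRegister:
    def __init__(self, catalog):
        self.risks = dict(catalog)  # predefined SCF risks keyed by code, e.g. R-GV-1
        self._next_org = 1          # next sequential R-ORG-N number

    def add_custom_risk(self, title, description):
        if not title.strip() or not description.strip():
            raise ValueError("title and description are required")
        code = f"R-ORG-{self._next_org}"   # e.g. R-ORG-1, R-ORG-2, ...
        self._next_org += 1
        self.risks[code] = Risk(code, title, description, "Custom")
        return code

    def assess(self, code, which, likelihood, impact):
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError("likelihood and impact must be 1..5")
        setattr(self.risks[code], which, (likelihood, impact))

    def link_control(self, code, control_code):
        controls = self.risks[code].linked_controls
        if control_code not in controls:
            controls.append(control_code)

    def delete(self, code):
        if self.risks[code].category != "Custom":
            raise PermissionError("SCF catalog risks cannot be deleted")
        del self.risks[code]

    def unjustified_residual(self):
        # Custom risks scored below their inherent risk without any linked control
        return [c for c, r in self.risks.items()
                if r.category == "Custom" and 0 < r.score("residual") < r.score("inherent")
                and not r.linked_controls]
```

Running `RiskRegister(...).unjustified_residual()` after a quarterly review gives a quick list of custom risks whose residual score needs either a linked control or a corrected score.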

  • Use custom risks for organisation-specific scenarios not covered by the SCF catalog — for example, specific regulatory risks, business continuity scenarios, or operational risks unique to your industry
  • Write clear descriptions that explain the risk scenario, its root causes, and potential business impact so that anyone reviewing the Risk Register can understand the risk without additional context
  • Link custom risks to relevant controls to demonstrate your risk treatment approach and maintain a complete picture of your control coverage
  • Review custom risks quarterly alongside your standard Risk Register review to ensure they remain relevant and accurately scored
  • Remove outdated risks — unlike catalog risks, custom risks can be deleted when they no longer apply, keeping your Risk Register clean and current