Step 1: Describe the risk scenario — what could happen, what would be affected, and what the consequences would be.
Risk description
A ransomware attack encrypts the SAP S/4HANA database, rendering ERP order processing unavailable. Estimated downtime 3-5 days without backup restoration. Financial impact CHF 200K+ from lost orders, SLA penalties, and incident response costs.
Step 2: Link existing controls that already mitigate this risk. Their health feeds into the overall risk health calculation.
CTL-012 | Endpoint detection and response (EDR) | Healthy
CTL-018 | Daily backup verification | Healthy
CTL-031 | Network segmentation review | At risk
CTL-045 | Security awareness training | Unhealthy
Step 3: Assess the inherent risk — likelihood and impact before considering any controls or treatment. The red dot on the matrix shows the current position.
[Inherent risk matrix: likelihood 1-5 by impact 1-5]
Inherent score: 12 · Risk level: High
Step 4: Choose a treatment strategy. This determines how you will address the gap between inherent and target risk.
Mitigate
Transfer
Avoid
Accept
Step 5: Set target likelihood and impact — where you want the risk to be after treatment. The green dot shows the target position on the matrix.
[Target risk matrix: target likelihood 1-5 by target impact 1-5]
Target score: 2 · Target level: Low
Step 6: Create a Risk Treatment Plan (RTP) to close the gap between inherent and target risk. Link measures, assign owners, and set deadlines.
RTP-007: Ransomware resilience programme
Target: reduce from High (12) to Low (2) · Owner: CISO · Due: Q3 2026
Deploy immutable backup solution (linked to MSR-034)
Implement network micro-segmentation (linked to MSR-041)
Conduct quarterly ransomware tabletop exercise (linked to MSR-052)
Upgrade security awareness programme (linked to CTL-045)
Step 7: Monitor health. Risk health is computed in real time from three sources: linked controls, linked measures, and treatment plan progress. Toggle each to see the overall risk health react.
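The scoring and health roll-up the seven steps describe, as an added Python example; this is not the product's own code and the page does not show its formulas. It assumes that the matrix score is likelihood times impact (the page shows only the products, so 12 is taken as likelihood 3 × impact 4 and 2 as 1 × 2), the banding Low 1-4 / Medium 5-9 / High 10-16 / Critical 17-25 (only 12 → High and 2 → Low are fixed by the page), that overall risk health is the worst state among the enabled sources, and that a treatment plan's health follows from how many of its measures are complete. The measure healths, the plan progress and the risk identifier are constructed for the example.

```python
"""Risk scoring and health roll-up for the ransomware/S4HANA risk on this page.

Added example, not the product's code. Every rule marked ASSUMPTION is not
stated on the page.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Tuple


class Health(IntEnum):
    """Ordered so that max() over a list yields the worst state."""
    HEALTHY = 0
    AT_RISK = 1
    UNHEALTHY = 2


# ASSUMPTION: score bands. The page fixes only 12 -> High and 2 -> Low.
LEVEL_BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Critical"))


def score(likelihood: int, impact: int) -> int:
    """Matrix score = likelihood x impact, both on the 1-5 scale (Steps 3 and 5)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be between 1 and 5")
    return likelihood * impact


def level(s: int) -> str:
    """Map a 1-25 score to its level name using LEVEL_BANDS."""
    for lo, hi, name in LEVEL_BANDS:
        if lo <= s <= hi:
            return name
    raise ValueError(f"score {s} is outside 1-25")


@dataclass
class Control:
    id: str
    name: str
    health: Health


@dataclass
class Measure:
    id: str
    name: str
    health: Health  # constructed: the page lists measures but not their health


@dataclass
class TreatmentPlan:
    id: str
    measures: List[Measure]
    completed: int  # constructed: number of measures closed so far

    def health(self) -> Health:
        # ASSUMPTION: all done -> Healthy, some done -> At risk, none -> Unhealthy.
        if self.completed >= len(self.measures):
            return Health.HEALTHY
        return Health.AT_RISK if self.completed > 0 else Health.UNHEALTHY


@dataclass
class Risk:
    id: str
    likelihood: int
    impact: int
    target_likelihood: int
    target_impact: int
    controls: List[Control] = field(default_factory=list)
    plan: Optional[TreatmentPlan] = None

    def inherent(self) -> Tuple[int, str]:
        s = score(self.likelihood, self.impact)
        return s, level(s)

    def target(self) -> Tuple[int, str]:
        s = score(self.target_likelihood, self.target_impact)
        return s, level(s)

    def health(self, use_controls: bool = True, use_measures: bool = True,
               use_plan: bool = True) -> Health:
        """Step 7: roll up the toggled sources. ASSUMPTION: worst state wins."""
        states = [Health.HEALTHY]
        if use_controls:
            states += [c.health for c in self.controls]
        if self.plan is not None:
            if use_measures:
                states += [m.health for m in self.plan.measures]
            if use_plan:
                states.append(self.plan.health())
        return max(states)


def build_example() -> Risk:
    """The page's risk with the control healths it shows (Step 2) and the RTP of Step 6."""
    controls = [
        Control("CTL-012", "Endpoint detection and response (EDR)", Health.HEALTHY),
        Control("CTL-018", "Daily backup verification", Health.HEALTHY),
        Control("CTL-031", "Network segmentation review", Health.AT_RISK),
        Control("CTL-045", "Security awareness training", Health.UNHEALTHY),
    ]
    measures = [  # healths and progress are constructed, not from the page
        Measure("MSR-034", "Immutable backup solution", Health.HEALTHY),
        Measure("MSR-041", "Network micro-segmentation", Health.HEALTHY),
        Measure("MSR-052", "Quarterly ransomware tabletop exercise", Health.HEALTHY),
    ]
    plan = TreatmentPlan("RTP-007", measures, completed=1)
    # ASSUMPTION: 12 = 3 x 4 and 2 = 1 x 2; the page shows only the products.
    return Risk("ransomware-s4hana", 3, 4, 1, 2, controls, plan)


if __name__ == "__main__":
    r = build_example()
    print("inherent", r.inherent(), "target", r.target())
    for toggles in ({}, {"use_controls": False}, {"use_controls": False, "use_plan": False}):
        print(toggles or "all sources", r.health(**toggles).name)
```

Running it shows what Step 7's toggles do under the worst-state rule: with all sources enabled the unhealthy CTL-045 drives the risk to Unhealthy, dropping controls leaves the partly-complete plan as the worst source (At risk), and dropping the plan too leaves only the constructed healthy measures. Whatever aggregation your tool actually uses, the test to run is the same: flip one source at a time and confirm the overall health moves in the direction the source's state predicts.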