Risk
Enterprise risk management inside Railbase — risk register, heat map, cumulative risk appetite, live KRI monitoring and controls testing, governed by real approval workflows.
Problems it solves
- The risk register lives in a spreadsheet: no ownership, no review dates, no audit trail, and nobody knows which version is current.
- Risk scores are opinions. There is no defensible methodology linking likelihood and impact to money — materiality, exposure, expected loss — so the board asks 'so what?' and gets silence.
- Incidents happen in finance, procurement and HR systems, but the risk function learns about them weeks later, if ever.
- Accepting or downgrading a risk takes one click by one person — no delegation-of-authority chain, no independent review, no record of who approved what.
- Control testing evidence is scattered across email and folders; every audit becomes an archaeology project.
Risk turns your Railbase into a complete enterprise risk management system: a governed risk register with a 5×5 heat map, a quantitative cumulative risk-appetite layer, event-driven key risk indicators fed by your other Railbase modules, and a full controls-testing cycle with evidence and exceptions. It is built for risk managers, internal control teams and CFOs who need defensible answers, not another spreadsheet.
Risk is a data-resident Railbase module: every risk, treatment, KRI, signal, control test and approval envelope lives in your Railbase Vault, tenant-scoped and auditable. The UI mounts at /risk the moment the marketplace install completes — no rebuild, no separate deployment.
What you get
- Risk register with real governance. Categories, owners, reviewers, inherent and residual 5×5 scoring with tenant-configurable bands, response strategies, review cycles, CSV import/export. Silent score lowering is impossible: downgrades require an explicit review note or an approval workflow.
- Cumulative risk appetite — the layer boards actually ask for. Set an assessment base (revenue, budget, asset value, payroll), a materiality alpha and a risk budget. Risk computes exposure, expected loss and the risk-materiality ratio for every risk, aggregates them by category, and tells you plainly: does cumulative expected loss exceed materiality, does total exposure burn through the risk appetite, and which disclosure tier it belongs to — monitoring, quarterly, committee, board or immediate.
- Heat map that matches the numbers. Inherent and residual 5×5 matrices with drill-down, driven by the same data as every report.
- Treatments that don't rot. Remediation actions with owners, due dates, progress and priorities; overdue items are marked automatically and escalated to owners.
- KRI monitoring wired to your business (Pro). Define key risk indicators with green/amber/red thresholds and feed them manually or from events published by other Railbase modules — budget overruns, invoice variances, payment batches, journal postings, HR separations, compliance alerts. Breaches update the KRI, notify the owner, can open a treatment automatically, and only ever raise residual scores — lowering always stays a human decision.
- Controls, assessments, evidence, exceptions (Max). A control library with design/operating effectiveness, assessment campaigns that generate test items per control, pass/fail/partial verdicts with findings and reviewer sign-off, evidence stored through Railbase's managed document repository, risk acceptances with expiry dates that revert automatically, and ISO 31000 / COSO / SOX-404 framework mappings.
- Approvals through real delegation of authority. Sensitive actions — accepting a risk, lowering a score, changing the appetite profile, approving an exception, releasing a board pack — travel through Railbase's authority matrices and task inbox. The approver sees the request in /tasks; Risk applies the change only after the approval callback, idempotently, and fails closed when no authority matrix is configured.
- Reporting without a BI project. Portfolio summary, register export, heat-map report, cumulative appetite report with snapshot history, treatments aging, KRI status, signal ingestion, breach trends, control effectiveness, assessment results, evidence coverage, exceptions calendar and a board risk pack — all tenant-scoped, all from the same live data.
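A small Python model of the score-governance rules described above (automation only ever raises a residual score, a downgrade travels through an approval envelope that is applied idempotently, the request fails closed when no authority matrix exists, and the requester cannot approve their own envelope). This is an added example, not Railbase or plugin code; it assumes residual score is likelihood times impact on the 5×5 matrix, models the authority matrix as a plain flag, and takes envelope ids from the caller.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    risk_id: str
    likelihood: int                              # 1..5 on the 5x5 matrix
    impact: int                                  # 1..5 on the 5x5 matrix
    log: list = field(default_factory=list)     # audit trail of every change

    @property
    def residual(self) -> int:                   # assumed: likelihood x impact
        return self.likelihood * self.impact

class Register:
    def __init__(self, authority_matrix: bool):
        self.authority_matrix = authority_matrix  # assumption: True when a DoA chain is configured
        self.risks: dict[str, Risk] = {}
        self.pending: dict[str, tuple] = {}       # envelope_id -> (risk_id, l, i, requester)
        self.applied: set[str] = set()            # envelopes already handled (idempotency)

    def kri_breach(self, risk_id: str, likelihood: int, impact: int) -> bool:
        """Automation path: the change applies only if the residual score goes UP."""
        r = self.risks[risk_id]
        if likelihood * impact <= r.residual:
            r.log.append(("kri_ignored_would_not_raise", likelihood, impact))
            return False
        r.likelihood, r.impact = likelihood, impact
        r.log.append(("kri_raised", r.residual))
        return True

    def request_lowering(self, envelope_id, risk_id, likelihood, impact, requester) -> str:
        """Human path: a downgrade never applies directly; it opens an approval envelope."""
        if not self.authority_matrix:
            raise PermissionError("fail closed: no authority matrix configured")
        self.pending[envelope_id] = (risk_id, likelihood, impact, requester)
        return envelope_id

    def approval_callback(self, envelope_id: str, approved: bool, approver: str) -> str:
        """Callback from the task inbox; replaying it must not apply the change twice."""
        if envelope_id in self.applied:
            return "already_applied"
        risk_id, likelihood, impact, requester = self.pending[envelope_id]
        if approver == requester:
            raise PermissionError("independent review required: requester cannot approve")
        self.applied.add(envelope_id)
        r = self.risks[risk_id]
        if approved:
            r.likelihood, r.impact = likelihood, impact
        r.log.append(("downgrade_applied" if approved else "downgrade_rejected", envelope_id, approver))
        return "applied" if approved else "rejected"
```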
How it works
- Set the appetite profile. Choose the assessment base and amount, the materiality alpha and the cumulative risk budget. The heat map works even without it; the quantitative layer switches on the moment you save.
- Build the register. Create risks or import your existing register as CSV. Each risk carries qualitative scores and, optionally, monetary exposure inputs.
- Watch the dashboard. Active risks by band, overdue treatments and reviews, cumulative RMR and the disclosure tier — with explicit warnings when expected loss exceeds materiality or exposure exceeds budget.
- Wire the signals (Pro). Add KRIs bound to event topics from your other modules. Missing producers are a normal state — indicators simply wait for data.
- Run the controls cycle (Max). Create a campaign, let it generate test items, collect verdicts and evidence, review findings, track remediations, and manage exceptions with automatic expiry.
Plans
| Plan | Monthly, per company | Unlocks |
|---|---|---|
| Basic | $499 | Register, heat map, cumulative appetite, treatments, reports, approval workflows |
| Pro | $1,499 | Everything in Basic + KRIs, cross-module signals, escalation, monitoring reports |
| Max | $4,999 | Everything in Pro + controls, assessments, evidence, exceptions, frameworks, board pack |
Pricing is flat per company per month — users, roles and approvers are not billed separately. Access inside your company is governed by Railbase RBAC role templates (director, manager, owner, reviewer, auditor, executive viewer) that ship with the plugin.
Limits and honesty
- Machine judgment is out of scope: Risk never lowers a residual score automatically and never approves anything by itself — automation raises flags, humans make decisions.
- The quantitative layer is a methodology, not an oracle: exposure and expected-loss figures are only as good as the inputs your team maintains.
- PDF/XLSX report exports are deferred until the core export binding ships; JSON and CSV are available today.
- Pro signal ingestion consumes events from other installed Railbase modules; without them, event-driven KRIs stay manual.