
Manage a Risk

This article guides you through the quantitative risk management process end-to-end. The AI risk management process is iterative, and you will likely move back and forth between the steps below as your understanding of a risk matures.

What is a Risk

A risk, in the context of compliance, is a potential event or circumstance that could negatively impact an organization's ability to meet its regulatory obligations, achieve its business objectives, or maintain its reputation. Risks represent uncertainties that, if realized, may lead to non-compliance, financial losses, or other adverse outcomes. Learn more about Risks.

Requirements

  • You're logged into the Modulos platform
  • You have access to a project and you're assigned the editor role
  • For organization-level risk management configuration, you need the Risk Manager role or organization administrator rights

Risk Manager Role

The Risk Manager is an organization-level role responsible for maintaining and configuring risk management across the organization. Risk Managers have the authority to:

  • Configure organization-wide risk appetite and limits
  • Define risk taxonomy, threat vectors, and risk categories
  • Set category limits and project risk allocation methods
  • Oversee risk management practices across all projects

Risk Management Configuration

Before creating and quantifying risks in projects, the organization must configure its risk management settings.

Step 1: Access Risk Management Settings

Navigate to Organization Settings → Risk Management to access the risk management configuration area.

Risk Management Tabs

The Risk Management section contains four key tabs:

1. Risk Overview

The Risk Overview dashboard provides a comprehensive view of all risks across the organization, including:

  • Total risk exposure across all projects
  • Risk distribution by category
  • Project-level risk summaries
  • Risk trends and analytics

Risk Overview Dashboard

2. Risk Taxonomy

Define the organization's risk structure, including:

  • Risk Categories: Classifications for different types of risks (e.g., Financial, Operational, Compliance, Reputational)
  • Threat Vectors: Specific sources or pathways through which risks may materialize
  • Risk Classification: Hierarchical organization of risk types

Risk Taxonomy Configuration

3. Risk Limits

Configure organization-wide risk parameters:

  • Total Organization Risk Appetite: The maximum aggregate risk exposure the organization is willing to accept
  • Category Limits: Maximum monetary value of risk per risk category

These limits ensure that the organization's total risk exposure remains within acceptable bounds.

Risk Limits Configuration

4. Project Risk Limits

Define how risk limits are allocated across projects using one of two methods:

Economic Value-Based Allocation:

  • Projects receive risk budgets proportional to their annual economic value
  • Higher-value projects receive larger risk allocations
  • Ensures risk limits align with business impact

Equal Distribution (Default):

  • Risk limits are distributed equally across all projects
  • Simpler approach suitable when projects have similar strategic importance

Project Risk Limits Configuration

Step 2: Set Total Risk Appetite

Configure the organization's overall risk appetite:

  1. Navigate to Risk Management → Risk Limits
  2. Enter the Total Organization Risk Appetite as a monetary value
  3. This represents the maximum risk exposure across all projects

Step 3: Configure Category Limits

Define maximum risk exposure for each risk category:

  1. In the Risk Limits tab, set monetary limits for each category
  2. Ensure the sum of category limits aligns with your total risk appetite
  3. Consider regulatory requirements and organizational priorities when setting limits
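
The two allocation methods from Project Risk Limits and the category-limit check from Steps 2 and 3, as an added example that is not Modulos platform code. The project names and monetary values are constructed sample data.

```python
# Added example, not Modulos platform code: allocate the organization's total
# risk appetite to projects with the two methods described above, and check
# that the category limits do not add up to more than the total appetite.
# All project names and monetary values below are constructed sample data.

def allocate_project_limits(total_appetite, projects, method="equal"):
    """Return {project_name: risk_limit}.
    projects maps each project name to its annual economic value.
    method="equal": every project gets the same share (the platform default).
    method="economic_value": shares proportional to annual economic value.
    """
    if total_appetite < 0:
        raise ValueError("total risk appetite must be non-negative")
    if not projects:
        return {}
    if method == "equal":
        share = total_appetite / len(projects)
        return {name: share for name in projects}
    if method == "economic_value":
        total_value = sum(projects.values())
        if total_value <= 0:
            raise ValueError("economic value-based allocation needs a positive total value")
        return {name: total_appetite * value / total_value
                for name, value in projects.items()}
    raise ValueError(f"unknown allocation method: {method}")


def validate_category_limits(total_appetite, category_limits):
    """Return (ok, sum_of_limits); ok is False when a limit is negative or
    the limits add up to more than the organization's total risk appetite."""
    total = sum(category_limits.values())
    if any(limit < 0 for limit in category_limits.values()):
        return False, total
    return total <= total_appetite, total


# Constructed sample organization: appetite of 1,000,000 and three projects.
TOTAL_APPETITE = 1_000_000
PROJECTS = {"Credit scoring model": 3_000_000, "Chatbot": 1_000_000,
            "Fraud detection": 1_000_000}
CATEGORY_LIMITS = {"Financial": 400_000, "Operational": 300_000,
                   "Compliance": 200_000, "Reputational": 100_000}

if __name__ == "__main__":
    for method in ("equal", "economic_value"):
        print(method, allocate_project_limits(TOTAL_APPETITE, PROJECTS, method))
    print("category limits within appetite:",
          validate_category_limits(TOTAL_APPETITE, CATEGORY_LIMITS))
```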

Project Types and Risk Quantification

The platform supports two types of projects with different risk capabilities:

AI Application Projects

AI Application projects support risk quantification. These projects:

  • Can create and quantify risks using monetary values
  • Contribute to organization-wide risk exposure
  • Require Annual Economic Value configuration in Project Settings

Organization Projects

Organization projects do not support risk quantification. These projects:

  • Can track risks qualitatively
  • Do not contribute to quantitative risk limits
  • Are used for general organizational compliance activities

Risk Management Workflow

Step 1: Create an AI Application Project

  1. Create a new project and select AI Application as the project type
  2. Configure the project according to your AI system requirements

Step 2: Set Project Annual Economic Value

  1. Navigate to Project Settings → General
  2. Enter the Annual Economic Value for the project
  3. This value is used for economic value-based risk allocation (if selected)

Setting Project Annual Economic Value

Step 3: Create a Risk

You can create a new risk in the following ways:

  1. On the Risk tab of your project, click + New Risk to start the process

  2. Alternatively, create a risk directly from a Control by clicking Associate to a Risk in the sidebar

  3. Provide a descriptive name for the risk

    NOTE: Some organizations will use specific naming conventions for risk management.

  4. Assign a user who will be responsible for this Risk in the sidebar

Step 4: Risk Quantification

After creating the Risk, you can quantify it using one of four methods. Each method provides a different approach to calculating the monetary impact of the risk.

Risk Quantification Methods

Method 1: Risk Matrix

The Risk Matrix method provides a structured approach to risk quantification based on impact and likelihood ratings.

How it works:

  1. Risk Impact: Rate the potential severity of the risk on a predefined scale (e.g., 1-5 or Low/Medium/High)
  2. Risk Likelihood: Estimate the probability of the risk occurring
  3. Risk Detection: Assess your ability to detect the risk before it materializes
  4. Monetary Mapping: Each combination of impact and likelihood maps to a monetary value based on your organization's risk matrix

When to use:

  • Quick risk assessments requiring consistent evaluation
  • When historical data provides reliable impact/likelihood mappings
  • For standardized comparison across multiple risks

Output: The method calculates a Risk Priority Number (RPN) and maps it to a monetary value representing the expected loss.

Risk Matrix Quantification

Method 2: Manual Entry

Manual Entry allows direct input of the risk's monetary value based on expert judgment or external analysis.

How it works:

  1. Enter the estimated monetary impact of the risk directly
  2. Provide justification and supporting documentation for the estimate
  3. Link to relevant evidence or analysis that supports the valuation

When to use:

  • When you have specific data from external risk assessments
  • For risks with clear, calculable financial impacts
  • When regulatory guidance provides specific monetary values
  • For risks analyzed by external consultants or actuaries

Output: The manually entered monetary value becomes the quantified risk value.

Manual Entry Quantification

Method 3: Scenario Analysis

Scenario Analysis evaluates multiple potential outcomes with different probabilities and impacts.

How it works:

  1. Define Scenarios: Create multiple scenarios representing different potential outcomes (e.g., Best Case, Most Likely, Worst Case)
  2. Assign Probabilities: Assign a probability to each scenario (must sum to 100%)
  3. Estimate Impact: Provide the monetary impact for each scenario
  4. Weighted Calculation: The system calculates the expected value using: Expected Value = Σ(Probability × Impact)

When to use:

  • When a risk has distinct possible outcomes with different impacts
  • For complex risks with multiple potential materialization paths
  • When you can estimate probabilities based on historical data or expert judgment

Output: A probability-weighted expected monetary loss value.
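
The Scenario Analysis calculation above, as an added example that is not Modulos platform code: it enforces the rule that probabilities must sum to 100% and reports each scenario's contribution to the expected loss. The scenario names, probabilities and impacts are constructed sample data.

```python
# Added example, not Modulos platform code: Expected Value = sum(probability x impact)
# over the defined scenarios, with the page's constraint that the scenario
# probabilities must sum to 100%. Sample scenarios below are constructed.

def scenario_expected_value(scenarios, tolerance=1e-6):
    """scenarios: list of (name, probability_percent, monetary_impact).
    Returns (expected_value, {name: contribution}) or raises ValueError when
    a probability or impact is invalid or the probabilities do not sum to 100%.
    """
    if not scenarios:
        raise ValueError("at least one scenario is required")
    total_probability = 0.0
    contributions = {}
    for name, probability, impact in scenarios:
        if not 0 <= probability <= 100:
            raise ValueError(f"{name}: probability {probability}% is outside 0-100%")
        if impact < 0:
            raise ValueError(f"{name}: impact must be a non-negative monetary value")
        total_probability += probability
        contributions[name] = probability / 100 * impact
    if abs(total_probability - 100) > tolerance:
        raise ValueError(f"probabilities sum to {total_probability}%, not 100%")
    return sum(contributions.values()), contributions


# Constructed sample: a model-drift risk with three outcomes.
DRIFT_SCENARIOS = [
    ("Best Case", 50, 20_000),     # caught by monitoring, minor rework
    ("Most Likely", 35, 120_000),  # customer remediation and retraining
    ("Worst Case", 15, 800_000),   # regulatory fine plus reputational loss
]

if __name__ == "__main__":
    ev, parts = scenario_expected_value(DRIFT_SCENARIOS)
    print(f"expected loss: {ev:,.0f}")
    for name, part in parts.items():
        print(f"  {name}: {part:,.0f}")
```

Note that the Worst Case scenario dominates the expected loss despite its low probability, which is the kind of insight the per-scenario breakdown is meant to surface.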

Scenario Analysis Quantification

Method 4: Monte Carlo Simulation

Monte Carlo Simulation uses statistical modeling to simulate thousands of possible outcomes, providing a probabilistic distribution of risk values.

How it works:

  1. Define Input Variables: Specify key risk parameters (e.g., frequency, severity, exposure)
  2. Set Distributions: Choose probability distributions for each variable (normal, triangular, uniform, etc.)
  3. Run Simulation: The system performs thousands of iterations, randomly sampling from the distributions
  4. Analyze Results: Review the probability distribution of outcomes, including percentiles (e.g., P50, P90, P95)

When to use:

  • For complex risks with multiple uncertain variables
  • When you need confidence intervals around risk estimates
  • For regulatory reporting requiring statistical rigor (e.g., capital adequacy)
  • When understanding tail risks (extreme outcomes) is important

Output: A probability distribution showing the range of possible outcomes, including expected value, median, and confidence intervals.
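
A small Monte Carlo simulation of the kind described above, as an added example that is not Modulos platform code. The input variables, their distributions and parameter values are constructed assumptions: annual event frequency drawn from a uniform distribution, loss per event from a triangular distribution, exposure (the fraction of the asset at risk) from a uniform distribution, and the annual loss taken as their product.

```python
# Added example, not Modulos platform code: a Monte Carlo simulation that
# samples the input variables thousands of times and reports the expected
# value, median and tail percentiles. Distributions and parameters below are
# constructed assumptions, not values from the platform.
import math
import random
import statistics

def simulate_annual_loss(iterations=20_000, seed=12345,
                         frequency=(0.5, 2.0),                # events/year, uniform
                         severity=(10_000, 100_000, 30_000),  # low, high, mode: triangular
                         exposure=(0.8, 1.0)):                # fraction at risk, uniform
    """Return a sorted list of simulated annual losses (frequency x severity x exposure)."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible for review
    low, high, mode = severity
    losses = []
    for _ in range(iterations):
        f = rng.uniform(*frequency)
        s = rng.triangular(low, high, mode)
        e = rng.uniform(*exposure)
        losses.append(f * s * e)
    losses.sort()
    return losses

def percentile(sorted_values, p):
    """Nearest-rank percentile (p in 0-100) of an already sorted list."""
    rank = math.ceil(p / 100 * len(sorted_values))
    return sorted_values[max(0, min(len(sorted_values) - 1, rank - 1))]

def summarize(losses):
    """Expected value, median and the tail percentiles the page mentions."""
    return {
        "expected_value": statistics.fmean(losses),
        "P50": percentile(losses, 50),
        "P90": percentile(losses, 90),
        "P95": percentile(losses, 95),
        "max": losses[-1],
    }

if __name__ == "__main__":
    for key, value in summarize(simulate_annual_loss()).items():
        print(f"{key:>15}: {value:,.0f}")
```

With the assumed independent inputs the analytic expected loss is the product of the means (1.25 × 46,667 × 0.9 ≈ 52,500), so the simulated expected value should land close to that while P90 and P95 show how much worse the tail can be.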

Monte Carlo Simulation Quantification

Step 5: Review Quantified Risk

After quantification, review the risk assessment:

  1. Verify the monetary value aligns with your expectations
  2. Check against project risk limits to ensure compliance
  3. Compare with category limits to confirm the risk fits within organizational constraints

Quantified Risk Summary

Risk Management Best Practices

Choosing a Quantification Method

  • Risk Matrix: Best for initial assessments and consistent comparative analysis
  • Manual Entry: Use when external data or specific calculations are available
  • Scenario Analysis: Ideal for risks with distinct possible outcomes
  • Monte Carlo Simulation: Required for complex risks or regulatory capital calculations

Maintaining Risk Limits

  • Regularly review risk appetite in response to business changes
  • Monitor aggregate risk exposure across projects
  • Adjust category limits based on strategic priorities
  • Re-quantify risks when material conditions change

Integration with Compliance

  • Link risks to relevant controls to demonstrate mitigation efforts
  • Use risk quantification to prioritize control implementation
  • Ensure treatment strategies are documented with evidence
  • Maintain audit trail of all quantification methodologies and assumptions

Key Concepts

Risk Appetite: The total amount of risk an organization is willing to accept in pursuit of its objectives

Expected Value: The probability-weighted average of all possible outcomes

Confidence Interval: A range within which the true risk value is likely to fall with a given probability (e.g., 95% confidence interval)


The quantitative risk management process on the Modulos platform is based on best practices from various laws and industry standards, including ISO/IEC 23894:2023 "Information technology — Artificial intelligence — Guidance on risk management" and ISO 31000:2018 "Risk management — Guidelines".