Risk Management

A risk register built on evidence

Six stages turn approved assessments into a governed, evidence-linked risk register — with every entry traceable, every owner named, and every treatment tracked.

01Readiness02Extraction03Consistency04Treatment05Governance06Dashboards

Get started →

Acompli Risk Management Brochure — page 1

View brochure

The risk workflow

From assessment to action — with nothing lost in between

Acompli builds your risk register directly from approved assessments — extraction, consistency checks, treatment plans, and dashboards in one governed workflow.

01Readiness

A readiness check before anything runs

Before any extraction begins, a readiness assessment validates whether the assessment covers the questions needed for meaningful risk identification, where quality signals are strong, and which areas are likely to produce low-confidence results.

The DPO knows whether the data is ready before any AI analysis runs — not after a set of unreliable results has already been generated.

Coverage validation

Does the assessment cover the questions needed for meaningful risk identification?

Quality prediction

Where are signals strong? Where are inputs missing or likely to produce low-confidence results?

Proceed or improve

Clear recommendation on whether to proceed with extraction or improve the assessment first.

02Extraction

Risks extracted from the whole assessment

Acompli analyses the complete set of responses holistically — identifying cross-question patterns, contextual risks, and control gaps that isolated analysis would miss. Each extracted entry includes structured fields, confidence scoring, and grounding verification.

The DPO reviews each proposed entry, accepting, adjusting, or rejecting individual fields before anything is published. The register reflects human decisions, supported by machine-generated analysis.

Risk Extraction — Employee Monitoring DPIA

Excessive data collectionCritical

Inadequate legal basisHigh

Retention period overreachHigh

Cross-border transfer exposureMedium

Consent withdrawal mechanismLow

Processor contractual gapsMedium

Inherent risk levels

CriticalHighMediumLow

03Consistency

Consistency analysis catches what humans miss

Consistency analysis runs automatically on each extraction batch, identifying duplicates, severity mismatches, and control contradictions.

An overall quality score aggregates all checks into a single readiness indicator, with a clear recommendation on whether the batch is ready for DPO review. Probing questions resolve ambiguity while context is still accessible.

Duplicate detection

Same risk captured from different questions — similarity scores and suggestions to merge or cross-reference.

Severity inconsistencies

Similar risks rated differently without documented rationale. Control effectiveness vs risk gap contradictions.

Probing questions

Targeted clarifying questions for ambiguous responses — tracked through pending, answered, dismissed, or resolved.

Quality →Overall quality score with clear recommendation on review readiness

04Treatment

Treatment plans that track to completion

Every risk in the register supports a structured treatment plan with a defined strategy, named owners, costed actions, and ROI tracking.

Each treatment plan is a managed programme of work, accountable to named individuals, with measurable outcomes. Budget allocated and budget spent are tracked against the plan.

Mitigate

Implement controls to reduce likelihood or impact to an acceptable level.

Avoid

Redesign the processing activity to eliminate the risk entirely.

Transfer

Address risk contractually — through processor agreements or insurance.

Accept

Document a reasoned decision to tolerate risk within defined thresholds.

Tracked →Named owners, due dates, cost estimates, progress tracking, and ROI measurement

05Governance

Designed for review, control, and traceability

Risks are proposed by AI, but the register is owned by humans. Every stage of the process is controlled, auditable, and reversible. Nothing enters the register until a human approves it.

Enterprise organisations operating across multiple legal entities get entity-level segregation with consolidated group-level reporting. Entity-scoped users see only the risks relevant to their entity.

Draft-first workflow

Extracted risks presented as drafts. Nothing published without human approval.

Evidence-linked entries

Every risk traces to its source assessment question, response, and approval.

Complete audit history

Every decision, edit, approval, and status change permanently recorded.

Grounding verification

Every AI claim verified against actual assessment text. Nothing asserted without source evidence.

06Dashboards

Dashboards that reflect the current truth

Risk heatmaps, trend analysis, severity distribution by category, treatment progress, residual exposure — all derived from live data, not a quarterly export. When the status changes in Acompli, the dashboard changes.

Filter by business unit, legal entity, risk category, or processing activity. Export to PDF for board packs, Excel for audit committees, or sync via the external API with custom field mapping for downstream GRC platforms.

Risk heatmap

4×4 likelihood-by-impact matrix with drill-down to individual risks per cell.

Status distribution

Open, In Treatment, Mitigated, Accepted, and Closed — at a glance.

Monthly trends

Time-series view of how the register is evolving over time.

Ageing buckets

Risks grouped by age to highlight entries going stale.

Owner breakdown

Risk distribution by assigned owner, prioritising critical and high severity.

GRC export & API

PDF for board packs, Excel for audit, and API with custom field mapping.

See risk management in action

No separate GRC subscription. Readiness checks, structured extraction, evidence linking, treatment plans with ROI tracking, real-time dashboards — all connected to your DPIAs, RoPA, and data map in one platform.

Get started →Book a demo