Step-by-step guide to completing an operational risk assessment, with screenshots from a full walkthrough.
This guide walks through a complete operational risk assessment — from sign-in to final report. For session and billing behaviour see How assessments work and How billing works.
Overview
An operational risk assessment in Riskonami is a guided, ten-phase workflow. You describe the system, build an architectural model, assess controls and threats, estimate risk, plan remediation, and produce a final report. This walkthrough follows a complete assessment captured on 2026-05-22.
Before you start
Open the product home page, sign in, and launch Risk Assessment from the Assessments menu.
Product home and Assessments menu
The product landing page. From the top navigation, under Assessments, choose Operational risk assessment to begin a workflow.
Sign in
You must be signed in to run an assessment. Sign-in is currently via Google; local sign-in is not supported. Microsoft sign-in is planned.
Phase 1 — Identify assets and CIA impacts
Capture who owns the system, what it does, and which technologies matter. Optional AI enrichment gathers public context about the organisation and stack.
System profile questions
When you enter the assessment, Phase 1 asks for product information: the system under review, owners, purpose, and technologies in use. Technology choices matter because they are used later to infer vulnerability and enrichment context.
AI enrichment
Each phase can offer AI enrichment: the product researches the company, product, and technology stack and stores additional context for later phases.
Review Phase 1 artifact
At the end of Phase 1, use the status panel to review what was captured. View the phase JSON, open DOT diagrams when available, or switch to a table view. Use Reset phase to restart if needed; validation alerts appear when JSON has problems.
Phase 2 — Build the architectural model
Model trust zones, applications, and data flows manually or by uploading a diagram. Review the import, inspect the DOT preview, and confirm CTL security attributes used in later phases.
Add zones, apps, and flows — or import a diagram
Phase 2 builds an architectural model. From the action menu you can add trust zones, applications, and data flows, set attributes, and define relationships. You can edit or remove objects at any time.
The fastest path is often to upload a system diagram. Valid sources include Excalidraw, draw.io, the Microsoft Threat Modeling Tool, and OWASP Threat Dragon. Export or save your diagram as PNG (or another supported image format), then import it in the assessment UI. AI infers trust zones, applications, and data flows from the diagram.
When importing, choose a confidence level for inferred facts (Balanced is recommended; a more liberal setting accepts wider AI suggestions).
Example diagram suitable for import
Diagram import in the assessment UI
Approve diagram import
After importing a diagram, review and approve the import. Confirm the trust zones, applications, and data flows inferred by AI before continuing.
Architecture diagram (DOT) preview
The DOT diagram preview shows trust zones, applications, and flows. Use it to verify the model, then edit manually or re-upload a revised diagram if needed.
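To make the model structure concrete, here is an added illustrative DOT graph of the kind the preview could show: trust zones as clusters, applications as nodes, and data flows as labelled edges. It is written for this guide and is not Riskonami's own output or schema; the zone names, applications, flow labels, and the "zone"/"flow" attributes are constructed assumptions, so the actual preview will differ in naming and detail.

```dot
// Illustrative architectural model, constructed for this guide (not product output).
digraph architecture {
  rankdir = LR;
  node [shape = box];

  // Trust zones are modelled as clusters; the "zone" attribute is an assumed label.
  subgraph cluster_internet {
    label = "Internet (untrusted)";
    zone = "untrusted";
    browser [label = "Customer browser"];
  }

  subgraph cluster_dmz {
    label = "DMZ";
    zone = "semi-trusted";
    gateway [label = "API gateway"];
  }

  subgraph cluster_internal {
    label = "Internal network";
    zone = "trusted";
    orders  [label = "Order service"];
    db      [label = "Orders database", shape = cylinder];
  }

  // Data flows are edges; a flow that crosses a cluster boundary crosses a trust boundary,
  // which is exactly the kind of flow the later control and threat phases focus on.
  browser -> gateway [label = "HTTPS / customer data", flow = "boundary-crossing"];
  gateway -> orders  [label = "HTTPS / order requests", flow = "boundary-crossing"];
  orders  -> db      [label = "TLS / SQL",             flow = "internal"];
}
```

Rendering this with `dot -Tpng` from Graphviz gives a picture with the same three elements the preview exposes (zones, applications, flows), which makes it easier to check that an imported diagram was inferred correctly before overriding attributes by hand.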
CTL security attributes
Import also infers CTL security attributes for applications, trust zones, and data flows. These attributes are required in later risk phases. Override or refine them at any time.
Quick picks
The quick picks panel offers common next actions while you finish the architectural model.
Phase 3 — Assess current controls
Scope controls from the catalogue, optionally enrich with best-practice suggestions, then record implementation status per control.
Scope controls from the catalogue
After the architectural model is complete, Phase 3 derives the controls relevant to the model (often a large set). Accept all controls, an average subset (~half, priority-sorted), or a minimal top-10 set by relevance.
Enrich control selection with GPT
With a scoped set (for example minimal), you can enrich with GPT to suggest additional best-practice controls beyond the configured catalogue (such as ISO).
Review catalogue and best-practice controls
AI returns proposed controls: confirmed catalogue controls plus BP (best practice) items not in the base catalogue. Accept or reject the full proposal; you can edit individual controls later.
Control scope table
Review the control table in detail to see what is in scope and out of scope before implementation assessment.
Default implementation status
After scoping, set a default implementation status for all in-scope controls: implemented, partially implemented, not implemented, planned, or will not do. Override per control afterward.
Per-control implementation
Adjust each control to its actual implementation level individually.
Finish Phase 3
At the end of Phase 3 you can review out-of-scope controls and re-include them if needed, then mark Phase 3 complete and move to Phase 4.
Phase 4 — Identify relevant threats
Select threat actors, enumerate threats, enrich with AI, and refine individual threat rows.
Threat actors
Phase 4 recommends threat actors from CTL attributes in the architectural model. Include or exclude actors (for example competitive customers or environmental threats) before threat enumeration.
Threats per actor
Threats are listed per actor. You can enrich with AI to add known vulnerabilities and additional threats, then review how broadly each threat affects flows and applications.
AI threat enrichment results
After AI enrichment, review detected threat types and affected apps and data flows. Accept or reject the proposal, then refine individual rows.
Edit individual threats
Individual threats can be modified, updated, or clarified after enrichment.
Phase 5 — Estimate likelihood and impact
Review baseline likelihoods, then run VL (Vulnerability Level) and TEL (Threat Event Level) AI enrichment for organisation-specific estimates with rationale.
Likelihood estimation
Phase 5 estimates likelihood. Initial values are raw lookups and do not yet reflect controls, implementation status, threat actors, or your environment. Run VL (Vulnerability Level) enhancement for organisation-specific estimates.
VL enrichment in progress
The VL enrichment submission shows context being sent to AI while estimates are refined.
VL enrichment results
VL enrichment results include rationale explaining why vulnerability levels were set.
TEL enrichment results
Run TEL (Threat Event Level) enrichment so AI estimates threat strength and likelihood. The results table lists vulnerabilities, compromise likelihood, and assistant rationale per threat.
Phase 6 — Compute inherent risk
Review inherent risk ranked by severity and adjust individual rows before confirming.
Inherent risk table
Phase 6 shows inherent risk in a table sorted from highest to lowest severity. Scroll and edit individual risk rows before confirming.
Phase 7 — Propose compensating controls
Work through compensating controls for loaded threats and use AI to suggest additional controls.
Compensating controls list
Phase 7 lists loaded threats and supports an AI enrichment cycle to suggest compensating controls.
Suggested compensating controls
AI suggests additional compensating controls during the Phase 7 enrichment cycle.
Phase 8 — Create remediation plan
The remediation worksheet lists controls to implement. AI enrichment can propose owner, effort, and cost.
Remediation plan worksheet
Phase 8 opens the remediation plan worksheet with controls you agreed to implement. AI enrichment can recommend owner, effort, and cost per item.
Phase 9 — Assess residual risk
The residual risk worksheet ties threats to vulnerabilities, controls, and remediation status.
Residual risk worksheet
The residual risk worksheet lists each threat with related vulnerabilities and controls, including remediation status. Edit rows to record which risks you will address by implementing specific controls.
Phase 10 — Generate the final report
Configure report audience and purpose, preview HTML, edit Markdown, run AI fill for narrative sections, then issue the report.
Report setup
Phase 10 configures the final report: target audience, purpose, and amount of detail. Generate a template and preview before issuing.
HTML report preview
Preview the report in HTML before AI fill and manual edits.
Markdown editor and preview
Edit report content in Markdown on the left with a live preview on the right. Run AI fill for sections marked in the template (introductions, conclusions, executive summaries). Avoid breaking structural comments used for enrichment; use Restart if the template becomes invalid.
Conclude the assessment
Issuing the report consumes a credit and archives the session. Clone to continue work; download PDF, HTML, or DOCX from your profile.
Archived assessment and downloads
Concluding the assessment consumes a credit and archives the session (it can no longer be edited). Clone to start a new run from the same work. Download the assessment and report as PDF, HTML, or DOCX. From your profile you can clone assessments, reopen previous runs, or download finished reports.