# How it Works

This article explains how Sprinto enables organisations to register, assess, treat, and monitor risks to meet security compliance requirements.

### Step 1: Register Risks

You can add risks in Sprinto using any of the following methods:

* **Sprinto Risk Library**: Choose from a curated list of industry-standard risks.
* **Manual Registration**: Define custom risks tailored to your organisation.
* **Bulk Upload**: Use the CSV upload option to import multiple risks at once.

Each risk carries metadata such as risk category, owner, source, CIA (confidentiality, integrity, availability) classification, and scoring parameters.

> ⚠️ Risks added through bulk upload or manual entry remain in **Incomplete** status until they have been scored (Step 2).

### Step 2: Score Risks

For each registered risk, enter the following parameters:

* **Likelihood**: Probability of occurrence before any mitigation.
* **Impact**: Severity of the consequences if the risk materialises.
* **Residual Likelihood & Impact**: The same two values after the mapped controls are applied. Neither should exceed its inherent counterpart; a residual score higher than the inherent score indicates a data-entry error.

Sprinto calculates both **inherent risk** and **residual risk** scores based on these parameters. The risk remains in **Incomplete** status until this step is completed.
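To make Steps 1 and 2 concrete, here is a small register loader that mirrors the bulk-upload and scoring workflow described above. It is an added example, not Sprinto's code: the CSV column names, the 1 to 5 scale for every parameter, and the likelihood × impact formula are assumptions for illustration, since the page does not document Sprinto's upload format or scoring model. The sample CSV is constructed and includes one risk with missing residual values (it stays Incomplete) and one whose residual score exceeds its inherent score (flagged as invalid).

```python
"""
Added example (not Sprinto's code): a minimal risk register that mirrors the
bulk-upload and scoring workflow. The CSV columns, the 1-5 scales and the
likelihood x impact formula are assumptions for illustration only.
"""
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed sample upload: two fully scored risks, one missing residual
# values, and one whose residual score is higher than its inherent score.
SAMPLE_CSV = """\
name,category,owner,cia,likelihood,impact,residual_likelihood,residual_impact
Unpatched production servers,Infrastructure,ops@example.com,A,4,5,2,5
Phishing of privileged users,People,ciso@example.com,C,5,4,3,3
Vendor data breach,Third party,legal@example.com,C,3,4,,
Lost laptop without encryption,Endpoint,it@example.com,C,2,3,4,3
"""

SCALE = range(1, 6)           # assumed: 1 (lowest) .. 5 (highest)
CIA_VALUES = {"C", "I", "A"}  # assumed single-letter CIA classification


@dataclass
class Risk:
    name: str
    category: str
    owner: str
    cia: str
    likelihood: Optional[int]
    impact: Optional[int]
    residual_likelihood: Optional[int]
    residual_impact: Optional[int]

    @property
    def inherent_score(self) -> Optional[int]:
        """Score before mitigation; None until both parameters are entered."""
        if self.likelihood is None or self.impact is None:
            return None
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> Optional[int]:
        """Score after mapped controls; None until both parameters are entered."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return self.residual_likelihood * self.residual_impact

    @property
    def status(self) -> str:
        """Incomplete until scored; Invalid if residual exceeds inherent."""
        if self.inherent_score is None or self.residual_score is None:
            return "Incomplete"
        if self.residual_score > self.inherent_score:
            return "Invalid"
        return "Scored"


def _parse_scale(value: str, field: str) -> Optional[int]:
    """Empty cell -> None (unscored); otherwise enforce the assumed 1-5 scale."""
    value = value.strip()
    if value == "":
        return None
    n = int(value)
    if n not in SCALE:
        raise ValueError(f"{field}={n} is outside the assumed 1-5 scale")
    return n


def load_register(csv_text: str) -> list:
    """Parse a bulk-upload CSV into Risk records, validating each field."""
    risks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cia = row["cia"].strip().upper()
        if cia not in CIA_VALUES:
            raise ValueError(f"unknown CIA classification {cia!r}")
        risks.append(Risk(
            name=row["name"].strip(),
            category=row["category"].strip(),
            owner=row["owner"].strip(),
            cia=cia,
            likelihood=_parse_scale(row["likelihood"], "likelihood"),
            impact=_parse_scale(row["impact"], "impact"),
            residual_likelihood=_parse_scale(row["residual_likelihood"], "residual_likelihood"),
            residual_impact=_parse_scale(row["residual_impact"], "residual_impact"),
        ))
    return risks


def summarize(risks) -> dict:
    """Map each risk name to (inherent_score, residual_score, status)."""
    return {r.name: (r.inherent_score, r.residual_score, r.status) for r in risks}


if __name__ == "__main__":
    for name, (inh, res, status) in summarize(load_register(SAMPLE_CSV)).items():
        print(f"{name:32} inherent={inh} residual={res} status={status}")
```

The two checks worth keeping whatever scoring model you use are the ones the page implies: a risk without both inherent and residual parameters is Incomplete, not silently scored as zero, and a residual score above the inherent score is rejected rather than stored.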

### Step 3: Map Controls

Controls are mitigation measures mapped to each risk. You can:

* Manually select controls relevant to your risk.
* Use **Sprinto AI** to get smart control suggestions.

Controls are mapped to compliance frameworks like SOC 2, ISO 27001, or GDPR.

> 💡 You can review each control’s applicability and associated framework before mapping.

### Step 4: Define Treatment Plan

Each risk requires a treatment approach:

* **Accept**: Acknowledge the risk and accept its residual score.
* **Transfer**: Shift responsibility for the risk to a third party (e.g. outsourcing, insurance). Accountability for the outcome still rests with your organisation, so the residual score should reflect that.
* **Further Mitigate**: Plan additional actions to lower the residual score.
* **Avoid**: Eliminate the risk by discontinuing related activities.

Sprinto lets you assign a treatment reason and add optional notes.

### Step 5: Create Treatment Tasks

For risks that require action, you can create **Risk Treatment Tasks**:

* Assign tasks to Security Hub admins.
* Set due dates and descriptions.
* Attach evidence or add notes.

Once a task is marked complete, the corresponding check status updates to **Passing**.

### Step 6: Perform Risk Assessment

Risk assessments must be conducted periodically (at least once a year). You can:

* **Assess in-app** using the risk register.
* **Upload assessment reports** from external systems.

During the assessment:

* Review each risk’s parameters.
* Register new risks if needed.
* Update control mappings and treatment plans.

### Step 7: Review by Senior Management

Once the risk assessment is completed, senior management must review it:

* Access the pending review card under **Security Hub > Review**.
* Review all risks and assessment details.
* Acknowledge the assessment to complete the process.

This sets the risk assessment system check to **Passing**.
