Risk Models

Build risk matrices that match how your business measures risk

For ISOs and CISOs who need a risk framework that reflects their organization's context — not a fixed scale they argue against in every assessment.
For: ISO, CISO. Maps to: ISO 27001:2022 Clause 6.1.2; ISO 27001:2022 Annex A 5.34; GDPR Art. 35.
The challenge

A fixed scale you argue against in every assessment

Most tools ship one risk scale and expect every assessment to bend to it. A 5×5 matrix with one definition of "high" likelihood, one notion of "severe" damage, and one scoring method rarely matches how a regulated business actually weighs exposure.

When the model doesn't fit, assessors improvise. Scoring drifts between scenarios, two analysts rate the same risk differently, and the methodology you present to an auditor or the board can't be defended as consistent.

The result is a risk register that looks complete but can't be relied on — because the rules underneath it were never yours.

What you can do

What you can do with configurable risk models

  • Build multiple risk models per company — one per entity, domain, or assessment type.
  • Define your own likelihood and damage dimensions, each with the levels your methodology uses.
  • Configure the matrix — map every likelihood-vs-damage cell to a risk category, including 5×5 layouts.
  • Choose additive or multiplicative scoring per model, so the math matches your method.
  • Set thresholds and scoring bands from minimal through critical to turn scores into ratings.
  • Value damage in your chosen currency for consistent estimates across entities.
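The following is an added, constructed illustration of the model described in the list above; it is not Priverion's code and the level names, bands and override are assumptions. It shows why scoring bands must belong to the model that uses them: additive scores run 2..10 and multiplicative scores run 1..25, and the same likelihood/damage cell can land in different ratings under the two methods, which is exactly the assessor-to-assessor drift a single shared model removes.

```python
from dataclasses import dataclass, field

# Constructed 5x5 example; level names are illustrative, not the product's own.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
DAMAGE = ["negligible", "minor", "moderate", "major", "severe"]


@dataclass
class RiskModel:
    name: str
    method: str                  # "additive" (L + D) or "multiplicative" (L x D)
    bands: list                  # [(inclusive upper score, rating)], ascending
    overrides: dict = field(default_factory=dict)  # (L, D) -> rating, wins over score
    active: bool = True          # inactive models are kept for history, not new scoring

    def score(self, l: int, d: int) -> int:
        if not (1 <= l <= len(LIKELIHOOD) and 1 <= d <= len(DAMAGE)):
            raise ValueError(f"level out of range: L={l}, D={d}")
        return l + d if self.method == "additive" else l * d

    def rate(self, l: int, d: int) -> str:
        # An explicit matrix cell beats the computed score, so a methodology can
        # pin e.g. "severe damage is never below high" regardless of likelihood.
        if (l, d) in self.overrides:
            return self.overrides[(l, d)]
        s = self.score(l, d)
        return next(rating for upper, rating in self.bands if s <= upper)

    def matrix(self) -> list:
        # Rows are likelihood levels, columns are damage levels.
        return [[self.rate(l, d) for d in range(1, 6)] for l in range(1, 6)]


# Bands are defined per model: a threshold set written for 2..10 would be
# wrong for a model whose scores span 1..25, and vice versa.
ADDITIVE = RiskModel("Entity A (additive)", "additive",
                     [(3, "minimal"), (5, "low"), (7, "medium"), (9, "high"), (10, "critical")],
                     overrides={(1, 5): "high"})
MULTIPLICATIVE = RiskModel("Entity B (multiplicative)", "multiplicative",
                           [(2, "minimal"), (5, "low"), (10, "medium"), (16, "high"), (25, "critical")])


def disagreements(a: RiskModel, b: RiskModel) -> list:
    """Cells the two models rate differently: the drift one shared model removes."""
    return [(l, d) for l in range(1, 6) for d in range(1, 6) if a.rate(l, d) != b.rate(l, d)]


if __name__ == "__main__":
    for model in (ADDITIVE, MULTIPLICATIVE):
        print(model.name)
        for name, row in zip(LIKELIHOOD, model.matrix()):
            print(f"  {name:>14}: {row}")
    print("cells rated differently:", disagreements(ADDITIVE, MULTIPLICATIVE))
```

Running it prints both matrices and the eight cells on which the two constructed models disagree, for example likelihood 5 / damage 1 is "medium" additively but "low" multiplicatively.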
Business outcomes

What it delivers to your program

  • Consistent scoring across every scenario — one defined model removes assessor-to-assessor drift.
  • A methodology you can defend — present a documented, deliberate framework to auditors and the board.
  • Faster setup — generate a starting model with AI assistance and auto-translation, then refine it.
  • Controlled change — active/inactive status lets you revise models without silently rescoring history.
  • A framework that fits the business — measure risk the way you already do, not how a tool dictates.
Built for compliance

DPMS helps you evidence the specific obligations that govern your risk methodology — mapped to the clause and control, never to "the standard."

What DPMS does | Maps to | How
Defines and documents the risk assessment methodology | ISO 27001:2022 Clause 6.1.2 | Configurable likelihood/damage criteria and acceptance thresholds per model
Applies criteria consistently across assessments | ISO 27001:2022 Clause 8.2 | Shared models with fixed matrices and scoring bands
Maintains the methodology as controlled documented information | ISO 27001:2022 Annex A 5.34 | Model versioning with active/inactive status
Supports risk evaluation behind data protection assessments | GDPR Art. 35 | Likelihood-and-severity scoring reusable in DPIA risk work
See how this maps to your obligations — book a 30-minute demo.
Why Priverion

Unlike general-purpose GRC tools that hard-code one risk scale, Priverion lets you configure the dimensions, matrix, scoring method, and thresholds per company — and supports both additive and multiplicative calculation, not one fixed formula.

Because the model lives inside a single unified privacy and InfoSec platform, the same configured scoring feeds risk registers, DPIAs, and assessments without re-keying. The methodology you define once is the methodology applied everywhere.

FAQ

Questions ISOs and CISOs ask before a demo

Can I use different risk models for different entities?
Yes. You can create and manage multiple risk models per company, so each entity or assessment type uses the scale and matrix that fits it.
Does it support additive or multiplicative scoring?
Both. You choose the calculation method per model, so the scoring math matches your existing methodology rather than forcing a single formula.
Can I change a model without rescoring past assessments?
Models carry active/inactive status, so you can introduce a revised model while preserving the basis of earlier evaluations.
How fast can we get a model in place?
You can generate a starting model with AI assistance and auto-translation, then adjust the dimensions, matrix, and thresholds to match your method.

Ready to measure risk on your terms?

Configure a risk framework that fits your organization — consistent, defensible, and built the way you assess risk. Book a 30-minute demo focused on configurable risk models and matrices.