| Risk ID | Description | Inherent Score | Selected Treatment | Control(s) / Action(s) | Owner | Target Date | Residual Score |
| R-001 | Credential stuffing attack on customer-facing APIs leads to account takeover | 16 | Mitigate | • AWS WAF rate-limiting
• MFA required for employee/admin access; customer MFA encouraged via SSO (not mandatory)
• Credential monitoring service | SRE Lead | 2025-07-31 | 6 |
| R-002 | Single-region cloud outage impacts all services | 20 | Mitigate | • Automate restore and infrastructure provisioning (Terraform/Ansible)
• Documented cross-region restore drills using replicated data (eu-central-1 -> eu-west-1) | Head of Product | 2025-09-30 | 8 |
| R-003 | Insider exfiltration of customer data | 15 | Mitigate | • DLP rules in GSuite
• Endpoint EDR
• Bi-monthly access reviews | Security Manager | 2025-06-30 | 5 |
| R-004 | Key supplier (email delivery) suffers breach | 12 | Transfer / Mitigate | • Add contractual security clauses
• Implement dual-provider routing | Procurement | 2025-08-15 | 4 |
| R-005 | Non-compliance with GDPR due to incomplete privacy notice | 9 | Mitigate | • Update privacy notice – retention periods clarified (marketing data deleted 2 years after consent withdrawal; logs retained 365 days; backups retained 30–365 days per policy) | DPO | 2025-05-31 | 3 |