Govern risk,
prove compliance,
without the busywork
A practical guide for GRC leads, risk managers, and compliance officers. Run your enterprise risk registers, manage assessments, and produce audit-ready evidence — all in one place.
Risk registers
Run enterprise and third-party risk in one place.
Assessments
Run DPIAs, TPIAs, and risk assessment reports.
Audit-ready
Evidence, exports, and a full activity trail.
This guide is for the people who own governance, risk, and compliance day to day — keeping registers honest, risks scored consistently, and evidence ready before anyone asks for it.
Read it in any order, and lean on the Ethira Agent whenever you'd rather ask a question than navigate a menu.
New to Ethira? Start with the platform basics — signing in, navigation, the dashboard, and the Agent — then come back here for the GRC workflows. For vendor risk specifically, the procurement & TPRM guide goes deeper.
Enterprise risk registers
Your enterprise risk lives under Risk Management → Enterprise Risks. You can run more than one register — each with its own risks, scoring, custom fields, and triage queue — so different parts of the business can work the way they need to.
Find your way around a register
Use the register switcher in the page header to move between registers or create a new one. Each register gives you four tabs:
- RisksThe full list — search, filter, create, and open any risk.
- InboxA triage queue of risks that need attention, with a live count.
- ConfigurationYour scoring setup — levels, likelihood, impact, and statuses.
- Custom fieldsExtra fields you define to capture what your team cares about.
First time in?
If you haven't set one up yet, Ethira creates a Default register for you. A short setup wizard helps you start from recognized ISO 31000 defaults or bring in your existing register from a file — so you're not building from a blank page.
Scoring & appetite
Set up how your organization measures and classifies risk once, and every risk follows the same consistent rules.
Define how risk is scored
From a register's Configuration tab — or the workspace-wide Risk taxonomy hub — you can shape every part of your scoring model:
- Risk levelsYour severity bands, from Low to Critical, with colours and score ranges.
- Likelihood & impactThe scales that describe how probable a risk is and how much it would hurt.
- Impact categoriesThe dimensions you care about — security, financial, privacy, reputation, and more.
- Scoring matrixThe likelihood × impact grid that turns scores into a risk level.
- Risk categoriesA hierarchy for classifying risks, aligned to your framework.
- StatusesThe lifecycle states a risk moves through, named your way.
Not sure where to begin? Confirm the ISO 31000 defaults in a click, then adjust the bands and categories to fit. Retired bands and categories stay on historical risks, so your past records never change underneath you.
Score impact by category
A single risk rarely hits everything equally. Ethira lets you record a different impact level per category on the same risk — say, medium operational impact but high reputational impact — for a truer picture than one blunt score.
Make sign-off explicit
For each severity band you can record who must approve a risk at that level — a risk owner, the CISO, or the board risk committee. Owners see the right approver right next to the band as they classify, and every change to your appetite settings is captured in the activity log.
Working with risks
The same simple rhythm applies to both enterprise and third-party risks. Open a list, create or open a risk, and work it through to resolution.
- Open the relevant list — Enterprise or Third Party — and select Create.
- Give it a title, owner, category, and set the inherent and residual levels.
- Save, then click any row to open its detail panel for quick edits.
Day-to-day, a few things make the work lighter:
- Review AI suggestionsEthira proposes risks for you to approve or dismiss — accept the ones that matter and move on.
- Follow what mattersFollow a risk to get notified when its owner, level, or status changes.
- Work in bulkSelect several risks at once to reassign owners or link them to an asset.
- Filters that remember youYour filters are saved per workspace and waiting for you when you return.
A guardrail you'll appreciate. Residual risk can never be set higher than inherent risk on the same record — Ethira won't let an impossible score slip through, whether you're editing by hand or asking the Agent.
Mitigations & controls
Reduce a third-party risk by attaching the controls and actions that bring it down — and keep tabs on whether they're actually getting done.
Open a third-party risk, go to Mitigations, and add one with a title, description, and status you update as work progresses. After an AI risk analysis, you'll also see suggested mitigations you can accept with a click.
Connect to the tools your team already uses
From a mitigation, create or link a Linear or Jira issue so the work lands in your engineering backlog. Jira status flows back automatically — when the issue moves, the mitigation moves with it — and you can refresh a linked Linear issue's status on demand.
Assessments & DPIAs
Run structured assessments — DPIAs, TPIAs, and risk assessment reports — from reusable templates, under My Organization → Assessments.
Start from a template
Create a new template three ways: adopt an Ethira-curated baseline, start blank and build your own sections, or upload a Word document and Ethira turns its headings into sections for you.
In the editor, add sections with guidance text, mark which are required, and reorder them by dragging. Publish when you're ready — one version stays active at a time, so everyone's working from the same approved template. Built-in defaults are read-only; just duplicate one to make it yours.
Review what's been produced
Your completed DPIAs, TPIAs, and risk assessment reports all gather in one place for review. For GDPR-style impact assessments tied to specific processing activities, the Data Privacy → Impact assessments area lets you document necessity, proportionality, and the measures you've taken.
Good to know. Assessments are sensitive by design, so they're visible only to the people whose role allows it — not to every member of the workspace.
Reporting & audit
When the auditor calls, the evidence is already there. Ethira keeps a running record of what happened and gives you clean exports on demand.
A trail of everything
- Per-vendor logsA read-only history of every change on each vendor relationship.
- Activity & audit trailBrowse your own actions under My Activity, and — with the audit-log permission — export the full workspace audit trail of scoring changes, approvals, access reviews, Agent actions, and deletions.
Exports for every occasion
- Vendor list exportExport your filtered vendor list to an Excel workbook — a ready auditor sample.
- Regulatory registerThe DORA Register of Information export, for workspaces that need it.
- Risk reportsA per-vendor AI risk analysis report you can open and share.
Bringing existing risk in
Already track risk elsewhere? Import from a file and Ethira reads and enriches each item, then hands them to you to accept or reject — so migrating a register doesn't mean retyping it.
Privacy built in. When Ethira records automated policy decisions, sensitive details are masked within the hour and the records age out on a schedule you control — so your audit trail stays useful without holding onto more than it should.
Automate the routine
The recurring parts of compliance — the weekly summaries, the periodic reviews — don't need your hands every time. Hand them to the Agent on a schedule.
- Go to Workflows and select Create workflow.
- Write the prompt — the same kind of request you'd type to the Agent.
- Choose when it runs: on a schedule (daily, weekly, monthly) or on an event like a newly discovered vendor.
- Turn it on. Use Run now to try it without waiting.
Each run creates its own Agent conversation, so you can always read back exactly what it did. You can also connect Google Calendar to sync review dates and compliance reminders into the calendar you already check.
Get help & what's next
The Agent is the quickest path through most of this — it knows your registers and can act on your behalf. A few prompts that fit GRC work:
You're set to run the program
Keep your registers honest, your risks scored, and your evidence ready — and let Ethira handle the routine in between.