Help & User Guide
Everything you need to get the most out of Risk3y.
🚀 Getting Started
Creating your account
Visit risk3y.com and click Get started free. Enter your work email address and choose a strong password. You will receive a verification email — click the link inside to activate your account.
Once verified you will be prompted to create your organisation workspace. Choose a name that your team will recognise (e.g. "Acme Corp"). You can always change this later in Settings → Organisation.
Inviting team members
Go to Settings → Members and click Invite member. Enter their email address and choose a role:
- Risk Manager — full create/edit/archive access across all registers
- Risk Contributor — can add and edit risks, but cannot archive
- Risk Reviewer — read-only access with the ability to record reviews
- Read-only — view-only access, cannot make changes
- Billing Admin — manages subscription only, no risk access
The invitee receives an email with a sign-up link. Once they accept, they appear in your member list. Your plan's member limit applies — upgrade if you need more seats.
Creating your first risk register
From the Dashboard, click New register. Give it a descriptive name such as "Enterprise Risk Register 2026" or "Project Alpha Risks". An optional description helps team members understand scope.
Registers are isolated — risks in Register A are not visible in Register B. You can create one register per project, department, or compliance framework.
Once created, open the register and click Add risk to start populating it.
📋 Risk Registers
What is a risk register?
A risk register is a central log of all known risks for a given scope (e.g. a project, business unit, or compliance area). Each risk records:
- A title and description of the risk event
- Top event and consequences
- Likelihood and consequence scores (1–5 scale) producing a risk score
- Controls in place and their effectiveness
- An owner responsible for managing the risk
- A review schedule
Adding a new risk
Inside a register click Add risk. At minimum you must provide a title. Additional fields — description, top_event, consequences, scores, owner, and review frequency — can be filled in now or updated later.
Risk Score = Likelihood × Consequence. A 5×5 score is the maximum (extreme risk). Use your organisation's risk matrix to interpret scores.
Understanding risk scores
Risk3y uses a 5×5 likelihood/consequence matrix. Scores are calculated automatically:
- 1–4 — Low
- 5–9 — Medium
- 10–16 — High
- 17–25 — Extreme
Both initial (inherent) and residual (after controls) scores can be recorded. The residual score reflects the risk level after your controls are applied.
If your organisation uses a custom risk matrix, admins can configure it in Settings → Risk Matrix.
Risk status lifecycle
Each risk moves through the following statuses:
- Open — Active risk requiring attention
- Mitigated — Controls are in place and residual risk is acceptable
- Accepted — Risk is known and formally accepted by a risk owner
- Archived — Risk is no longer relevant; removed from active views
Only Risk Managers can archive risks. Archived risks are hidden from the default list but remain searchable.
Adding controls to a risk
Controls are the measures you have in place to reduce a risk. Open a risk and scroll to the Controls section. Click Add control and describe the control, its type (preventive, detective, corrective), and effectiveness.
Controls contribute to the residual risk score — after applying controls, update the residual likelihood and consequence fields to reflect the reduced exposure.
Attaching evidence
Evidence links supporting documentation to a risk (e.g. audit reports, testing results, certificates). Open a risk and click the Evidence tab. Click Add evidence, provide a label (e.g. "ISO 27001 Cert 2026"), and paste the URL to the document.
Evidence is immutable once added — to update a link, delete the old entry and add a new one. All evidence additions and deletions are recorded in the audit log.
📅 Reviews & Scheduling
Setting review frequency
When creating or editing a risk, set Review frequency (Monthly, Quarterly, Semi-annual, Annual) and a Next review date. Risk3y will send an email reminder to the risk owner when the review date approaches.
To record that a review occurred, open the risk and click Record review. Enter any notes and the system will calculate the next due date automatically based on the frequency.
Managing overdue reviews
The Dashboard highlights risks whose review date has passed. Navigate to Dashboard → Overdue reviews to see the full list.
Click any overdue risk to open it and record a review. Regularly completing reviews demonstrates a functioning risk management process and satisfies most compliance frameworks.
↕️ Import & Export
Importing risks from CSV
To bulk-import risks, open a register and click Import. Download the CSV template and populate it with your data. Supported columns include: title, description, top_event, consequences, status, likelihood, consequence, and owner_job_role_id.
Click Preview import to validate your file before committing. Any rows with errors are highlighted — fix them in your spreadsheet and re-upload. A successful import creates all valid rows; errored rows are skipped.
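A local pre-check for an import file, added here as an example (not Risk3y's own validator): it applies the rules this guide states (title required, likelihood and consequence on the 1–5 scale, the score bands from "Understanding risk scores") before you upload. Assumptions: status values are spelled as the lifecycle names, columns outside the listed set are reported rather than rejected, and the sample rows are constructed.

```python
import csv
import io

# Columns named on the page ("supported columns include", so the template may have more).
KNOWN_COLUMNS = {"title", "description", "top_event", "consequences",
                 "status", "likelihood", "consequence", "owner_job_role_id"}
# Lifecycle names from the page; their exact spelling in the CSV is an assumption.
STATUSES = {"open", "mitigated", "accepted", "archived"}
BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Extreme")]  # page's bands

def rate(likelihood, consequence):
    """Return (score, band) for a likelihood/consequence pair on the 1-5 scale."""
    score = likelihood * consequence
    return score, next(label for top, label in BANDS if score <= top)

def parse_score(row, field, errors):
    """Parse an optional 1-5 field; append an error and return None if invalid."""
    raw = (row.get(field) or "").strip()
    if raw and raw not in {"1", "2", "3", "4", "5"}:
        errors.append(f"{field} must be an integer 1-5, got {raw!r}")
    return int(raw) if raw in {"1", "2", "3", "4", "5"} else None

def validate(csv_text):
    """Return (unknown_columns, results); results has one dict per data row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    unknown = sorted(set(reader.fieldnames or []) - KNOWN_COLUMNS)
    results = []
    for row_no, row in enumerate(reader, start=1):
        errors = []
        if not (row.get("title") or "").strip():
            errors.append("title is required")
        status = (row.get("status") or "").strip()
        if status and status.lower() not in STATUSES:
            errors.append(f"unknown status {status!r}")
        lik = parse_score(row, "likelihood", errors)
        con = parse_score(row, "consequence", errors)
        rating = rate(lik, con) if lik and con else None
        results.append({"row": row_no, "errors": errors, "rating": rating})
    return unknown, results

# Constructed sample input, not real register data.
SAMPLE = """title,description,status,likelihood,consequence,owner
Supplier outage,Key vendor fails,Open,4,3,ops
,Missing title,Open,2,2,ops
Data centre fire,Primary site lost,Closed,6,5,facilities
"""

if __name__ == "__main__":
    print(validate(SAMPLE))
```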
Exporting to CSV
Open a register and click Export → CSV. All visible risks (respecting any active filters) are included. The export can be opened in Excel, Google Sheets, or any spreadsheet application.
Generating a PDF report
Open a register and click Export → PDF report. An HTML report opens in a new tab — use your browser's Print → Save as PDF function to save it. The report includes a summary table of all risks, colour-coded by status and score.
🤖 MCP & AI Integration
What is MCP?
MCP (Model Context Protocol) is an open standard that allows AI assistants (such as Claude, Copilot, or any MCP-compatible client) to securely interact with Risk3y data using natural language.
With MCP enabled, you can ask your AI assistant things like "Summarise the top 5 risks in the Enterprise register" or "Create a risk for supply chain disruption with likelihood 4, consequence 3" — and it will act directly in Risk3y on your behalf.
Connecting an AI assistant
Go to Settings → MCP & AI to generate an MCP API key for your account. Copy the MCP server URL and API key, then configure your AI assistant according to its MCP setup guide.
The MCP server URL follows the pattern: https://risk3y.com/mcp. Your AI client will use this endpoint with your API key to authenticate.
Only users with the MCP Client role or higher can generate MCP keys. Keys are scoped to your tenant and honour your role's permissions.
Available MCP tools
Risk3y exposes the following tools to MCP-compatible AI clients:
- risk_search — Full-text search across risks
- risk_get — Retrieve a specific risk by ID
- risk_summary — Summarise a register's risk landscape
- risk_create — Create a new risk
- risk_update — Update risk fields
- risk_add_control — Add a control to a risk
- risk_list_controls — List controls on a risk
- risk_update_control — Update a control
- risk_record_review — Record a risk review
- risk_change_proposal — Propose a change for human approval
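A client-side allowlist for the tools listed above, as an added example that is not Risk3y or MCP SDK code: it builds the JSON-RPC `tools/call` request that MCP clients send, but refuses tools that modify data unless writes are explicitly enabled, leaving `risk_change_proposal` as the default path for changes. The read/write grouping is inferred from the tool descriptions, and the argument names are hypothetical because the page does not give tool schemas.

```python
import json

# Tool names are from the page's list; the grouping below is this example's
# reading of their descriptions, not a classification published by Risk3y.
READ_TOOLS = {"risk_search", "risk_get", "risk_summary", "risk_list_controls"}
WRITE_TOOLS = {"risk_create", "risk_update", "risk_add_control",
               "risk_update_control", "risk_record_review"}
PROPOSAL_TOOL = "risk_change_proposal"


class ToolDenied(Exception):
    """Raised when the local policy refuses a tool call."""


def build_tool_call(request_id, tool, arguments, allow_writes=False):
    """Return an MCP tools/call JSON-RPC request if the policy allows the tool."""
    if tool in READ_TOOLS or tool == PROPOSAL_TOOL:
        pass  # reads and human-approved proposals are always permitted
    elif tool in WRITE_TOOLS:
        if not allow_writes:
            raise ToolDenied(f"{tool} modifies data; use {PROPOSAL_TOOL} "
                             "or enable writes for this session")
    else:
        raise ToolDenied(f"{tool} is not in the documented tool list")
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": tool, "arguments": arguments}}


if __name__ == "__main__":
    # Argument names ("query", "title") are hypothetical placeholders.
    print(json.dumps(build_tool_call(1, "risk_search", {"query": "supply chain"})))
    try:
        build_tool_call(2, "risk_create", {"title": "Supply chain disruption"})
    except ToolDenied as exc:
        print("denied:", exc)
```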
💳 Account & Billing
Subscription plans & limits
Each Risk3y plan defines limits on:
- Registers — number of risk registers per organisation
- Risks per register — maximum risks in a single register
- Members — number of users in your organisation
- MCP access — whether AI/MCP integration is available
When you reach a limit, Risk3y will show an error explaining which limit has been reached. Upgrade your plan from Settings → Billing to increase limits.
Upgrading your plan
Go to Settings → Billing and click Change plan. Select the plan that meets your needs and complete checkout via Stripe. Upgrades take effect immediately — limits increase as soon as payment is confirmed.
Downgrades take effect at the end of your current billing period.
Viewing invoices
All invoices are accessible in Settings → Billing → Invoice history. Click any invoice to view or download a PDF copy. Invoices are also emailed to the billing contact on your account.