Creating a Risk Assessment
Start a new assessment
Click New Assessment. Choose the assessment type:
- Security Risk Assessment (SRA) — required for HIPAA, aligned with HHS guidance
- General Risk Assessment — suitable for SOC 2, NIST CSF, ISO 27001, and other frameworks
Define the scope
Specify which systems, data types, and business processes are in scope. For HIPAA SRAs, this includes all systems that create, receive, maintain, or transmit electronic protected health information (ePHI).
Identify threats and vulnerabilities
Work through the assessment questionnaire to identify threats (what could go wrong) and vulnerabilities (weaknesses that could be exploited). Regentra provides a curated threat catalog to guide this process.
For HIPAA-covered entities and business associates, the Security Risk Assessment is not optional. The HHS Office for Civil Rights (OCR) cites failure to conduct an SRA as one of the most common HIPAA violations.
Risk Scoring Methodology
Regentra uses a 3×3 likelihood × impact lookup calibrated against the HHS/ONC SRA Tool v3.6.1 Risk_Logic matrix. A customer running both Regentra and the SRA Tool workbook sees consistent scores.
The matrix
| | Low impact | Moderate impact | High impact |
|---|---|---|---|
| Low likelihood | Low | Low | High |
| Moderate likelihood | Low | Moderate | Critical |
| High likelihood | Moderate | High | Critical |
- Moderate × High = Critical (high-impact events deserve immediate attention even at moderate likelihood)
- High × High = Critical
- Low × High = High (a low-probability but catastrophic event is still a high-priority finding)
Regentra also accepts a fourth “Critical likelihood” tier for findings the operator wants to flag as effectively certain. Every cell in the Critical likelihood row is at least the level of the corresponding High likelihood cell, never lower.
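The lookup above, written out as an added example (not Regentra’s own code): the 3×3 matrix is copied from the table, and a validator enforces the rule that no cell in an operator-supplied Critical likelihood row may fall below the corresponding High likelihood cell. The default Critical row reusing the High row is an assumption, since the page only states the lower bound.

```python
"""Added example, not Regentra's code: 3x3 likelihood x impact lookup plus the
optional Critical likelihood row and its "never lower than High" check."""

from typing import Dict, List, Optional

# Ordinal ranking of risk levels, lowest to highest
RANK = {"Low": 0, "Moderate": 1, "High": 2, "Critical": 3}
IMPACTS = ("Low", "Moderate", "High")

# Rows = likelihood, columns = impact; values copied from the matrix above.
MATRIX: Dict[str, Dict[str, str]] = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "High"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "Critical"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "Critical"},
}


def critical_row_violations(critical_row: Dict[str, str]) -> List[str]:
    """Return one message per cell of a Critical likelihood row that is
    missing, not a known level, or lower than the High likelihood cell."""
    problems = []
    for impact in IMPACTS:
        floor = MATRIX["High"][impact]
        cell = critical_row.get(impact)
        if cell not in RANK:
            problems.append(f"no valid level for {impact} impact")
        elif RANK[cell] < RANK[floor]:
            problems.append(f"Critical x {impact} = {cell} is below High x {impact} = {floor}")
    return problems


def risk_level(likelihood: str, impact: str,
               critical_row: Optional[Dict[str, str]] = None) -> str:
    """Look up the risk level for one finding.

    Assumption: when no Critical row is configured, the Critical tier reuses
    the High row, which is the minimum the page allows.
    """
    if impact not in IMPACTS:
        raise ValueError(f"unknown impact: {impact!r}")
    if likelihood == "Critical":
        row = critical_row if critical_row is not None else MATRIX["High"]
        problems = critical_row_violations(row)
        if problems:
            raise ValueError("; ".join(problems))
        return row[impact]
    if likelihood not in MATRIX:
        raise ValueError(f"unknown likelihood: {likelihood!r}")
    return MATRIX[likelihood][impact]
```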
Alignment with the HHS/ONC SRA Tool
For HIPAA-covered entities, Regentra is structured to map 1:1 against the HHS/ONC SRA Tool v3.6.1 workbook. The alignment touches every layer of the risk-assessment surface:
- All 60 SRA Tool §refs are covered by Regentra’s HIPAA 2026 framework requirements. The 5 sub-clauses the SRA Tool checks but the prior version of Regentra hadn’t surfaced (§164.316(b)(2)(i/ii/iii) for documentation hygiene, §164.314(a)(2)(i)(A) and §164.314(a)(2)(iii) for BA contract clauses) are now present.
- Canonical 40-entry threat catalog. When you create a Finding, the Threat Library picker has two tabs: a generic NIST/OCR-derived catalog and the HHS SRA Tool catalog. Threats picked from the SRA tab carry a stable code (e.g., SRA-S4-T1) and surface in audit-package exports as “X of Y findings came from the SRA Tool catalog.”
- Per-§ref question reference. On each control card, a collapsible “HHS SRA Tool questions for §164.xxx” panel shows the SRA Tool’s questions probing that §ref, with HHS’s multiple-choice answers and per-answer compliant/risk-indicated markers. This is a read-only reference for customers running both tools in parallel.
- Risk-matrix calibration (the table above) matches the SRA Tool’s Risk_Logic exactly on the LOW/MEDIUM/HIGH subset.
Risk Register
The risk register is your living inventory of identified risks. Every risk from every assessment feeds into the register, creating a centralized view of your organization’s risk posture. Each risk entry includes:
- Description — what the risk is
- Threat source — the actor or event that could cause harm
- Vulnerability — the weakness being exploited
- Likelihood and impact scores — with the calculated risk level
- Treatment plan — how you plan to address the risk
- Owner — the person responsible for treatment
- Status — Open, In Remediation, Mitigated, Accepted, or Closed
Treatment Plans
For each risk, you must document a treatment approach:
- Mitigate
- Accept
- Transfer
- Avoid
Implement controls to reduce the likelihood or impact. This is the most common approach. Link the risk to specific controls in Regentra to track mitigation progress.
Annual Review Requirements
Most compliance frameworks require risk assessments to be reviewed and updated on a regular cadence:
- HIPAA — annual SRA review is a best practice and OCR expectation
- SOC 2 — risk assessments must be current for each audit period
- NIST CSF — recommends ongoing risk assessment as part of the Identify function
- ISO 27001 — requires risk assessment updates when significant changes occur or at planned intervals