Risk categories — shared risk-register categories and risk-appetite settings
Last updated: July 12, 2026 by Steve
Risk Categories
Risk categories are the shared classification list for your privacy risk register, and this settings area is also where your risk-appetite threshold is set. Because the register is shared, these categories and the appetite line apply everywhere risks are scored — inside a Privacy Impact Assessment, inside an incident, and on the top-level cross-assessment Risks tab.
(screenshot placeholder — capture: the Risk categories list alongside the risk-appetite setting)
Where to Find It
Open Settings from the app toolbar and choose Risk categories in the Privacy configuration group. This group is visible only to users who hold the relevant privacy configure permission.
Options and Fields
| Field | What it controls |
|---|---|
| Category name | A classification a risk can be tagged with on the Risk details card, translatable across your active languages. |
| Risk appetite | The tolerance line above which a risk is considered over-appetite. Risks above it are flagged and governed more strictly at acceptance. |
How It Affects the Risk Register
- Category appears as a dropdown on a risk's Risk details card, next to title, description, and source.
- When a risk's rating sits above the configured appetite, AccessPoint shows an over-appetite warning on the risk and on its treatment tasks.
- Accepting an over-appetite risk is deliberately gated: a justification and an expiry date are mandatory before the acceptance will save. This enforces time-boxed, governed acceptance rather than a silent sign-off.
Best Practice
Keep the category list aligned with how you report risk to management, and set the appetite line where it should genuinely trigger scrutiny. The over-appetite gate — mandatory justification plus expiry — is only as useful as an appetite threshold that is set thoughtfully.