Risk Intake
Risk management works best when employees can easily flag new risks and organizations have a clear process to review and add them to the right register. Hyperproof’s risk intake feature streamlines this workflow end-to-end. It allows teams to gather cross-company feedback and seamlessly add validated risks to the Risk Register. Once submitted, proposed risks can be added to risk assessments, allowing teams to quickly evaluate likelihood, impact, and control gaps. With Hyperproof’s integrated intake portal, organizations can maintain an accurate, up-to-date risk posture without relying on external tools or manual data transfer.
The risk intake register allows you to collect and manage proposed risks. Each tab on the register provides you with tools and information to help you manage those risks.
Note: This is an optional feature for purchase in Hyperproof. If you have the risk module, you'll have access to this feature. If you have not purchased that module, we recommend reaching out to your Customer Success Manager or Account Manager if interested. If you have not purchased this feature, we recommend doing so before reviewing this article.
This article is shown from the perspective of the administrator role with manager organizational permission in Hyperproof. If you have another role in Hyperproof or a different permission, you may not have access to some of the areas shown, or they may be greyed out.
Intake register dashboard
The dashboard contains widgets that tally the number of new and current proposed risks.
Proposed Risks - Displays the number of proposed risks that remain on the proposed list. These risks haven't been archived or promoted to the regular risk register.
Newly Proposed Risk - Displays the number of proposed risks that have been collected in the past 30 days.
Risks in Assessments - Displays the number of proposed risks that are being evaluated through a risk assessment.
Risk intake register details
Use the Details tab to view and edit the following information:
Details pane
Hover over a field and click the pencil icon to edit it.
Name - The name of your risk intake register.
Description - Additional details or information about the risk intake register.
Default risk owner - The Hyperproof user designated as the default owner for any proposed risks collected through the intake survey or entered manually. When entering a proposed risk manually, you can change the default owner. Proposed risks that are assigned to an evaluation or promoted to the risk register display this user as the owner.
Intake survey pane
Create survey - This option displays only if you have never configured your intake survey. Click Create survey to configure version 1 of your intake survey.
Update survey - Allows you to edit the survey content. Each time you edit and save a survey, the version number is incremented and displayed when viewing both the survey and its corresponding responses.
Survey link - Click the Copy link option to copy the URL for your survey. Distribute the URL to team members to collect proposed risks and associated information.
Updated on - Date the survey was last updated.
Member list - Displays icons representing the Hyperproof users who are members of the intake survey. Users who are members of the survey can update it.
Risk intake register risks
The Risks tab on the intake register displays a list of all proposed risks that haven't been promoted to one of your risk registers.
Risks tab fields and options include:
Risks dropdown arrow - Use this menu to switch between archived and unarchived proposed risks.
+New - Use this option to add a new proposed risk to the list.
Filters - Use the filter option to narrow the list of proposed risks based on the fields displayed in the grid.
Settings - Allows you to turn on or off columns in the grid and change their order.
Grid columns - The following fields display for each proposed risk and can be used as filter options:
ID - ID of the proposed risk. Default proposed risk IDs start with NR-. Risk IDs can be changed during the evaluation process or from the Risk Register.
Stage - Stage of the proposed risk. Stages include:
Proposed - The risk has been proposed, but no further action has been taken.
Evaluating - The risk has been added to an assessment for evaluation and possible promotion to the regular risk register.
Name - Name of the proposed risk.
Description - Additional information about the risk. This field is required when creating a new proposed risk.
Likelihood rationale - A short description of the likelihood that this risk will occur.
Impact rationale - A short description of the impact of this risk.
Date submitted - Date the proposed risk was submitted.
Submitter - Name and initials of the person who submitted the proposed risk. Note that this field may include names of people who are not Hyperproof users but have submitted a proposed risk using an intake survey. Submitters who are not Hyperproof users are added to Hyperproof as external contacts, allowing you to send them a risk assessment survey and request additional information during the risk evaluation process.
Risk intake register issues
The Issues tab on the intake register lists all issues linked to the intake register. You can create new issues here or on the Work Items > Issues tab. Issues provide a way to track exceptions or non-conformities in your process that may need to be mitigated.
From the Issues tab, you can:
View a list of issues assigned to the risk intake register
Bulk edit many issues at once
Create a new issue
Import multiple issues
Filter issues by different criteria via the Filter icon
Edit grid settings by clicking the Settings icon
Risk intake workflow
Configure your risk intake register to include any proposed risks submitted by your organization. If a risk assessment does not already exist, start a new one. Ensure a default risk register is set up to move proposed risks into once they are evaluated and become actual risks.
Set up your risk intake survey and distribute the survey link to your organization via email or your company's intranet. Instruct team members to complete the survey whenever they identify a potential risk.
View the responses to the risk intake surveys to gather additional information about potential risks. Optionally, manually add proposed risks to the risk intake register if necessary.
You can do this once the risk is added to a risk assessment by clicking the risk in the evaluations area and viewing the survey results under Research.
Review the proposed risks and add them to an assessment for evaluation. Determine whether the proposed risks should be classified as actual risks.
Approve evaluations for proposed risks to create actual risks in the selected risk register. Close evaluations for proposed risks that should not become actual risks.
In the risk intake register, archive proposed risks that are rejected and will not be moved to the risk register.
Periodically update the survey to add or remove questions as needed to ensure it remains relevant and effective.
Risk intake surveys are used by organizations to report possible risks and present them for evaluation. Create a risk intake survey and distribute the URL to your team to collect risk information.
Hyperproof only supports one risk intake survey per organization.
When you create your risk intake survey, it is preconfigured with a few default questions that allow Hyperproof to store the proposed risk with the required fields. The user information and risk description fields can't be edited or removed.
You can configure additional sections and questions.
Setting up the risk intake register
From the left menu, select Risk.
Click + Setup register.
The Create intake register window opens.
Below Name, enter a name for the register.
Below Description, enter a description of the register.
From the Default risk owner drop-down menu, select the user responsible for owning risks in your organization. All risks must have an owner. The owner of individual risks can be changed later.
Click Create.
The intake register is created.
Creating a risk intake survey
From the left menu, select Risk.
Click the Intake register card.
Select the Details tab.
In the Intake survey box, click Create survey.
The Risk Intake Survey window opens.
If no changes are necessary, click Back.
Note: You can easily add new sections, questions, text, and risk fields to the risk survey. To do this, simply click +New to view the drop-down options. Optionally, you can add gating (conditional) questions to surveys. Note that gating questions can only be used with single-select and single-select with explanation question types.
Adding a proposed risk to the risk intake register
Anyone can add a proposed risk to the risk intake register using the intake survey. If you have a Hyperproof login and the correct permissions, you can add proposed risks directly to the risk intake register without needing to complete the intake survey.
From the left menu, select Risk.
Click the Intake register card.
Select the Risks tab.
The list of proposed risks displays.
Click +New.
The Add risk window displays.
In Risk ID, enter an ID for this risk. If you leave this field blank, Hyperproof assigns an ID starting with NR-.
In Risk name, enter a name for the risk.
Enter a Description. This field is required.
In Owner, select an owner for this risk. This field is automatically filled in with the Default owner listed on the Details tab.
In Likelihood rationale, enter a short description of the likelihood that this risk will occur.
In Impact rationale, enter a short description of the impact of this risk.
Click Create.
The proposed risk is added to the list of risks.
Completing the risk intake survey
Risk intake surveys are used to collect information about potential risks to your organization. These proposed risks are then evaluated, and if they have merit, they are promoted to actual risks by a team in your organization. Those risks are tracked and mitigated where possible.
To complete a risk intake survey, you must have the URL for that survey from your organization.
Depending on how the URL is provided to you, you can click a link or copy and paste it into your browser. The risk intake survey displays in the browser.
Click each entry on the left menu and complete the associated questions.
When all sections are completed, click Submit. Hyperproof indicates that your survey response has been submitted.
Viewing a risk intake survey response
When someone responds to and submits a risk intake survey, the risk proposed in the survey is added to the risk intake register. Risk fields on the survey are propagated to fields in the proposed risk; however, the response to any additional fields can only be seen from the survey response.
To view a survey response:
From the left menu, select Risk.
Click the Intake register card.
Select the Risks tab.
The list of proposed risks displays.
Locate the proposed risk generated by the survey you want to view.
Click the View survey link for that risk.
The survey displays.
Click the options in the left menu to see different sections of the survey.
Click Done to close the survey response.
Evaluating proposed risks
In Hyperproof, risks can be audited for attributes including design, language, effectiveness, and reliability. Within Hyperproof you can do this in the Assessments tab. Any risks linked to an assessment that are a part of the risk intake register will show on the dashboard.
Note: In the next section, we'll discuss risk assessments in Hyperproof in more detail.
If you've already created risk assessments, you can link risks within the risk intake register. Simply select them from the list and choose +Add to assessment. From there, you can choose which risk assessment you'd like the risk to be added to.
Risk landscapes are constantly evolving, and organizations need better ways to stay ahead of emerging threats while maintaining compliance. In this video, we introduce Hyperproof’s new Risk Intake and Risk Assessments functionality—designed to help teams proactively capture, evaluate, and manage risks all in one place.
With Risk Intake, teams can gather cross-company feedback through customizable intake surveys, automatically detect duplicate or existing risks, and seamlessly route validated submissions into the Risk Register. Proposed risks can be reviewed, evaluated for likelihood and impact, and assessed for control gaps—without relying on external tools or manual processes.
Building on this workflow, Risk Assessments enable structured evaluation of both existing and newly submitted risks. Teams can review intake responses, approve or reject proposed risks, convert approved submissions into active risks, and automatically attach supporting documentation as proof.
Together, Risk Intake and Risk Assessments help organizations capture risk insights earlier, evaluate them faster, and maintain a more accurate, up-to-date risk posture—right inside Hyperproof.
Note: this video will showcase assessments in Hyperproof. We will take a deeper dive into assessments in the next section of this article.
Introduction to assessments
Controls, requirements, and risks can be audited for attributes including design, language, effectiveness, and reliability. When your organization’s controls, requirements, and risks are sufficient, internal audits based on a Document Request List (DRL) run much more smoothly because the bulk of the work is already done.
Many organizations perform assessments for the following reasons:
Early detection - Routinely checking your controls, requirements, and risks for exceptions helps you find them more quickly.
Continuous improvement - Looking critically at your controls, requirements, and risks is the best way to ensure you’re not wasting resources.
Minimize risks - Quickly find exceptions and non-functional controls, requirements, and risks to minimize risk exposure.
Audit preparation - If you find and fix issues with your controls, requirements, or risks, there will be fewer for your auditor to report.
Evaluating risks
Periodically assess proposed risks and re-evaluate existing risks to ensure they remain relevant and manageable.
This process helps maintain a proactive approach to risk management.
Capturing risk details
Document key risk attributes such as likelihood, impact, tolerance, and response strategies.
Thorough documentation ensures a comprehensive understanding of each risk.
Linking risks to controls
Connect risks to specific controls within programs and assign a percentage of mitigation for each control, addressing likelihood and/or impact.
This linkage provides clarity on how controls reduce risk exposure.
Quantifying mitigation
Use tools like Hyperproof to calculate residual risk after applying mitigation measures.
This quantification helps in understanding the effectiveness of the implemented controls.
Evaluating risks
Within the Assessments area of Hyperproof, you'll be able to create a risk assessment to assess risk and record your findings. The majority of the assessment work will be in the Evaluations tab. In this area, you have the option to assign evaluation work to different team members. As always, you can communicate with a team member about a particular evaluation via the Activity Feed.
The risk evaluation user interface differs from the control and requirement evaluation user interface. These differences are intentional and reflect ongoing efforts to improve usability, accessibility, and overall user experience. The updated interface is designed to make your time spent evaluating a risk smoother and more efficient.
Tip: Active evaluations can also be accessed via Work Items. From the left menu, select Work Items, then select the Evaluations tab.
Risk evaluations feature a new split pane view. The left pane contains information about the target object, i.e., the risk being evaluated, while the right pane contains information about the evaluation itself, such as linked objects, proof, and so on.
Note: The fields displayed in the left pane reflect the risk fields selected during the assessment creation process. For example, if you only selected 'inherent risk', 'inherent impact', and 'mitigation', only those three fields would appear in the left pane.
Below is a workshop from February 2026 that takes a deep dive into Hyperproof's Risk Intake and Risk Assessment capabilities, exploring why these features were introduced, how they work today, and where we're headed next.
If you'd prefer to watch this recording later, you can access the recording via the link below or within the help section in our support chatbot within Hyperproof.
Evaluating risks
From the left menu, select Assessments.
Select your assessment.
Select the Evaluations tab.
A list of evaluations is displayed.
Select the evaluation you want to assess.
From the left pane, do any or all of the following:
Change the status of the evaluation:
Not started - Work has not yet started on the evaluation.
In progress - The evaluation is currently being worked on.
Submitted - The evaluation has been submitted for review.
In review - The organization is reviewing the evaluation.
Closed - The evaluation has been canceled.
Approved - All information in the evaluation has been verified and accepted.
The fields that appear in the left pane are determined by the evaluation fields chosen during the creation of the risk assessment. You can:
Change the name of the evaluation.
Set the inherent risk, inherent likelihood, inherent impact, rationale, and/or tolerance.
Inherent risk - The level of risk if no mitigation is performed. This value is determined by the risk being evaluated.
Inherent likelihood with rationale - The measure of a risk occurring without any preventative measures (controls) in place. This value is determined by the risk being evaluated.
Inherent impact with rationale - The measure of impact an event has on an organization when there are no preventative measures (controls) in place. This value is determined by the risk being evaluated.
Tolerance - The level of risk that an organization is willing to bear. This value is determined by the risk being evaluated.
Set or change the risk category - The category is the classification to which the risk belongs, e.g., Breach. The value is determined by the risk being evaluated.
Set or change the response action.
Set or change the owner - The owner is the individual in your organization responsible for the risk. The value is determined by the risk being evaluated.
Enter or edit the description - The description is an overview of the risk. The value is determined by the risk being evaluated.
Set or edit any custom fields associated with the risk.
View or link controls - Displays controls that are linked to the risk. This value is determined by the risk being evaluated.
Set or edit mitigation and rationale values for linked controls.
From the right pane, do any or all of the following:
Add a user or group to the evaluation
Click the facepile to manage user permissions for the evaluation.
Hover over the current description to change it.
Expand the Research section to add tasks or surveys.
Surveys must be configured first from the Assessments > Risk Surveys tab.
Expand the Details section and do any or all of the following:
Set the evaluation priority.
View the evaluation source.
Edit the due date.
View the Created on and Updated on dates
Enter your observations
Expand the Assignee section and do any or all of the following:
Assign the evaluation to a user or group.
Change the current assignee or group.
Expand the Past evaluations section to link to a previous evaluation (these are previously approved evaluations related to the risk being assessed).
Expand the Linked objects section to link a related object to the evaluation.
Expand the Related issues section to link related issues to the evaluation.
Expand the Proof section to link proof to the evaluation.
Communicate with team members via the Activity feed.
Archive the evaluations.
Adding risks to an assessment
Follow the steps below to add additional objects to your assessment.
From the left menu, select Assessments.
Select your assessment.
Select the Evaluations tab.
Click New.
The Select a set of risks to evaluate window opens.
Select the checkbox next to each risk you want to add to your assessment. Click the Filter icon to use the filter options to narrow down search results. To select all risks, select the Select all checkbox in the upper-left corner.
Click Create.
Looking to review the workshop later?
Visit the help section within our support chatbot in Hyperproof to watch the recording.
Risk assessment surveys
When conducting a risk assessment, organizations typically collect information through interviews or surveys. In an interview, the assessor meets directly with key stakeholders to gather insights about potential risks. Alternatively, a survey can be distributed to capture input from stakeholders when an interview isn’t necessary. Surveys can also serve multiple purposes: they can document meeting notes, support data collection during interviews, or act as an intake form for identifying and assessing new potential risks.
Risk assessment survey versus questionnaire
When working in Hyperproof, you may encounter both surveys and questionnaires, and while they serve similar purposes, they differ in how they’re accessed and how they relate to objects in the platform.
This video tutorial introduces risk surveys in Hyperproof and how they support the risk assessment process. You’ll see how to create or import a risk survey, send it to stakeholders, and review responses directly within an assessment. The tutorial also shows how survey results are used to inform and approve risks in the risk register.
Creating a risk assessment survey
From the left menu, select Assessments.
Select the Risk surveys tab.
Click New.
The New survey window opens.
In the New survey name field, enter a name for the survey.
Click Create.
Click New, then select Section.
Enter a name for the section.
Once you’ve created the first section, you can then begin to add questions. For more information on creating and editing questions.
Note: Risk surveys created in Hyperproof must begin with a section.
Adding questions to a risk survey
Risk surveys can be edited in Hyperproof or outside of Hyperproof via a CSV file. The steps below explain how to add questions to a risk survey directly in Hyperproof.
From the left menu, select Assessments.
Select the Risk surveys tab.
Select the survey you want to edit.
In the right pane, click View survey.
Click Edit.
Click New, then select Question.
The Add question window opens.
Below ID, enter a question ID.
Below Question, enter the question.
From the Type drop-down menu, select a question type:
Single-select - A drop-down list of values where only one value can be selected.
Multi-select - A drop-down list of values where multiple values can be selected.
Single-select with explanation - Same as single-select, but with space for optional free text.
Multi-select with explanation - Same as multi-select, but with space for optional free text.
Open text - Free-form questions that allow the respondent to answer in an open-text format.
Proof upload - The only required answer is an attachment (of proof).
Click Create.
The question is created and added to the survey.
Click Save.
Repeat steps 6 - 11 as needed.
Note: Surveys can be edited in Hyperproof or outside Hyperproof using a CSV file. You can download the example CSV file by clicking Import on the Risk surveys tab.
Using gating questions in a survey
A gating question, sometimes referred to as a conditional question, can be used to determine the next question or questions in a survey. In Hyperproof, gating questions can be used with single-select and single-select with explanation question types.
For example, you might ask, “Do you have a company handbook?” If your goal is to find out more information about the handbook, you can set the question as a gating question. That way, if the recipient answers 'Yes', they’ll be directed to a follow-up question about the handbook. If they answer 'No', they'll see a different question.
If a question is not shown to a user, the points from that question are not included in the total possible score. For example, let's assume a survey has two questions—one non-gating question (question 1) and one gating question (question 2). If a respondent answers question 1 and is not prompted to answer question 2 (the gating question), the points from question 2 are not included in the total possible questionnaire score.
Note: A gating question must have follow-up questions; it cannot be the last question in a survey.
Sending a risk assessment survey
In Hyperproof, surveys are delivered to respondents through evaluations. First, add a survey to an evaluation. Then, send the evaluation to the risk’s owner, its external contacts, or both—prompting them to complete the survey.
Sending a risk assessment survey
Prerequisite: An existing risk survey.
From the left menu, select Assessments.
Select your risk assessment.
Select the Evaluations tab.
Select the evaluation you want to link the survey to.
In the right pane, expand the Research section.
Click Add, then select Survey.
The Send survey window opens.
From the survey drop-down menu, select the survey you want to send.
From the Respondent drop-down menu, select the respondent to whom the survey should be sent. By default, both the risk owner and risk contact(s) are listed in the menu. To send the survey to all respondents, select the Select all respondents checkbox.
Tip: The users shown in the menu are linked to the risk associated with the evaluation. You can update these respondents at any time by clicking Add on the Risk page.
Optionally, enter a message for the respondent or respondents in the Note field.
Click Send.
The survey is sent.
A note about sent surveys: By design, the Attachment icon (paperclip) is present on all questions, even those that are not 'proof upload' questions. Additionally, there are no restrictions on file types that can be uploaded as proof.
All file uploads are scanned and Hyperproof's Operations team is notified of any infected files. Text input is sanitized for malicious HTML/Script.
Sending a risk assessment survey reminder
When you send a reminder to a respondent, it's recorded in the Activity Feed.
From the left menu, select Assessments.
Select your assessment.
Select the Evaluations tab.
Select the evaluation that corresponds with the survey.
In the right pane, expand the Research section.
Locate the respondent to whom you want to send the reminder, then click Remind.
An email is sent to the respondent, reminding them to fill out the questionnaire. Reminders can be sent every 24 hours, and the respondent receives an email each time a reminder is sent.
One-time passcodes for external users
What are one-time passcodes?
One-time passcodes provided via email are a simple way to provide authenticated access to Hyperproof for external users who are assigned work, such as tasks, questionnaires, or surveys.
These passcodes ensure secure access without requiring users to create permanent accounts.
How are one-time passcodes used?
When a task is assigned to a contact, a questionnaire is sent to a vendor, or a survey is sent to a contact, Hyperproof emails the assignee to notify them.
Each email contains a link to the specific task, questionnaire, or survey, ensuring the recipient can easily access their assigned work.
Accessing Hyperproof with a one-time passcode
When the assignee clicks the link in the email, Hyperproof opens a login page and emails the assignee a second message containing a one-time passcode.
The assignee can then use this passcode to securely log in and complete their assigned tasks.
Note: If you are an Admin user testing this process, be sure to log out of Hyperproof before attempting to log in using the one-time passcode process.
If you are a vendor or a contact and are already logged in to Hyperproof, you don't have to log in again. Hyperproof takes you to the task, questionnaire, or survey referenced in the email.
Logging in using a one-time passcode
A Hyperproof user has assigned you a task or sent you a vendor questionnaire or survey. You'll receive an email from Hyperproof notifying you.
Open the email notifying you that you have work to do for Hyperproof.
For a survey, click the Launch survey button.
The Hyperproof login window displays.
Verify that the email address is correct and click Next.
The Verify your identity window displays.
Click the Send email button to generate your one-time passcode and receive it via email.
Locate the one-time passcode email and make note of the code.
If you don't see the email, check your Spam or Junk Email folder. You can also click Send again in the verification window.
Enter the code in the verification window and click Verify.
The Hyperproof portal opens and displays your risk survey.
Risk assessment survey respondent view
When a survey is sent to a respondent, they receive an email from Hyperproof with the subject line: "You have been assigned a questionnaire in Hyperproof." When the respondent opens the email, they see the Launch survey button. Clicking this button takes them to the survey.
When the survey is launched, the respondent answers the questions directly in the survey portal. The respondent sees the survey name in the upper-left corner, the survey itself, and the progress bar in the bottom-left corner. When the respondent finishes the survey, they click the Submit button in the bottom-right corner.






























