ID,Risk Title,Description,Asset / Process,Threat,Vulnerability,Owner,Likelihood (1-5),Impact Financial,Impact Operational,Impact Reputational,Impact Legal/Regulatory,Impact Health/Safety,Max Impact,Inherent Score,Inherent Risk Level,Existing Controls,Residual Likelihood,Residual Max Impact,Residual Score,Residual Risk Level,Treatment Decision,Status
R-001,Ransomware on file servers,Attackers encrypt central file share and backup shares via compromised admin account,File server FS-01 + central SMB share,Ransomware,"Flat admin network, shared backup credentials",IT Operations Lead,4,5,5,5,4,1,5,20,Critical,"EDR, MFA on admin accounts, offline backups, partial network segmentation",2,4,8,Medium,Mitigate,Open
R-002,Phishing leading to credential compromise,Employee enters credentials on cloned M365 login page,All user accounts,Phishing,"User awareness gap, no phishing-resistant MFA",ISO,4,4,3,4,3,1,4,16,Critical,"Mail filter, awareness training, phishing simulations, MFA (TOTP)",3,3,9,Medium,Mitigate,Open
R-003,Insider data exfiltration via personal email,Leaving employee sends customer list to private Gmail,Customer database,Malicious insider,"Weak DLP on outbound email, broad CRM access",HR Lead,2,3,2,4,4,1,4,8,Medium,"NDA, role-based access, leaver process",2,3,6,Medium,Mitigate,Open
R-004,Supplier outage affecting logistics portal,Critical SaaS provider suffers 8h outage during peak period,Logistics portal (SaaS),Supplier outage,"Single provider, no fallback process",IT Operations Lead,3,4,4,3,2,1,4,12,High,"SLA, incident monitoring, manual fallback checklist",3,3,9,Medium,Accept with monitoring,Open
R-005,GDPR breach via misconfigured S3 bucket,Public bucket exposes 2000 customer records,Marketing bucket s3://nwl-marketing,Misconfiguration,"No IaC review, no scheduled bucket audit",DPO,3,3,2,5,5,1,5,15,High,"Quarterly config audit, bucket policy template",2,4,8,Medium,Mitigate,In treatment
R-006,Loss of historical marketing assets due to local hardware failure,Old campaign creatives stored on a single workstation are lost when its disk fails,Marketing workstation MW-07,Hardware failure,No automated backup of local creative folder,Marketing Lead,2,2,1,2,1,1,2,4,Low,Files older than 12 months are not business-critical and can be re-created or are available from agency partners,2,2,4,Low,Accept,Accepted
R-007,Storage of cardholder data in own ERP,Storing full PAN in the ERP would bring the company into PCI DSS scope and create high regulatory and reputational exposure,ERP (AST-007),Unauthorised disclosure of cardholder data,No tokenisation; no PCI-compliant segmentation,CFO,3,5,2,5,5,1,5,15,High,N/A — risk eliminated by design,1,1,1,Low,Avoid,"Avoided — payments outsourced to PCI-DSS Level 1 provider (Stripe), no PAN ever touches own systems"