Executive overview
The SCO read-only thesis, pointed at enterprise risk: the register, appetite, indicators, mitigations, and loss events - plus the one thing point tools miss, a risk view synthesized across every other domain.
What this is, and what it is not. A preview of a planned domain, not a live product. In production it would sit read-only on top of your risk register / GRC, control and audit systems, and the other AssetShop domains - surfacing exposure, appetite breaches, overdue mitigations, and cross-domain risk signals. It does not own risk decisions, set appetite, or replace the risk committee or internal audit; it informs them. All figures here are synthetic.
Residual risk index & outlook (synthetic)
Risks by category (synthetic)
Signals worth attention
Synthetic preview. In production, derived read-only from GRC, control, and audit systems plus cross-domain AssetShop signals, with SHA-256-anchored lineage.
Risk register
The enterprise risks being tracked - by category, likelihood, and impact - and how the register moved.
Register movement (TTM, synthetic)
Top risks by score (read-only)
| Risk | Category | Likelihood | Impact | Score |
|---|---|---|---|---|
| Single-source supplier (steel) | Supply chain | High | High | 20 |
| Customer-credit concentration | Financial | Med | High | 16 |
| Cyber breach (edge / OT) | Cyber / IT | Med | High | 15 |
| Uncapped contract liability | Legal | Med | Med | 12 |
| Key-person dependency (eng) | Operational | Med | Med | 10 |
Synthetic, aggregated. Score = likelihood × impact, each rated 1-5, so scores run 1-25; read-only from the risk register, never auto-edited.
Risk appetite
Where current exposure sits against the appetite thresholds the board has set - and where it has breached.
Exposure vs appetite by category
Synthetic, aggregated. Appetite thresholds are illustrative; exposure measured read-only against board-set limits.
Key risk indicators
The leading indicators that warn before a risk materializes - which are green, which have breached.
KRIs in breach - trend (synthetic)
Indicators worth attention (read-only)
| Indicator | Domain | Status | Value vs threshold |
|---|---|---|---|
| Top-supplier spend share | Supply chain | Breach | 34% vs 25% |
| DSO (days sales outstanding) | Financial | Breach | 58d vs 45d |
| Critical vulns open | Cyber | Breach | 14 vs 5 |
| Engineering attrition | Workforce | Warning | 14% vs 12% |
| On-time delivery | Operations | Warning | 93% vs 95% |
Synthetic, aggregated. KRIs computed read-only from the source domains; thresholds illustrative. Breach direction depends on the indicator: on-time delivery breaches when it falls below its threshold, the others when they rise above it.
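One way to derive the Status column from the Value vs threshold column, as an added example that is not AssetShop code: the page does not define where Warning ends and Breach begins, so the block assumes a tolerance band of 20% past the threshold (Warning inside the band, Breach beyond it), chosen because it reproduces the five rows above. Each indicator declares which direction is bad, so a falling on-time-delivery rate and a rising DSO are both handled, and a zero-tolerance threshold (allowed critical vulns = 0) does not divide by zero. `KRI`, `overshoot`, `status`, `evaluate` and the `KRIS` rows are hypothetical names and constructed data.

```python
# Added example, not AssetShop code. Evaluates key risk indicators against
# board-set thresholds. Assumptions (not stated on the page): a 20% tolerance
# band separates Warning from Breach, and each indicator declares which
# direction is bad. Sample rows are constructed from the table above.
from dataclasses import dataclass
from math import inf
from typing import List, Literal, Tuple

Direction = Literal["higher_is_worse", "lower_is_worse"]
TOLERANCE_BAND = 0.20  # assumption: Warning within 20% past threshold, Breach beyond


@dataclass(frozen=True)
class KRI:
    name: str
    domain: str
    value: float
    threshold: float
    direction: Direction


def overshoot(k: KRI) -> float:
    """Fraction by which the value is past its threshold in the bad direction.

    Zero or negative means inside appetite. A zero threshold on a
    higher-is-worse indicator (zero-tolerance KRI) returns +inf for any
    positive value instead of dividing by zero.
    """
    if k.direction == "higher_is_worse":
        excess = k.value - k.threshold
    else:
        excess = k.threshold - k.value
    if k.threshold == 0:
        return inf if excess > 0 else 0.0
    return excess / abs(k.threshold)


def status(k: KRI) -> str:
    o = overshoot(k)
    if o <= 0:
        return "Green"
    if o <= TOLERANCE_BAND:
        return "Warning"
    return "Breach"


def evaluate(kris: List[KRI]) -> List[Tuple[str, str, float]]:
    """Return (name, status, overshoot) ordered worst-first."""
    rows = [(k.name, status(k), overshoot(k)) for k in kris]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed from the "Indicators worth attention" table; units stripped.
KRIS = [
    KRI("Top-supplier spend share", "Supply chain", 34, 25, "higher_is_worse"),
    KRI("DSO (days sales outstanding)", "Financial", 58, 45, "higher_is_worse"),
    KRI("Critical vulns open", "Cyber", 14, 5, "higher_is_worse"),
    KRI("Engineering attrition", "Workforce", 14, 12, "higher_is_worse"),
    KRI("On-time delivery", "Operations", 93, 95, "lower_is_worse"),
]

if __name__ == "__main__":
    for name, st, o in evaluate(KRIS):
        print(f"{st:8} {o:+.2%}  {name}")
```

The ordering puts the worst overshoot first, so critical vulns open (14 against 5) sorts above the supplier-spend breach even though both are labelled Breach; that is the ranking a security reviewer wants, not the alphabetical one a GRC export usually gives.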
Mitigation & controls
The actions in flight to reduce risk - their status, ownership, and whether controls are actually covering the register.
Mitigation status
Overdue mitigations (read-only)
| Mitigation | Risk | Owner |
|---|---|---|
| Second-source qualification | Supplier conc. | Procurement |
| Credit-limit review | Credit conc. | Finance |
| OSK-03 continuity plan | Plant outage | Operations |
| Service-key rotation | Cyber | IT / Security |
Synthetic, aggregated. Reads mitigation and control status read-only; ownership routed to the responsible function.
Loss & events
What actually went wrong - operational loss events and near-misses - by category and financial impact.
Loss-event impact trend ($K / quarter, synthetic)
Losses by category (read-only)
| Category | Events | Impact |
|---|---|---|
| Supply disruption | 6 | $1.3M |
| Quality / scrap | 5 | $0.8M |
| Process / downtime | 5 | $0.7M |
| Compliance / penalty | 3 | $0.4M |
| Cyber / fraud | 3 | $0.2M |
Synthetic, aggregated. Reads loss/event records read-only; impact figures illustrative.
Cross-domain synthesis
The differentiator: risk seen across every domain at once. The same concentration shows up as a supplier risk, a delivery risk, and a credit risk - one picture instead of three.
Risk exposure by source domain (synthetic)
Compounding signals (read-only)
| Signal | Seen in | Net |
|---|---|---|
| Steel supplier concentration | SCO + Financial + Risk | High |
| Retail-customer credit | Revenue + Financial | High |
| OT cyber + EOL assets | Security + Operations | Med |
| Contract liability + vendor | Legal + Security | Med |
Synthetic preview. In production, risk signals are synthesized read-only from the other AssetShop domains with lineage to each source.
Scenario & resilience
How the business holds up under downside scenarios, and how ready continuity plans are.
Scenario impact (illustrative)
Synthetic, aggregated. Scenario impacts are illustrative and combine read-only signals across domains; not a forecast.
Compliance & assurance
How well controls are tested, where audit findings remain open, and which obligations are coming due.
Open audit findings by area (read-only)
| Area | Findings | Highest severity |
|---|---|---|
| Vendor / third-party | 4 | High |
| Access management | 3 | Med |
| Segregation of duties | 3 | Med |
| Change management | 2 | Low |
| Business continuity | 2 | Med |
Synthetic, aggregated. Maps control testing and audit findings read-only; this is assurance reporting, not an audit opinion.
Connectors & data
Where Risk Management would read from - dedicated GRC systems plus, uniquely, the other AssetShop domains.
Read-only, and partly powered by the other domains. These connectors are scaffolded, not built - each reports 0/12 conformance until a tenant integration is done. Risk is the domain where the cross-domain advantage is sharpest: much of its signal is synthesized read-only from SCO, Financial, Legal, Security, and Workforce, with SHA-256-anchored lineage to each source.
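The "SHA-256-anchored lineage to each source" claim here, and the one-picture-instead-of-three point in the cross-domain synthesis section, can be made concrete. What follows is an added example, not AssetShop code, and the page does not describe its actual scheme: the block assumes each source record is canonicalised as JSON with sorted keys before hashing, that a synthesized signal carries one (domain, digest) anchor per source, and that the signal's own digest covers those anchors, so an edited source record, a dropped source, or a rewritten `seen_in` list all fail verification. `canonical`, `anchor`, `synthesize`, `verify` and the `SOURCES` records are hypothetical names and constructed data.

```python
# Added example, not AssetShop code. Shows what "SHA-256-anchored lineage"
# can mean for a cross-domain risk signal: each source record is hashed, the
# signal carries one anchor per source, and the signal digest commits to the
# anchors. Verification recomputes from the current source records and never
# mutates them (read-only). Canonical-JSON hashing and the record shapes are
# assumptions; SOURCES is constructed for illustration.
import hashlib
import json
from typing import Any, Dict, List, Tuple

Record = Dict[str, Any]
Source = Tuple[str, Record]  # (domain name, record as read from that domain)


def canonical(obj: Any) -> bytes:
    # Sorted keys and no whitespace so equal data always hashes the same.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def anchor(domain: str, record: Record) -> Dict[str, str]:
    """One lineage anchor: the source domain and the digest of its record."""
    return {"domain": domain, "digest": sha256_hex(canonical(record))}


def synthesize(signal_name: str, sources: List[Source]) -> Dict[str, Any]:
    """Build a cross-domain signal whose digest commits to every source anchor.

    Anchors are sorted so the digest does not depend on the order the
    domains happened to be read in.
    """
    anchors = sorted((anchor(d, r) for d, r in sources),
                     key=lambda a: (a["domain"], a["digest"]))
    signal: Dict[str, Any] = {
        "signal": signal_name,
        "seen_in": [a["domain"] for a in anchors],
        "lineage": anchors,
    }
    signal["signal_digest"] = sha256_hex(canonical(signal))
    return signal


def verify(signal: Dict[str, Any], sources: List[Source]) -> bool:
    """Recompute the signal from the current source records; fail closed.

    Comparing the whole recomputed signal (not just the digest) also catches
    a signal whose seen_in or lineage fields were edited after the fact.
    """
    expected = synthesize(signal.get("signal", ""), sources)
    return expected == signal


# Constructed sample: the steel-supplier concentration seen in three domains.
SOURCES: List[Source] = [
    ("SCO", {"supplier": "S-001", "commodity": "steel", "spend_share": 0.34}),
    ("Financial", {"counterparty": "S-001", "payables_share": 0.31}),
    ("Risk", {"id": "RK-1", "title": "Supplier concentration",
              "likelihood": 4, "impact": 5}),
]

if __name__ == "__main__":
    sig = synthesize("Steel supplier concentration", SOURCES)
    print(json.dumps(sig, indent=2))
    print("verified:", verify(sig, SOURCES))
```

Verification is a pure recomputation: nothing is written to the signal or the source records, which is the property a read-only domain has to demonstrate, not just assert. In production the anchors would be compared against digests held by each source domain rather than recomputed from records the risk domain fetched itself.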
Risk & GRC connectors
| System | Category | Mode | Status |
|---|---|---|---|
| ServiceNow GRC / IRM | GRC | Read-only | Scaffolded 0/12 |
| Archer (RSA) | GRC | Read-only | Scaffolded 0/12 |
| LogicGate / AuditBoard | Risk / audit | Read-only | Scaffolded 0/12 |
| Workiva | Reporting | Read-only | Scaffolded 0/12 |
| AssetShop domains | Cross-domain | Read-only | Internal feed |
How it stays trustworthy
Planned domain. Connectors are scaffolds; functional conformance (12/12) is verified per tenant at integration, never assumed.
Signals & opportunities
Enterprise risk signals across supply, governance, and cyber - read-only from the risk register, GRC, and incidents. Surfaces and quantifies; mitigation is owned by your teams. Figures synthetic (Meridian Industrials).
Detected signals (synthetic)
| Signal | Area | Severity | Magnitude | Conf. | Source |
|---|---|---|---|---|---|
| Supplier concentration risk | Supply | high | 34% top-1 spend | med | AP + master |
| Single-source components | Supply | high | 6 critical parts | high | BOM + master |
| Overdue mitigations | Governance | medium | 8 past due | high | register |
| Control gaps - access | Cyber | medium | 4 controls | med | GRC |
| Incident recurrence | Operational | medium | 3 repeats QoQ | med | incidents |
| Residual-risk drift | Governance | medium | +0.4 avg | low | register |
| Emerging - FX volatility | Financial | low | EUR exposure | med | treasury |
Opportunities the signals point to
How to read this
Synthetic. Signals computed from read-only risk register / GRC / incidents data; magnitudes labeled "modeled" are estimates, not posted figures. Operational signal, not advice; AssetShop never writes back to source systems.
Risk register detail
The full register behind the risk signals - likelihood, impact, status, owner.
Detail records (synthetic)
| Risk | Category | Likelihood | Impact | Status | Owner |
|---|---|---|---|---|---|
| RK-1 Supplier concentration | Supply | 4 | 5 | open | Procurement |
| RK-2 Single-source parts | Supply | 3 | 5 | mitigating | Procurement |
| RK-3 FX volatility | Financial | 3 | 3 | open | Treasury |
| RK-4 Access control gaps | Cyber | 3 | 4 | mitigating | IT |
| RK-5 Incident recurrence | Operational | 4 | 3 | open | Ops |
| RK-6 Key-person dependency | Workforce | 2 | 4 | open | HR |
| RK-7 Contract lapse | Legal | 3 | 3 | mitigating | Legal |
| RK-8 Demand volatility | Commercial | 4 | 2 | open | Planning |
| RK-9 Quality escape | Quality | 2 | 5 | mitigating | Quality |
Synthetic (register + GRC). Read-only detail; AssetShop never writes back to source systems. Figures illustrate Meridian Industrials.