Risk
/api/v1/grc/risks
A GRC risk record, distinct from operational RiskItem.
Operations: list, get, create, update
Schema
| Field | Type | Notes |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | One of frontend, backend, server, system, api. Where the write originated. Defaults to 'api'. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| title | string | Short descriptive title for the risk. |
| description | string | Detailed description of the risk scenario and its potential impact. |
| category | string | Domain category of the risk. |
| owner_id | string | ID of the Person who owns this risk. |
| asset_ids | json | IDs of knowledge-graph asset entities threatened by this risk. |
| threat_actor_ids | json | IDs of knowledge-graph threat actor entities posing this risk. |
| inherent_likelihood | number | Inherent likelihood score (1–5) before controls are applied. |
| inherent_impact | number | Inherent impact score (1–5) before controls are applied. |
| inherent_rating | number | Computed inherent risk rating (inherentLikelihood × inherentImpact). |
| residual_likelihood | number | Residual likelihood score (1–5) after controls are applied. |
| residual_impact | number | Residual impact score (1–5) after controls are applied. |
| residual_rating | number | Computed residual risk rating (residualLikelihood × residualImpact). |
| mitigating_control_ids | json | IDs of Controls that mitigate this risk. |
| treatment | string | Selected risk treatment approach. |
| treatment_rationale | string | Explanation of why this treatment was chosen. |
| status | string | Current lifecycle status of the risk. |
| acceptance_level | string | Delegation level for risk acceptance. |
| accepted_by | string | ID of the Person who formally accepted this risk. |
| accepted_at | date-time | ISO 8601 timestamp when the risk was formally accepted. |
| next_review_date | date-time | Date when this risk is next due for reassessment. |
| last_assessed_at | date-time | ISO 8601 timestamp of the most recent assessment. |
| assessment_notes | string | Notes from the most recent assessment. |
| realized_incident_ids | json | IDs of Incidents that realized this risk. |
| tags | json | Free-form tags for filtering. |
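The scoping, stamping and rating rules in the table above, as an added Python example (not the project's SDK or server code): the `Claims` class, `stamp_create` and `visible_risks` are hypothetical helpers, and all sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SCORE_RANGE = range(1, 6)  # likelihood/impact scores are 1-5 per the schema
SOURCE_TYPES = {"frontend", "backend", "server", "system", "api"}
# Server-owned fields: never trusted from the request body.
SERVER_OWNED = {"id", "tenant_id", "app_id", "created_by", "updated_by",
                "created_at", "updated_at", "is_deleted", "deleted_at", "deleted_by"}


@dataclass
class Claims:
    """The JWT claims the schema says are stamped onto writes (constructed shape)."""
    sub: str                       # Person id -> created_by / updated_by
    tenant_id: str                 # -> tenant_id, always from the token
    app_id: Optional[str] = None   # present only for integration-key tokens


def compute_rating(likelihood: int, impact: int) -> int:
    """inherent_rating / residual_rating = likelihood x impact, scores checked to 1-5."""
    if likelihood not in SCORE_RANGE or impact not in SCORE_RANGE:
        raise ValueError("likelihood and impact must be integers in 1..5")
    return likelihood * impact


def stamp_create(payload: dict, claims: Claims, now: Optional[datetime] = None) -> dict:
    """Build the stored document for a create: drop client-sent server-owned fields,
    stamp scope and authorship from the JWT, apply defaults, compute ratings."""
    now = now or datetime.now(timezone.utc)
    doc = {k: v for k, v in payload.items() if k not in SERVER_OWNED}
    doc["tenant_id"] = claims.tenant_id
    if claims.app_id is not None:          # absent for human-user sessions
        doc["app_id"] = claims.app_id
    doc["created_by"] = doc["updated_by"] = claims.sub
    doc["created_at"] = doc["updated_at"] = now.isoformat()
    doc["is_deleted"] = False
    doc.setdefault("source", "edm")
    doc.setdefault("source_type", "api")
    if doc["source_type"] not in SOURCE_TYPES:
        raise ValueError("invalid source_type")
    doc["inherent_rating"] = compute_rating(doc["inherent_likelihood"], doc["inherent_impact"])
    if "residual_likelihood" in doc and "residual_impact" in doc:
        doc["residual_rating"] = compute_rating(doc["residual_likelihood"], doc["residual_impact"])
    return doc


def visible_risks(docs: list, claims: Claims, include_deleted: bool = False) -> list:
    """Default list semantics: tenant-scoped, app-scoped when the token carries
    app_id, soft-deleted records excluded unless explicitly requested."""
    return [d for d in docs
            if d["tenant_id"] == claims.tenant_id
            and (claims.app_id is None or d.get("app_id") == claims.app_id)
            and (include_deleted or not d.get("is_deleted", False))]
```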
API
client.grc.risks.*