title: Troubleshooting & FAQ description: Frequently asked questions and solutions for risk-related issues in Tidal Control sidebar_position: 4

Troubleshooting & FAQ

Frequently Asked Questions

Why does my risk keep "Inactive" status?

Note!

Inactive risks currently have no impact on application functionality.

(future feature) In the future, risk assessments will only be scheduled for active risks.

A risk only becomes "Active" when all the following conditions are met:

The "Valid from" date is in the past and "Valid to" in the future (or empty)
At least one asset is linked to the risk

Solution:

Check validity period - Go to Details tab and set correct dates
Link Controls - Go to Rating tab and select relevant Controls under 'Treatment'
Refresh the page - Status update may require a browser refresh

How do I determine the correct likelihood and impact scores?

Estimating Likelihood:

Use historical data - How often did this risk occur in the past?
Analyze external factors - Threat landscape in your sector
Consider current measures - What protection is already in place?
Use the 'Ask TidalBot' button - to receive an immediate example assessment
Consult experts - IT specialists, security advisors

Impact assessment:

Financial consequences - Direct costs and revenue loss
Operational disruption - Shutting down or slowing business operations
Reputation damage - Media attention and customer trust
Compliance impact - Fines and legal consequences

Consistency tips:

Use the same criteria for all risks
Document your assessment methodology
Have multiple people assess independently
Review scores periodically with fresh eyes

Which treatment option should I choose for my risk?

Reduce - Choose when:

Risk has medium to high impact
Effective measures are available
Mitigation costs are proportional
Organization has control over risk factors

Accept - Choose when:

Risk has low impact and likelihood
Mitigation costs more than potential damage
Risk falls within accepted risk appetite
No effective measures available

Transfer - Choose when:

Risk has high financial impact
Insurance or outsourcing is cost-effective
Expertise for risk treatment is lacking
Legal liability can be transferred

Avoid - Choose when:

Risk has extreme impact
Alternatives to risky activity exist
Reputation risk is unacceptable
Legal or ethical objections exist

Why am I not getting realistic AI assessments from TidalBot?

AI has limited context without organizational information:

Add Organizational context - read more about this in Policies
Fill in asset information completely - Systems, data, processes
Describe specific circumstances in risk description
Provide feedback on generated assessments

Improving AI results:

Add more context - More detailed descriptions
Link Assets - AI uses asset information for assessment
Fill in Attributes - Domain, category, threat group
Iterative refinement - Use AI output as starting point, then adjust

Tip

AI as a tool: Use TidalBot for inspiration and consistency, but never replace human expertise and organizational knowledge.

How do I effectively link controls to risks?

Selecting controls for "Reduce" treatment:

Preventive controls - Prevent risk from occurring
Detective controls - Early detection of risk manifestation
Corrective controls - Restore after risk incident
Compensating controls - Alternative protection

Estimating effectiveness:

Direct relationship - Control addresses specific risk cause
Proven effectiveness - Track record in similar situations
Implementation quality - Is the control being executed correctly?
Monitoring possible - Can you measure and adjust effectiveness?

Avoiding pitfalls:

Not too many controls - Focus on most effective options
Check overlap - Avoid redundant protection
Consider costs - Proportionality between risk and mitigation
Monitor residual risk - Assess if additional controls are needed

Common Problems

Residual risk higher than inherent risk

Problem: After linking controls, residual risk appears higher than the original risk.

Possible causes:

Wrong assessment - Original estimate was too optimistic
Poor implementation - Controls don't work as intended
New threats - Risk has evolved since last assessment
Control side effects - New vulnerabilities introduced

Solutions:

Review inherent risk - Was original assessment realistic?
Check controls - Are they being implemented correctly?
Update threat landscape - Have new threats emerged?
Find better controls - More effective alternatives available?

Risk assessment is inconsistent between assessors

Problem: Different people give very different scores to the same risk.

Causes:

Unclear criteria - No shared understanding of likelihood/impact scales
Different perspectives - IT vs Business vs Compliance viewpoint
Lack of information - Assessors have different facts
Personal bias - Risk appetite and experience influence judgment

Solutions:

Standardize criteria - Clear definitions per score level
Organize group sessions - Joint assessment and discussion
Calibration exercises - Train assessors with standard examples
Multiple perspectives - Have different experts assess

Assets are not correctly linked to risks

Problem: Asset linking appears random or incomplete.

Error scenarios:

Too broad linking - All assets linked to every risk
Too narrow linking - Critical exposure missed
Outdated links - Assets not updated after changes
Wrong granularity - Too detailed or too global

Best practices:

Specific linking - Only actually threatened assets
Regular reviews - Periodically update links
Think impact - Which assets actually affected in incident?
Stakeholder input - Involve asset owners in risk assessment

Risk treatment is not followed up

Problem: Chosen treatment is not implemented or monitored.

Causes:

Unclear responsibilities - No one owns execution
Lack of priority - Other work takes precedence
Unrealistic plans - Treatment options are not executable
No follow-up process - No systematic monitoring

Solutions:

Clear owners - Assign specific people to each treatment
Set deadlines - Concrete timelines for implementation
Regular check-ins - Quarterly reviews of treatment progress
Escalation process - Management involvement for delays

Technical Problems

Risk status is not updated

Problem: Changes in risk information don't reflect in the status.

Troubleshooting:

Clear browser cache - Hard refresh (Ctrl+Shift+R)
Save changes - By using the 'Update' button regularly
Don't ignore the 'Discard changes?' popup - If you navigate away from a screen without updating, you'll get the question to discard changes or go back to the risk (cancel). Go back to the risk and save changes first with the 'Update' button.

Come across an issue we haven't covered?

Send an email to support@tidalcontrol.com, and we'll get in touch as soon as possible.

Info

Gathering support info: Note which browser you're using, exact error messages, which steps you've already tried, and screenshots of the problem. This significantly speeds up the solution.

Preventive Tips

Regular maintenance

Monthly tasks:

Identify new risks - Have threats been added?
Check status updates - Are all active risks still relevant?
Treatment progress - Are planned measures being executed?

Quarterly reviews:

Risk assessment updates - Are likelihood/impact scores still current?
Asset links - New systems or changed exposure?
Effectiveness assessment - Do chosen treatments work as expected?

Annual review:

Complete portfolio review - Go through complete risk inventory
Framework updates - New compliance requirements or standards?
Stakeholder feedback - Input from asset owners and management

Maintaining data quality

Consistent input:

Use attributes - Standard categories for filtering
Avoid duplicates - Check existing risks before adding
Clear descriptions - Understandable for all stakeholders
Periodic cleanup - Archive outdated or irrelevant risks

Tip

Proactive risk management: Invest time in preventive measures. Regular maintenance prevents most problems and keeps your risk management current and effective.