
// Governing Document · 2026

R1SK.IO
Founding Manifest

Managing cyber risk is neither a legal discipline for lawyers to checkbox nor a technical discipline for tools to automate. It is a business reality — genuinely complex, and owned by those who run the organisation. R1SK.IO accepts that complexity. We impose methodological consistency on it — so the output is always a decision, never an excuse.

// Cyber Risk Management // Critical Infrastructure

// the governance failure — why risk stays trapped between layers

layer 01 · Top management
risk appetite · governance · budget decisions
CEO · CFO · Board · Legal
Sees compliance reports. Has no risk metric to own. Decisions made on instinct.
strategy without metrics · reporting? maybe

layer 02 · Security & risk org
second line · risk owners · operational leads
CISO · Risk managers · Compliance · IT security
Speaks technical language. Cannot bridge to board. No shared metric exists.
decisions without context · technical findings untranslated

layer 03 · Operations
IT · OT · factories · procurement · sales
IT engineers · OT / ICS teams · Factory ops · Procurement
Owns the risk reality. Has no language upward. Accountability absent.

consequence — board
Risk stays abstract. Nobody owns the number. Decisions made on fear, compliance, or gut — not metrics.
consequence — risk org
Technical findings cannot reach the board in a form that produces decisions. Risk avoidance replaces risk management.
consequence — operations
Operational reality — actual exposure in IT and OT — never reaches the people who control the budget.
// R1SK.overlay( ) — consistent measurement + communication across all layers
layer 01 · R1SK enabled · Top management
risk appetite · governance · budget decisions
CEO owns the number · CFO budgets the risk · Board decides on metrics · Legal maps to compliance
Receives one risk figure. Confidence intervals attached. Decision is possible.
structured risk reporting · strategy + metrics

layer 02 · R1SK enabled · Security & risk org
aggregator · common language · escalation design
CISO translates risk · Risk managers own scenarios · Compliance is a by-product · IT security feeds the model
Common language established. Escalation pathways designed. Risk travels upward.
quantified risk data · mitigation decisions

layer 03 · R1SK enabled · Operations
IT · OT · factories · procurement · sales
IT engineers feed metrics · OT teams have weakness assessed · Factory ops have impact mapped · Value chain anchors impact
Operational reality captured. Value chain impact measured. Risk is now ownable.

result · board
One risk figure with confidence intervals. A business decision is possible. Accountability is assigned.
result · risk org
Common language across legal, C-suite, IT, and OT. Risk escalates accurately. Compliance follows automatically.
result · operations
Control room data reaches the boardroom. Data that cannot travel is a technical report, not a business decision.

There is a principle so widely known that it has become background noise. It is repeated in boardrooms, printed in frameworks, and quoted in audit reports. It is true. And it is not enough.

// Peter Drucker
"You can't control what you don't measure."
True. The starting point for every risk framework, compliance requirement, and security programme ever written.
// R1SK.IO founding position
"You can't control what you don't measure consistently — and communicate continuously."
Consistent measurement alone is not sufficient. A risk that is measured but not communicated will not be owned. Risk that is not owned will not be managed.

The distinction matters. Organisations across critical infrastructure have risk measurements. What they lack is a consistent measurement that produces a shared understanding of exposure across every function.

ownership = comprehension
// risk not communicated cannot be owned
// comprehension requires consistent measurement
management = ownership
// risk not owned will not be managed
// abstract risk is nobody's problem

Consistency is necessary. Consistent measurement and consistent risk communication are what make risk governable.

R1SK.IO founding position · 2026

Data that cannot travel from the control room to the boardroom is not business-relevant information. It is a technical report.

on compliance

Every compliance requirement exists because someone identified a category of risk that needed to be controlled. There exists no meaningful argument for compliance without risk control. R1SK.IO works from the logic underneath the requirement — not from the surface of the checklist.

"Personal risk avoidance is natural — but it is destructive for cyber risk management. Managers avoid taking responsibility for matters they do not fully understand and that carry career risk. The result is absent decision-making at every level of the organisation. Only by implementing consistent measurement and communication are leaders forced to lead."

Cyber risk is complex by nature. The environments where its consequences are most severe compound this: they span engineering, process control, IT, and security disciplines simultaneously.

The industry's response has been to retreat into two comfortable failures: technical reductionism — treating every risk as an engineering problem to be solved with another product — and compliance theatre — performing risk management for auditors rather than for genuine risk control.

Energy · Grid operators, oil & gas, renewables
Compliance frameworks completed annually, disconnected from the operational reality of the control environment and the societal impact at stake.
Manufacturing · Process & discrete manufacturing
Security investments driven by IT procurement cycles, not production risk profiles. Production impact absent from every risk conversation.
Transport · Rail, maritime, logistics
Fragmented risk ownership across IT, OT, and safety functions with no shared metric. Each domain speaks a different language. No one owns the number.

The governance failure underneath both patterns is the absence of real metrics. Risk without metrics cannot be owned. Risk that cannot be owned cannot be managed.

Cyber risk quantification has matured significantly as a discipline. Capable platforms and consulting practices now exist that translate technical exposure into financial terms. This is a positive development for the industry.

R1SK.IO does not position itself in competition with these platforms. We operate from a fundamentally different set of assumptions about what a client needs — and what a consulting engagement should leave behind.

"The question is not which platform computes your risk. The question is who owns it, who understands it, and who can defend it — without a subscription."

// Platform-led CRQ
Automated, continuous, SaaS-delivered
Ingests telemetry. Continuously updates risk posture. Produces board-ready financial metrics. Valuable for organisations that need scale and speed across large asset portfolios.
// R1SK.IO methodology
Consulting-led, client-controlled, sovereignty-first
Establishes the metric definitions, data points, and analytical framework the client owns and operates independently. For organisations where risk data must not leave the controlled environment.
// Why data sovereignty matters in critical infrastructure
  • Asset data, network topology, and control system states represent operational intelligence that must remain within a strictly controlled environment.
  • Clients must be able to understand, validate, and defend their own risk metrics — without relying on a vendor to interpret the output.
  • The risk baseline should not be contingent on a third-party subscription, a vendor remaining solvent, or a proprietary model changing without notice.
  • Regulatory frameworks increasingly require demonstrable governance of risk data — not merely access to a risk score.
// What automated models provide
Statistical threat frequency
Derived from cybercrime incident databases. Useful for ransomware and opportunistic attacks where historical base rates are meaningful.
// What R1SK.IO adds
Strategic Threat Intelligence
Produced through military intelligence tradecraft. Geopolitical context, state-actor profiling, and conflict-scenario forecasting as first-class quantified inputs to every risk scenario.

R1SK.IO does not sell software. We do not sell a dashboard. We do not sell a subscription to a risk score that requires our continued involvement to remain meaningful.

We sell a methodology. A precisely defined set of data points, metrics, and analytical relationships that, once established for a client, belongs entirely to that client — to run, to extend, to challenge, and to own.

Format A
Out-of-the-box risk suite
A ready-to-operate set of tools and data structures, deployable within the client's own environment. Typically established within 3–4 weeks.
Format B
Tailored model development
A collaborative engagement to build and refine a risk model reflecting the client's specific value chains, threat environment, and structure. Months to years.
Format C
Annual process governance
A structured annual assessment process the client manages internally, with R1SK.IO providing methodology governance and threat intelligence updates.

Implementation may take the form of spreadsheets, databases on segregated networks, automated pipelines, or structured SharePoint processes. The form follows the client's infrastructure. What does not vary is the underlying methodology — because consistent data collection is the hard problem.

Before a cyber risk can be measured, it must be defined precisely.

Cyber risk is the product of a threat actor exploiting a weakness to cause a negative impact on a business value chain. All three conditions must be present. Remove any one of them and you are dealing with a different problem entirely.

R1SK framework · core definition

Condition 01
A threat actor
A deliberate, malicious actor with intent and capability to exploit the organisation's environment. Without one, the problem is operational, not adversarial.
If absent: Misconfiguration and human error causing downtime are operational risk — a different discipline, a different budget line.
Condition 02
A weakness exploited
The full stack of exploitable conditions: technical vulnerabilities, procedural gaps, human factors, governance failures, physical access, supply chain.
If absent: Weakness is always present somewhere. The question is whether a threat actor can exploit the alignment of conditions.
Condition 03
A value chain impact
A measurable negative consequence to what the organisation produces — lost production, lost revenue. Damage confined to auxiliary systems does not constitute risk.
If absent: A breach of an HR portal with no production consequence is a data incident — it warrants response, but does not enter the risk model.
manageable risk
Production loss · Revenue impact
Enters the R1SK model. Can be quantified, balanced, and managed. The organisation may accept some, mitigate some, and transfer some.
red flag — outside the model
Safety incidents · Regulatory violations
Do not enter the risk balancing model. When identified, the response is categorical: stop. No organisation can weigh the cost of a fatality against a mitigation budget.
R1SK framework · scenario structure
Cyber Risk = Threat × Weakness × Impact
Threat: actor capacity, motivation, and attack capability (MITRE ATT&CK ICS + Enterprise)
Weakness: degree of mitigation implementation across IT, OT, and sub-environments
Impact: lost production and lost revenue, mapped to each value chain

Each scenario is simulated by Monte Carlo methods across its probability distribution. The collective risk figure is the product of all scenarios — the logic behind the name: R1SK.IO, one risk.
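As an added illustration of the scenario structure above (example code, not R1SK.IO's own model or tooling), the following Monte Carlo draws Threat and Weakness as yes/no events per trial, draws Impact from a lognormal fitted to a 90% interval of lost revenue, sums the losses across scenarios into one annual figure with percentiles, and refuses safety scenarios as the red flag the definition describes. The probability encodings, the lognormal fit, the per-trial summation as aggregation rule, and every sample figure are assumptions of this example.

```python
import math
import random
import statistics
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    threat: float         # annual probability the actor attempts this scenario (Threat)
    weakness: float       # probability an attempt succeeds at current mitigation degree (Weakness)
    impact_low: float     # lost production / revenue, low end of a 90% interval (Impact)
    impact_high: float    # high end of the same interval
    safety: bool = False  # red flag: safety / regulatory consequences never enter the balance

def impact_params(s):
    """Fit a lognormal so that [impact_low, impact_high] is its 5th..95th percentile range."""
    mu = (math.log(s.impact_low) + math.log(s.impact_high)) / 2
    sigma = (math.log(s.impact_high) - math.log(s.impact_low)) / (2 * 1.645)
    return mu, sigma

def simulate(scenarios, trials=20000, seed=1):
    """One trial = one simulated year; per-trial losses are summed across scenarios (assumption)."""
    if any(s.safety for s in scenarios):
        raise ValueError("safety scenario present: categorical stop, not a balancing input")
    rng = random.Random(seed)
    params = {s.name: impact_params(s) for s in scenarios}
    totals = []
    for _ in range(trials):
        loss = 0.0
        for s in scenarios:
            if rng.random() < s.threat and rng.random() < s.weakness:
                loss += rng.lognormvariate(*params[s.name])
        totals.append(loss)
    totals.sort()
    def pct(p):
        return totals[int(p * (trials - 1))]
    return {"mean": statistics.fmean(totals), "p5": pct(0.05), "p50": pct(0.5),
            "p95": pct(0.95), "p_loss": sum(t > 0 for t in totals) / trials}

def mitigated(scenarios, name, new_weakness):
    """Re-run with one scenario's weakness reduced: the metric a mitigation roadmap is tied to."""
    return [Scenario(s.name, s.threat, new_weakness if s.name == name else s.weakness,
                     s.impact_low, s.impact_high, s.safety) for s in scenarios]

# Constructed sample scenarios with illustrative figures, not client data.
SCENARIOS = [
    Scenario("IT outage halts one line", threat=0.6, weakness=0.3, impact_low=1e6, impact_high=1e7),
    Scenario("ICS intrusion halts site", threat=0.1, weakness=0.7, impact_low=2e7, impact_high=1e8),
]

if __name__ == "__main__":
    base = simulate(SCENARIOS)
    after = simulate(mitigated(SCENARIOS, "ICS intrusion halts site", 0.2))
    print(f"one risk figure: mean {base['mean']:,.0f}, 90% interval [{base['p5']:,.0f}, {base['p95']:,.0f}]")
    print(f"after ICS mitigation: mean {after['mean']:,.0f}, P(any loss) {base['p_loss']:.2f}")
```

The median is zero in the sample because most simulated years see no successful event, which is why the mean and the upper percentile, not the median, are the figures a board should be shown.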

"Not a list of findings. Not a heat map. A number the board can own."

These are not aspirations. They are the operational principles by which every R1SK.IO engagement is governed.

// C1 — Transparency over dependency
  • The methodology is open. We document every assumption, every data point, every analytical relationship. Clients who understand their own risk metrics are the point.
// C2 — Quantification over narrative
  • We do not deliver fear. We deliver numbers with confidence intervals, mitigation roadmaps tied to every metric, and a clear line from finding to business decision.
// C3 — Intelligence-led threat assessment
  • Threat actors are assessed on intent, capacity, and geopolitical context — not just historical cybercrime statistics. We bring military intelligence discipline to the threat component of every risk scenario.
// C4 — IT/OT integrated by design
  • IT and OT environments are deeply interconnected. A breach that begins in IT routinely traverses into operational technology, and vice versa. Our methodology is designed for this reality from the ground up.
// C5 — Cross-functional communication
  • A risk metric is only useful if it travels. Our outputs are designed to be understood by legal, C-suite, sales, IT-technical, and process-technical audiences simultaneously.
// C6 — Accountability, not abstraction
  • We exist to make risk ownership possible. When risk is quantified, repeatable, and communicable, it can be assigned. We build the conditions under which an organisation can take genuine responsibility for its own security posture.

R1SK.IO serves organisations where the consequences of a cyber incident extend beyond data loss — where a successful attack means halted production, failed safety systems, or disrupted critical services. Energy. Water. Manufacturing. Transport. Maritime. Defence supply chains.

We serve clients who are ready to treat cyber risk as a business problem. Not those looking for a report that satisfies an auditor. Not those seeking a technology vendor to outsource the thinking to. Organisations willing to understand their risk — and to own it.

We also serve the ecosystem around those organisations: regulators and authorities who need a credible, comparable risk language across sectors; insurers and financial partners who need defensible exposure assessments; and industry peers building toward a shared standard for critical infrastructure cyber risk measurement.

Compliance is not R1SK.IO's primary offering. It is a consequence of doing the work properly.

When an organisation collects consistent, structured, risk-actionable data — the weakness assessments, mitigation implementation degrees, procedural reviews, and structured interviews that form the backbone of the R1SK framework — that data is also the raw material of every major compliance framework. The audit trail is a by-product of rigorous risk governance, not a separate exercise.

ISO 27001 / 27019 · Information security
NIST CSF 2.0 · Cybersecurity framework
IEC 62443 · OT / ICS security
NIST SP 800-82 · OT security guide
NIST SP 800-53 · Security controls
NIS2 / CER · EU critical infrastructure

There exists no meaningful argument for compliance without risk control.

R1SK.IO founding position · 2026

"The standard of cyber risk management in critical infrastructure is not good enough. The gap between technical reality and board-level understanding remains dangerously wide. R1SK.IO exists to close it — with rigour, transparency, and the conviction that those responsible for keeping society running deserve a clear answer to the question: how exposed are we?"

R1SK.IO Founding Manifest · 2026
// [email protected] — let's have the conversation →