Asset and Risk Manager
User Guide
1. Introduction
The Asset and Risk Manager (ARA) is a Jira Cloud app that helps organisations run structured asset and risk management directly inside Jira. It is designed with ISO 27001 requirements in mind and provides dedicated issue types, configurable risk assessments, and an interactive risk matrix — all without leaving your Jira environment.
What ARA provides
- Five purpose-built issue types: Asset, Risk, Threat, Measure, and Process.
- A dedicated Jira project with preconfigured screens, field layouts, and workflows tailored to asset and risk management.
- A configurable risk assessment field that captures impact, probability, and automatically calculates a criticality score.
- An interactive risk matrix dashboard with color-coded thresholds and drill-down to individual issues.
- Project-level configuration so each team can define its own impact scales, probability scales, and evaluation thresholds.
Who this guide is for
This guide is intended for Jira administrators who install and configure the app, as well as project members who work with risk assessments and the dashboard on a daily basis.
2. Getting Started
Installation
Install the Asset and Risk Manager from the Atlassian Marketplace. When the app is installed on your Jira Cloud instance, the setup process starts automatically — no manual steps are required.
Automatic Setup
Upon installation, ARA automatically provisions everything it needs in your Jira instance:
- The five ARA issue types (Asset, Risk, Threat, Measure, Process).
- The required custom fields, screens, and field layouts for each issue type.
- A ready-to-use Jira project called "Asset and Risk Management" with all configurations already applied.
The provisioning runs in the background and typically completes within a few seconds. Once finished, the ARA project and all issue types are ready to use.
Note: The setup process is idempotent. If ARA detects that elements already exist (e.g. after a reinstall), they are skipped automatically.
Uninstalling
When the app is uninstalled from the Atlassian Marketplace admin page (Apps → Manage apps), ARA automatically removes all elements it created — issue types, screens, schemes, field configurations, and the ARA project — and clears its app storage.
Note: Uninstalling removes the project structure and configuration. Any issues that were created within the ARA project will follow standard Jira deletion behavior.
3. Configuring the Risk Assessment
ARA's risk assessment is fully configurable per project. To access the configuration, go to your ARA project, then open Project Settings → ARA Configuration.
The configuration page has three sections: Impact Options, Probability Options, and Evaluation Thresholds.
Impact Options
Impact options define the possible values for the "Potential Damage" dimension of a risk assessment. Each option has two properties:
Label – The display name shown to users when assessing a risk (e.g. "Negligible", "Critical").
Weight – A numeric value used to calculate the criticality score. Higher values represent greater impact.
Click Add to create a new option. Edit labels and weights inline, then click Save changes at the bottom of the page.
Probability Options
Probability options work identically to impact options but represent the "Likelihood of Occurrence" dimension. Each option also has a label and a numeric weight.
Tip: Define your scales to match your organisation's risk methodology. A common approach is to use scales of 1–5 or 1–10 for both dimensions.
Evaluation Thresholds
Evaluation thresholds define the criticality levels that result from the risk score. Each threshold has the following properties:
Label – The name of the criticality level (e.g. "Low", "High", "Critical").
Weight – The minimum score at which this threshold applies. The system picks the threshold with the highest weight that is still below the calculated score.
Role – An optional label for the responsible role (e.g. "CISO", "Risk Owner"). Displayed alongside the assessment.
User – An optional Jira user who is responsible for risks at this criticality level.
Color – A color token used to shade the corresponding cells on the risk matrix dashboard. Choose from the predefined color palette.
How threshold matching works
When a user selects an impact and a probability on an issue, the app calculates the criticality score:
Criticality Score = Impact Weight × Probability Weight
The app then selects the threshold whose weight is the highest value that is still strictly below the score. For example, if your thresholds are set at weights 1, 5, 10, and 20, a score of 12 would match the threshold at weight 10.
Tip: Order your threshold weights from low to high, matching the severity progression of your criticality levels.
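The matching rule above, worked through as an added example (not ARA's own code): it applies the rule exactly as this guide states it, builds a dashboard-style matrix, and lists cells for which no threshold matches. Function names, labels, weights, and sample assessments are constructed for illustration.

```javascript
// Added example, not ARA's code; names and sample data are constructed.
// Rule as stated in the guide: score = impact weight × probability weight,
// matched threshold = highest threshold weight strictly below the score.
function criticalityScore(impactWeight, probabilityWeight) {
  return impactWeight * probabilityWeight;
}

function matchThreshold(score, thresholds) {
  let best = null;
  for (const t of thresholds) {
    if (t.weight < score && (best === null || t.weight > best.weight)) best = t;
  }
  return best; // null when no threshold weight lies below the score
}

// Rows are impact options, columns are probability options, as on the dashboard.
function buildMatrix(impacts, probabilities, thresholds, assessments) {
  return impacts.map((imp) => probabilities.map((prob) => {
    const score = criticalityScore(imp.weight, prob.weight);
    const level = matchThreshold(score, thresholds);
    const count = assessments.filter(
      (a) => a.impact === imp.label && a.probability === prob.label).length;
    return { impact: imp.label, probability: prob.label, score,
             level: level ? level.label : null, count };
  }));
}

// Configuration check: cells for which the stated rule yields no level.
function uncoveredCells(matrix) {
  return matrix.flat().filter((cell) => cell.level === null);
}

// Constructed sample configuration and assessments.
const impacts = [{ label: "Minor", weight: 1 }, { label: "Major", weight: 3 },
                 { label: "Severe", weight: 5 }];
const probabilities = [{ label: "Rare", weight: 1 }, { label: "Possible", weight: 3 },
                       { label: "Likely", weight: 5 }];
const thresholds = [{ label: "Low", weight: 1 }, { label: "Moderate", weight: 5 },
                    { label: "High", weight: 10 }, { label: "Critical", weight: 20 }];
const assessments = [{ impact: "Severe", probability: "Likely" },
                     { impact: "Severe", probability: "Likely" },
                     { impact: "Major", probability: "Possible" }];

const matrix = buildMatrix(impacts, probabilities, thresholds, assessments);
console.log(matchThreshold(12, thresholds).label);
console.log(uncoveredCells(matrix).map((c) => `${c.impact}/${c.probability}`));
```

Under the rule as stated, a score equal to a threshold weight falls to the next lower threshold, and the lowest cell in this sample (score 1) matches none of the sample thresholds.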
Available threshold colors
The following colors are available for threshold configuration. They use Atlassian Design System tokens and render consistently across light and dark themes:
- 1 – Uncritical: Neutral (grey)
- 2 – Very low: Blue
- 3 – Low: Teal
- 4 – Guarded: Light green
- 5 – Moderate: Green
- 6 – Elevated: Lime
- 7 – Significant: Yellow
- 8 – High: Orange
- 9 – Very high: Light red
- 10 – Critical: Bold red
Saving Changes
After editing any of the three sections, click Save changes at the bottom of the configuration page. All changes take effect immediately for new assessments. Existing issue assessments retain their stored values; they will reflect updated labels and thresholds the next time they are viewed.
Removing Options
When you attempt to remove an impact or probability option, the app automatically checks whether that option is currently in use on any issue. If it is, removal is blocked and a warning message is displayed. This prevents accidental data loss.
4. Using the Risk Assessment Field
The risk assessment field ("Risikobewertung") appears on Risk issues. It allows users to evaluate a risk by selecting values for two dimensions: potential damage (impact) and likelihood of occurrence (probability).
Assessing a Risk
- Open a Risk issue.
- Locate the Risikobewertung field in the issue view.
- Select a value from the "Möglicher Schaden" (Impact) dropdown.
- Select a value from the "Eintrittswahrscheinlichkeit" (Probability) dropdown.
- The criticality score and the matching threshold level are displayed automatically below the dropdowns.
Changes are saved immediately when you make a selection — there is no separate save step.
What the Assessment Shows
Once both dimensions are selected, the field displays:
- Criticality score: The numeric result of impact weight × probability weight.
- Criticality level: The matching threshold label (e.g. "High", "Critical").
- Responsible party: If a user or role is configured for the matched threshold, they are shown here.
Assessments on New Issues
When creating a new Risk issue, the assessment field shows a notice that it can only be filled in after the issue has been created. Simply create the issue first, then open it to complete the assessment.
5. Risk Matrix Dashboard
The ARA Dashboard is a project-level page that visualises all assessed risks in an interactive matrix. Access it via your ARA project's sidebar under ARA Dashboard.
Reading the Matrix
The matrix is a grid where rows represent impact levels and columns represent probability levels. Each cell shows the number of risk issues that have been assessed with that particular combination.
Cells are color-coded according to the evaluation thresholds you configured. The color of each cell corresponds to the threshold that matches the cell's score (row weight × column weight).
Drilling Down into Issues
Click any cell in the matrix to see the list of individual issues in that risk category. The detail table shows each issue's key (as a clickable link to the issue), summary, impact value, and probability value.
Filtering with JQL
By default, the dashboard scopes to the current project. You can enter a custom JQL query in the filter field to narrow down which issues appear in the matrix — for example, to focus on a specific component, assignee, or status.
Tip: Use filters like "assignee = currentUser()" or "status != Done" to create focused views of your risk landscape.
Refreshing Data
Click the Refresh button to reload issue data from Jira. The dashboard fetches up to 100 issues per query. If you have more assessed risks, use JQL filters to focus on specific subsets.
6. Issue Types and Fields
ARA creates five issue types, each tailored to a specific aspect of asset and risk management:
Asset – Track IT assets such as hardware, software, and services.
Risk – Document and assess identified risks. Includes the risk assessment field, protection goals, and treatment strategy.
Threat – Capture threat sources and scenarios that may affect your assets.
Measure – Define controls, countermeasures, and actions to mitigate risks.
Process – Describe business processes, including their type and protection goal requirements.
Custom fields provided by ARA
In addition to the risk assessment field, ARA provides the following custom fields on the relevant issue types:
Risikobewertung (Risk Assessment) (Risk) – Structured assessment with impact/probability selection and automatic score calculation.
Schutzziel C – Confidentiality (Risk, Process) – Select the confidentiality protection goal classification.
Schutzziel I – Integrity (Risk, Process) – Select the integrity protection goal classification.
Schutzziel A – Availability (Risk, Process) – Select the availability protection goal classification.
Prozessart (Process Type) (Process) – Classify the type of business process.
Umgangsstrategie (Treatment Strategy) (Risk) – Select the risk treatment approach (e.g. avoid, mitigate, accept, transfer).
7. Permissions
The Asset and Risk Manager requests the following permission scopes. Each scope is necessary for the app to provision and manage its Jira elements, and to read and write risk assessment data.
Read: Issue types, fields, screens, schemes, projects – Checking which elements already exist before provisioning; reading issue data for the risk matrix dashboard.
Write: Issue types, fields, screens, schemes, projects – Creating and configuring ARA's issue types, custom fields, screens, screen schemes, and the ARA project during setup.
Delete: Issue types, fields, screens, schemes, projects – Removing ARA-created elements during uninstall or cleanup.
Read/Write: Jira work items – Reading risk assessment field values from issues and saving updated assessments.
Read: Jira users – Resolving user accounts for threshold assignments and displaying responsible users on assessments.
Manage: Jira project and configuration – Applying field configuration schemes, issue type screen schemes, and project-level settings during setup.
App storage – Storing app configuration (impact options, probability options, thresholds) and tracking provisioned element IDs.
ARA operates as an app-level identity (not as the installing user). It does not access any data outside the scope of its own configuration and the issues it needs to read for the risk matrix.
8. Data and Privacy
What data does ARA store?
ARA stores two categories of data, both within the Atlassian Forge platform:
- App configuration: Impact options, probability options, and evaluation thresholds (including any assigned Atlassian user account IDs). This data is stored in Forge App Storage and is scoped to your Jira Cloud instance.
- Provisioning metadata: The IDs and names of Jira elements created by ARA (issue types, screens, schemes, etc.). This is used to manage the app's lifecycle (install/uninstall) and is stored in Forge's Custom Entity Store.
What data does ARA NOT store?
Risk assessment values (the impact and probability selections on individual issues) are stored as regular Jira custom field values on the issues themselves — not in any separate app database. ARA does not copy, export, or transmit issue data outside of your Jira Cloud instance.
Where is data stored?
All app data is stored within the Atlassian Forge platform infrastructure. ARA does not use any external servers, databases, or third-party services. No data leaves the Atlassian Cloud environment.
Personal data
The only personal data ARA stores is the Atlassian account IDs of users assigned as responsible parties in evaluation thresholds. This is optional and configured explicitly by the administrator. When a threshold user assignment is removed, the account ID is deleted from app storage.
Data removal
When the app is uninstalled, all provisioned Jira elements are automatically removed and all app storage is cleared. Removing the app via the Atlassian Marketplace admin page removes the Forge app and its storage entirely.
9. Troubleshooting
Risk assessment field shows a notice about creating the issue first – Cause: You are on the issue create screen. Solution: Create the issue first, then open it to complete the assessment.
No options appear in the impact or probability dropdowns – Cause: No options have been configured yet. Solution: Go to Project Settings → ARA Configuration and add impact and probability options.
Dashboard shows a "Missing field context" warning – Cause: The app could not identify the risk assessment custom field. Solution: Try reinstalling the app from the Marketplace admin page (Apps → Manage apps).
Dashboard cells have no color – Cause: Evaluation thresholds are not configured, or all threshold weights are 0. Solution: Configure thresholds with meaningful weights in ARA Configuration.
Cannot remove an option from the configuration – Cause: The option is currently used on one or more issues. Solution: Update or clear the assessment on those issues first, then retry removal.
10. Support and Contact
If you encounter issues or have questions about the Asset and Risk Manager, please reach out:
- E-mail: support@3einhalb.com
When reporting an issue, please include your Jira Cloud instance URL, the ARA app version, and a description of the steps to reproduce the problem.
