CC3.1 · D5 · f1
- evidence/risk-policy.md — Zenith Cloud enterprise risk management framework defining risk appetite, 5x5 assessment matrix, assessment frequency requirements, and governance structure
- evidence/risk-register-q4.csv — Q4 2025 risk register containing 22 risks with likelihood/impact ratings, treatment strategies, and change history
- evidence/sgc-meeting-minutes-q4.md — Security Governance Committee Q4 2025 quarterly meeting minutes documenting risk review, rating changes, and emerging risk discussion
- evidence/compliance-calendar-2025.md — Annual compliance activity calendar showing scheduled activities for 2025 — not directly relevant to risk assessment effectiveness [noise]

| ID | Type | Severity | Finding |
|---|---|---|---|
| F-001 | gap | medium | **Risk rating downgrades without documented justification in the register.** Two risks were downgraded from High to Medium during Q4 2025: ZC-RISK-002 (cloud misconfiguration) and ZC-RISK-015 (phishing attack). The risk register's change_justification field is blank for ZC-RIS... |
| F-002 | gap | medium | **Risk register comprehensive update approaching staleness.** The risk policy Section 4.2 requires a comprehensive risk assessment 'conducted annually, typically in Q1.' The risk register shows the last comprehensive review was February 15, 2025 — 10 months prio... |
| F-003 | gap | medium | **SGC reviewed only top 10 of 22 risks.** The risk register contains 22 risks. The SGC Q4 meeting minutes show the committee reviewed only the 'top 10 risks by residual risk rating.' Twelve risks received no governance committee review during... |
| F-004 | gap | medium | **Risk matrix may understate catastrophic-impact risks.** ZC-RISK-007 (insider threat — malicious data exfiltration) has likelihood=2 and impact=5. Per the 5x5 matrix in the risk policy, this maps to 'Medium.' However, impact=5 is defined as 'Catastrophic — ... |
| F-005 | gap | low | **No formal emerging risk assessment conducted.** The risk policy Section 7 describes an emerging risk identification process that includes 'quarterly threat landscape briefings,' 'industry peer benchmarking,' 'technology horizon scanning,' and 'regu... |

| Model | Provider | Score | Recall | Prec. | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 55% | 60% | 50% | 55% | 3/5 | 6 |
| Opus 4.7 | Anthropic | 40% | 60% | 30% | 40% | 3/5 | 10 |
| GPT-5.5 | OpenAI | 33% | 40% | 29% | 33% | 2/5 | 7 |
| GPT-4.1 | OpenAI | 0% | 0% | 0% | 0% | 0/5 | 10 |
| Haiku 4.5 | Anthropic | 12% | 60% | 7% | 12% | 3/5 | 46 |
| GPT-4o | OpenAI | 0% | 0% | 0% | 0% | 0/5 | 5 |