Risk analysis academy

Are the work tools and document templates received fully editable (e.g. in Excel format), or can we modify and apply them freely in our own organisation without additional licence fees after completing the course?

Yes, the tools you receive are fully editable and intended for long-term use in your organisation.

• Templates of tables and matrices (e.g. process mapping, initial and residual risk calculation) that you can complete with your own data.
• Ready document structures (e.g. report to management, risk plan, acceptance card) that you adapt to the specifics of your company.

The Academy model assumes that during the course you complete these tools while preparing documentation tailored to your organisation. After the training, your organisation may use the documents under a licence with no territorial or time limits, treating them as the foundation of its risk management system.

We're planning to send a full compliance team (3-4 people).

Yes, as standard for our open training courses we offer a 10% discount for each additional participant from the same entity

If there are significant changes to the guidelines of the Polish Data Protection Authority (UODO) or the European Data Protection Board, will Academy participants receive updated versions of the tools at no extra cost?

Yes, within 12 months of graduating from the Academy

Is the training on-premises, live online, or is it an e-learning course that we can access at any time?

The 'Risk Analysis Academy' training organised by ODO 24 takes the form of a series of meetings. It starts with an in-person opening session in Warsaw, followed by live online webinars.

Is it necessary to have specialized software to work with the working tools (spreadsheets) or is a standard MS Office package sufficient?

No, no specialised software is needed. A standard office suite, such as MS Office, is sufficient. Materials are available in PDF and editable formats (tables, matrices, document templates), ready for direct use.

The package contains, among other things:

• tables to map processes, resources and threats,
• risk assessment and calculation matrices,
• ready models of reports and action plans.

As a whole, it allows a full risk analysis to be carried out without the deployment of additional IT systems.

Is it possible to consult a trainer after graduation of the Academy for the first self-assessed analysis to make sure that we have properly applied the methodology we know in practice?

Yes, each participant has two hours of individual consultation with the trainer, which takes place during the course of the Academy, so that at the end of the course you have a ready risk analysis for your organisation.

Do ready-made risk catalogues take into account specific incidents related to remote working and the use of cloud services (SaaS), or do they focus on traditional local infrastructure?

Yes, the risk catalogues are fully adapted to a hybrid working environment.

The Academy's tools are not limited to traditional local infrastructure ('server in a cabinet'), but cover modern IT environments. You receive ready-made risk catalogues assigned to specific assets, allowing you to immediately analyse risks characteristic of cloud, SaaS services, and remote working, such as account takeovers, cloud environment configuration errors, or threats to endpoint devices.

Asset lists prepared on the basis of ISO 27005 treat external services and mobile equipment as key assets for which dedicated risk scenarios have been defined (e.g. loss of access to a cloud service or theft of an unsecured laptop).

The whole approach is based on a practical methodology and focuses on real threats occurring in modern organisations, including risks related to IT suppliers and the daily habits of remote workers.

How do the effect and probability scales provided help to eliminate the subjectivity of different resource owners so that the results of the analysis are comparable across the different departments of the company?

By replacing intuition ('it seems to me the risk is high') with precise mathematics and a uniform standard for the entire organisation.

The Academy provides ready-made assessment scales and risk matrix templates (heat maps) that act as a common ruler for all departments. The elimination of subjectivity occurs through three mechanisms built into these tools:

• Parameterised criteria: You receive scales that are not based on feelings, but on specific indicators. The tools specify how to assess consequences from the perspective of the rights and freedoms of natural persons, and how to realistically estimate probability based on specific vulnerabilities and context, rather than guessing.
• Combined assessment models: By using combined impact assessment models, each section from IT to HR assesses risk according to the same key that takes into account the requirements of the GDPR.
• Algorithm instead of opinion: Preliminary and residual risk calculation tables require a structured process, and the end result is a clear calculation that allows you to move from intuitive assessments to measurable and comparable management analysis.

In the context of the AI tools module – how to conduct analysis with their support without breaching the confidentiality of our organisation's data and without 'feeding' external models our secrets?

The Academy does not encourage the mindless pasting of documents into public chatbots. Instead, it provides a ready-made scheme for a safe AI working model that guarantees compliance with the accountability principle and PDPA expectations.

The safety of the process is ensured by three pillars discussed during the training:

• Abstraction instead of data: We teach you how to construct queries based on anonymous descriptions of processes and assets, without giving names, trade names, or unique data, which physically prevents leaks of secrets to the model.
• Expert verification (Human-in-the-Loop): We implement the principle where AI acts as a scenario generator and critical reviewer, but never makes decisions or processes real data. A human always approves the result, eliminating the risk of hallucinations or algorithmic bias.
• Tool awareness: You get a list of AI tools and ready-made risk scenarios for using LLM models, so you know which tools to use to work with internal data and which to avoid.

Does the management report template contain financial and business arguments that will help me justify the need to spend the budget on additional collateral?

Yes, the report has been designed precisely for the purpose of speaking the board's language.

The report template and its accompanying presentation are not limited to technical descriptions of threats. In accordance with the Academy programme, these tools help translate risk analysis results into the language of business impact, reputation and legal responsibility.

This documentation supports you in obtaining budget through:

• Risk visualization: Instead of tables with numbers, you get visual models (e.g. grid, traffic lights) that clearly show where the organization is exposed to losses.
• Rationale for Investment (ROI): The templates help to present the difference between inherent (current) and residual (post-deployment) risk, which is a direct financial argument justifying investment in security as a way to avoid specific losses.
• Clear decision-making options: The report structures decisions for the Management Board (acceptance, reduction, transfer) by forcing a conscious decision to finance the collateral or to formally assume liability for the risk.

Does your methodology require separate analysis for each IT system, or does it allow for a process approach where one sheet covers the entire customer service journey?

We analyse risk for specific assets, but always in close connection with the business processes they support, and our methodology avoids generalisations, going down to the level of specifics, but preserves the business context.

According to the mapping model adopted by the Academy, the work takes place in two stages:

• Process context: First, you define the process (e.g. order handling) and define the scope and sensitivity of the data processed in it.
• Resource analysis: You then assign specific resources to the process (e.g. ERP, email, employee laptop).

This allows you to accurately assess risks and security for each resource (according to ISO 27005). It also enables you to estimate the impact of an incident through the lens of the entire process and the importance of the data that could be compromised.

Do you have any signals from customers who have passed UODO checks or external audits (e.g. under ISO 27001 certification) that this particular methodology has been found to be correct and sufficient?

Yes. We receive confirmations that documentation prepared according to our standard effectively holds up during inspections and audits. When developing our methodology and tools, we analysed all decisions of the President of the Personal Data Protection Office concerning Art. 32 GDPR and current guidelines, to ensure that this model addresses exactly the elements verified by the supervisory authority (recently through the prism of 18 requirements contained in the January PDPA newsletter).

Do academy members have access to a closed group?/forum, Where, after training, they can exchange experience with other DPOs using the same methodology?

Yes, we're planning on launching a closed group on LinkedIn or Facebook that will serve as a platform for contact and exchange of experiences and thoughts between Academy members.

Will we receive descriptions of real (anonymised) 'fuck-ups' in the materials, showing how incorrect risk analysis led to real legal problems?

Yes, the analysis of the errors (fuck-ups) of other subjects is an essential part of the Academy's teaching process.

During meetings, we will cover extensively the mistakes made by other organisations, especially in the critical context of identifying threats and vulnerabilities. The Academy's programme is not based on theory, but on an analysis of the decisions of the Polish DPA President made over the past eight years.

• Already at the opening meeting, we're pointing out the most common mistakes that lead to administrative decisions.
• When discussing security, we show the gaps that are most often challenged by UODO controllers.

So you get knowledge based on real market cases, which will allow you to avoid repeating other people's mistakes.

If, after a month of training, I get stuck filling out a chart for a very specific process, can I count on a short email consultation for the price of the course?

Yes, all participants in our open training are subject to substantive training support. If you have any questions about specific processes, please contact us via our support platform:

If our company already has its own specific assessment scales, can your Excel tools be easily 'reprogrammed' for our existing corporate standards?

Yes, our tools are fully flexible.

The spreadsheets and matrices provided are open working tools, not closed applications. While you receive ready-made, proven scale propositions based on ISO 27005 and Polish DPA guidelines as part of the course, the tool design (Excel) allows you to modify them freely.

You can easily:

• Change our default definitions and numerical values to our own corporate standards.
• Adjust the risk acceptability thresholds in the matrix (heatmaps) to match your company's risk appetite.

The Academy's goal is to provide a universal methodology that you can apply to yourself, not a rigid scheme that would force you to change your existing, working standards.

What about catering at the Academy's inaugural meeting?

During the meeting, participants will be provided with tea and refreshments, Sweet snacks and lunch are served in the form of a buffet.//patathai.pl/lokale/powisle/Hanging in the Hangen Power Plant complex, rented exclusively.