Before an SSA is successfully reviewed and passed by both security and data protection, a risk review is conducted.
This goes through the now completed SSA, including all tickets that were created (for fixing or improving things), as well as information from security incidents if any, threat intelligence and other sources such as the various tests and tools described in the section Tools and Services, in order to identify potential sources of risks in the product within its own context; environment, data, customers, technology etc.
Please note that these are not narrowly defined or technical risks only, but also general and high level risk. If for example the Data Protection Officer is not satisfied with the privacy by design, he or she can also register a risk, and is indeed obligated to do so.
Risks are registered for processing in our risk management system: