FORLAS CRQ v0.2.0 is out. The theme of this release is defensibility: a risk number is only as good as the reasoning behind it, and this version makes that reasoning a first-class part of the tool.
Analysis & Evidence
The headline feature. Every scenario now has a dedicated Analysis & Evidence area where you capture the thinking behind the numbers: an analysis narrative with an overall confidence rating, the data and evidence you relied on, the assumptions you made, the gaps and limitations you know about, and a short rationale for each FAIR input.
When an auditor or a board member asks "where did this number come from", the answer now lives beside the number. Saves are recorded in the audit log, and the workspace links straight to the selected scenario's analysis.
Segregation of duties on approvals
The person who submits a scenario for review can no longer approve it; a separate approver is required. It's a basic governance control that most enterprise workflow tools charge extra for, and it's on by default. Single-user installs can turn it off under Settings, Governance.
Alongside it, the approval panel now shows a clear Draft, Submitted, Approved stepper, so a scenario's position in the review pipeline is visible at a glance.
Customisable layouts
Dashboard cards and the workspace side panels can now be dragged into whatever order suits how you work, using the grip handle on each card. Cards reorder live under the pointer while you drag, the arrangement is saved per machine, and a Reset layout control restores the default.
Scenario type picker
Scenario type is now a dropdown of pre-canned categories (Ransomware, Insider Threat, Cloud Misconfiguration, and more), and you can add your own categories, which persist for future scenarios.
FORLAS branding
The sign-in and first-run screens and the executive and board report covers (HTML/PDF and Word) now carry the FORLAS brand tile, so the reports you hand upward look as considered as the numbers inside them.
Also in this release
A handful of fixes and smaller changes shipped too, including some solid quality-of-life work on shutdown behaviour and account management. The full detail is in the changelog on GitHub.
Get it
FORLAS CRQ remains free, open source, and in beta: github.com/RiskByDesign/forlas-crq. As always, it's local-first: one executable, one database file you own, no cloud, no telemetry.
If you're using it, I'd love to hear what works and what doesn't; the contact links are on the home page.