Database-Centered Causal Graph Construction for Industrial Cyber-Risk Propagation: From BPM-STPA Knowledge to Bayesian Inference
Abstract
Industrial cyber-risk assessment increasingly requires more than asset inventories, vulnerability scores, or isolated safety analyses. In process control environments, a cyber event may disturb device states, distort task execution, weaken control constraints, and finally propagate into safety and business consequences. This article develops a database-centered causal graph construction framework for industrial cyber-risk propagation by translating BPM-STPA knowledge into an auditable graph repository and then into Bayesian inference models. Unlike model-first approaches that treat causal structures as diagrams produced after expert discussion, the proposed approach treats causal nodes, typed relationships, evidence sources, scenario assumptions, and review decisions as database objects. The study builds a structured schema for connecting business process tasks, unsafe control actions, hazards, failure effects, vulnerabilities, and losses. It further demonstrates how database rules improve graph completeness, reduce semantic drift, and support posterior risk updating under cyberattack evidence. A simulated pressure-control case is used to illustrate the analytical logic. Results show that cyberattack evidence shifts posterior risk from low and medium categories toward high-risk states, while sensitivity analysis identifies spoofed sensing, alarm-task omission, and safety-instrumented-system unavailability as dominant propagation drivers. The article contributes a reusable database design for causal graph governance, an operational procedure for constructing Bayesian networks from BPM-STPA knowledge, and a data-driven interpretation of industrial cyber-risk propagation that links safety engineering, business continuity, and computational discovery.
