Calculating assurance for risk
When you enable assurance, testing results and issues are aggregated for an active project, or for a framework associated with multiple projects. This allows you to report on assurance for a single project, or across all projects associated with a framework.
This topic provides examples of assurance so that you can become familiar with the calculations associated with assurance.
Demonstrating assurance for a single project
Demonstrate assurance for a single project to show confidence that organizational risk is being effectively mitigated.
Example
Scenario
You are conducting an IT General Controls Review and need to quantitatively assess risk. You have one objective in your project (Physical Security) and two risks associated with that objective. You enable assurance in the project and begin conducting project work.
Scoring risks
You assess risk on two risk scoring factors, Impact and Likelihood, and use a 5-point scale to score risks:
Objective | Risk | Description | Scoring |
---|---|---|---|
Physical Security | Risk 1 | Unauthorized entry into secure server room. | Impact 5, Likelihood 3 |
Physical Security | Risk 2 | Facilities storing sensitive data or company information are not adequately secured. | Impact 2, Likelihood 2 |
Inherent Risk Score calculation
Based on your risk scoring, Projects automatically calculates the Inherent Risk Score of each risk, as well as the Total Inherent Risk Score:
- Risk 1 (5 x 3) = 15.0
- Risk 2 (2 x 2) = 4.0
Total Inherent Risk Score (15 + 4) = 19.0.
Defining controls, associated risks, and control weights
You define four controls that help mitigate the two identified risks, specifying for each control its associated risk and the percentage of that risk the control mitigates (Control Weight):
Control | Description | Associated Risk | Control Weight |
---|---|---|---|
Control 1 | A lock is in place at the facility entrance. | Risk 1 | 100% |
Control 2 | A security camera is in place to record suspicious activity. | Risk 1 | 20% |
Control 3 | All server facility entrances are protected by a key card access system. | Risk 2 | |
Control 4 | All office facility entrances are monitored by administrative personnel. | Risk 2 | |
Testing controls
In your project, you do not have any testing rounds - instead, you have one walkthrough per control. You test each control and document the results:
Control | Testing Result | Pass or Fail? |
---|---|---|
Control 1 | Operating Effectively | Pass |
Control 2 | Exception(s) Noted | Fail |
Control 3 | Operating Effectively | Pass |
Control 4 | Operating Effectively | Pass |
Residual Risk Score
Based on your defined risk-control associations, specified control weights, and testing results, Projects automatically calculates the Residual Risk Score for each risk, as well as the Total Residual Risk Score.
The Residual Risk Score is calculated by multiplying the Inherent Risk Score by the Control Weight of each associated control that failed testing:
- Risk 1: Control 2 (20%) failed, so 15.0 x 0.2 = Residual Risk Score (3.0)
- Risk 2: Controls 3 and 4 both pass and collectively mitigate Risk 2 by 100%, so the Residual Risk Score for Risk 2 is 0.0.
The Total Residual Risk Score is calculated by adding all Residual Risk Scores:
Risk 1 Residual Risk Score (3.0) + Risk 2 Residual Risk Score (0.0) = Total Residual Risk Score (3.0).
Overall Assurance
Overall Assurance, displayed within the project, is calculated as follows:
(Total Inherent Risk Score (19.0) - Total Residual Risk Score (3.0)) / Total Inherent Risk Score (19.0) = Overall Assurance (84%).
Demonstrating assurance across multiple projects
Demonstrate assurance across multiple projects associated with a framework to show confidence that organizational risk is being effectively mitigated.
Example
Scenario
You need to centrally manage five different projects and quantitatively assess risk across all five projects. In your framework, there is one objective that contains two risks.
Framework | Objective | Risk |
---|---|---|
Framework 1 | Objective 1 | Risk 1 |
Framework 1 | Objective 1 | Risk 2 |
Process
You import the risks into the relevant projects, enable assurance in both the framework and project, and test controls. You note any issues, where applicable.
Result
Testing results and issues are automatically aggregated from each project to the framework. Assurance calculations aggregate to the framework as follows:
Project level risk scores
Project | Inherent Risk Score | Residual Risk Score | Associated framework risk |
---|---|---|---|
Project 1 | 9.0 | 2.0 | Risk 1 |
Project 2 | 6.0 | 2.0 | Risk 1 |
Project 3 | 3.0 | 1.0 | Risk 1 |
Project 3 | 0.0 | 0.0 | Risk 2 |
Project 4 | 5.0 | 1.0 | Risk 2 |
Project 5 | 5.0 | 1.0 | Risk 2 |
Framework level risk scores
Framework risk | Inherent Risk Score | Residual Risk Score | Associated projects |
---|---|---|---|
Risk 1 | 18.0 | 5.0 | 1, 2, 3 |
Risk 2 | 10.0 | 2.0 | 3, 4, 5 |
Assurance of Objective 1
(Total Inherent Risk Score (28.0) - Total Residual Risk Score (7.0)) / Total Inherent Risk Score (28.0) = Assurance (75%).
More examples
View additional scenarios that illustrate how assurance for risk is calculated within a single project.
A risk covered by a single control
| Risk A --> Control A | Risk A --> Control A | Risk A --> Control A | Risk A --> Control A | Risk A --> Control A |
---|---|---|---|---|---|
Risk ID | A | A | A | A | A |
Impact | 2 | 3 | 2 | 3 | 3 |
Likelihood | 5 | 3 | 5 | 3 | 3 |
Custom Risk Scoring Factor 1 (Velocity), Weight: 80% | -- | -- | 5 | 5 | -- |
Custom Risk Scoring Factor 2 (Vulnerability), Weight: 50% | -- | -- | -- | 5 | -- |
Inherent Risk Score | 10 | 9 | 40 | 90 | 9 |
Control Weight | 85% | 100% | 85% | 100% | 55% |
Control ID | A | A | A | A | A |
Operating Effectively? | Yes | Yes | Yes | Yes | No |
Residual Risk Score calculation | 10 x (1 - 0.85) = 1.5 | 0 | 40 x (1 - 0.85) = 6.0 | 0 | (9 x 0.55) + (9 x (1 - 0.55)) = 9.0 |
Explanation | Control A passes but covers only 85% of the risk; the uncovered 15% remains. | Control A passes and covers 100% of the risk. | Control A passes but covers only 85% of the risk; the uncovered 15% remains. | Control A passes and covers 100% of the risk. | Control A fails, so its 55% share remains, and so does the 45% that no control covers. |
A risk covered by two controls
| Risk A --> Control A, B | Risk A --> Control A, B |
---|---|---|
Risk ID | A | A |
Impact | 3 | 4 |
Likelihood | 3 | 3 |
Custom Risk Scoring Factor 1 (Velocity), Weight: 80% | -- | -- |
Custom Risk Scoring Factor 2 (Vulnerability), Weight: 50% | -- | -- |
Inherent Risk Score | 9 | 12 |
Control Weight | | |
Control ID | | |
Operating Effectively? | | |
Residual Risk Score calculation | 9 x 0.75 = 6.75 | 12 x 1 = 12.0 |
Explanation | | |
A risk covered by three controls
| Risk A --> Control A, B, C | Risk A --> Control A, B, C |
---|---|---|
Risk ID | A | A |
Impact | 5 | 5 |
Likelihood | 3 | 3 |
Custom Risk Scoring Factor 1 (Velocity), Weight: 80% | -- | -- |
Custom Risk Scoring Factor 2 (Vulnerability), Weight: 50% | -- | -- |
Inherent Risk Score | 15 | 15 |
Control Weight | | |
Control ID | | |
Operating Effectively? | | |
Residual Risk Score calculation | 15 x (0.45 + 0.15) = 9.0 | 15 x (0.45 + 0.15) + 15 x (1 - 0.85) = 11.25 |
Explanation | | |
Calculations
Learn about the calculations associated with assurance.
Term | Calculation | Remarks |
---|---|---|
Risk Scoring Factor Weight | Values (1-1000%) that are input by the user to express the importance of the Risk Scoring Factor. | The higher the value of the weight, the more important the risk scoring factor is to your organization, and the more the risk scoring factor contributes to the Total Inherent Risk Score. The range of values enables full customization of your scoring. For example, you can weight a risk scoring factor five times more than another risk scoring factor (Vulnerability = 100%, Velocity = 500%). The sum of Risk Scoring Factor weights can add up to any number. Note: You cannot modify the weight of the default risk scoring factors (Likelihood and Impact), which is set at 100%. |
Inherent Risk Score (Risk) | (Impact x Likelihood) x (Custom Risk Scoring Factor x Weight), applied for each custom risk scoring factor in use | |
Inherent Risk Score (Objective) | SUM (Inherent Risk Scores for all risks in the objective) | |
Total Inherent Risk Score (Project) | SUM (Inherent Risk Scores per objective) | |
Total Inherent Risk Score (Framework) | SUM (Inherent Risk Scores in all projects containing the risk) | |
Control Weight | Values (0-100%) that are input by the user to express the percentage of risk that is mitigated by the control. | The sum of control weights can add up to any number. |
Residual Risk Score (Risk) | SUM (Inherent Risk Score x Control Weight, for associated controls that are not operating effectively) + (Inherent Risk Score x (1 - Sum of Control Weights), if the Total Control Weight is less than 100%) | The control is marked as "failed" and used in the Residual Risk Score calculation when: Assurance decreases with the above scenarios. Projects calculates one Residual Risk Score per risk, not one Residual Risk Score per testing round. |
Residual Risk Score (Objective) | SUM (Residual Risk Scores for all risks in the objective) | |
Total Residual Risk Score (Project) | SUM (Residual Risk Scores per objective) | |
Total Residual Risk Score (Framework) | SUM (Residual Risk Scores in all projects containing the risk) | |
Overall Assurance (Project) | (Total Inherent Risk Score - Total Residual Risk Score) / Total Inherent Risk Score | |
Overall Assurance (Framework) | (Total Inherent Risk Scores in all projects containing the risk - Total Residual Risk Scores in all projects containing the risk) / Total Inherent Risk Scores in all projects containing the risk | |
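The formulas in the Calculations table, implemented as an added Python example (not the product's own code) and run against the page's Physical Security figures and the framework aggregation figures. The 50% / 50% split of Controls 3 and 4 is an assumption: the page only says they total 100%.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    weight: float   # share of the risk the control mitigates (0.0-1.0, the page's 0-100%)
    passed: bool    # False when testing records an exception ("failed")

@dataclass
class Risk:
    impact: int
    likelihood: int
    controls: list = field(default_factory=list)
    # Custom risk scoring factors as (score, weight) pairs, e.g. (5, 0.8) = Velocity 5 at 80%
    custom_factors: list = field(default_factory=list)

def inherent_score(risk):
    """(Impact x Likelihood) x (factor score x factor weight), applied per custom factor."""
    score = float(risk.impact * risk.likelihood)
    for factor_score, weight in risk.custom_factors:
        score *= factor_score * weight
    return score

def residual_score(risk):
    """Share carried by failed controls, plus any share no control covers (weights < 100%)."""
    inherent = inherent_score(risk)
    failed_share = sum(c.weight for c in risk.controls if not c.passed)
    uncovered_share = max(0.0, 1.0 - sum(c.weight for c in risk.controls))
    return inherent * failed_share + inherent * uncovered_share

def assurance(total_inherent, total_residual):
    """(Total Inherent - Total Residual) / Total Inherent, as a fraction."""
    if total_inherent == 0:
        raise ValueError("no inherent risk to measure assurance against")  # undefined on the page
    return (total_inherent - total_residual) / total_inherent

def project_assurance(risks):
    """Project level: sum the per-risk scores, then apply the assurance ratio."""
    return assurance(sum(map(inherent_score, risks)), sum(map(residual_score, risks)))

def framework_assurance(project_scores):
    """Framework level: aggregate each project's (inherent, residual) totals, then the ratio."""
    return assurance(sum(i for i, _ in project_scores), sum(r for _, r in project_scores))

# Constructed from the page's Physical Security example; Controls 3 and 4 assumed 50% each.
PHYSICAL_SECURITY = [
    Risk(5, 3, controls=[Control(1.0, True), Control(0.2, False)]),  # Risk 1: Control 2 failed
    Risk(2, 2, controls=[Control(0.5, True), Control(0.5, True)]),   # Risk 2: both controls pass
]

if __name__ == "__main__":
    print(f"Overall Assurance: {project_assurance(PHYSICAL_SECURITY):.0%}")  # 84%
```

The single-control scenarios from the "More examples" tables (an 85% control that passes, a 55% control that fails) and the custom-factor case (Impact 3, Likelihood 3, Velocity 5 at 80%, Vulnerability 5 at 50% giving 90) reproduce with the same functions.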