Working with risks
A risk can be an uncertainty or an opportunity that may arise from business decision-making. There are risks that may affect the day-to-day functioning of your organization. These risks must be identified and mitigated for a smooth flow of operations in your organization.
What are the different types of risks?
There are many categories of risks, including but not limited to:
- Compliance and regulatory risk e.g., introduction of new rules or legislation
- Financial risk e.g., interest rate rise on business loan or a non-paying customer
- Operational risk e.g., breakdown or theft of key equipment
Each risk needs to be identified, associated to related entities, and assessed. Then, your organization can decide the best methods to prioritize and mitigate those risks.
Adding a risk
To add a risk in the Risk Manager, perform the following steps:
- Open the Risk Manager app.
The Risk Manager homepage opens.
- Click + Add Risk.
- In the Add Risk panel, enter a name for your risk.
- Add any other details necessary and click one of the following:
- Add Risk to save the risk and close the panel.
- Save & Add New to save the risk and add another one.
Result After adding, your risks are created.
- Optional. Click on the risk name to view the detailed risk page and add more details.
Add or change the owner of a risk
To add or update the owner of a risk, perform the following steps:
- Open the Risk Manager app.
The Risk Manager homepage opens.
-
From the Risk list, click on the name of the risk where you want to add or update the owner.
The Details tab opens.
- In the Risk Owner field, select a user and click Save Changes.
Result The risk is assigned to the user selected, and an email notification is sent to the assigned user.
Moving a risk through different workflows
After creating a risk, you can advance it through different workflow states based on your needs and requirements. Some workflow states may require some fields to be filled in, ensure to meet the criteria to advance the risk.
To move a risk from Draft to Identification and then Analysis state, perform the following steps:
- Open the Risk Manager app.
The Risk Manager homepage opens.
-
Click on the name of the risk you want to work with.
The detailed risk page opens with the Details tab.
- Enter the information about the risk, including the ID, description, owner and click Save Changes.
- In the top right, click Identify.
Result The workflow status changes to Identification.
- After verifying that your risk has all the required details, click Validate.
Result The workflow status changes to Analysis.
Note
You can follow the steps mentioned above to advance the risk through the rest of the workflow states according to your needs.
Linking a risk to different entities
A risk is related to different entities across your organization, such as assets, business process, etc. It is important to capture this relationship and link the risk with these entities, so that you can accurately calculate the impact of a risk on these entities.
To link a risk to different entities, perform the following steps:
- Open the Risk Manager app.
The Risk Manager homepage opens.
-
Click on the name of the risk you want to work with.
The detailed risk page opens with the Details tab.
- Go to the Relationship tab and do the following:
- To link an asset, click Link Assets.
The Link Assets dialog box opens.
- Select the type of asset and the asset.
- Click Link Assets.
Result The asset is linked to the risk.
- To link a control, click Link Controls.
The Link Controls dialog box opens.
- Select the type of control and the control.
- Click Link Controls.
Result The control is linked to the risk.
- To link a risk assessment, click Link Risk Assessments.
The Link Assessments dialog box opens.
- Select the type of risk assessment and the assessment.
- Click Link Risk Assessments.
Result The risk assessment is linked to the risk.
- To link an asset, click Link Assets.
Note
- You can follow the same steps as above to link a risk to additional entities such as other risks, processes, and objectives, if these entities are configured in your Risk Manager.
- You can quickly link to entities from the home page also by expanding the risk row and clicking Add Relationship. This is applicable only if you have not yet linked the risk to any entity.
- When you link entities with each other, a two-way link is created. For example: When you link your risk to a control, the linked risk is displayed in the Relationship tab of the control and the control is displayed in the Relationship tab of the risk. If the links are not working both the ways, contact Support for assistance.
Unlinking the risk from other entities
You can unlink relationships of a risk with different entities such as assets, controls, and assessments.
To unlink a risk relationship, perform the following steps:
- Open the Risk Manager app.
The Risk Manager homepage opens.
-
Click on the risk you want to work with.
The detailed risk page opens with the Details tab.
- Go to the Relationship tab and click the unlink icon
on the object that you want to remove the link from.The Unlink relationship dialog box opens.
- Click Unlink Object.
Result The link is removed from the risk.
Assessing a risk
Once your risk is identified, validated, and associated to different entities, you can assess the risk and calculate the risk scores. You have to assess your risk to evaluate the potential threat level of the risk towards the organization. You can do this by triggering assessments.
To assess a risk, perform the following steps:
- Open the Risk Manager app.
The Risk Manager homepage opens.
-
Click on the risk you want to assess.
The detailed risk page opens.
- In the top right, click Assess.
Result Assessments are generated, based on entities linked to the risk. To learn more, see How are assessments generated?
Note
You can also add risk assessments manually from the Risk Event Assessment tab.
How are assessments generated?
Assessments are generated based on your risk's association with other entities such as assets and controls.
- If the risk is associated to only an asset, then only a risk event assessment is generated.
- If the risk is associated to both an asset and a control, both risk event assessment and control assessment are generated.
- If the risk is associated to only a control, then too both risk assessment and control assessment are generated, but with a few differences such as naming convention.
For example: You have a risk called Virus Threat added, and it is associated to both an asset and a control as follows:
- Asset - Laptop
- Control - Anti-virus Software
Now, you trigger to generate assessments by clicking Assess, the following things happen:
- The workflow status changes to Assessment.
- A risk assessment is generated, with the naming convention: <Risk name> - <Asset name>. For example, Virus Threat - Laptop.
- The risk assessment is associated to both the risk and the asset. You can view the risk assessment from the Risk Event Assessment tab of the Risk page and in the Assessments tab of the asset in the Asset Manager app.
- The following fields from the risk are copied to the risk assessment: Risk ID, Risk Description, and Risk Owner.
- A control assessment is generated, with the naming convention: <Control name> - <Risk name> - <Asset name>. For example, Anti-virus Software - Virus Threat - Laptop.
- The control assessment is associated to the control, the risk, and the asset. You can view the control assessment from the Control Assessments tab of the Control page.
- The following fields from the control are copied to the control assessment: Control ID, Control Description, and Control Owner.
Calculating risk scores
There are two ways of calculating the risk scores:
- Using default configuration Default configuration is used to calculate the risk score. For example: The likelihood and impact fields are set at a 3 x 3 matrix (low, medium, and high). You can calculate the risk score of one risk (or a risk assessment) at a time using this method. For more information, see Using default configuration.
- Using custom configuration You can customize the formula to calculate the risk and assessment scores. You can calculate scores of multiple risks (or risk assessments) at a time using this method. For more information see, Risk and assessment scoring configuration in Risk Manager.
Using default configuration
After triggering assessments, you can calculate the risk scores. You can do this by calculating the inherent risk score in both the risk and the risk assessment records.
To calculate the inherent risk score, you will need to know the Impact and Likelihood of a risk. See the table below for reference.
| Likelihood | High |
Medium |
High | High |
|---|---|---|---|---|
| Medium |
Low |
Medium | High | |
| Low |
Low |
Low | Medium | |
| Low | Medium | High | ||
| Impact | ||||
To calculate the risk scores of a risk assessment using the default configuration, perform the following steps:
- Open the Risk Manager app.
The Risk Manager homepage opens.
-
Click on the risk you want to work with.
The detailed risk page opens.
- Go to the Risk Event Assessment tab and click the name of the risk assessment to open it.
- Ensure you have filled in the necessary information, and in the top right, click Assess.
Result The workflow status changes to Assessment.
- Now, in the top right, click Score.
Result The risk score is calculated and displayed in the Inherent Risk Score field.
Note
Ensure the Impact and Likelihood fields are filled in and saved before clicking Score.
- Click Approve to finalize the risk score.
Result The risk score is finalized and the workflow status changes to Monitoring.
- Optional. You can begin the assessment again by clicking Reassess.
Deleting a risk
To delete a risk, perform the following steps:
- Open the Risk Manager app.
The Risk Manager homepage opens.
-
Click on the risk you want to delete.
The detailed risk page opens.
- In the upper right, click More options
and then Delete. - In the confirmation dialog box, click Delete again.
Result The risk is deleted.
What's next?
You can begin working with controls to mitigate the risks. For more information, see Working with controls.
