Feature - Auto-calculate residual risk


A common requirement that we have from some clients is to automatically calculate the residual risk level based on some parameters (e.g. status of the controls, characteristics/attributes of the controls).

Maybe it’s something that we could do in the future (we expect that soon XD) with the triggers functionality.


We need more details here: what variables make up the formula, and what would the formula be? Any ideas?

This would be something that’s helpful, though my mental concept of what to do here may be a bit different than the automated calculation of residual risk.

To make sure we’re using the same terms/synced with what the risk module uses → The analysis is what determines the inherent risk and then the Treatment is what declares the residual risk after mitigations (controls, policies, etc.) are contemplated.

For one of our major risk assessment projects that we do, we use a method very similar to Eramba Multiply, but it is done a little bit differently -

We first calculate IR by multiplying likelihood (using values between 0 and 1) and impact (values 1 to 100) (side note - we don’t use all the values, we have a 5-level choice, i.e. Low = 0.4 for likelihood). This method for calculating IR can be easily replicated in the analysis tab for each risk (including plotting it on the Risk Matrix).

Now, moving on to the RR, we then take the IR score and multiply it by our assessed Control Effectiveness (a 0-1 value). The value that we assign to Control Effectiveness is subjective, based upon the linked controls and the design/operating effectiveness of those controls. We do not re-assess the likelihood and impact again at this stage; we simply multiply by the Control Effectiveness score, which gives us our Residual Risk score that we can then plot into a risk matrix.

That being said - I would love to have the ability to use a third value in the “Treatments” tab to calculate the Residual risk - I thought I had found a solution when it seemed like the Eramba Multiply method might support more than 2 factors, but that’s not the case.

Now, as far as what was asked originally, I think it gets a bit more difficult to do this on an automated basis because the weight that is appropriate for each policy/control/etc. is subjective and relevant only to a single risk. I think it might be possible, but it will end up being more work than simply re-assessing Control Effectiveness at a point in time (though, I would say that if you have an assessed risk level and then a Control goes from effective to ineffective, that risk should be re-assessed/bubbled up).

If you have a 1:1 risk to control mapping, the automation shouldn’t be too hard → If a control status goes from OK to Missing Maintenance, then that might automatically take control effectiveness from Very High down to Medium and impact the RR score immediately. However, if there’s a one to many relationship here, all controls are not going to be weighted evenly in the analysis. A relevant, but non-key control associated to a risk can go away without making a difference to the overall RR score, but a key control failing should majorly impact it. Thus, there would need to be some way to assess how much of the Control Effectiveness score is allocated to each of the mitigating factors (policy, controls, etc.) for each risk, but even then, that relationship is subject to change in a lot of cases.

So, with that sort of “solution” in mind, thinking from the practicality perspective of that, I think it may end up causing more problems for the risk practitioner involved than it will solve because risk assessment is such a subjective art. I don’t think that every control maintenance expiration needs to set a residual risk score on fire immediately - those should be identified and followed up on to get to a resolution, and depending on the root cause analysis of that particular failure, it may warrant re-assessing the risk based upon those findings. Was the failure bad enough to document an issue/apply a project or was someone just on vacation at the same time as their backup?

Hi David,

Your assumptions are correct. We also understand analysis as inherent and treatment as residual.

The way you described it (based on effectiveness) is one example, but not all the cases. Normally it becomes more complex, and we cannot recommend a 1:1 model.

A normal use case will be:

  • At the control level, calculate the % of mitigation factor with a formula (e.g. (design + effectiveness) / 2 * controlWeight). This calculation should be based on lists (e.g. effectiveness: effective = 1, effective with issues = 0.5, ineffective = 0).
  • At the risk level, aggregate (e.g. average, maximum, sum…) the mitigation of the related controls and downgrade the inherent risk.
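The two-step model from this last post (per-control mitigation from list values, then aggregation at the risk level), combined with the likelihood times impact inherent risk from David's post, as an added worked example that is not part of the thread and not Eramba code. The design list, the "residual = inherent * (1 - mitigation)" downgrade, the clamp to [0, 1] and the two sample controls are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from statistics import mean

# Effectiveness list as proposed in the thread; the design list is an assumption
# (the post spells out only the effectiveness values).
EFFECTIVENESS = {"effective": 1.0, "effective with issues": 0.5, "ineffective": 0.0}
DESIGN = {"adequate": 1.0, "partial": 0.5, "inadequate": 0.0}
# Risk-level aggregation options named in the thread ("average, maximum, sum").
AGGREGATORS = {"average": mean, "maximum": max, "sum": sum}

@dataclass(frozen=True)
class Control:
    name: str
    design: str         # key into DESIGN
    effectiveness: str  # key into EFFECTIVENESS
    weight: float       # share of the risk's mitigation this control carries (0..1)

def inherent_risk(likelihood: float, impact: float) -> float:
    """Analysis step: likelihood (0..1) times impact (1..100), as in David's method."""
    return likelihood * impact

def control_mitigation(c: Control) -> float:
    """Per-control mitigation: (design + effectiveness) / 2 * controlWeight."""
    return (DESIGN[c.design] + EFFECTIVENESS[c.effectiveness]) / 2 * c.weight

def residual_risk(inherent: float, controls: list, aggregate: str = "sum") -> float:
    """Treatment step: aggregate the controls' mitigation and downgrade the inherent risk.
    Assumption: residual = inherent * (1 - mitigation), mitigation clamped to [0, 1]."""
    if not controls:
        return inherent  # nothing mitigates the risk, so residual equals inherent
    mitigation = AGGREGATORS[aggregate]([control_mitigation(c) for c in controls])
    mitigation = min(1.0, max(0.0, mitigation))
    return round(inherent * (1 - mitigation), 2)

def after_status_change(inherent, controls, name, effectiveness, aggregate="sum"):
    """Residual risk after one control's effectiveness changes (e.g. a missed
    maintenance marks it 'ineffective'); the other controls are left untouched."""
    updated = [replace(c, effectiveness=effectiveness) if c.name == name else c
               for c in controls]
    return residual_risk(inherent, updated, aggregate)

# Constructed sample: one key control and one supporting control on a single risk.
KEY = Control("MFA on admin access", "adequate", "effective", weight=0.6)
MINOR = Control("quarterly access review", "adequate", "effective", weight=0.2)

if __name__ == "__main__":
    ir = inherent_risk(0.4, 80)  # likelihood Low = 0.4, impact 80 -> IR 32
    print("inherent", ir, "residual", residual_risk(ir, [KEY, MINOR]))
    print("key control fails:", after_status_change(ir, [KEY, MINOR], KEY.name, "ineffective"))
    print("minor control fails:", after_status_change(ir, [KEY, MINOR], MINOR.name, "ineffective"))
```

With these weights the key control failing moves the residual from 6.4 to 16.0 while the supporting control failing only moves it to 9.6, which is the weighting concern David raises for one-to-many risk/control mappings.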