Objective:
- Simplify risk configuration settings and unify the three risk modules into one
- Improve the form look & feel, if possible simplify the creation of a risk
- Update Views based on Risk Calculation / Appetite Settings
- Consider enabling risk templates
- Facilitate the identification of risks, not just the recording of risks
- Improve reporting (this is not linked to this migration but to the report module migration)
- Document how eramba meets most risk frameworks
Simplify Risk Configuration
The objective is to keep eramba flexible in terms of risks and stay away from quantitative methods, which we know are used in very few scenarios; including them in eramba would make things terribly complicated.
New Installations:
- Remove the Magerit option altogether (leave multiplication and addition)
- Remove risk appetite / integer option
- Force all three risk modules to have the same classification, calculation and appetite settings
Existing Installations:
- If they don’t use the module, enforce the rules above
- If they use these modules and they do not follow the rules above, trigger a warning that these features will sooner or later be migrated
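The rules for new and existing installations above, expressed as a check an upgrade step could run. This is an added example, not eramba's own code: the setting labels ("multiplication", "magerit", "integer", "threshold") and the module names are assumed placeholders, and "module not in use" is read here as "no module holds any risk yet".

```python
from dataclasses import dataclass

# Assumed labels, not eramba's real configuration keys.
ALLOWED_CALCULATIONS = {"multiplication", "addition"}  # Magerit is dropped
REMOVED_APPETITES = {"integer"}                        # integer appetite is dropped


@dataclass(frozen=True)
class RiskModuleSettings:
    name: str              # "asset", "third_party" or "business"
    classification: tuple  # e.g. ("Low", "Medium", "High")
    calculation: str       # "multiplication" | "addition" | "magerit"
    appetite: str          # "threshold" | "numerical" | "integer"
    in_use: bool           # True once the module holds at least one risk


def check_migration(modules):
    """Return the warnings an existing install would get, [] if it is compliant."""
    warnings = []
    for m in modules:
        if m.calculation not in ALLOWED_CALCULATIONS:
            warnings.append(f"{m.name}: calculation '{m.calculation}' will be removed")
        if m.appetite in REMOVED_APPETITES:
            warnings.append(f"{m.name}: appetite '{m.appetite}' will be removed")
    # All three modules must share classification, calculation and appetite.
    distinct = {(m.classification, m.calculation, m.appetite) for m in modules}
    if len(distinct) > 1:
        warnings.append("modules differ in classification/calculation/appetite; they will be unified")
    return warnings


def apply_rules(modules):
    """Enforce the rules when no risks exist yet, otherwise only warn."""
    warnings = check_migration(modules)
    if not warnings:
        return ("ok", [])
    if not any(m.in_use for m in modules):
        return ("enforce", warnings)
    return ("warn", warnings)


# Constructed sample: one legacy module still on Magerit with integer appetite.
SAMPLE = [
    RiskModuleSettings("asset", ("Low", "High"), "magerit", "integer", True),
    RiskModuleSettings("third_party", ("Low", "High"), "addition", "threshold", False),
    RiskModuleSettings("business", ("Low", "High"), "addition", "threshold", False),
]

if __name__ == "__main__":
    print(apply_rules(SAMPLE))
```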
New Configuration Wizard
(missing images)
The new Wizard needs to handle changes on its parameters when Risks already have been created. This is important because some changes must trigger a reconfiguration for all or some Risks.
- Changes on “Treatment Rules”, then do this: TBD
- Changes on “Configure Matrices”, then do this: TBD
- Changes on “Calculation”, then do this: TBD
- Changes on “Define Classification”, then do this: TBD
- Changes on “Setup Type”, then do this: TBD
Threats & Vulnerabilities
We don’t see the need to change this for now; the UI/UX could integrate these two things into one feature (today they are two separate items under settings). We could later on explore how to build an extensive non-fixed database (using LLMs, etc.).
Improve Form UX/UI
The form is different based on the settings the user has, so here we need to work on each one of these possibilities: Single Matrix (numerical or threshold appetite), Multiple Matrix and Magerit.
Single Matrix (numerical & threshold appetite)
Treatment Tab
The Treatment tab has a set of fixed options; we want them to be customisable on the Configuration Wizard so more options can be set up. The wizard should allow choosing the “default” one (pre-selected when a risk is created), and that one will be a new option called “Undefined”.
In addition, the treatment options which today can be configured based on the dropdown mentioned above should include the option to “Hide”. For example, if “Treatment” is “Mitigate”, the “Projects” can be “Hidden”. For the newly created “Undefined” option, all treatment options must be “Hidden” by default.
We also need a better way to show the threshold values, something that looks nicer from a UX perspective:
Analysis Tab
This tab is different depending on the type of Risk you are creating, so we will describe what changes must be done depending on which type of risk you are working on:
Asset Risk Management
The main issue is the UX/UI for assets and threats and vulnerabilities. When you create a risk you add assets, which results in threats being pre-selected directly in the form. These should instead be suggestions underneath the form. When you remove assets, that list of suggestions must be updated based on the assets still selected.
By default we will hide the “Threat” and “Vulnerability” description fields; we will only leave tags (this of course only applies to new installs or existing installs that have not yet used the risk module). It would be nice to be able to add “Tags” on the fly; I think we miss an “Add” button.
Third Party Risk Management
Same as above, nothing else needs to be removed.
Logic Issue: here we need to update the “Type” field on the Third Party for this to work. The “Type” must be a setting where the user defines them. The settings should NOT ALLOW predefined fields (existing ones) to be edited or deleted; it should only allow CRUD on new types. Deleting a type should not be possible if the type is used on an item.
Business Risk Management
The top two fields “Business Units” and “Process” must follow the “suggestion” logic used on Threats and Vulnerabilities (described above). You can only suggest processes that relate to the business units selected.
The information above needs to be shown in a much better way, for example:
- EUR 67000 is the highest revenue per hour ($process name) and 8700000 is the total revenue per hour for the selected processes
- 45 is the minimum RTO ($process name)
- 10 is the minimum MTO ($process name)
The information above must be optional, so on the customisation feature we need a way to show or hide this widget “Process Revenue, MTO and RTO Calculation”.
The threat and vulnerability fields must follow the same standards defined for Asset Risk Management.
Logic Issue: here we miss a “Type” of business unit for this to work. This will be a new, mandatory field with the same logic as for Third Parties and Assets.
Multiple Matrix (threshold)
The likelihood/impact selector UX/UI is poor; it needs to be simplified so that it looks more compact.