Feature - VA Questionnaires linked to Risk module? Automated?

Hello,

A day or so ago someone in the community asked me how VAs worked; they went through the documentation and were able to sort it out (well, so far). Then I got this question:

“How do people use eramba to do an Enterprise Risk Assessment/ Questionnaire (see the attached basic sample from online)? I’m sure I can create risks for each of these, but that means someone is going in there 1-by-1 to answer them. That is tedious.”

In all fairness, we have gotten this question several times. If I understand correctly, the output of the VA (the responses to the questions) should or could become risk items in the risk module. If that understanding of mine is right, eramba does not have this.

Can someone describe what you would like to have here? Is it that for every question on the VA, depending on the response, you get a risk automatically created? Or a finding (VAs have findings) automatically created?

If yes - risks have many mandatory fields (controls, classification of risk, asset inputs, third parties, etc.)... we would still need to know the answers to those fields to automatically create them.

Perhaps the approach is not to have them "automatically" created but manually: the user clicks on the VA question and a risk window opens, as completed as possible?

When I built eramba I used it to record the output of my risk assessment, not to guide me through the analysis and the recording of these risks. My analysis was (and still is) done with interviews, many notes, etc., and I only needed a place to record that output.

Do I understand that this need points at linking the analysis of VAs to the recording of risks?

Regards
Esteban

Thanks Esteban. To clarify what I wrote, think about a compliance-based questionnaire where the exercise would be bigger than just asking them what keeps them up at night. In these cases, a mechanism to collect multiple people's responses would be VERY handy. Then I need to combine all the responses to get basically the worst answers to review. From that analysis and comparison, then YES I would definitely log Findings (or Gaps) for what needs to be remediated. I also would likely log (or update) some Risks for major uncovered areas.

Hope that makes sense. If there’s a better way in eramba to do this than using the VA tool against a Third Party Supplier I set up that is our company, please let me know.

Thanks!
Cheri

This sounds like you are asking for a way for Eramba to conduct a Delphi Method for risk analysis. There are whole systems that do just that. While this would be a very useful tool, this is probably a significant undertaking. It involves:

  1. Sending out initial requests for Risks from identified experts

  2. Sorting through all of the identified risks, then sending a new notification to the experts with a list of all of the risks, asking them to rank-order them and add any new risks they may now think of based on the ideas from others.

  3. Continuing this x times until you are satisfied you have all of the risks that you think may significantly affect you.

  4. Responses also need to be kept confidential to prevent bias or poor response rates (people are self-conscious).

It is also not always the most accurate method of risk analysis. Other forms of analysis include Monte Carlo simulation, which is used in the FAIR quantitative risk analysis methodology. A combination of the qualitative (Delphi) and quantitative (Monte Carlo simulation) approaches will probably give you the best of both worlds in determining your risk exposure.
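The post above describes the two halves of that combination in prose: a Delphi-style round in which experts rank candidate risks, and a Monte Carlo estimate of loss exposure in the FAIR style. The following is an added example (it is not eramba code and not the poster's own tooling) that shows, on constructed data, how the two fit together: a Borda count aggregates the experts' rankings into a consensus shortlist, and a compound Poisson Monte Carlo turns a loss event frequency range and a loss magnitude range for the top risk into an annualized loss distribution. The expert names, risk names and the frequency/magnitude ranges are invented, the triangular distribution stands in for the PERT distribution FAIR tooling usually uses, and the Poisson sampler is Knuth's algorithm implemented by hand so that only the standard library is needed.

```python
"""Delphi-style rank aggregation followed by a FAIR-style Monte Carlo
loss-exposure estimate.  Added example on constructed data; not eramba code."""
import math
import random
import statistics
from collections import defaultdict

# Constructed Delphi round: each (hypothetical) expert returns the candidate
# risks ordered from most to least significant.
EXPERT_RANKINGS = {
    "alice": ["ransomware", "vendor_outage", "insider_fraud", "phishing"],
    "bob":   ["phishing", "ransomware", "vendor_outage", "insider_fraud"],
    "carol": ["ransomware", "phishing", "insider_fraud", "vendor_outage"],
}

# Constructed calibrated estimates for the top risk, as (min, most likely, max):
# loss event frequency in events per year, loss magnitude in currency units.
LEF_RANSOMWARE = (0.2, 0.5, 2.0)
LM_RANSOMWARE = (10_000, 50_000, 400_000)


def borda_consensus(rankings):
    """Borda count: with n candidates, a first-place vote earns n-1 points,
    second place n-2, and so on.  Returns [(risk, score)] best first, ties
    broken alphabetically so the output is deterministic."""
    scores = defaultdict(int)
    for ordered in rankings.values():
        n = len(ordered)
        for position, risk in enumerate(ordered):
            scores[risk] += n - 1 - position
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(rng, lef, lm, trials):
    """One trial = one simulated year.  Draw an event rate from the LEF range,
    draw how many events actually occur from a Poisson with that rate, then
    draw a magnitude for each event and sum them."""
    lef_min, lef_mode, lef_max = lef
    lm_min, lm_mode, lm_max = lm
    losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode), not (min, mode, max).
        rate = rng.triangular(lef_min, lef_max, lef_mode)
        events = poisson(rng, rate)
        losses.append(sum(rng.triangular(lm_min, lm_max, lm_mode)
                          for _ in range(events)))
    return losses


def summarize(losses):
    """Mean, median, 90th percentile and the share of years with no loss."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "mean": statistics.fmean(ordered),
        "p50": ordered[n // 2],
        "p90": ordered[int(0.9 * n)],
        "p_zero": sum(1 for x in ordered if x == 0) / n,
    }


if __name__ == "__main__":
    shortlist = borda_consensus(EXPERT_RANKINGS)
    print("Delphi consensus:", shortlist)
    top_risk = shortlist[0][0]
    rng = random.Random(2024)  # fixed seed so a rerun reproduces the numbers
    annual = simulate_annual_loss(rng, LEF_RANSOMWARE, LM_RANSOMWARE, 20_000)
    print(f"Annualized loss exposure for {top_risk}:", summarize(annual))
```

The consensus step is what the questionnaire tooling would have to collect (each expert's ordering, kept confidential as the post notes), and the simulation step is what you would run once the shortlisted risks have calibrated ranges attached to them; the mean of the annual loss distribution is the number you would compare against the cost of a control.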