Offtopic - Risk Management keeping it realistic

When doing risk management in eramba you need to collect:

  • BU’s and their process
  • Their assets, third parties, liabilities and process
  • Their perceived risks (we call this problems)

Most people will do this over interviews. It makes sense, it makes the process more human and approachable. The interviews are done with experts on their respective BU’s - they know the stuff better than you. If you would know better than them what they do then you are probably Jesus Christ and do not need to continue reading any further.

We interview to understand in simple terms what they do and what problems they have. If you want to find problems anywhere (football, politics, environment or your employer) you will find a zillion of them. Finding problems is always easy. The first challenge is:

  • select a number of problems that really matter AND your organisation can deal with. Is simple just think how many problems you have and how many of those you can deal with! we are humans = limited!
  • understand WHAT THAT NUMBER IS !!!

Interviews so far have helped you collect the “Yellow” and “Blue” pieces (see below diagram). You see the pyramid shape? in eramba there is a known ratio (gradient if you will). The wider you start up the wider you end up down. The more magnanimous number of problems you document the more impossible it will become to realistically deal with them. Red decided to focus on less problems and pink!

Lets do numbers:

1- Say you start with 5 BUs (HR, IT, Sales, Etc)
2- Interview each BU and ask them what they do (processes) with what (assets) with whom (third parties) and under what rues (liabilities).
3- For each BU a reasonable starting point ratio is 3. This means, for each BU you will document up to 15 items (the total addition for each BU of assets, third parties, liabilities and processes).
4- Then ask each BU what problems they have. They know their risks better than you (unless you are the “Creator” !! … a reasonable ratio here is 2-3 … that is: 15 x 2 - 3 = 30 - 45 Risks. Some 6-9 risks per BU.

No lets take a break. So far this exercise should take, in theory, diligent 5-10 hours per BU. Your implementation time so far should be 50-100 hours up to a couple of weeks with full dedication (who has that?). This is the EASY PART - as we said anyone can find and document problems. The real challenge are solutions.

Now you and the person you interview (the expert on their matter) need to decide how to deal with those problems (Risks). In spreadsheets, %80 of the times this is reduced and simplified to “a cell with some text that says what we do and what we will do”. At most 3 sentences. In eramba this is a KEY piece and much more complex.

In eramba, for every problem you need to define “solutions”: Internal Controls, Policies, Procedures, Diagrams, Standards, Projects and Exceptions. You will most likely will need to implement and follow up on them as well. A normal ratio in between “Blue” and “Green” in the scope of Risk management (problems and solutions) is 3-4. Every risk will have a combination of the solutions mentioned above. That is … 35 - 45 x 3 - 4: 105 - 180 “solutions”.

Solutions must be reviewed, tested. Problems must be reviewed as well. In the end all of this must be reviewed otherwise you are not reflecting the reality of your organisation. We do not want that, auditors do not want that, customers do not want that, Etc.

Lets do spreadsheets with two scenarios, one conservative and one not so much. I apply the same ratios on both I just change the number of BUs, or the “top of the pyramid”.

Spreadsheet: Risk Calculation.xlsx (17.5 KB)

  • Being conservative, a single FTE will spend more than half a year JUST DOING REVIEWS.
  • If you go a little wacko with BU’s and stuff and you will spend more than a year JUST DOING REVIEWS.

If you consider this is just reviewing stuff. Not creating, implementing them and following up you can see how a single FTE can hardly do this job diligently unless it works like two wild horses.

Spreadsheets don’t work because is impossible to know if the “solutions” (the 2-3 sentences written there) to your BUs “problems” (risks) are working or not because is impossible to systematically test them. If you say there is solution and there is not one, that is %200 a big problem specially when you get hacked.


  • You want to do Risk Management? Do the math first on what you can chew.
  • You want to synchronise your CMDB (yellow piece) with super-duper API’s to eramba? Do the math first.
  • Are spreadsheet the solution? NO !!! Are you migrating from spreadsheet to eramba? expect big differences!
  • Is eramba or a GRC tool for anyone? NO !!!

Ref: Risk Management | Eramba learning portal

1 Like