Question - changing of risk matrix classifications (5x5 to 4x4)

We’re currently using a single risk matrix with 5x5 classifications. Management has requested that we adopt a different classification methodology with a 4x4 matrix. Are there any options and best practices to transition from one matrix to another? Ideally we don’t break anything on existing risks, until these are reclassified properly by the respective risk owners and mapped to the new 4x4 matrix. Thanks for any feedback!

1 Like

I like this question. This implies that you have already implemented the risk register with at least the first round of assessment completed!
I don’t believe Eramba has the ability to keep both 5x5 and 4x4 in the system today, at least not under the specific risk area (e.g., business risk mgmt). Once you change the original 5x5 to 4x4, the user will start using the 4x4 matrix.
Based on what I see, the existing risk assessment will not be impacted by the matrix change - meaning the 4x4 matrix new rating can only be effective when the risk owner updates the risk assessment for each risk register.
If I am not mistaken, the only way you can find two versions of risk assessment for one risk register is through the “history”. Hope someone from Eramba can confirm my understanding.

Based on my past experience, changing the risk matrix is a big effort in the company. I would recommend you do the following and then plan your transition.

  1. Do an impact analysis to see how the final risk rating would be impacted by shifting from 5x5 to 4x4. This is a critical step because risk owners will scream when the distribution of risk ratings changes in an unfavoured direction. Watch out for risk ratings shifting more than one grade. This will help to better position your transition plan without surprises.
  2. Your idea of keeping the original risk assessment is the right way to do it, and most GRC systems will not allow you to “edit” the risk assessment once it is finalized. You must conduct another risk assessment based on the newly defined matrix.
  3. If you want to monitor the risk change trend, you may want to add a converted risk assessment, meaning a risk rating based on the original likelihood/impact selection but converted to the new rating based on the 4x4 matrix.

Hope you find this helpful.

1 Like
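The impact analysis from step 1 and the “converted risk assessment” from step 3 can be scripted before anything is touched in the tool. The following is an added example, not code from the original post or from Eramba: the two heat maps, the 5-point-to-4-point scale mapping and the sample register are all hypothetical values chosen for illustration (an organisation would substitute its own matrices). It rates each risk on the old matrix, re-expresses the original likelihood/impact selection on the new scale, rates it on the 4x4 matrix, and reports the distribution before and after plus any risk whose grade moves by more than one step.

```python
"""Impact analysis for a 5x5 -> 4x4 risk matrix change (added example, hypothetical scales)."""
from collections import Counter
from dataclasses import dataclass

GRADES = ["Low", "Medium", "High", "Critical"]

# Hypothetical 5x5 heat map: MATRIX_5X5[likelihood - 1][impact - 1] -> grade.
MATRIX_5X5 = [
    ["Low",    "Low",    "Low",      "Medium",   "Medium"],
    ["Low",    "Low",    "Medium",   "Medium",   "High"],
    ["Low",    "Medium", "Medium",   "High",     "High"],
    ["Medium", "Medium", "High",     "High",     "Critical"],
    ["Medium", "High",   "High",     "Critical", "Critical"],
]

# Hypothetical 4x4 heat map as management might define it (deliberately more conservative).
MATRIX_4X4 = [
    ["Low",    "Low",      "Medium",   "High"],
    ["Low",    "Medium",   "High",     "Critical"],
    ["Medium", "High",     "Critical", "Critical"],
    ["High",   "Critical", "Critical", "Critical"],
]

# Hypothetical scale mapping: 5-point levels 2 and 3 collapse into 4-point level 2.
SCALE_5_TO_4 = {1: 1, 2: 2, 3: 2, 4: 3, 5: 4}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    likelihood: int  # 1..5 on the original scale
    impact: int      # 1..5 on the original scale


def _check_5(level):
    if level not in SCALE_5_TO_4:
        raise ValueError(f"level {level!r} is not on the 1..5 scale")
    return level


def rate_5x5(likelihood, impact):
    """Grade on the original 5x5 matrix."""
    return MATRIX_5X5[_check_5(likelihood) - 1][_check_5(impact) - 1]


def convert_assessment(likelihood, impact):
    """Step 3: keep the owner's original selection, express it on the 4-point scale."""
    return SCALE_5_TO_4[_check_5(likelihood)], SCALE_5_TO_4[_check_5(impact)]


def rate_converted(likelihood, impact):
    """Grade the converted selection on the new 4x4 matrix."""
    l4, i4 = convert_assessment(likelihood, impact)
    return MATRIX_4X4[l4 - 1][i4 - 1]


def grade_shift(old, new):
    """Positive = rating went up, negative = rating went down."""
    return GRADES.index(new) - GRADES.index(old)


def impact_analysis(register):
    """Step 1: distribution before/after and the risks moving more than one grade."""
    rows = []
    for r in register:
        old = rate_5x5(r.likelihood, r.impact)
        new = rate_converted(r.likelihood, r.impact)
        rows.append({"risk_id": r.risk_id, "old": old, "new": new,
                     "shift": grade_shift(old, new)})
    return {
        "rows": rows,
        "before": Counter(row["old"] for row in rows),
        "after": Counter(row["new"] for row in rows),
        "shift_distribution": Counter(row["shift"] for row in rows),
        "more_than_one_grade": [row["risk_id"] for row in rows if abs(row["shift"]) > 1],
    }


# Constructed sample register (hypothetical risk ids and assessments).
SAMPLE_REGISTER = [
    Risk("R-01", 1, 1), Risk("R-02", 2, 2), Risk("R-03", 3, 3), Risk("R-04", 2, 4),
    Risk("R-05", 4, 4), Risk("R-06", 5, 5), Risk("R-07", 3, 4), Risk("R-08", 5, 2),
]

if __name__ == "__main__":
    report = impact_analysis(SAMPLE_REGISTER)
    for row in report["rows"]:
        print(f"{row['risk_id']}: {row['old']:>8} -> {row['new']:<8} shift {row['shift']:+d}")
    print("before:", dict(report["before"]))
    print("after: ", dict(report["after"]))
    print("moved more than one grade:", report["more_than_one_grade"])
```

On the sample register half of the risks move up one grade and the Critical count triples, which is exactly the kind of shift step 1 is meant to surface before risk owners see it. Because `convert_assessment` never touches the stored 5x5 selection, the same rows can be kept alongside the original assessments as the converted view suggested in step 3 until each owner has reassessed.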

Thank you for the tips. Yes I confirm we do have a risk register with many rounds of assessments having been done around our 5x5 matrix for a number of years. So for us this is a huge change.

I agree on the suggested transition plan steps, what I’m missing is information about how we can do this in steps without breaking anything. @kisero can you or someone from the team please confirm if there are any best practices we should follow?

if you have a dev environment, test what I’m about to write before you do it:

  • change classifications to whatever you need
  • adjust the risk matrix colours (thresholds)
  • save, you will get a warning telling you that since you changed your risk classifications, all your risks must be re-classified (I don’t remember the code exactly, perhaps those risks that were not affected by your change won’t need to be re-classified)
  • edit each risk, classify them again, save

that should be it … it is a painful change but there is no other way around it

1 Like

Thank you @kisero, that is what I was considering. We’ll have to do it carefully and within a ‘maintenance window’ where everyone will be informed that information about risks is not guaranteed to be correct until all risk assessments are redone.