Question - How to factor control effectiveness into risk scoring?
I have a scenario where I need to conduct a risk analysis, considering both probability and impact. However, I must use the current control effectiveness to calculate the inherent risk. Could someone please provide guidance on how to accomplish this?
E.g. my risk score is 3 * 3 = 9, which is High for me, and if the control effectiveness is 50%, then the risk score would become 9 * 50% = 4.5 -> making the inherent risk Medium.
I am still getting accustomed to the platform, so any assistance would be greatly appreciated.
I am trying to copy the Excel template that we use for IT risk assessment. It is as follows. If this is not possible, then my inherent score will remain the same during the next cycle too.
I understand, but eramba does risk management in a way that reflects the reality of an organization, and simple equations applied to subjective variables simply result in amplified subjectivity.
Just so you reconsider that Excel logic: multiplying subjective variables amplifies the subjectivity in the order of squares (and more if you put in more variables). Let me make it simpler: the more math you use, the worse it gets.
If you have a risk and you have solutions, using a human brain, experience and judgment will give you a much better (logical) result!
Hi, I would like to echo Kisero's comment. When I first started working on developing a risk matrix (heat map), I loved the idea of using a formula to "calculate" risk "automatically". Unfortunately, it is simply not possible to use x*y - m = z, something simple and elegant, to achieve the desired results. Like Kisero said, it makes things worse. You end up trying to come up with strange factors to fit the formula, and it still won't work 100%.
If you must use a formula, develop something that is conditions-driven; for example, if the control is robust, the inherent risk will reduce by two levels, if adequate, it will only reduce by one level, etc. I don't believe Eramba allows users to build conditional logic in its risk assessment feature. Something to consider in the future!
For now, in Eramba, you will need to assess both inherent risk and residual risk by evaluating likelihood and impact. It is actually a very good approach. It makes you think whether your control reduces the likelihood or the impact of the risk. It will also come in very handy when creating the risk heat map for both risks.
I would love to see the GRC application somehow develop a feature that connects inherent risk and residual risk via control effectiveness. From a user perspective, this would allow automatically updating the residual risk when completing the control testing/validation.
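Added illustration (not code from the thread, from eramba, or from any poster's Excel template): the two scoring approaches discussed above side by side, plus a small sensitivity check of the "multiplying subjective variables amplifies subjectivity" point. The 1..3 likelihood/impact scale, the score-to-level bands (<=3 Low, <=6 Medium, else High), the reading of the Excel formula as score * (1 - effectiveness), and the "weak" control strength are assumptions chosen to match the numbers in the thread (3 * 3 = 9 is High, 4.5 is Medium); they are not eramba's scales.

```python
# Added example, not from the thread or from eramba. Scales and bands are assumed.
from itertools import product

LEVELS = ["Low", "Medium", "High"]   # ordered so that index arithmetic works
SCALE = range(1, 4)                  # assumed 1..3 scale for likelihood and impact


def product_score(likelihood: int, impact: int) -> int:
    """Excel-style inherent score: likelihood x impact (3 x 3 = 9 in the thread)."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1..3 scale")
    return likelihood * impact


def score_to_level(score: float) -> str:
    """Assumed banding: <=3 Low, <=6 Medium, else High (thread: 9 High, 4.5 Medium)."""
    if score <= 3:
        return "Low"
    if score <= 6:
        return "Medium"
    return "High"


def product_residual(likelihood: int, impact: int, effectiveness: float) -> float:
    """The first post's formula, read as score * (1 - effectiveness).

    At 50% this equals the thread's 9 * 50% = 4.5. The (1 - e) reading is an
    assumption: multiplying by e itself would leave the score unchanged at 100%
    effectiveness, which cannot be what the template intends.
    """
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction in [0, 1]")
    return product_score(likelihood, impact) * (1.0 - effectiveness)


# Conditions-driven alternative from the last post: a robust control drops the
# level by two, an adequate one by one. "weak" (no reduction) is an assumption.
STEPS_DOWN = {"robust": 2, "adequate": 1, "weak": 0}


def level_step_residual(inherent_level: str, control_strength: str) -> str:
    """Residual level = inherent level moved down by the control's step count."""
    idx = LEVELS.index(inherent_level) - STEPS_DOWN[control_strength]
    return LEVELS[max(idx, 0)]       # never below Low


def _perturbed_scores(likelihood: int, impact: int, delta: int) -> list:
    """Products obtained when each input may be off by up to +/-delta (clipped)."""
    lo, hi = SCALE.start, SCALE.stop - 1
    scores = []
    for l_shift, i_shift in product(range(-delta, delta + 1), repeat=2):
        l = min(max(likelihood + l_shift, lo), hi)
        i = min(max(impact + i_shift, lo), hi)
        scores.append(product_score(l, i))
    return scores


def score_interval(likelihood: int, impact: int, delta: int = 1) -> tuple:
    """Min and max product reachable when each input is uncertain by +/-delta.

    This is the 'amplified subjectivity' point: one notch of doubt on each of two
    multiplied inputs widens the product far more than one notch on one input.
    """
    scores = _perturbed_scores(likelihood, impact, delta)
    return min(scores), max(scores)


def levels_reachable(likelihood: int, impact: int, delta: int = 1) -> set:
    """Which risk levels a +/-delta disagreement between assessors can produce."""
    return {score_to_level(s) for s in _perturbed_scores(likelihood, impact, delta)}


if __name__ == "__main__":
    print("Excel-style: 3x3 =", product_score(3, 3), score_to_level(product_score(3, 3)))
    r = product_residual(3, 3, 0.5)
    print("Excel-style residual at 50%:", r, score_to_level(r))
    print("Step-based: High + robust ->", level_step_residual("High", "robust"))
    print("Step-based: High + adequate ->", level_step_residual("High", "adequate"))
    for l, i in [(1, 1), (2, 2), (3, 3)]:
        print(f"L={l} I={i} +/-1 -> products {score_interval(l, i)} "
              f"levels {sorted(levels_reachable(l, i))}")
```

Running it shows the gap the second and third posts describe: a mid-grid rating of likelihood 2, impact 2 with one notch of disagreement on each input produces products anywhere from 1 to 9, i.e. every level on the map, whereas the step-based rule moves the level by a fixed, explainable amount per control strength.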