Question - Managing 'Top Level Enterprise Risks' and 'Granular' or 'Sub-Risks'

We get a lot of clients asking about ‘Top level risks’ and granular or specific Asset Risks. They may have, say, 5-10 ‘top level’ risks that feed into their enterprise risk process, for instance to calculate an overall ‘Cyber Risk’ to the business. These specific top level risks are then influenced by specific detailed risks that are generally managed within the CISO/Infosec teams and not reported on directly to the board, as this would be too much detail. I know you cannot link risks to risks, either in a specific module or across the three modules, at present, so I am trying to figure out the best way to advise on how to do this. I think at present the only realistic option is to create a custom field for the top level risk ID (as these will be relatively static) and add the reference number (for instance maybe a multiple choice) of the top level risk which it would be associated with. So essentially we then have a relationship that can be reported on if necessary. I know there is work in the pipeline to add custom relationship fields in 3.28? If this would resolve the issue, we could then have possibly 2 choices - Top level risks go in business risks, and asset and third party risks can then be linked to business risks as necessary, or you have the top level risks in each of the modules mixed in with the detailed risks but linked to each other as necessary. Sorry for the long post but hopefully this resonates with others. Thoughts?

Hi

I would definitely support some sort of risk hierarchy. In my case it would be best to have the top level risks like a kind of “collection” which considers all the relations of the risks contained in it.

For the moment we have also solved it with a custom field at asset risk level; I have created a “dropdown multiple select” with the top level risks. So I could at least use it in reports.

1 Like

Hi Simon, I had a similar problem. We solved this by creating a custom field to determine whether risks are related to the Enterprise risk register (those visible at board level) or to the CISO/IT risk register (those that are more detailed). The custom field helps to create separate views for different users.

Note we also took the decision to maintain all risks under Asset risks - the main reason is that if there were separate Asset/Business/Third party risks, there’s no easy way to show them all in a single view / report so that would be messy for us. I know we’re losing some specific fields related to Business and Third party risks this way, but we opted for the option I described.

Another nice to have feature, which is still in the works, is an updated risk matrix in the dashboard to be able to see the Enterprise and IT risks separately and to be able to drill down. We miss this especially during risk management committee meetings. We work around by using saved views instead.

I hope my feedback helps.

1 Like

I agree - I think the term ‘collection’ sums up what I am trying to say quite nicely. Granted this can be done to an extent with the custom fields but more functionality in this area would be useful for sure rather than a workaround.