Question - Possibility to create risk from findings, assessments etc

Hello dear community,

As I am looking into the eramba online demo, I have identified a topic I would like to ask you about.
Is it possible to create a risk from a finding, assessment, analysis etc.?
Or is the only way to create a risk from the risk module and have no link to a finding or assessment as source for the risk?

Thanks in advance, best regards

Well, that’s not exactly how risks work in the GRC space. I usually see technical security folks define a finding as a risk, but in the GRC world it’s not that simple. Risks do not go away when they are “fixed” - they continue to exist, but just happen to have a lower residual/post treatment risk level to the organization.

Take a look at the problems vs solutions chapter and video in the compliance management module - this will help get your frame of thinking aligned.

In short, a risk is a problem, a compliance requirement (that you’re audited against) is a problem. A solution is a control or policy. If a set of “solutions” are not sufficient (by design, or because they do not work) to satisfy a problem, that itself is not a new risk, but either a risk that has a residual risk that is greater than the acceptance threshold or a compliance requirement that is not achieved.

Note that risk and compliance package items are somewhat mutually exclusive as they are two different types of problems - yes, you may have a risk identified about not meeting compliance requirements, but not necessarily a risk about every single compliance item…

Hopefully this isn’t too abstract…

1 Like

You might want to review the online assessment feature.

https://www.eramba.org/learning/courses/24/episodes/277

You can create risk questionnaires and those can be used as input to your risk analysis.

1 Like