I’m just starting to use the risk management module in eramba. Just a very short question on how to manage risks the proper way in eramba, for example:
There is a risk “incidental / negligent loss of confidential data by a user”. Within Excel I have split the risk for treatment purposes into different risks: one for the filesystem, one for mailboxes, another one for printed information, and in the end I have consolidated them again for management reporting.
What is the preferred or suggested approach for eramba? Should I create just one risk and add all the affected assets to this risk? Maybe then there are issues with mitigation documentation, because one control is for the filesystem, another for mail, etc. Or should I create separate risks for each asset, or for each type of control?
In the end it should still be pragmatic and manageable with a minimum of time…
Any input is appreciated!
I recently went through this, and decided to use the same risk against similar types of assets based upon the likely mitigation strategy and controls.
The other thing I found, in a similar manner, is that if you are using an “impact” as part of your risk score, is the “impact” of that risk being realised the same for each asset you assign to it?
So with some “theft of information” risks, I ended up having 8 or so instances, as different data assets had different “impact” levels, and so each risk had to be defined separately.
Hope this is some help!
“I recently went through this, and decided to use the same risk against similar types of assets based upon the likely mitigation strategy and controls.”
We do the same … but there is one catch:
The point of creating a risk is to raise that issue to the individual (or leader of the group) that GENERATES that organisational risk. Since risks cost money (mitigating in particular), that cost needs to be offset by that individual (or group leader). Imagine something like going to HR and telling them: your current business practices generate this number of risks, which in turn cost the organisation this much to treat.
So, although we follow the rule of simplification, we always make someone accountable for generating and paying for the risk.