If I want to switch from a single risk matrix (impact/likelihood) to multiple matrices, other than the work of adding risk scores to each risk, are there any other considerations? I’m trying to keep it simple to begin with, but I’m aware that we currently have a spreadsheet that has multiple risk ‘types’: likelihood, financial impact, reputation impact, security impact, etc.
Can I even import risks from a spreadsheet and have each risk matrix score for each risk item automatically imported? E.g. our spreadsheet has rating scores for likelihood, financial, reputation, data security and service, but the ‘import from csv’ spreadsheet template only has likelihood and impact columns. My thoughts at the moment are to keep it simple with a single impact/likelihood matrix but import it with tags for the above ‘types’, so we can still filter by tag to show, for example, all the financial risks or service risks.
I’m assuming you are talking here of the European banking method (which will soon be renamed to something easier, btw).
I would not, this is my personal opinion, call using multiple matrices a simple way of doing risk mgt in the scope of IT.
IT risk is subjective; there is no statistical data on likelihoods of any kind because it is circumstantial. The likelihood of phishing for you and for me will be different and impossible to calculate because there is no statistical input behind it. This is not the car insurance business, where they know how many car accidents happen in central London any given Thursday at 5pm.
Impact is impossible to quantify financially, so you (and all of us) end up guessing again, just like with likelihood. You will then apply these subjective inputs to a simple mathematical equation. The output will, without doubt, be subjective.
In a single matrix, two subjective variables produce subjective outputs.
In a multiple matrix, adding more subjective variables makes outputs even more subjective.
Sorry I write “you”; I of course do not mean you are alone on this.
Yes. The risk import template will adjust its columns to the risk method you use.
The csv import will be automatically constructed based on your current settings; if you change settings, the csv import will adjust.
More data does not translate into more information, I guess that is my point.
Any of these changes should be TESTED on a dev license; you will have a lot of clicking ahead of you if you already have input risks!