
Adding Controls to Risk Assessment when Assessing Control Environment

taylordupre
Tera Contributor
I understand that controls cannot be added to a risk assessment when the RAM is configured to assess risk based on the existing control environment. However, I would like to better understand the rationale behind this limitation. Ideally, we would want the ability to incorporate controls during the risk assessment and evaluate control effectiveness only once. Is there a consideration or constraint I may be overlooking that prevents this approach? If there is a way to support both, I would appreciate your guidance. Thank you.

Marek Remi_
Tera Expert

Usually, what I see is that during the first risk assessment, when no controls are in place, the inherent and residual values are the same. When choosing a response, if a mitigate response is selected and controls are created as part of the mitigation tasks, users need to go back and reassess the risk since at that point, the risk is already in the Monitor state, but it does not really reflect the current situation with the newly implemented controls.

So you either wait until the scheduled reassessment of the risk, or perform a second assessment immediately after the first one, where the residual score is typically reduced to reflect the effect of the controls that have been put in place.

Would be great to hear about a better approach where we do not have to rely on immediately reassessing the risk in order to have the current exposure visible.

I’d appreciate any thoughts on this.