Can't edit Risk Description when inherit from Risk Statement

Go to solution
Carlos58
Tera Contributor

‎03-08-2022 10:44 AM

We just installed IRM. If I create a risk from a Risk Statement, the Risk inherits the description from the Risk Statement, but it doesn't let me edit that description for the risk. Is this the way it suppose to work? I would imagine that it should import the Risk Description from the Risk Statement, but it should let you edit it if necessary. Can anybody clarify for me why this happens?

Thanks for your help.

Carlos

0 Helpfuls
  • 1,273 Views
1 ACCEPTED SOLUTION

Go to solution
Sulabh Garg
Mega Sage
Mega Sage

‎03-08-2022 11:21 AM

Hello Carlos,

Its optional for you if you want to inherit Risk description from Risk statement or not using "Inherit from risk statement" checkbox. If you do not want to inherit Risk statement's description you can uncheck it.

If you do not want to make the 'Description' as Read only when you checked "Inherit from risk statement" checkbox, then you need to deactivate the UI policy named as "Make description, type, category, classification, assessment and name visible statement is not empty".

Please be aware if you deactivate the UI policy it will also make other fields as editable such as type, category, classification, assessment.

find_real_file.png

 

Please Mark ✅ Correct/helpful, if applicable, Thanks!! 

Regards

Sulabh Garg

Please Mark ✅ Correct/helpful, if applicable, Thanks!!
Regards
Sulabh Garg

View solution in original post

Preview file
30 KB
0 Helpfuls
7 REPLIES 7

Go to solution
Jakob V
Tera Contributor
In response to Carlos58

‎03-11-2022 07:35 AM

Hi,

Yes entities can be whatever you like. If i am going to perform risk assessment of this particular thing it needs to be an entity. This thing can be a database, server, process, organizational unit, Legal entity, applications, etc...

Jakob

0 Helpfuls

Go to solution
Carlos58
Tera Contributor
In response to Jakob V

‎03-11-2022 06:44 AM

Jakob,

In your example, does it mean that it will only aggregate those risks that maintain the same name as the Risk Statement? This would mean that it doesn't make too much sense to change the risk name that was inherited from the Risk Statement, correct?

0 Helpfuls

Go to solution
Jakob V
Tera Contributor
In response to Carlos58

‎03-11-2022 07:32 AM

Hi,

In my example i changed the name of two risks, both connected to a risk statement. One of the primary uses of using risk statements are that you create sevaral risks based on one risk statements, which means that you can look at aggregation / status on that one risk statement (based on several risks).

First question; No. Second; Yes. In my mind it does not make much sense to change the names of risks which are connected to a risk statement. This practically changes the risk statement to a category containing several risks, which are all different.

Example: You have a risk statement: "Loss of personal data due to email beeing sent to wrong recipient"

You tie this risk statement to entities which in-turn creates risks:

  • Loss of personal data due to email beeing sent to wrong recipient. (legal entity A).
    • Residual risk score is 2 (out of 5)
  • Loss of personal data due to email beeing sent to wrong recipient. (legal entity B)
      • Residual risk score is 4 (out of 5)
  • Loss of personal data due to email beeing sent to wrong recipient. (legal entity A)
      • Residual risk score is 1 (out of 5)

All these risks are tied to a legal entity, and comes from a standardized risk stament. Now we can for example see aggregated risk on this risk statement. If we use average this is (2+4+1)/3 = 2,33.


We now see that the risk of Loss of personal data due to email beeing sent to wrong recipient in our organization of 3 legal entities is 2,33.

Now imagine if you changes the name of each of the risks while they created from a risk statement. Does the aggregation then make sense? Most likely it will not.

0 Helpfuls