Creating risks in GRC

dev_K · ‎04-29-2024

Hello,

I am following the GRC training and I find the explanation regarding risk creation quite unclear.

How the risks are created? What does it mean we can create risk automatically when we associate entity type with risk statement (but how those risks are linked to the statement? who creates them so later they can be linked to entities).

I imagine there is a person with a role that can look into eg. policy and see what are the potential risks if the company doesn't comply with requirements?

thanks!

Prasanna_Patil · ‎04-30-2024

@dev_K Yes these are OOB Risk, yes even you can customize the risk and tag them to the risk statement

Please hit like and Mark Helpful if you liked it
Regards,
Prasanna

View solution in original post

ShafrazMubarak · ‎04-30-2024

Creating Risks from Risk Statements can be applicable when the organization is decided to make sure their risk register is having the proper risk statements that are deriving from respective risk frameworks. In this case, there are 2 ways a risk can be created.

One option is by mapping the statement to entity type so that all the entities will inherit a risk. This is applicable when the organization is allowed to have risks whether they are being identified or not, they called them as risks in their risk register.

For an example when there is a data loss risk can happen for an application hosted in organization server, we can assume all similar applications too have that risk. In that case, mapping the risk statement with the entity type will create risks. This will endup in creating multiple risks register even though you just identify one risk

If the organization is saying that we will not add risks to risk register, then they can avoid this mapping mechanism on automatic risk creation and they can proceed with creating one single risk for what they have identified.

Moreover, you can create a risk without mapping the risk statement (custom risk statement) manually.