How to add Multiple Risk Assessment Methodologies to a single entity?
‎03-07-2025 12:28 AM
I need to perform a task to create three risk records with a single entity, and three RAMs should be added to each risk record to perform the assessment.
Any solution?
Thanks,
‎03-07-2025 05:50 AM
But the above approach is not automated. @Raviteja24 is looking for some kind of automation, I guess. And what do you mean exactly by scoping?
‎03-07-2025 05:52 AM
I'm looking for automation
‎03-08-2025 12:06 AM
Technically you can do anything, the BR sounds like a plan, but before you start, really interrogate the WHY you want this.
I look at this from a Risk Management point of view rather than a Technical feasibility view, and a few questions come to mind:
- Firstly; you have an entity and it belongs to a class, therefore you want to assess the entity in a specific manner that the organisation sees fit:
  - company, business unit, department: seems like you will assess it using an operational or enterprise RAM that speaks to the Risk Management Framework you adopt as a company. You follow ISO 31000 in your business practices.
  - if it looks like an IT asset you possibly want to assess it in another manner, maybe more focused through a cyber security risk lens; you are probably following ISO 27001.

So if you have an entity (Entity A), why do you want to assess it in 3 different ways? What do you aim to achieve?
- Secondly; if you want to assess 3 aspects of the entity to determine the risk, why are you not including it as 3 grouped factors in the RAM, each contributing to the risk in some manner?
- Thirdly; are the 3 RAMs contributing to assessing the risks from the same risk framework? If they form part of different frameworks then the Risk Manager's job is to scope risk assessments for the risks in a framework.
- Lastly; why would you trigger risk assessments automatically and remove the Risk Manager's primary business function, to consider risks that the company may be exposed to and have them assessed? The Risk Manager has the ability to use scoping to select an appropriate RAM (if the one linked to the Entity class is not sufficient) to further assess the risk.
So my question is really: Why do you want to do this? Why is one entity being assessed based on a Risk statement rather than the class it belongs to?
‎03-08-2025 12:23 AM
Part of what a Risk Manager does is to determine the relevance of a risk within context. So let's say you have 2 RAMs:
- Cyber Security Risk
- Asset Risk
Let's say the Entity is Red Hat Server (Entity Class: IT Hardware)
Since an Entity class may have only 1 Primary RAM associated (let's say; 1 Cyber Security Risk) then the OOTB functionality will assess the Risk with this RAM when I select Assess on the risk record.
But as an IT Risk Manager I also want to assess the risk from the 2 Asset Risk view;
Then I would go (within Workspace) to
LIST > Risk assessment planning > Scoped entities
Add a new scope (the OOTB playbook will guide you)
- Select the RAM
- Select the Entity
- Select the risks that you want to assess under this scope
- Complete the assignment
- Complete the frequency
- Initiate the assessments
Now you have a risk assessed under 2 different risk assessment RAMs. You can view the risk from either viewpoint.