How to set Risk Assessment Methodology on Risk?
01-26-2024 05:42 AM
Hello
I am trying out the Advanced Risk Assessment feature in IRM.
I have configured Risk Assessment methodology, tied it to Appropriate Entity class, set default methodology on the entity class to the methodology I created.
But when I create a risk for an entity in that entity class, risk assessment methodology is still an empty and read-only field for that risk record. When and how does it get set on the risk, or am I missing some step?
TIA
Prashant
01-27-2024 10:48 PM
Hi @prashant_gadgil ,
The path you are following to assess risk for an Entity is wrong.
You will need to create a Scope first by navigating to Risk Assessment Scope.
- Navigate to All > Advanced Risk Assessment > Risk Assessment Scope > Create.
- On the form, fill in the fields.
Risk Assessment Scope form

| Field | Description |
| --- | --- |
| Risk assessment methodology | Risk assessment methodology (RAM) that you use to assess risks. |
| Assessable Entity | Entities that are related to the entity classes that are selected in the Applicable entity classes field on the RAM. The value of this field changes based on the entity classes specified in your selected RAM. Only those entities that belong to the selected classes are displayed in this field. |
| Owner | Owner of the entity. This field is automatically set based on the entity owner. |

- Right-click and save the form.
- (Optional) To view a summary of assessments, click the Summary section.
The Summary section has the following fields. These fields are populated only when you add risks to the assessment scope and when you initiate assessments:
- No. of risk assessments closed
- No. of risks not assessed
- No. of ongoing risk assessments
- Right-click to save the form.
- If you want to add existing risks, then do the following:
- In the Risks related list, click Add to add existing risks.
- From the Choose Risks window, select the risks that you want to add.
- Click Add Risks.
- To select control objectives that do not have a control for the entity, click Create from library.
- From the Choose Risk Statements window, select what risk statements to apply and click Create From Library.
- Click Initiate Assessments either for all the risk records or for the selected risk records.
Ensure that the selected records are in either the Draft or Closed state.
- To add new risks, click New, fill in the details, and click Submit.
The newly added risks appear in the Risks related list.
- To apply the new settings, click Settings.
- On the form, fill in the fields.
Assessor, approver, and frequency form

| Field | Description |
| --- | --- |
| Assessor type | User or group who is responsible for assessing the risk. Choices are the following: Same as risk owner, Specify users, Specify groups, Same as entity owner. |
| Assessor | User who is responsible for assessing the risk. This field appears only when Specify users is selected from the Assessor type field. |
| Assessor group | Group that is responsible for assessing the risk. This field appears only when Specify groups is selected from the Assessor type field. |
| Reassessment frequency | Frequency of assessment. Choices are the following: None, Weekly, Monthly, Quarterly, Semi-annually, Annually. Note: If you need to perform an unplanned risk assessment before the next reassessment date, then the next assessment date will be based on the frequency set in the previous assessment. For example, if your frequency is set as monthly and you perform your first assessment on January 1, and then you perform an unplanned assessment on January 15, then the next assessment will still be based on the previous assessment date. |
| Days to overdue | Number that is used to calculate the due date of the assessment starting from the date the assessment is initiated. For example, if the value in this field is 10, then the due date of the assessment will be 10 days after the date the assessment is initiated. The default value is 5. |
| Approver type | User or group who is responsible for approving the assessment. Choices are the following: Same as entity owner, Same as assessor's manager, Specify users, Specify groups, None. |
| Approver | User who is responsible for approving the assessment. This field appears only when Specify users is selected from the Approver type field. |
| Approver group | Group that is responsible for approving the assessment. This field appears only when Specify groups is selected from the Approver type field. |

The settings that you select in this step apply to all the new risks that are added to this scope.
- To save the form, click Submit.
- To generate the assessments, click Initiate all assessments.
When you generate an assessment, the assessor receives an email notification stating that the assessment is assigned to the assessor or to the assessor's group.
07-23-2024 05:22 AM
How can I assign the Risk assessment to a group? When I click on "Assess", it is transferred to my user. Thank you
07-23-2024 05:44 AM - edited 07-23-2024 05:48 AM
@Gustavo Barbos1
You can assign the assessor as a group while scoping the Risk assessment using "Risk assessment scope". In the assessor type, you will have to select "assessor group" and then provide the assessor group.
Once a user from the group starts the assessment, the assessor field would be updated with that user for the specific assessment.
Regards,
Jai
07-31-2024 09:58 AM
Got it! Thank you ...
I tried using Risk assessment scope but my Methodology is for object ... I did some changes to align and now it works... Thank you!