How to weight controls depending on a certain risk

MAKR
Tera Contributor

Hi GRC experts.

Controls are related to risks. To take into account the importance of different controls they may be weighted. So far so good.

Unfortunately (in my understanding) the weighting will be taken into consideration for every related risk in the same way.
That means, if I weight a control differently than the default weighting of 10, it will apply to all risks.

However, depending on the risk itself, the number of related controls and the "interaction" between these related controls, the same control may have a different impact on different risks.

Ex: Risk 1 and 2 are related to control XYZ.
Regarding risk 1 the control XYZ will result in a high impact when not compliant, whereas the impact on risk 2 is considered low.
Therefore the control shall be weighted with 10 for risk 1 and with 2 for risk 2.

I hope you get my point.

Is there any possibility to use this approach?

Thanks in advance!
Best regards
Mathias


Ashish Shah
Kilo Contributor

This is a great question and if it is possible to weight controls differently based on risk impact & likelihood, then that would allow a more risk-based approach. 

Sebastien Fix
Giga Guru

To start I would add a field to the m2m table "sn_risk_m2m_risk_control". This is where the unique relationship between every control and risk exists.

There you can then add a weight specific for each and every risk<->control. If a control is used on 10 risks, there would be 10 rows in this table and you can then make a weight unique for each.


How you can then use this "Weight" field to impact the BRs handling "Calculated Risk" is a different story, since it is based on the Calculated Risk Factor for Classic Risk, which itself depends on the Compliance Score.


Mathias Kranig
Tera Contributor

Thank you Sebastien for your reply. I assume your approach is a good starting point as well. But as you mentioned, the "magic" must be done within risk calculation, and therefore, I assume, quite a lot of customization has to be done with respect to BRs, script includes etc., and that is not what I usually prefer.

I hoped the functionality exists ootb and I was just too blind to see 😉

Guess it might be a good topic for ServiceNow further developing the IRM.

If you were to use advanced risk, you can define Automated Factor (scripted) as part of the Control Assessment and include this new Weight field, without messing about with BR or Script Includes.
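To make the per-relationship weighting discussed in this thread concrete, here is an added example (not code from the thread, ServiceNow or its GRC application) in plain JavaScript: it scores rows shaped like sn_risk_m2m_risk_control with an assumed custom field u_weight, and contrasts that with the current single-weight-per-control behaviour the original poster describes. The field name u_weight, the compliant flag and the scoring formula (weighted share of compliant controls) are assumptions; in an instance the rows would be read with GlideRecord inside a scripted Automated Factor rather than constructed inline.

```javascript
// Added example, not from the thread. Per-risk weighted compliance over
// rows shaped like sn_risk_m2m_risk_control. u_weight (assumed custom
// field) and compliant (assumed per-relationship result) are constructed.
var DEFAULT_WEIGHT = 10; // platform default control weight named in the thread

// Constructed sample: control XYZ is non-compliant and related to both risks.
// Risk 1 weights it 10, Risk 2 weights it 2 (the original poster's scenario).
var M2M_ROWS = [
  { risk: 'Risk 1', control: 'XYZ', u_weight: 10, compliant: false },
  { risk: 'Risk 1', control: 'ABC', u_weight: 5,  compliant: true },
  { risk: 'Risk 2', control: 'XYZ', u_weight: 2,  compliant: false },
  { risk: 'Risk 2', control: 'DEF', u_weight: 8,  compliant: true },
  { risk: 'Risk 2', control: 'GHI', compliant: true } // no u_weight: use default
];

// Returns { risk: compliancePercent }. A missing or non-positive weight falls
// back to defaultWeight; a risk whose weights sum to 0 yields null, so the
// caller never divides by zero.
function weightedComplianceByRisk(rows, defaultWeight) {
  defaultWeight = defaultWeight === undefined ? DEFAULT_WEIGHT : defaultWeight;
  var totals = {}; // risk -> { compliantWeight, totalWeight }
  rows.forEach(function (row) {
    var w = (typeof row.u_weight === 'number' && row.u_weight > 0) ? row.u_weight : defaultWeight;
    var t = totals[row.risk] || { compliantWeight: 0, totalWeight: 0 };
    t.totalWeight += w;
    if (row.compliant) t.compliantWeight += w;
    totals[row.risk] = t;
  });
  var result = {};
  Object.keys(totals).forEach(function (risk) {
    var t = totals[risk];
    result[risk] = t.totalWeight > 0
      ? Math.round((t.compliantWeight / t.totalWeight) * 10000) / 100
      : null;
  });
  return result;
}

// The behaviour the poster describes today: one weight per control, applied to
// every risk alike. controlWeights maps control -> weight; unlisted controls
// get defaultWeight. The per-relationship u_weight is deliberately ignored.
function globalWeightComplianceByRisk(rows, controlWeights, defaultWeight) {
  var flattened = rows.map(function (r) {
    var w = controlWeights[r.control];
    return { risk: r.risk, control: r.control, compliant: r.compliant,
             u_weight: (typeof w === 'number') ? w : undefined };
  });
  return weightedComplianceByRisk(flattened, defaultWeight);
}
```

With the sample rows, per-relationship weighting scores Risk 1 at 33.33 % and Risk 2 at 90 %, while a single global weight of 10 for XYZ gives 50 % and 66.67 %, so the low-impact relationship to Risk 2 no longer drags that risk's score down as much.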