Hello community,
I am wondering if there is a possibility to calculate residual risk based on both inherent risk and control assessment, both qualitatively and quantitatively.
It looks like I am not able to define, using scripting, how the residual quantitative score should be mathematically influenced by the effectiveness of the control.
What I would like to achieve is the following:
- Inherent risk score calculated as 1M EUR
- Control effectiveness assessed as “Effective”
Based on this, I want to mathematically reflect how the effective control reduces the overall risk posture and the ALE calculated from the inherent risk.
At the moment, it seems that I can only influence the qualitative residual value, not the quantitative one.
Any thoughts or best practices on how to approach this?
