Risk Statements vs. Individual Risks

Carlos58
Tera Contributor

Apologies for asking so many questions, but we just recently implemented IRM. We are debating the advantages or not of using Risk Statements vs. creating individual risks without inheriting any information from the Risk Statements. We are wondering what approach other organizations have taken. Do you create Risks using Risk Statements or not, and why?

Thanks for your feedback,

Carlos

8 REPLIES

Sebastien,

Thanks very much for your answer. It definitely helps me understand how Risk Statements work.

 

There is also now the ability to have multiple risks for the same statement and entity!

Phil Swann
Tera Guru

Scoping using entity type mapping to risk statement (top-down) may not always be the right thing.

Organisations moving in the right direction should start to leverage the information objects, via business application/CSDM, and then map into citations, policies and risk statements... this will feed the risk identification workflow...

Furthermore, scoping via risk ID & advanced risk assessment provides a more focused approach.

But certainly... use risk statements, and if you are not going to use risk statements to start with, make sure you have a plan for adopting them later, and avoiding the pollution you will create.

Thanks Phil, appreciate your comments. Looks like going via Risk Statements is the best way to go.