02-06-2024 06:45 PM
Hi all,
A bit new in GRC Risk space.
I'm trying to understand how the Risk assessment process affects the Inherent & Residual risk scores, but I'm pretty much confused:
This is what I've tried so far
1. Created dummy 'Risk Statement' record (associated random Inherent and Residual values)
2. Generated Risk records through 'Entity Type' (Windows Servers) and as a result got my 'Risk' records created:
3. I'm then completing the 'Risk Assessment' process for individual 'Risk' records, but no matter what I'm putting in the risk assessment answers, the Inherent & Residual impact/likelihood scores remain the same as on the risk statement above.
What am I missing?
- I would prefer to see inherent and residual scores affected when risk assessment is negative.
- I would prefer this assessment to change the Risk Overview dashboard heatmap results (Inherent Risk Heatmap and Residual Risk Heatmap), but it doesn't.
P.S. When I fail associated control attestations then calculated score gets affected, but again not the inherent or residual impact/likelihood score.
I appreciate your comments and any guidance.
Thanks a lot
02-07-2024 02:30 AM
Hi @Valqe ,
Firstly, welcome to the risk world in IRM.
What you are using is the Classic Risk management, where the Risk Score Rollup doesn't happen, which means Inherent & Residual impact/likelihood scores will remain the same as on the risk statement.
Ratings are of three kinds: qualitative, semi-quantitative, and quantitative.
Qualitative rating
Qualitative risk assessments rely on the assessor's perceptions of the probability and impact of a risk. If the method is purely qualitative, then the ratings are based on the list values such as high, medium, or low. In this case, the risk scores do not roll up. Because this method has minimal mathematical dependency, qualitative risk assessment is easy and quick to perform. This method also enables an organization to take advantage of the assessor's experienced knowledge of the process or asset that is being assessed. Users who are new to risk assessments usually use this kind of rating.
Semi-quantitative rating
In a semi-quantitative rating, the qualitative ratings also have a corresponding numerical scale. For example, if the quantitative risk score is between 0-10, then the qualitative rating is low. Users who use this type of rating are not new to risk assessments. Most users belong to this category. In this category, the risk scores roll up and the risk appetite is qualitative in nature.
Quantitative rating
A quantitative risk assessment focuses on data that is fact-based, measurable, and highly mathematical. In a quantitative risk rating that uses advanced simulation techniques, the risk is quantified in purely numerical terms. In this category, the risk appetite is quantitative in nature. You can choose only one Scoring type for Classic risk.
The Risk Scoring Calculations for classic risk are as follows:
- Qualitative Inherent ALE = Inherent ARO x Inherent SLE
- Qualitative Inherent Score = Inherent Likelihood x Inherent impact
- Quantitative Residual ALE = Residual ARO x Residual SLE
- Qualitative Residual Score = Residual SLE
When scoring is set to qualitative, the quantitative values are updated in the background.
The Calculated Score for risk is a read-only field designed to quickly assess a risk affecting the organization, and identify threats and areas of non-compliance.
If controls are implemented to mitigate risk, then
- Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100)).
- So: Calculated Score = Residual Score only if Compliance with the controls is 100%.
If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate risk.
Meaning that the Calculated Score can never be less than the Residual Score or greater than the Inherent Score.
If controls are not implemented to mitigate risk, then Calculated Score = Residual Score.
If the Residual Score is not set, then Calculated Score = Inherent Score.
The calculated risk factor value is calculated as:
- Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2
Control failure factor -> Sum of failed controls weighting divided by total controls weighting.
Indicator failure factor -> Uses the last result of each associated indicator. The number of last results failed divided by the total number of indicators associated.
If you want to see the scoring get affected based on Inherent, Residual and control effectiveness, then you will have to move to Advanced Risk Management, where the Risk Rollup happens with the use of RAMs, and Risk Statements have NO contribution.
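A worked example of the Classic calculated-score rollup described in the answer above, added here as illustration and not ServiceNow's own code. It assumes controls carry a weighting and a pass/fail result, indicators carry a last-result flag, and both failure factors are expressed as percentages (0-100) so that the `/ 100` in the Calculated ALE formula applies; the edge cases stated in the answer (no controls, residual not set) are handled explicitly.

```javascript
"use strict";

// Control failure factor: sum of failed controls' weighting divided by
// total controls weighting, expressed as a percentage (assumption).
function controlFailureFactor(controls) {
  const total = controls.reduce((sum, c) => sum + c.weight, 0);
  if (total === 0) return 0;
  const failed = controls
    .filter((c) => !c.passed)
    .reduce((sum, c) => sum + c.weight, 0);
  return (failed / total) * 100;
}

// Indicator failure factor: number of failed last results divided by the
// number of associated indicators, as a percentage (assumption).
function indicatorFailureFactor(indicators) {
  if (indicators.length === 0) return 0;
  const failed = indicators.filter((i) => !i.lastResultPassed).length;
  return (failed / indicators.length) * 100;
}

// Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2
function calculatedRiskFactor(controls, indicators) {
  return (indicatorFailureFactor(indicators) + controlFailureFactor(controls)) / 2;
}

// Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (CRF / 100)).
// Residual not set  -> Calculated = Inherent.
// No controls       -> Calculated = Residual.
// Result is therefore bounded between Residual and Inherent.
function calculatedAle(inherentAle, residualAle, controls, indicators) {
  if (residualAle === null || residualAle === undefined) return inherentAle;
  if (controls.length === 0) return residualAle;
  const crf = calculatedRiskFactor(controls, indicators);
  return residualAle + (inherentAle - residualAle) * (crf / 100);
}

// Constructed sample: one of two weighted controls failed (weight 1 of 4),
// one of two indicators failed; field names are assumptions, not platform fields.
const SAMPLE_CONTROLS = [
  { name: "Patch management", weight: 3, passed: true },
  { name: "Privileged access review", weight: 1, passed: false },
];
const SAMPLE_INDICATORS = [
  { name: "Patch SLA met", lastResultPassed: true },
  { name: "Stale admin accounts", lastResultPassed: false },
];

function sampleCalculatedAle() {
  return calculatedAle(100000, 20000, SAMPLE_CONTROLS, SAMPLE_INDICATORS);
}
```

With the sample data the control failure factor is 25, the indicator failure factor is 50, so the Calculated Risk Factor is 37.5 and the Calculated ALE lands at 50000, between the residual 20000 and the inherent 100000.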
02-07-2024 05:10 AM
Hi @Community Alums
Thank you so much and I really appreciate your comprehensive response. This is very useful.
Before I close this post and accept the solution, I came up with three questions; I hope you can help, please:
1) Since heatmap reports depend only on "Impact" and "Likelihood" values, then from what I'm understanding "Inherent Risk Heatmap" and "Residual Risk Heatmap" are not so dynamic if you're not using advanced risk. They solely depend on initial 'Risk Statement' values rather than from assessed risk results. Am I correct on this statement?
2) If I continue utilizing non advanced risk, is there a way of creating "Assessment" records which once responded on "Risk Assessment" record they will affect risk's Impact and Likelihood values?
3) Is advanced risk (RAM) the only way to take (dynamic) advantage of the Inherent/Residual Heatmap reports on the "Risk Overview" dashboard? I ask this since such reports exist even before 'Advanced Risk' is enabled, yet so far, at least based on my limited understanding, they solely depend on the initial 'Risk Statement' values rather than on 'Risk Assessment' responses?
I appreciate your help 🙂
Thanks a lot.
02-07-2024 05:37 AM
Hi @Valqe ,
Thanks for your questions, but since your original question has been answered, this calls for a new post; I request that you raise another question.