Risk hierarchy and scoring

  • Release version: Australia
  • Updated March 12, 2026

    Starting with the New York release, risk managers can create hierarchies that include different types of risk (operational risk, IT risk, or strategic risk). Once the underlying risks are assessed, the risk scores are automatically rolled up across the risk statement hierarchy, supporting better tactical and strategic decision-making.

    Risk Hierarchy

    Risk managers and administrators create and view hierarchies on the risk statement form:
    • Define a parent risk statement using the Parent field
    • Add child risk statements using the Risk Statements related list
    Note:
    Risk users can view the hierarchies established by the managers and administrators.

    Depending on the risk area, different people in the organization own and manage their own risks. However, a top-level risk score takes into account the scores of all the risks below it. Therefore, managing all the different risk areas in a central location provides an integrated view of your organization's total risk posture.

    Figure 1. Hierarchical risk taxonomy showing integrated view of risk
    Sara, head of Operational Risk; Sophia, head of IT risk, with the taxonomies defined for IT risk; and the Chief Risk Officer are all looking at the rolled-up scores.

    Translate quantitative risk scores to qualitative values

    The Tolerance Status and the Calculated Score are based on the Calculated Annual Loss Expectancy (ALE) of the underlying risks:
    • Sum of calculated ALE
    • Average calculated ALE
    • Maximum calculated ALE
    • Minimum calculated ALE
    Note:
    Only risks in the Monitor state can contribute to the risk statement scores.
    Figure 2. Risk Rollup and Tolerance tab
    Screen shows calculations on the Risk Rollup and Tolerance tab.
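
The rollup described above, worked through as an added example; this is not ServiceNow code. It computes the four ALE aggregates for a constructed risk statement hierarchy, counting only risks in the Monitor state. Assumptions: the field names, the non-Monitor state labels and the sample figures are hypothetical, and a parent statement is assumed to pool the risks of every statement beneath it.

```javascript
// Added illustration, not ServiceNow code. Field names (name, state, ale,
// risks, children) are hypothetical; all data below is constructed.

// Collect the calculated ALE of every contributing risk under a statement.
// Assumption: a parent pools the risks of all of its descendants.
function contributingAles(statement) {
  const own = (statement.risks || [])
    .filter((r) => r.state === 'Monitor') // only Monitor-state risks count
    .map((r) => r.ale);
  const below = (statement.children || []).flatMap(contributingAles);
  return own.concat(below);
}

// Return the four aggregates the page lists, or nulls when nothing contributes.
function rollup(statement) {
  const ales = contributingAles(statement);
  if (ales.length === 0) {
    return { count: 0, sum: null, average: null, maximum: null, minimum: null };
  }
  const sum = ales.reduce((a, b) => a + b, 0);
  return {
    count: ales.length,
    sum,
    average: sum / ales.length,
    maximum: Math.max(...ales),
    minimum: Math.min(...ales),
  };
}

// Constructed hierarchy: one parent statement with three child statements.
const enterprise = {
  name: 'Enterprise risk',
  children: [
    { name: 'IT risk', risks: [
      { name: 'Unpatched servers', state: 'Monitor', ale: 120000 },
      { name: 'Vendor outage', state: 'Monitor', ale: 30000 },
      { name: 'Legacy VPN', state: 'Draft', ale: 500000 }, // not in Monitor
    ] },
    { name: 'Operational risk', risks: [
      { name: 'Process failure', state: 'Monitor', ale: 60000 },
    ] },
    { name: 'Strategic risk', risks: [
      { name: 'Market shift', state: 'Assess', ale: 900000 }, // not in Monitor
    ] },
  ],
};

console.log(rollup(enterprise));
```

The two risks outside the Monitor state carry the largest ALE values in the sample data, yet they do not move any of the parent's aggregates; a statement with no Monitor-state risks beneath it returns empty values rather than zero.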