Define risk statement hierarchy
Risk managers establish parent and child relationships on the risk statement form.
Before you begin
Role required: sn_risk.manager
Procedure
- Navigate to All > Risk > Risk Library > Risk Statements.
- Click New.
- On the form, fill in the fields.

  Note: When any of the following statement fields changes: Name, Description, Reference, Category, Type, Classification, and Attestation, all the associated controls and risks are updated, and their state is set back to Draft.

  Table 1. Risk Statement form (Field: Description)

  - Name: Name of the risk statement.
  - Parent (visible only when Advanced Risk has been downloaded): Parent risk statement to this risk statement.
    - Users select the appropriate parent from the taxonomy structure.
    - If no parent is specified, the risk statement becomes the root of the tree.
    - It is possible to have several of these root-type risk statements within the organization.
    - A risk statement cannot be both a parent and a child of another risk statement.
  - Framework: Framework this risk statement is associated with.
  - Category: Choose a category.
    - Legal
    - Financial
    - Operational
    - Reputational
    - Legal/Regulatory
    - Credit
    - Market
    - IT
  - Assessment: Assessment associated with this risk statement.
  - Issue group rule: Issue group rule assigned to this risk statement for reporting and dashboard.
  - Description: Description of the risk statement.
  - Additional information: Additional information for this risk statement.

  Default Scores

  - Inherent SLE: Monetary value of a risk if it occurs before any mitigation strategies are in place.
  - Residual SLE: Monetary value of a risk if it occurs after all mitigation strategies are in place.
  - Inherent ARO: Probability that a risk occurs in any given year before any mitigation strategies are in place.
  - Residual ARO: Probability that a risk will occur in any given year after all mitigation strategies are in place.

  Risk Rollup and Tolerance (this tab is visible only when Advanced Risk has been downloaded)

  - Expected ALE: Enter currency and amount for the expected ALE. Note: This value must be less than or equal to the Maximum acceptable ALE.
  - Maximum acceptable ALE: Enter currency and amount for the maximum acceptable ALE. Note: This value must be greater than or equal to the Expected ALE.
  - Sum of calculated ALE: This is a calculation based on all the underlying risks or risk statements.
  - Average calculated ALE: This is a calculation based on all the underlying risks or risk statements.
  - Maximum calculated ALE: This is a calculation based on all the underlying risks or risk statements.
  - Minimum calculated ALE: This is a calculation based on all the underlying risks or risk statements.
  - Tolerance Status: Automatically calculated based on tolerance values.
    - If the Calculated ALE is less than or equal to the Expected ALE: Acceptable (green)
    - If the Calculated ALE is greater than the Expected ALE, but less than or equal to the Maximum acceptable ALE: Needs Attention (orange)
    - If the Calculated ALE is greater than the Maximum acceptable ALE: Unacceptable (red)
  - Calculated Score: The corresponding score for the calculated ALE:
    - Low
    - Med
    - High
- Click Submit.
- To add child risk statements, click the Risk Statements related list, and click New.
- Fill in the fields on the form, as appropriate, and click Submit.
- Repeat until you have added all the child risk statements related to this risk statement.
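
The hierarchy constraint, ALE rollup fields, and tolerance rules described in the field table above, worked through as an added example in plain JavaScript; this is not ServiceNow code. Assumptions: ALE is computed as SLE × ARO, the rollup covers every risk in a statement's subtree, the sum rollup stands in for the Calculated ALE, and all field names and sample data are constructed.

```javascript
// Added example, not ServiceNow code. Field names and sample data are constructed.
// Assumptions: ALE = SLE * ARO; rollup spans the subtree; sum is the "Calculated ALE".
const statements = [
  { id: "RS-ROOT", parent: null, expectedAle: 60000, maxAle: 100000, risks: [] },
  { id: "RS-A", parent: "RS-ROOT", expectedAle: 50000, maxAle: 70000, risks: [{ sle: 100000, aro: 0.5 }] },
  { id: "RS-B", parent: "RS-ROOT", expectedAle: 10000, maxAle: 30000,
    risks: [{ sle: 80000, aro: 0.25 }, { sle: 160000, aro: 0.125 }] },
];

// A statement cannot be both parent and child of another: reject loops.
function validateHierarchy(list) {
  const byId = new Map(list.map(s => [s.id, s]));
  for (const s of list) {
    const seen = new Set([s.id]);
    for (let p = s.parent; p !== null; p = byId.get(p).parent) {
      if (!byId.has(p)) throw new Error(`${s.id}: unknown parent ${p}`);
      if (seen.has(p)) throw new Error(`${s.id}: parent/child loop via ${p}`);
      seen.add(p);
    }
  }
}

// ALE of every risk under a statement, including those of its child statements.
function subtreeAles(list, id) {
  const own = list.find(s => s.id === id).risks.map(r => r.sle * r.aro);
  const kids = list.filter(s => s.parent === id).flatMap(c => subtreeAles(list, c.id));
  return own.concat(kids);
}

// Tolerance rules from the table; Expected ALE must not exceed Maximum acceptable ALE.
function toleranceStatus(calculated, expected, max) {
  if (expected > max) throw new Error("Expected ALE must be <= Maximum acceptable ALE");
  if (calculated <= expected) return "Acceptable";
  if (calculated <= max) return "Needs Attention";
  return "Unacceptable";
}

function rollup(list, id) {
  validateHierarchy(list);
  const s = list.find(x => x.id === id);
  const ales = subtreeAles(list, id);
  const sum = ales.reduce((a, b) => a + b, 0);
  return {
    sum, average: ales.length ? sum / ales.length : 0,
    maximum: ales.length ? Math.max(...ales) : 0, minimum: ales.length ? Math.min(...ales) : 0,
    status: toleranceStatus(sum, s.expectedAle, s.maxAle),
  };
}
for (const s of statements) console.log(s.id, rollup(statements, s.id));
```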