Risk Management

Learn how to implement Asset, Third Party and Business Risk Management in eramba. Given the large number of relationships that Risks have with other modules, this course is probably the longest in our entire curricula.

  • Episodes: 11
  • Duration: 50m 14s
  • Languages: EN
Episode 4

Risk Calculation Methods

All Risk Calculations methods explained

Introduction

Eramba can automatically calculate Risk scores based on your own defined classification settings. In eramba, the Risk Calculation is closely related to the Risk Classification and the Risk Appetite. The process begins by deciding if you want to have one or multiple Risk matrices, then how those matrices look (size, etc) and what calculation you will use.

In this episode, we explain what settings you will need to define and how they interact with each other.

Risk Classification

You will need to tell eramba how you want to classify and display your Risks in a Matrix. A matrix is composed of the following attributes:

  • Axis Name (For Example: Impact, Probability)
  • Axis Classifications (For Example: high, medium, Etc)
  • Classification Criteria (Never happened before, etc)
  • Classification Value (1, 2, 3, Etc)

The classifications shown in the screenshot are an example of how to classify risks.

Risk Calculation

Every Risk will have a Risk Score (a number) based on its classification and the Risk calculation method you choose. The process is as follows:

  • You classify a Risk
  • The calculation takes the values from your Risk Classification
  • Applies the mathematical calculation
  • A score is obtained

There are four fundamental Risk calculations available to you; remember that they depend on the way you classify your Risks.

  • Single Matrix - Addition: this method will do the sum of your two Classification Types. It will produce two Risk scores, at the Analysis and Treatment phases of your Risk.
  • Single Matrix - Multiplication: this method will do the multiplication of your two Classification Types. It will produce two Risk scores, at the Analysis and Treatment phases of your Risk.
  • No Matrix - Magerit: this is a very complicated method we suggest you do not use unless you are very familiar with the methodology.
  • Multiple Matrices - Multiplication: this method assumes you want to use a single Likelihood classification against multiple and different impact types: Financial Impact, Reputational Impact, etc. For every Impact type, this method will produce two Risk scores, at the Analysis and Treatment phases of your Risk.

Remember that the Risk calculation methods above depend on your Risk Classification:

  Calculation Method                  Single Matrix with two dimensions   Multiple Matrix with two dimensions   Notes
  ----------------------------------  ----------------------------------  -----------------------------------  ---------------------------------------------------------------------
  Single Matrix - Addition            Required                            Not Possible                         None
  Single Matrix - Multiplication      Required                            Not Possible                         None
  No Matrix - Magerit                 Not Possible                        Not Possible                         Not Recommended unless you know the methodology well.
  Multiple Matrices - Multiplication  Not Possible                        Required                             You will require a "Likelihood" methodology and multiple "Impact" ones.

With one exception (Magerit methodology), you will classify every Risk twice:

  • Analysis: when the risk is first identified
  • Treatment: after you have applied some form of treatment

On each of these tabs, you will classify your risk (using your classifications) and then a calculation will be done by eramba.

Risk Appetite

The Risk Appetite is used to place the Risk in a classification schema based on the score or the classification it has been assigned. Eramba can produce a risk matrix based on your classification where every quadrant (cell) can be customised with:

  • Title
  • Description
  • Colour

For example, Medium Impact and Medium Probability produce:

The screenshot below is an example of the Risk Treatment matrix you could obtain out of the classification example shown above:

The screenshot below shows how that matrix looks once a report is pulled:

Typical Setup

If you are not sure what methodology is best for you then we recommend doing something simple yet functional.

  • One Matrix
  • Impact & Likelihood classifications
  • Values 1 - 3

What matters most is the criteria you use to fit risks into the right classifications. For this, you need simple yet very clear criteria; we recommend:

  • Likelihood / Low: never happened before and is very unlikely to happen
  • Likelihood / Medium: never happened before but could easily happen
  • Likelihood / High: has happened before and could easily happen again
  • Impact / Low: no one would care if it happens
  • Impact / Medium: business partners will know if it happens
  • Impact / High: penal consequences if it happens

As you can see, we stay away from things that are impossible to quantify and focus on scenarios anyone can answer directly. The matrix itself does not label risks "High" or "Low", etc.; instead it is used to define who needs to sign off on risks.

  • Risk Owner Sign-Off: this is typically the GRC department and the areas involved (IT, Finance, etc.)
  • Requires Manager Sign-Off: this is the same departments as above plus their managers
  • Requires Director Sign-Off: this is the same people as before plus the executives (C-levels, etc)

Remember that sign-off of risks is unlikely to matter much to anyone if the risk is being "mitigated", but it will definitely matter if the risk is not "mitigated" but rather "accepted, transferred or avoided".
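The calculation methods and the appetite/sign-off lookup described above, as an added Python example that is not eramba's own code. It assumes the typical 1 - 3 Impact and Likelihood setup from this episode, and the sign-off thresholds in the appetite bands are an assumption, since the page does not give eramba's defaults.

```python
# Added example, not eramba's own code: the calculation methods and appetite
# lookup described above, modelled on the page's typical 1-3 setup.

# Classification values from the "Typical Setup" section (values 1 - 3).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

# Assumed appetite bands for the 3x3 multiplication matrix. The page only says the
# matrix defines who signs off; these thresholds are an example, not eramba defaults.
APPETITE = [
    (1, 2, "Risk Owner Sign-Off", "green"),
    (3, 4, "Requires Manager Sign-Off", "yellow"),
    (6, 9, "Requires Director Sign-Off", "red"),
]

def single_matrix_score(likelihood, impact, method="multiplication"):
    """Single Matrix - Addition or Multiplication of the two classification values."""
    l, i = LIKELIHOOD[likelihood], IMPACT[impact]
    if method == "addition":
        return l + i
    if method == "multiplication":
        return l * i
    raise ValueError(f"unknown calculation method: {method}")

def multiple_matrices_score(likelihood, impacts):
    """Multiple Matrices - Multiplication: one Likelihood classification against
    several Impact types; returns one score per Impact type."""
    l = LIKELIHOOD[likelihood]
    return {name: l * IMPACT[level] for name, level in impacts.items()}

def sign_off(score):
    """Risk Appetite lookup: place a multiplication score in its appetite band."""
    for low, high, title, _colour in APPETITE:
        if low <= score <= high:
            return title
    raise ValueError(f"score {score} is outside the 3x3 multiplication matrix")

def assess(analysis, treatment):
    """Each risk is classified twice: Analysis (as identified) and Treatment
    (after treatment). Returns the multiplication score and sign-off per phase."""
    result = {}
    for phase, (likelihood, impact) in (("analysis", analysis), ("treatment", treatment)):
        score = single_matrix_score(likelihood, impact)
        result[phase] = (score, sign_off(score))
    return result

if __name__ == "__main__":
    # Constructed risk: high/high when identified, low/medium after treatment.
    print(assess(("high", "high"), ("low", "medium")))
    print(multiple_matrices_score("medium", {"financial": "high", "reputational": "low"}))
```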