Risk Management

Learn how to implement Asset, Third Party and Business Risk Management in eramba. Given the large number of relationships that Risks have with other modules, this course is probably the longest in our entire curriculum.

  • Episodes: 11
  • Duration: 50m 14s
  • Languages: EN
Episode 5

Configuring the Risk Module

Basic configurations such as Risk Classification, Appetite and Calculation

Introduction

There are four steps to set up the Risk module. Some of these steps are mandatory, while some are optional. Let's begin with the mandatory steps:

  • Create your Risk Classification Schema
  • Select a Calculation Method
  • Configure your Risk Matrix
  • Configure your Risk Treatment Options

All the configuration steps mentioned above are foundational. This means that once you define them, you will most likely try to avoid changing them as much as possible. If you upload 500 risks and suddenly realize that you want a different classification or risk calculation, you will need to reclassify every risk on the system. Inconvenient.

Risk Classification

You need to define a risk classification that will suit your risk calculation. Review the risk calculations documentation and choose the method that suits you best, then follow these steps in any of the Risk modules:

  1. Go to Risk Module (Asset, Third Party or Business) / Settings / Risk Classifications
  2. Click on “Add New”
  3. Assuming that a fresh installation is used, you will first need to create a Type (first field). Click “Add” and create your first risk classification type. (For example: Likelihood, Impact, etc.)
  4. You can then create a classification for this type. (For example: High, Low, etc.) You will need a numeric value that will be used on the Risk Score.
  5. Create new classifications for the type created in step three. Once you are done, you can create a new classification type and continue the process.

Risk Calculation Method

You can now go and choose your Risk Calculation:

  1. Go to Settings / Risk Calculation Method
  2. Choose the Risk Calculation method (you need to select the checkbox option)
  3. Configure the Risk Calculation by choosing the Risk Classifications
  4. Save

Risk Appetite

With the exception of Magerit, all other risk calculations support matrices configured on the “Threshold” tab. We strongly advise you to use Thresholds.

  1. Check the Threshold method.
  2. For every combination on the matrix, choose a title, description, and colour.
  3. Optional: if you have a default threshold, you can use the top left corner and avoid configuring all of the combinations. This is typically the case for the lower threshold of the matrix.

If you are using Magerit, you cannot use the Threshold method. You need to use the numerical method. Check the tab and choose a number at which risks will be considered higher than the organizational appetite.

Treatment Options

For every risk, you will need to set the treatment strategy you wish to apply. Your options are: Avoid, Transfer, Mitigate and Accept. You will also need to define what treatment objects you want to link: Controls, Policies, Projects and Exceptions.

On all three Risk modules, under "Settings" > "Treatment Options", you can define for each treatment strategy which mitigation options will be mandatory or optional. This is useful to make sure treatment across your risks is done consistently.