    Benefits

    To streamline configurations, the ZenGRC Risk Heatmap provides out-of-the-box risk scores to instantly set up risk calculations for your organization. Or, with just a few clicks, you can create a more robust set of risks and scores to be used for identification and tracking.

    Overview

    ZenGRC offers a flexible framework that allows your organization to do the following:

    1. Get started immediately with default, ready-made settings.
    2. Incorporate a collection of industry-approved methods and registers for a more robust risk management program.
    3. Customize risk settings to create your own program within ZenGRC.
    4. Employ a mix of default and customized elements to suit your organization's needs.

    Accessing the Risk Settings Page

    To access the area that allows customization of the risk heatmap, complete the following steps:

    1. Click Settings | Risk Settings.
    2. The Risk Settings home page displays.

    NOTE: The disabled tabs on the Risk Settings home page show upcoming functionality.


    What Are Factors, Vectors and Scores?

    ZenGRC provides components called "factors" and "vectors" to calculate your risk strategy.

    • Factors - Terms used in calculating vectors (for example, Impact * Likelihood = Inherent Risk, where Impact and Likelihood are the factors contributing to the overall Inherent Risk score, which is a vector).
    • Vectors - Terms used to measure risk types within an organization (for example, Inherent Risk).
    • Scores - The combination of factors and vectors used to rank risks.

    Risk vectors are a function of factors as follows:

    Risk Vectors = Fx(Factors)

    The Impact vector could be as simple as a single score on a scale of 1-5, or it might be a combination of various scales already defined. For example, Impact may equal the sum of financial impact, operational impact, and privacy impact.

    A simple way to remember risk score is that it is a function of vectors as follows:

    Risk Score = Fx(Vectors)

    To calculate inherent risk, one option is to multiply Impact by Likelihood:

    Inherent Risk = Impact * Likelihood

    Then find the Residual Risk by taking the product of Impact and Likelihood that makes up your Inherent Risk and dividing it by the Control Strength. The residual risk is the quotient, as shown below:

    Residual Risk = Impact * Likelihood / Control Strength

    ZenGRC Default Settings

    To get you started, your instance already contains pre-set factors and vectors to use in their entirety or to configure as needed.

    Factors

    The default factors in ZenGRC are labeled Impact, Likelihood, Residual Impact, and Residual Likelihood, each with the options Very Low (1), Low (2), Moderate (3), High (4), and Very High (5). You can configure the scale based on your desired risk calculation profile and make it as complex or simple as your organization needs. The default scale provides a simple method for scoring and calculating risk: a risk that you deem as having a high impact to your organization (5) and Moderate Likelihood (3) will have a higher risk score than a risk with Low Residual Impact (2) and Moderate Likelihood (3).


    Vectors

    ZenGRC default options for vectors include Impact, Likelihood, Residual Impact, and Residual Likelihood. As with the factors, vectors have predetermined threshold ranges from very low to very high, and can be customized as needed.


    Utilizing Calculations and Registers

    TIP: If you are using one of the available calculation methods or risk registers, you would typically select one option under Calculation Methods and one option under Risk Registers.

    Incorporating a Calculation Method

    Making a selection under Calculation Methods automatically creates the factors, vectors and scores needed to calculate risks.

    The methods to choose from include the following:

    • Basic Risk - A risk calculation method composed of two risk scores, Inherent and Residual. The former is used to calculate the initial risk score, and the latter is used to calculate the risk score after remediation processes.
    • RISQ Simplified - This Enterprise Risk Management (ERM) assessment process has been developed by RISQ Management LLC to allow for scalable implementation of a Risk Management System. The system is designed to start in a single department or organization, and then scale to cover the complete enterprise. The system uses three vectors (Impact, Likelihood, Avoidance) and six factors (Financial Impact, Velocity, Possibility, Importance, Control Strength, Responsiveness) to calculate inherent and residual risk.
    • CIS-RAM Simplified - This assessment method is based on the CIS-RAM model, published by the Center for Internet Security. This system uses impact and likelihood to calculate the residual (current) risk level. This model takes into account mission impact and obligation impact to determine the maximum risk score.

    To adopt a calculation method from one of the options, complete the following steps:

    1. On the Risk Settings page, click the Content tab.
    2. In the Calculation Methods section, select one of the methods.
    3. Click Add.

    Adding a Risk Register

    These risk registers create a full list of risks for your organization to track. The available risk registers include the following:

    • RISQ Management Enterprise Risk Register - An enterprise/departmental risk register compiled by RISQ Management LLC from a comprehensive set of risk studies and standards, including the North Carolina State Enterprise Risk Management study, the Verizon Data Breach Investigations report, NIST 800-53 and the PWS Third-Party Risk Management report.

      This register should be used as a basis to start identifying and tracking risks within your own organization. Not all risks will apply to an organization, and typically organizations limit the number of risks tracked and managed within a department or enterprise to 25-35 total risks.

    • Cybersecurity Risk Catalog - The Risk Catalog is a catalog of 32 unique risks, organized into 6 risk categories based on the nature of the risk: Access Control (AC), Asset Management (AM), Business Continuity (BC), Exposure (EX), Governance (GV) and Situational Awareness (SA). Each risk has its own unique risk control # and description.

      The intent of this risk catalog is to help standardize an understanding of legitimate cybersecurity and privacy risks across the organization, to reduce the Fear, Uncertainty and Doubt (FUD) that is all too common in risk discussions. The risk catalog is applied so that each of the Secure Controls Framework (SCF) controls is tagged with associated risks, for either (1) a control deficiency or (2) understanding the risks associated with a request for an exception to a requirement.

      The risk catalog is not authoritative. However, it is a starting point for a rational discussion about the possible risks associated with a control either not being done at all or only partially. The idea is to look at risks with an "eyes wide open" approach to understand the potential ramifications of managing cybersecurity and privacy controls.

    To adopt a risk register from one of the options, complete the following steps:

    1. On the Risk Settings page, click the Content tab.
    2. In the Risk Registers section, select one of the registers.
    3. Click Add.

    Customizing Factors, Vectors and Scores

    If you've utilized existing methods and registers as explained in the above sections, you can still alter or create risk factors, vectors, and scores. Customization options include the following:

    • Unlimited risk factors with weights and options.
    • Unlimited risk vectors (for risk programs involving more than two vectors, like impact, likelihood, and velocity).
    • Unlimited risk scores (to capture multiple risk states in the management workflow, i.e. inherent versus residual risk).

    Creating Factors

    To create a new factor, complete the following steps:

    1. On the Risk Settings page, click the Factors tab.
    2. Click +Add Factor, and give it a title.
    3. Click +Add Option and create options with values determined by your organization, such as "Low" or "Very low."
    4. Next to each option, click in the Values box and use the up or down arrows to provide a number. The higher the number, the higher the risk.
    5. Add a number in the Weight text box. This number is then multiplied by each of the option values. If those values don't need to be changed, enter the numeral "1" in the Weight box.
    6. Click Save.
    7. Alternatively, click Cancel to close the dialog box without creating a factor.

    The factors can now be used as part of an arithmetic equation in the Vectors and Scores tabs to set up vectors and scores.

    Setting Up Vectors

    To create a new vector, complete the following steps:

    1. On the Risk Settings page, click the Vectors tab.
    2. Click +Add Vector, and give it a title.
    3. Under Calculation, select from the list of factors, vectors, and scores (these are specific to your instance). Then use the grid on the right to create a customized item. The options are as follows:
      1. Addition.
      2. Subtraction.
      3. Multiplication.
      4. Division.
      5. Average.
      6. Minimum.
      7. Maximum.
    4. Set ranges by adding a title in the Ranges text box and selecting a number in the UP TO (≤) numeral box. This is the highest value for that range.
    5. Click +Add Range to create a new range. Each range determines the number of boxes displayed on the Risk Heatmap module.
    6. Once all ranges are created, click Save.
    7. Alternatively, click Cancel to close the dialog box without creating a vector.

    These vectors populate the X-Axis and Y-Axis drop downs on the Risk Heatmap page. Both drop downs display the same options, but once a selection is made in one drop down, it is no longer available in the other.


    IMPORTANT: The number of ranges created for the selected vector determines the number of boxes on whichever axis it's displayed.
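The factor and vector set-up described in the two procedures above (option values multiplied by a factor weight, then combined with one of the seven grid operations, with factors or earlier vectors as operands) can be modelled in a few lines. The following Python is an added example, not ZenGRC code. It assumes the five-point default scale from the Default Settings section, treats Control Strength as a five-point factor (the page names it only as the divisor in the Residual Risk formula), and assumes that Subtraction and Division apply the first operand against the remaining ones; the three impact factors are the page's composite-impact example, and the weight of 2 on Financial Impact is a constructed value.

```python
"""Added example (not ZenGRC code): a small model of factors and vectors.
A factor maps option labels to the values set with the up/down arrows,
multiplied by the factor's weight; a vector combines factors (or other
vectors) with one of the seven operations offered in the Calculation grid."""
import math
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List

# The seven grid operations named on the page. Subtraction and Division
# apply the first input against the rest; that operand order is an assumption.
OPERATIONS: Dict[str, Callable[[List[float]], float]] = {
    "Addition": sum,
    "Subtraction": lambda xs: xs[0] - sum(xs[1:]),
    "Multiplication": math.prod,
    "Division": lambda xs: xs[0] / math.prod(xs[1:]),
    "Average": mean,
    "Minimum": min,
    "Maximum": max,
}


@dataclass
class Factor:
    title: str
    options: Dict[str, float]  # option label -> numeric value from the Values box
    weight: float = 1.0        # multiplied by each option value; 1 leaves them unchanged

    def value(self, option: str) -> float:
        return self.options[option] * self.weight


@dataclass
class Vector:
    title: str
    operation: str     # key into OPERATIONS
    inputs: List[str]  # titles of factors or vectors, in grid order


class RiskModel:
    """Holds the instance's factors and vectors and evaluates them for one risk."""

    def __init__(self) -> None:
        self.factors: Dict[str, Factor] = {}
        self.vectors: Dict[str, Vector] = {}

    def add_factor(self, factor: Factor) -> None:
        self.factors[factor.title] = factor

    def add_vector(self, vector: Vector) -> None:
        self.vectors[vector.title] = vector

    def evaluate(self, title: str, selection: Dict[str, str]) -> float:
        """selection maps each factor title to the option label chosen on the risk.
        A factor resolves directly; a vector resolves its inputs recursively."""
        if title in self.factors:
            return self.factors[title].value(selection[title])
        vector = self.vectors[title]
        operands = [self.evaluate(name, selection) for name in vector.inputs]
        return OPERATIONS[vector.operation](operands)


# The default five-point scale from the page.
FIVE_POINT = {"Very Low": 1, "Low": 2, "Moderate": 3, "High": 4, "Very High": 5}


def default_model() -> RiskModel:
    """Default factors plus the Inherent and Residual formulas from the page.
    Control Strength as a five-point factor is an assumption."""
    model = RiskModel()
    for name in ("Impact", "Likelihood", "Residual Impact", "Residual Likelihood", "Control Strength"):
        model.add_factor(Factor(name, dict(FIVE_POINT)))
    model.add_vector(Vector("Inherent Risk", "Multiplication", ["Impact", "Likelihood"]))
    # Residual Risk = Impact * Likelihood / Control Strength, built on the Inherent vector.
    model.add_vector(Vector("Residual Risk", "Division", ["Inherent Risk", "Control Strength"]))
    return model


def composite_impact_model() -> RiskModel:
    """The page's example of Impact as the sum of several impact factors.
    The weight of 2 on Financial Impact is a constructed value."""
    model = RiskModel()
    model.add_factor(Factor("Financial Impact", dict(FIVE_POINT), weight=2))
    model.add_factor(Factor("Operational Impact", dict(FIVE_POINT)))
    model.add_factor(Factor("Privacy Impact", dict(FIVE_POINT)))
    model.add_vector(Vector("Impact", "Addition",
                            ["Financial Impact", "Operational Impact", "Privacy Impact"]))
    return model


if __name__ == "__main__":
    model = default_model()
    hot = {"Impact": "Very High", "Likelihood": "Moderate", "Control Strength": "Moderate"}
    cool = {"Impact": "Low", "Likelihood": "Moderate", "Control Strength": "Moderate"}
    for label, sel in (("impact 5, likelihood 3", hot), ("impact 2, likelihood 3", cool)):
        print(label, "inherent =", model.evaluate("Inherent Risk", sel),
              "residual =", model.evaluate("Residual Risk", sel))
```

Running it reproduces the comparison from the Default Settings section: impact 5 with likelihood 3 gives an inherent score of 15, impact 2 with likelihood 3 gives 6, and a Control Strength of 3 brings the first down to a residual score of 5. Because a vector's inputs may name other vectors, the Residual formula is expressed exactly as the page writes it, as the Inherent product divided by Control Strength.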


    Creating Scores

    To create a new score, complete the following steps:

    1. On the Risk Settings page, click the Scores tab.
    2. Click +Add Scores and give it a title.
    3. Under Calculation, select from the list of factors, vectors, and scores (these are specific to your instance). Then use the grid on the right to create a customized item. The options are as follows:
      1. Addition.
      2. Subtraction.
      3. Multiplication.
      4. Division.
      5. Average.
      6. Minimum.
      7. Maximum.
    4. Set ranges by adding a title in the Ranges text box. For example, "Low" or "Very low."
    5. Click in the circle beside the Ranges text box and select a color to represent the range on the heatmap.

      IMPORTANT: The colors added here are the colors pulled into the Risk Heatmap display.


    6. Select a number in the UP TO (≤) numeral box. This number is a weight that is multiplied by the option value. If the option value doesn't need to be changed, then enter the numeral 1 in this box.

    7. Click Save.

    8. Click +Add Range to create a new range.

    9. Once all ranges are created, click Save.

    10. Alternatively, click Cancel to close the dialog box without creating a score.

    These scores populate the Select Risk Score drop down on the Risk Heatmap page.

    Editing an Existing Factor, Vector or Score

    Once a factor, vector or score is created, the individual details are divided out into columns and available for editing.

    TIP: If an element is added, edited, or removed, it may impact a risk item's score. If this occurs, the score remains the same until the risk is opened and Calculate is clicked. This option is located on the Risk Scoring tab of each individual risk item.


    To edit, complete the following:

    1. On the Risks Settings page, select the appropriate tab.
    2. Hover over the option you want to edit.
    3. Click the blue pencil.

    4. Make edits.
    5. Click Save.

    To delete an item, complete the following:

    1. Click the ellipsis in the Actions column.
    2. Click Delete.
    3. In the resulting dialog box, select Factor will be deleted.
    4. Click Delete.

    How the Risk Heatmap Displays Risks


    The number of vector ranges determines the number of the boxes on that axis. 

    For example, if the following vectors are created and selected on the Risk Heatmap axes:

    • Likelihood vector with ranges:
      • 0 <= 2 very low
      • 2 <= 4 low
      • 4 <= 6 moderate
      • 6 <= 8 high
      • 8 <= 10 extremely high
    • Impact vector with ranges:
      • 0 <= 10 low
      • 10 <= 40 medium
      • 40 <= 50 high

    The heatmap will have 15 boxes, three for Impact and five for Likelihood.

    Then, the Inherent Risk (Impact x Likelihood) ranges are as follows:

    • 0 <= 100 insignificant
    • 100 <= 400 concerning
    • 400 <= 500 dangerous

    Heatmap colors are determined by the highest risk values within the box. For example, if you have risks with the following values:

    • L = 1, I = 5 => insignificant
    • L = 1, I = 8 => insignificant
    • L = 6, I = 20 => concerning
    • L = 8, I = 25 => concerning
    • L = 10, I = 45 => dangerous 

    The heatmap is displayed as follows (Impact rows, Likelihood columns):

    Impact \ Likelihood   Very low            Low                 Moderate            High                Very high
    High                                                                                                  dangerous (1)
    Moderate                                                      concerning (1)      concerning (1)
    Low                   insignificant (2)


    If there are three or more vectors, the same rules apply, even though we are showing two vectors at the same time. The highest risk score value in the box determines its color.

    For example, if the following is set up:

    • Likelihood (1-5)
    • Impact (1-5)
    • Velocity (1-5)
    • Safeguard risk = Likelihood x Impact x Velocity

    The risk threshold is defined as:

    • 1 <= 25 weak
    • 25 <= 100 reasonable
    • 100 <= 125 insane

    There would be five risks:

    • I = 1, L = 5, V = 5 ==> 25 (reasonable)
    • I = 1, L = 5, V = 1 ==> 5 (weak)
    • I = 3, L = 3, V = 3 ==> 27 (reasonable)
    • I = 1, L = 1, V = 5 ==> 5 (weak)
    • I = 5, L = 1, V = 1 ==> 5 (weak)

    If the heatmap is filtered by Impact and Likelihood, the following displays (Impact rows, Likelihood columns):

    Impact \ Likelihood   Very low      Low           Medium        High          Very high
    Very high             weak (1)
    High
    Medium                                            Reasonable (1)
    Low
    Very low              weak (1)                                                Reasonable (2)


    There are two risks in the <1,5> box, and they are colored yellow because of the highest risk in the box.
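The worked heatmap above, as an added Python example that is not ZenGRC code: it applies the UP TO (≤) rule from the vector and score set-up sections to bucket each risk's Likelihood and Impact into a cell and its Inherent Risk (Impact × Likelihood) into a score range, then labels each cell by the highest score range among the risks in it, which is the rule the page gives for a cell's color. The ranges and the five (L, I) pairs are the page's first example; the fixed-width text rendering is the example's own.

```python
"""Added example (not ZenGRC code): bucket vector values into the ranges
configured on the Vectors and Scores tabs and lay risks out on a heatmap
whose cell color is the highest score range among the risks in that cell."""
from collections import defaultdict
from typing import Dict, List, Tuple

# A range list is ascending (label, UP TO (<=) bound) pairs, as entered in the UI.
Ranges = List[Tuple[str, float]]


def bucket(value: float, ranges: Ranges) -> str:
    """Return the first range whose upper bound the value does not exceed."""
    for label, upto in ranges:
        if value <= upto:
            return label
    raise ValueError(f"{value} exceeds the last range bound {ranges[-1][1]}")


# Ranges from the page's first worked example.
LIKELIHOOD: Ranges = [("very low", 2), ("low", 4), ("moderate", 6), ("high", 8), ("extremely high", 10)]
IMPACT: Ranges = [("low", 10), ("medium", 40), ("high", 50)]
INHERENT: Ranges = [("insignificant", 100), ("concerning", 400), ("dangerous", 500)]

# The five (L, I) pairs from the same example.
RISKS: List[Tuple[float, float]] = [(1, 5), (1, 8), (6, 20), (8, 25), (10, 45)]


def inherent_risk(impact: float, likelihood: float) -> float:
    """Inherent Risk = Impact * Likelihood, the page's default score."""
    return impact * likelihood


def build_heatmap(risks, x_ranges: Ranges, y_ranges: Ranges, score_ranges: Ranges):
    """Map each (likelihood, impact) risk to an (x_label, y_label) cell and return
    {cell: (score_label, count)}, where score_label is the highest score range
    in that cell (later entries in score_ranges rank higher)."""
    rank = {label: i for i, (label, _) in enumerate(score_ranges)}
    cells: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for likelihood, impact in risks:
        cell = (bucket(likelihood, x_ranges), bucket(impact, y_ranges))
        cells[cell].append(bucket(inherent_risk(impact, likelihood), score_ranges))
    return {cell: (max(labels, key=rank.__getitem__), len(labels))
            for cell, labels in cells.items()}


def box_count(x_ranges: Ranges, y_ranges: Ranges) -> int:
    """One box per pair of axis ranges: 5 Likelihood x 3 Impact = 15 here."""
    return len(x_ranges) * len(y_ranges)


def render(heatmap, x_ranges: Ranges, y_ranges: Ranges, width: int = 20) -> str:
    """Fixed-width text grid: highest Impact row first, Likelihood ranges across."""
    header = "Impact \\ Likelihood".ljust(width) + "".join(l.ljust(width) for l, _ in x_ranges)
    lines = [header.rstrip()]
    for y_label, _ in reversed(y_ranges):
        row = y_label.ljust(width)
        for x_label, _ in x_ranges:
            label, count = heatmap.get((x_label, y_label), ("", 0))
            row += (f"{label} ({count})" if count else "").ljust(width)
        lines.append(row.rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    heatmap = build_heatmap(RISKS, LIKELIHOOD, IMPACT, INHERENT)
    print(box_count(LIKELIHOOD, IMPACT), "boxes")
    print(render(heatmap, LIKELIHOOD, IMPACT))
```

The output places the two insignificant risks in the very low / low box, the two concerning risks in the moderate and high Likelihood columns of the medium Impact row, and the dangerous risk in the extremely high / high box, matching the grid above. One caveat worth checking against your own configuration: under the ≤ rule a value exactly on a bound belongs to the lower range (here L = 6 lands in moderate rather than high), so bound values should be chosen deliberately when ranges are set up, and a score above the last bound is reported as an error rather than silently placed.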

    NOTE: To continue to the next section, please see Utilizing the Risk Heatmap.