Versions Compared

Benefits


ZenGRC provides an end-to-end Essential Risk management solution that can be tailored to any risk management methodology.

One of the primary purposes of a risk heatmap is to enable organizations to document, track, and manage risk; it also allows users to visualize the ranking of risk objects relative to one another.

Risk heatmaps are especially valuable for executive level customers, as they can be used by decision makers to identify areas of the business where additional resources may be necessary (e.g. a software product with a high number of vulnerabilities or a business process that has unmitigated risks).
IMPORTANT

Risk items in ZenGRC have a different set of permissions than other objects. To review those permissions and how they impact user access, please see Role-Based Permissions for Risk.

Overview

Risk is neither proactive nor reactive; it simply defines the hypothetical possibilities of events that may or may not occur. In the compliance sphere, controls are written to minimize risk to the organization. By mapping relevant controls to identified risks, an organization can identify the controls that have been put in place to minimize risk. You will learn how to do this within ZenGRC in an upcoming lesson.

ZenGRC objects are flexible, so your main objective is to apply a definition to the workflows your organization will follow and make the objects relevant to the work you are doing. 

Setting up a program to manage risk will be unique to your organization and risk posture, but may manifest as: security monitoring, training, continuous risk improvement, enterprise risk management, developing risk committees, and technical network monitoring.

Risk Intro/Overview Course (Jordan)

Lesson 1: Definitions of Objects

Unfortunately, risk management is often conducted after problems have already happened.

With ZenGRC's Risk Management solution and a simple shift in perspective, resources spent putting out fires can instead protect against threats.

Overview


As the first of several enhancements for the ZenGRC Risk Management program, we're announcing the new Risk Heatmap. Now organizations can jump start a new risk program or incorporate a mature program through various customization options.

For additional information on this feature, please see Risk Heatmap.

Risk Management Terminology


Risk - An event or condition that, if it materializes, could have a negative effect on business objectives. Risk is neither proactive nor reactive; it simply defines the hypothetical possibilities of events that may or may not occur.

In the compliance sphere, controls are written to minimize risk to the organization. By mapping relevant controls to identified risks, an organization can identify controls that have been put in place to minimize risk. You will learn how to do this within ZenGRC in an upcoming lesson. 

You can track multiple stages of risk within your organization using ZenGRC, for example:

  • Inherent Risk - A risk without controls.
  • Residual Risk - The amount of risk remaining after controls are implemented.

Threat - These objects identify potential exploitation of vulnerabilities. A threat can be environmental (earthquake, snowstorm, flood), physical (hardware failure, building issues, people), technical (virus, malware, software bug), or of another category as appropriate. It is critical to recognize that a threat is able to exploit a vulnerability.

You can typically reduce the impact of the threat on the vulnerability, but it is very difficult to avoid the threat altogether. By creating and mapping relevant Issues to threats within ZenGRC, a remediation plan can be identified and implemented to minimize or eliminate the threat; you will learn how to accomplish this within ZenGRC.

Vulnerability - A vulnerability is another risk-related object within ZenGRC, defined as a weakness that causes or contributes to a risk manifesting, or is exploited by a threat. It is a gap that increases the likelihood that something will happen. While a risk is theoretical, a vulnerability is real.

For instance, consider drivers who are distracted by texting on their phone (a vulnerability), so they put the phone away while driving (a control). Maybe they're not confident drivers, so they take a driving class (a remediation).

Incident - Objects to track risk and/or vulnerability events. They can be used to monitor failures in patching processes, which could lead to a risk manifesting, or to record that the actual risk has manifested. Note that an incident is not a risk, nor is it a vulnerability. Often these are confused, and this confusion reduces the effectiveness of a risk management program.

Mapping these objects together within ZenGRC gives your organization a clearer picture of 1) how you currently approach risk, 2) your risk protection methods and/or gaps, and 3) improvements to your risk management system. You will learn how to link objects together within ZenGRC in an upcoming lesson.

[Visual options below]

Lesson 2: Definitions of Calculation Variables

AO Text: In this lesson we will discuss Factors, Vectors, and Scores, and some methods available to calculate risk within ZenGRC. To learn more, please reach out to a member of your Reciprocity team to discuss a unique setup for your organization.

To understand risk calculations with ZenGRC, let’s define some of the variables you may want to use for your own organization. Some will be included in out-of-the-box risk content within ZenGRC, but risk calculations in general should be customized to the workflows you are performing, the priorities of the organization, and overall risk appetite (discussed in the next lesson).

Throughout this course, you’ll hear some common terms associated with risk management. The goal of this lesson is to provide you with definitions for these terms so that you are well prepared to continue on to the following lessons. 

[Visual: These definitions listed on the screen:]

Mitigation - The steps taken to reduce the adverse effects of risk incidents. There are four types of risk mitigation to remember:

  • Accept the risk.
  • Avoid the risk.
  • Transfer the risk.
  • Reduce the risk.

NOTE

For a full list of ZenGRC risk statuses and how they're used, please see Risk Management Statuses.


Likelihood - The probability that a risk will materialize. These probabilities are reduced by controls.

Severity or Impact - The effect that would be felt if the event did occur. Severity and impact are reduced by mitigation.

Velocity - How fast a materialized risk will affect an organization. Velocity is slowed down by mitigation.

Control Strength - The effectiveness of existing controls. Control strength is increased by mitigation.

[An example of a possible visual below - from the internet, want to create custom though:]

Now that we have defined these terms, we are ready to talk about how they come together to form your risk management approach, or Risk Appetite. Follow along in the next lesson to find out more about this concept and how it applies to ZenGRC.

Lesson 3: Risk Appetite Overview

AO Text: Determining your organization’s risk appetite will help you decide how to calculate risk based on various factors and vectors. In this lesson we will define Risk Appetite and how it will apply to the work you are doing in ZenGRC.

KB Link: *TBD*

Script:

In this lesson we will define Risk Appetite and how it will apply to the work you are doing in ZenGRC.

Tracking risk, threat, vulnerability and incident objects within ZenGRC will give you an overall picture of the kinds of risks you want to mitigate. Your risk management posture (or appetite) will give you the prioritization to manage multiple incidents in your organization. Incidents (which are manifestations of threats and vulnerabilities) will give you objective data to feed the factors of risks you are facing. 

[Visual: from webinar]

First, we suggest you determine the scale of Factors that will be present in your risk calculation strategy. To get you started, ZenGRC Risk Management can populate 3 scales that you can use entirely or configure to fit your needs:

[Visual: Link to Risk Management Scale default setup; needs to be “prettier” for video]

The first set of default factors you will see within ZenGRC are Impact, Likelihood, Residual Impact, and Residual Likelihood. These factors have default options of Very Low (1), Low (2), Moderate (3), High (4), Very High (5). This scale will give you a simple method for scoring and calculating risk: risks that you deem as having a high impact to your organization (5) and Moderate Likelihood (3) will have a higher risk score than a Low residual impact (2) and Moderate Likelihood (3) risk object. You can configure the scale based on your desired risk calculation profile, and make them as complex or simple as your organization needs.

You can also choose to import other content, including the RISQ Simplified model which will prepopulate the following additional factors: Financial Impact, Velocity, Possibility, Importance, Control Strength, and Responsiveness. The scales for each of these default factors are displayed on the screen. Again, you can configure the scale based on your desired risk calculation profile, and make them as complex or simple as your organization needs:

CIS RAM (Center for Internet Security® Risk Assessment Method) is an information security risk assessment method that helps organizations implement and assess their security posture against the CIS Controls® cybersecurity best practices. You will have the option to populate content from this method in ZenGRC (follow along in the next course to learn how to do this). The CIS-RAM factors include Mission Impact, Obligation Impact, and Likelihood, whose scales you will then see included in your risk settings content:

After determining the scales of your calculation Factors, we suggest you configure the scale of the Vectors you will be using in your risk calculations. ZenGRC default options are Impact, Likelihood, Residual Impact, and Residual Likelihood. They have predetermined threshold ranges from very low to very high, which you can see here.

Additional content available to you includes the RISQ and CIS-RAM vectors, which you can see below:

Within Vectors you can also indicate which factors from the previous page you want to use to calculate a given vector. Use these factors and vectors as a starting point, or if you already have factors you are using to calculate risk now, you can add those into ZenGRC along with your custom scales and calculation thresholds dependent on your risk appetite. We will cover how to add and edit Factors, Vectors, and Calculations in an upcoming lesson. 

By defining the scales of the factors and vectors you will use in your calculations, you can begin to shape the framework of a risk management program at your organization. In our next lesson, we will discuss the various calculation methods available in ZenGRC to help you accomplish this goal. 

Lesson 4: Risk Calculations

AO Text:  In this lesson you will be introduced to the calculation methods you can set up behind the scenes as a ZenGRC administrator. 

KB Link: *TBD*

Script:

In previous lessons, we defined some risk objects, vectors, and factors you might be working with to set up risk calculations in ZenGRC. You can customize these formulas, but to get you started, we also include some baseline calculators you can easily import and/or modify to find the exact risk scoring method to fit your needs. In this lesson we will introduce the background behind the calculation methods you will learn to set up in an upcoming course.

Once you have determined the Risk Objects your organization will be tracking along with the factors and vectors crucial to your work, and their scale of severity for reference, you will be ready to calculate risk within ZenGRC. 

Let’s take a look at some formulas used to calculate risk.

A simple way to think about it is that your Risk score is a function of Vectors.

Risk Score = Fx(Vectors) 

One example would be to calculate inherent risk by multiplying Impact by Likelihood:

Inherent Risk = Impact * Likelihood 

You’ve seen this presented as a heatmap in previous videos.

Now, let's add another layer to find Residual Risk: start from the product of Impact and Likelihood that made up your inherent risk, then factor in your Control Strength as the divisor. The result is your residual risk, the risk that remains.

Residual Risk = Impact * Likelihood / Control Strength

As you can see, defining the scale you will use to calculate each of these objects is important before setting up a risk calculation (for a refresher on how to accomplish this, watch the previous lesson titled Risk Appetite Overview).

Let’s now look at how to calculate the vectors used in this illustration. Remember that Risk Vectors are a function of Factors, so the equation to calculate a standard Vector looks like this:

Risk Vectors = Fx(Factors)

The Impact vector could be as simple as a single score on a scale of 1-5, or it might be a combination of the various scales you defined in the previous lesson. For example, Impact may equal the sum of financial impact, operational impact, and privacy impact:

Impact = Financial Impact + Operational Impact + Privacy Impact

Another Vector might be Likelihood, which you can also choose to indicate with a single score, or calculate by considering two factors: Estimated Probability and Threat Strength. When you multiply them together, the product is the Likelihood score.

Likelihood = Estimated Probability * Threat Strength

Still with me? Great! Now here’s the best part: ZenGRC can handle risk score calculations with multiple factors and vectors; all you have to do is set up your formulas. I will be back to walk you through it in our next course, where you will learn how to set up these objects and reveal risk heatmap reporting.

Here is an example of a full risk matrix setup, so you understand the variables that you may want to have ZenGRC help you track:

For demonstration purposes, we calculate Impact as

Impact = Financial Impact * Importance

Likelihood as

Likelihood = Possibility * Velocity

And Avoidance as

Avoidance = Control Strength + Responsiveness

and we use the original definitions of Inherent and Residual Risk.
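To make the two-layer calculation concrete, here is a small Python model, added for this guide and not ZenGRC's own code, that wires together the demonstration setup above (Impact = Financial Impact * Importance, Likelihood = Possibility * Velocity, Avoidance = Control Strength + Responsiveness, Inherent Risk = Impact * Likelihood, Residual Risk = Impact * Likelihood / Control Strength) and the simple 1-5 Impact/Likelihood scale from the Risk Appetite lesson. The class and function names (`RiskModel`, `rank_risks`, `validate_factors`) and the factor values for the sample risks are assumptions constructed for the example; only the formulas and the five-point scale come from the text.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Default five-point factor scale from the Risk Appetite lesson (Very Low .. Very High).
SCALE: Dict[str, int] = {"Very Low": 1, "Low": 2, "Moderate": 3, "High": 4, "Very High": 5}

# A formula maps a dict of named inputs (factors or vectors) to a number.
Formula = Callable[[Dict[str, float]], float]


def validate_factors(factors: Dict[str, int]) -> Dict[str, int]:
    """Reject any factor not scored on the defined scale: define the scale before you calculate."""
    allowed = set(SCALE.values())
    for name, value in factors.items():
        if value not in allowed:
            raise ValueError(f"factor {name!r} = {value} is outside the defined scale {sorted(allowed)}")
    return dict(factors)


@dataclass
class RiskModel:
    """Risk Vectors = Fx(Factors); Risk Score = Fx(Vectors)."""
    vectors: Dict[str, Formula]
    scores: Dict[str, Formula]

    def calculate(self, factors: Dict[str, int]) -> Tuple[Dict[str, float], Dict[str, float]]:
        f = validate_factors(factors)
        v = {name: formula(f) for name, formula in self.vectors.items()}   # layer 1: vectors
        s = {name: formula(v) for name, formula in self.scores.items()}    # layer 2: scores
        return v, s


# The "full risk matrix" demonstration setup from the lesson.
DEMO_MODEL = RiskModel(
    vectors={
        "Impact": lambda f: f["Financial Impact"] * f["Importance"],
        "Likelihood": lambda f: f["Possibility"] * f["Velocity"],
        "Avoidance": lambda f: f["Control Strength"] + f["Responsiveness"],
        # Control Strength is passed through unchanged so the residual score can divide by it.
        "Control Strength": lambda f: f["Control Strength"],
    },
    scores={
        "Inherent Risk": lambda v: v["Impact"] * v["Likelihood"],
        "Residual Risk": lambda v: v["Impact"] * v["Likelihood"] / v["Control Strength"],
    },
)

# The simplest setup: Impact and Likelihood are each a single 1-5 score (the heatmap axes).
SIMPLE_MODEL = RiskModel(
    vectors={"Impact": lambda f: f["Impact"], "Likelihood": lambda f: f["Likelihood"]},
    scores={"Inherent Risk": lambda v: v["Impact"] * v["Likelihood"]},
)

# Constructed sample factor scores for one risk object (assumption, not real data).
DEMO_FACTORS = {
    "Financial Impact": SCALE["High"],       # 4
    "Importance": SCALE["Very High"],        # 5
    "Possibility": SCALE["Moderate"],        # 3
    "Velocity": SCALE["Low"],                # 2
    "Control Strength": SCALE["High"],       # 4
    "Responsiveness": SCALE["Moderate"],     # 3
}


def rank_risks(model: RiskModel, risks: Dict[str, Dict[str, int]],
               score: str = "Inherent Risk") -> List[Tuple[str, float]]:
    """Rank named risk objects by a score, highest first: the ordering a heatmap shows at a glance."""
    ranked = []
    for name, factors in risks.items():
        _, scores = model.calculate(factors)
        ranked.append((name, scores[score]))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    vectors, scores = DEMO_MODEL.calculate(DEMO_FACTORS)
    print("vectors:", vectors)   # Impact 20, Likelihood 6, Avoidance 7, Control Strength 4
    print("scores:", scores)     # Inherent Risk 120, Residual Risk 30.0
    # Lesson 3 comparison: High impact / Moderate likelihood outranks Low impact / Moderate likelihood.
    sample = {"A": {"Impact": 5, "Likelihood": 3}, "B": {"Impact": 2, "Likelihood": 3}}
    print("ranking:", rank_risks(SIMPLE_MODEL, sample))   # [('A', 15), ('B', 6)]
```

The model keeps factors, vectors and scores as three separate layers so that changing a scale or swapping a formula (for example, using Avoidance instead of Control Strength as the residual divisor) is a one-line edit rather than a rewrite; the validation step enforces the lesson's point that scales must be defined before any calculation is trusted.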

Remember: you may use whichever terms your organization prefers, but be sure to define them, make them measurable, and let ZenGRC help you track them. Continue to the next course, where you will follow along in configuring Risk Settings in your instance of ZenGRC.

Risk Configuration Course (Jordan)

Course Overview: Developing a risk management process can be a complex endeavor taken on by a compliance team. In this lesson you will learn how to set up out-of-the-box risk calculations within ZenGRC, or customize the factors and vectors that are most important to your stakeholders.