
Overview


Risk management is often conducted only after problems have already occurred, treating risks as hypothetical events that may or may not happen. With a simple shift in perspective, the resources spent putting out fires can instead be used to protect the organization and its bottom line against threats before they materialize.

ZenGRC provides an end-to-end Risk Management solution that can be tailored to any risk management methodology. Setting up a program to manage risk is unique to each organization, but it may manifest as: security monitoring, training, continuous risk improvement, enterprise risk management, developing risk committees, and technical network monitoring.


IMPORTANT

Risk items in ZenGRC have a different set of permissions than other objects. To review those permissions and how they impact user access, please see Role-Based Permissions for Risk.

Risk Management Definitions


Risk - An event or condition that, if it materializes, could have a negative effect on business objectives. A risk is neither proactive nor reactive; it simply describes the hypothetical possibility of an event that may or may not occur. In the compliance sphere, controls are written to minimize risk to the organization, and by mapping relevant controls to identified risks an organization can see which controls are in place to minimize each risk. You will learn how to do this within ZenGRC in an upcoming lesson. You can track multiple stages of risk within your organization using ZenGRC, for example inherent risk, which is the risk without any controls, and residual risk, which is the risk that remains after controls are implemented.

Threats - These objects identify what could exploit a vulnerability. A threat can be environmental (earthquake, snowstorm, flood), physical (hardware failure, building issues, people), technical (virus, malware, software bug), or any other category that fits your organization. It is critical to recognize that a threat is whatever is able to exploit a vulnerability: you can typically reduce the impact a threat has through a vulnerability, but it is very difficult to avoid the threat altogether. By creating and mapping relevant Issues to Threats within ZenGRC, a remediation plan can be identified and implemented to minimize or eliminate the threat's effect; you will learn how to accomplish this within ZenGRC.

Vulnerability - A risk-related object within ZenGRC, defined as a weakness that causes or contributes to a risk and can be exploited by a threat. It is a gap that increases the likelihood that something will happen. While a risk is theoretical, a vulnerability is real. Perhaps you are easily distracted by your phone (a vulnerability), so you put it away while you drive (a control). Maybe you are not a confident driver, so you take a driving class (a remediation).

Incident - Objects that track risk and/or vulnerability events that have actually occurred. They can be used to monitor failures in patching processes, which could lead to a risk materializing. Note that an incident is neither a risk nor a vulnerability; the three are often confused, and that confusion reduces the effectiveness of a risk management program.

Mapping these objects together within ZenGRC can give your organization a clearer picture of 1) how you currently approach risk, 2) your risk protection methods and/or gaps, 3) improvements to your risk management system.

These are common terms associated with risk management. 

Mitigation - The steps taken to reduce the adverse effects of a risk. There are four risk responses to remember; you may do one of the following:

  • Accept the risk.
  • Avoid the risk.
  • Transfer the risk.
  • Reduce the risk.

Likelihood - The probability that a risk will materialize. Likelihood is reduced by controls.

Severity - The effect that would be felt if the event did occur. Severity (impact) is reduced by mitigation.

Velocity - How fast a materialized risk will affect the organization. Velocity is slowed by mitigation.

Control Strength - How effective the controls mapped to a risk are at reducing it. Control strength is increased by mitigation and remediation. In the calculations below it is the divisor that turns inherent risk into residual risk, so it must be scored on a scale that never reaches zero.

Risk Calculations

A simple way to remember it: a Risk Score is a function of Vectors.

Risk Score = Fx(Vectors)

One example would be to calculate inherent risk by multiplying Impact by Likelihood:

Inherent Risk = Impact * Likelihood

Now add another layer to find Residual Risk: take the same product of Impact and Likelihood that made up your inherent risk, and divide it by your Control Strength. The quotient is your residual risk.
Residual Risk = Impact * Likelihood / Control Strength

Two checks worth building into the formula: Control Strength must never be scored as zero (the division would be undefined), and on a scale whose lowest value is 1 the residual risk can never exceed the inherent risk, which is what you expect from a control that at worst does nothing.

As you can see, defining the scale you will use to calculate each of these objects is important before setting up a risk calculation (for a refresher on how to accomplish this, watch the previous lesson titled Risk Appetite Overview).
Let's now look at how to calculate the vectors used in this illustration. The equation for a standard Vector looks like this:

Risk Vectors = Fx(Factors)

Remember that Risk Vectors are a function of Factors. The Impact vector could be as simple as a single score on a scale of 1-5, or it might be a combination of the various scales you defined in the previous lesson. For example, Impact may equal the sum of financial impact, operational impact, and privacy impact:

Impact = Financial Impact + Operational Impact + Privacy Impact

Another vector might be Likelihood, which we can also choose to indicate with a single score, or calculate from two factors, Estimated Probability and Threat Strength. Multiplying them together gives the Likelihood score:

Likelihood = Estimated Probability * Threat Strength

ZenGRC can handle risk score calculations with multiple factors and vectors; all you have to do is set up your formulas.

Here is an example of a full risk matrix setup, so you understand the variables that you may want to have ZenGRC help you track:

For demonstration purposes, we calculate Impact as

Impact = Financial Impact * Importance

Likelihood as

Likelihood = Possibility * Velocity

and Avoidance as

Avoidance = Control Strength + Responsiveness

and use the original definitions of Inherent and Residual Risk.
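As an added example (not ZenGRC's own code or configuration), the following Python puts the chain above into working form: factor scores on a fixed scale, the three vectors from the demonstration setup, and the inherent and residual risk formulas from the original definitions. The factor names, the 1-5 scales, the rating bands and the sample scores are assumptions chosen for illustration; the guard on Control Strength is the check you would want before letting any tool compute residual risk.

```python
"""Worked example: factors -> vectors -> inherent and residual risk.

Added example for this page, not ZenGRC's own code. Factor names, the 1-5
scales, the rating bands and the sample scores are assumptions.
"""
from __future__ import annotations

# Each factor's scale must be fixed before any calculation (assumption: 1-5).
# The lower bound of 1 on control_strength keeps the residual divisor non-zero.
FACTOR_SCALES: dict[str, tuple[int, int]] = {
    "financial_impact": (1, 5),
    "importance": (1, 5),
    "possibility": (1, 5),
    "velocity": (1, 5),
    "control_strength": (1, 5),
    "responsiveness": (1, 5),
}

# Rating bands as a fraction of the maximum possible score (assumption).
RATING_BANDS = [(0.25, "Low"), (0.50, "Moderate"), (0.75, "High"), (1.0, "Critical")]


def validate_factors(factors: dict[str, int]) -> dict[str, int]:
    """Reject unknown, missing or out-of-scale factor scores."""
    unknown = set(factors) - set(FACTOR_SCALES)
    missing = set(FACTOR_SCALES) - set(factors)
    if unknown or missing:
        raise ValueError(f"unknown factors {sorted(unknown)}, missing {sorted(missing)}")
    for name, (low, high) in FACTOR_SCALES.items():
        value = factors[name]
        if not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{name}={value!r} is outside its {low}-{high} scale")
    return factors


def compute_vectors(factors: dict[str, int]) -> dict[str, float]:
    """Risk Vectors = Fx(Factors), using the demonstration setup on this page."""
    f = validate_factors(factors)
    return {
        "impact": f["financial_impact"] * f["importance"],
        "likelihood": f["possibility"] * f["velocity"],
        "avoidance": f["control_strength"] + f["responsiveness"],
    }


def inherent_risk(vectors: dict[str, float]) -> float:
    """Inherent Risk = Impact * Likelihood (risk before any controls)."""
    return vectors["impact"] * vectors["likelihood"]


def residual_risk(vectors: dict[str, float], control_strength: int) -> float:
    """Residual Risk = Impact * Likelihood / Control Strength."""
    if control_strength < 1:
        raise ValueError("control_strength must be >= 1 to be used as a divisor")
    return inherent_risk(vectors) / control_strength


def max_inherent_risk() -> float:
    """Largest inherent score the chosen scales allow; needed to rate scores."""
    top = {name: high for name, (_, high) in FACTOR_SCALES.items()}
    return inherent_risk(compute_vectors(top))


def rating(score: float) -> str:
    """Map a score to a band by its fraction of the maximum possible score."""
    fraction = score / max_inherent_risk()
    for upper, label in RATING_BANDS:
        if fraction <= upper:
            return label
    return RATING_BANDS[-1][1]


def score_risk(factors: dict[str, int]) -> dict[str, object]:
    """Run the whole chain and return every intermediate value for the record."""
    vectors = compute_vectors(factors)
    inherent = inherent_risk(vectors)
    residual = residual_risk(vectors, factors["control_strength"])
    return {**vectors, "inherent": inherent, "residual": residual,
            "inherent_rating": rating(inherent), "residual_rating": rating(residual)}


def remediation_effect(factors: dict[str, int], new_control_strength: int) -> float:
    """Drop in residual risk if a remediation raises control strength."""
    before = score_risk(factors)["residual"]
    after = score_risk({**factors, "control_strength": new_control_strength})["residual"]
    return before - after


# Constructed sample scores (not real data) for a single risk item.
SAMPLE_RISK = {"financial_impact": 4, "importance": 5, "possibility": 3,
               "velocity": 2, "control_strength": 4, "responsiveness": 3}

if __name__ == "__main__":
    for key, value in score_risk(SAMPLE_RISK).items():
        print(f"{key:>16}: {value}")
    print("residual drop if control strength rises to 5:",
          remediation_effect(SAMPLE_RISK, 5))
```

With the sample scores, Impact is 20, Likelihood 6 and Avoidance 7; inherent risk is 120 and residual risk 30. Because every scale is declared up front, the maximum possible score (625 here) is known before the first risk is scored, which is what makes the rating bands meaningful. The remediation helper shows the kind of question a risk committee asks: raising control strength from 4 to 5 lowers residual risk by 6.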

Remember: you may use whichever terms your organization prefers, but be sure to define each one, make it measurable, and let ZenGRC help you track it.

