Assessing risks and calculating risk scores
After linking a risk to its associated entities, such as assets, processes, or controls, you can begin assessing the risk and calculating the risk scores.
Risk assessment is essential for evaluating the potential threat a risk poses to your organization. By analyzing both the likelihood and impact of the risk, you can calculate the inherent risk score. This score serves as a foundation for prioritizing risks and mitigation strategies.
Through structured assessments, you can:
- Determine the likelihood and impact of risk events.
- Establish an inherent risk score.
- Prioritize risks based on organizational thresholds.
- Identify risks that require immediate mitigation.
Assess the risk
To assess a risk, send out a risk assessment using the risk assessment workflow.
Example
Scenario
You have identified a risk: Supply Chain Disruption, and associated it with the following entities:
- Asset: Primary manufacturing plant
- Control: Dual-sourcing strategy
You now want to trigger assessments to evaluate the potential impact and likelihood of this risk.
Process
In this example, you trigger both a risk assessment and a control assessment, to understand the full scope of exposure and mitigation.
For detailed steps, see Working with risks.
Result
The risk and control assessments are successfully initiated.
Calculate the risk scores
After receiving the assessment responses, you can calculate the inherent risk scores. This can be done from within the Risk or Risk Event assessment records.
You can perform this by sending out the individual risk assessment or by using the scheduling functionality for scheduled assessments.
Example
Scenario
To calculate the inherent risk score, set the Impact and Likelihood of a risk and apply the following matrix (rows are Likelihood, columns are Impact):
| Likelihood \ Impact | High | Medium | Low |
|---|---|---|---|
| High | High | High | Medium |
| Medium | High | Medium | Low |
| Low | Medium | Low | Low |
Process
Open the risk assessment record, select values for Impact and Likelihood, and trigger risk scores to calculate the inherent risk.
For detailed steps, see Working with risks.
Result
The inherent risk score is successfully calculated.
What's next?
After assessing the risk, evaluate the effectiveness of the associated controls to determine the residual risk, the level of risk that remains after mitigation.
Residual Risk = Inherent Risk – Control Effectiveness
For more information, see Assessing controls.
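The following is an added example, not code from the original page or the product it describes. It applies the likelihood/impact matrix above, then the residual risk formula, and flags risks that meet an organizational threshold. The ordinal scale (Low=1, Medium=2, High=3), the number of rating steps each control effectiveness level removes, and the sample input values are assumptions.

```python
from dataclasses import dataclass

# Inherent risk matrix exactly as given on this page: row = Likelihood, column = Impact.
INHERENT_MATRIX = {
    "High":   {"High": "High",   "Medium": "High",   "Low": "Medium"},
    "Medium": {"High": "High",   "Medium": "Medium", "Low": "Low"},
    "Low":    {"High": "Medium", "Medium": "Low",    "Low": "Low"},
}

# ASSUMPTION (not on the page): ordinal scale for ratings, and the number of
# rating steps a control of a given effectiveness removes from the inherent level.
ORDINAL = {"Low": 1, "Medium": 2, "High": 3}
RATING = {v: k for k, v in ORDINAL.items()}
EFFECTIVENESS_STEPS = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class RiskScore:
    risk: str
    inherent: str
    residual: str
    immediate_mitigation: bool


def inherent_risk(likelihood: str, impact: str) -> str:
    """Look up the inherent rating; reject values that are not in the matrix."""
    try:
        return INHERENT_MATRIX[likelihood][impact]
    except KeyError:
        raise ValueError(f"likelihood and impact must each be one of {list(ORDINAL)}") from None


def residual_risk(inherent: str, control_effectiveness: str) -> str:
    """Residual Risk = Inherent Risk - Control Effectiveness, on the assumed ordinal scale (floored at Low)."""
    level = ORDINAL[inherent] - EFFECTIVENESS_STEPS[control_effectiveness]
    return RATING[max(level, 1)]


def assess(risk: str, likelihood: str, impact: str, control_effectiveness: str,
           threshold: str = "High") -> RiskScore:
    """Score one risk and flag it when the residual rating reaches the organizational threshold."""
    inherent = inherent_risk(likelihood, impact)
    residual = residual_risk(inherent, control_effectiveness)
    return RiskScore(risk, inherent, residual, ORDINAL[residual] >= ORDINAL[threshold])


if __name__ == "__main__":
    # The page's scenario: Supply Chain Disruption, mitigated by a dual-sourcing control.
    # The likelihood, impact and effectiveness values are constructed sample inputs.
    print(assess("Supply Chain Disruption", "Medium", "High", "Medium"))
```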