
Risk Management overview - Legacy


Risk management enables an organization to quickly identify and quantify the impact that loss events affecting various business processes and items (such as facilities, business services, and vendors) pose to the organization. A risk is a definition of the possible consequence of failing to comply with a policy.

Risks are rated on criteria that can be used to calculate a risk approach. The risk approach calculation is based on risk approach rules that typically use the values contained in the Significance and Likelihood fields in the Risk Criteria [grc_risk_criteria] table. This table contains a Display value field to allow for text values and a weighting, which can be used to define the risk approach rules. After the risks are defined, they can be associated with controls to identify how they are being mitigated.
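As an added illustration (not ServiceNow code), the following models how a risk approach can be derived from the Significance and Likelihood weightings described above. The row layout used to stand in for the Risk Criteria [grc_risk_criteria] table, the score formula (significance weight multiplied by likelihood weight), and the threshold bands are assumptions chosen for this example; an unknown display value is rejected rather than silently scored as zero.

```python
"""Added example, not part of the original documentation or the product.
Table layout, score formula and threshold bands are assumptions."""

# Constructed stand-in for rows of the Risk Criteria [grc_risk_criteria] table:
# each row maps a text display value to a numeric weighting for one field.
RISK_CRITERIA = [
    {"field": "significance", "display_value": "Low", "weight": 1},
    {"field": "significance", "display_value": "Medium", "weight": 2},
    {"field": "significance", "display_value": "High", "weight": 3},
    {"field": "likelihood", "display_value": "Rare", "weight": 1},
    {"field": "likelihood", "display_value": "Possible", "weight": 2},
    {"field": "likelihood", "display_value": "Likely", "weight": 3},
]

# Assumed Risk Criteria Thresholds: (minimum score, risk approach).
THRESHOLDS = [(6, "Avoid"), (4, "Mitigate"), (2, "Transfer"), (0, "Accept")]


def weight_for(field, display_value, criteria=RISK_CRITERIA):
    """Resolve a display value to its weighting. Raise on an unknown or
    retired value so it cannot quietly produce a score of zero."""
    for row in criteria:
        if row["field"] == field and row["display_value"].lower() == display_value.lower():
            return row["weight"]
    raise ValueError(f"no {field} criterion with display value {display_value!r}")


def risk_score(significance, likelihood, criteria=RISK_CRITERIA):
    """Assumed risk approach rule: significance weight x likelihood weight."""
    return (weight_for("significance", significance, criteria)
            * weight_for("likelihood", likelihood, criteria))


def risk_approach(significance, likelihood, thresholds=THRESHOLDS, criteria=RISK_CRITERIA):
    """Return the approach of the highest threshold band the score reaches."""
    score = risk_score(significance, likelihood, criteria)
    for minimum, approach in sorted(thresholds, reverse=True):
        if score >= minimum:
            return approach
    raise ValueError(f"score {score} matched no threshold band")
```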

By using risks and profiles, organizations can coordinate the risk assessment process to prioritize the order and frequency of risk assessments, control testing, and periodic audits against each entity.

  1. Ensure that the settings for Risk Criteria, Risk Criteria Thresholds, and Properties are correct based on the needs of your organization. Modify if necessary.
  2. Create Profile Types to group common Profiles with similar risks together for easier assessment.
  3. Generate profiles from Profile Types, or create Profiles manually.
  4. Create Risk Definitions to define a set of baseline risks that should be assessed across the organization.
  5. Assign Risk Definitions to Profile Types, and Generate Risks from Definitions, or generate Risks manually.
  6. Determine the appropriate risk response (for example, Accept, Avoid, Mitigate, or Transfer), and document the justification for the response.
  7. Assign and complete Remediation Tasks to ensure that risk mitigation efforts are implemented.
  8. Use the Governance, Risk, and Compliance (GRC) application to track risk mitigation efforts by relating a risk to the controls or policies that mitigate it.