Create a risk - Legacy

Risks are the specific records used to document and assess the likelihood and significance of a risk.

About this task

Tracking risks that exist throughout your organization is vital to ensure appropriate action is taken to reduce operational risks, where possible.

Procedure

  1. Choose one of the following options.
    • Generate Risks from Definitions using the related link on the Profile Type form. For more information, see Create Risk Definitions.
    • Create Risks manually by navigating to Risk > Risk Register > Create New.
    • Navigate to My Risks or All Risks and select New.
    • Select New in the Risk related list on the Profile form.
  2. Fill in the fields on the form, as appropriate.
    Table 1. Risk form
    Name Description
    Risk ID: Read-only field that is automatically populated with a unique identification number.
    Name*: Set the name of the Risk. The field is auto-populated if the Risk is generated from a Definition, but it can be changed without affecting the relationship between the Risk and the Risk Definition.
    Owned by*: Set the owner of the Risk. The owner of the Risk can be different from the owner of the Profile.
    Definition: Allows the user to relate a Risk to a Risk Definition and auto-populate the Risk with information from that Definition.
    State: Sets the state of the risk. You have the following options.
    • Known—The existence of the risk is known.
    • Open—The risk has been analyzed. This is the default value.
    • Issue—The risk has occurred.
    • Closed—The risk is no longer valid. For example, the risk was related to mainframes, but the organization no longer uses mainframes.
    Category: Choose the category of risk that applies to the Profile. You have the following options.
    • IT
    • Reputational
    • Operational
    • Financial
    • Legal
    The field is auto-populated if the Risk is generated from a Definition.
    Profile: Relate the Risk to a specific profile.
    Applies to: Select a table and a record from that table to identify the scope of the risk. Using this field relates the risk to the profile for that record, if one exists.
    Pertinent: Indicator that shows whether a risk document is relevant to your organization. By default, this check box is selected and has a value of TRUE. Clear this check box to mark the risk as not pertinent to your organization and to prevent it from appearing in compliance reporting. See Calculated links between GRC tables - Legacy.
    Description: Describe the Risk and how it is a threat to the organization.
    Additional Information: Detail any additional information that should be included with the risk record.
    Inherent significance: Define the significance of the risk before any corrective action or mitigating efforts are applied. The field is auto-populated if the Risk is generated from a Definition.
    Inherent likelihood: Define the likelihood of the risk occurring before any corrective action or mitigating efforts are applied. The field is auto-populated if the Risk is generated from a Definition.
    Residual significance: Define the significance of the risk after corrective action or mitigating efforts are applied.
    Residual likelihood: Define the likelihood of the risk occurring after corrective action or mitigating efforts are applied.
    Inherent Score: Read-only field that holds the calculated score of the inherent risk.
    Inherent Score = Inherent Likelihood x Inherent Significance
    Residual Score: Read-only field that holds the calculated score of the residual risk.
    Residual Score = Residual Likelihood x Residual Significance
    Calculated Score: Read-only field that is calculated from the inherent score, the residual score, and the compliance score of the controls related to the risk. For more information, see Score Risks.
    Response: Identify the response to the risk. You have the following options.
    • Accept—accept the risk as is.
    • Avoid—avoid the risk, for example, by retiring a business service.
    • Mitigate—mitigate the risk through the implementation of controls.
    • Transfer—transfer or outsource the risk to a third party.
    Justification: Detail, describe, and justify the Response.
    Compliance: Read-only field that shows the percentage of compliance for the mitigation controls related to the risk. Only set if the Governance, Risk, and Compliance (GRC) plugin is activated.
    Non compliance: Read-only field that shows the percentage of non-compliance for the mitigation controls related to the risk. Only set if the Governance, Risk, and Compliance (GRC) plugin is activated.
    Note: * indicates a mandatory field.
  3. Click Submit.
    Once a Risk is created, either manually or generated from a definition, it has a Remediation related list that allows you to manage the remediation tasks associated with the risk. Additional related lists for Authority Documents, Controls, Policies, and Tasks appear on the risk record if the Governance, Risk, and Compliance (GRC) plugin is activated.
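The following plain-JavaScript model is an added example, not ServiceNow's own code or API. It mirrors the Risk form described above: it applies the form defaults (State is Open, Pertinent is TRUE), checks the mandatory fields and choice values, computes the read-only Inherent Score and Residual Score from the likelihood x significance formulas, and derives the Compliance and Non compliance percentages from the related mitigation controls (left unset when the GRC plugin is inactive). The 1-5 rating scale, the sanity check that a residual score should not exceed the inherent score, and the sample risk and controls are assumptions constructed for illustration; the Calculated Score is not modelled because its formula is documented separately under Score Risks.

```javascript
// Added example (not ServiceNow code): a plain-JS model of the Legacy Risk form.
// Assumed: likelihood and significance are integers on a 1-5 scale.

const STATES = ["Known", "Open", "Issue", "Closed"];
const CATEGORIES = ["IT", "Reputational", "Operational", "Financial", "Legal"];
const RESPONSES = ["Accept", "Avoid", "Mitigate", "Transfer"];
const SCALE = { min: 1, max: 5 }; // assumed rating scale
const RATING_FIELDS = [
  "inherentLikelihood", "inherentSignificance",
  "residualLikelihood", "residualSignificance",
];

// Apply the form defaults: State is Open and Pertinent is checked (TRUE).
function newRisk(fields) {
  return Object.assign({ state: "Open", pertinent: true, controls: [] }, fields);
}

// Inherent Score = Inherent Likelihood x Inherent Significance (from the form).
function inherentScore(risk) {
  return risk.inherentLikelihood * risk.inherentSignificance;
}

// Residual Score = Residual Likelihood x Residual Significance.
function residualScore(risk) {
  return risk.residualLikelihood * risk.residualSignificance;
}

// Return a list of problems; an empty list means the record can be submitted.
function validateRisk(risk) {
  const errors = [];
  if (!risk.name) errors.push("Name is mandatory");
  if (!risk.ownedBy) errors.push("Owned by is mandatory");
  if (!STATES.includes(risk.state)) errors.push(`unknown State: ${risk.state}`);
  if (risk.category && !CATEGORIES.includes(risk.category)) {
    errors.push(`unknown Category: ${risk.category}`);
  }
  if (risk.response && !RESPONSES.includes(risk.response)) {
    errors.push(`unknown Response: ${risk.response}`);
  }
  for (const f of RATING_FIELDS) {
    const v = risk[f];
    if (!Number.isInteger(v) || v < SCALE.min || v > SCALE.max) {
      errors.push(`${f} must be an integer between ${SCALE.min} and ${SCALE.max}`);
    }
  }
  // Assumed sanity check: mitigation should never raise the score.
  if (errors.length === 0 && residualScore(risk) > inherentScore(risk)) {
    errors.push("Residual score exceeds inherent score; review the mitigation ratings");
  }
  return errors;
}

// Compliance / Non compliance percentages over the related mitigation controls.
// The form only populates these when the GRC plugin is active; null otherwise.
function compliancePercents(risk, grcPluginActive) {
  if (!grcPluginActive) return { compliance: null, nonCompliance: null };
  const n = risk.controls.length;
  if (n === 0) return { compliance: 0, nonCompliance: 0 };
  const compliant = risk.controls.filter((c) => c.compliant).length;
  const compliance = Math.round((100 * compliant) / n);
  return { compliance, nonCompliance: 100 - compliance };
}

// Validate the record and fill in its read-only fields.
function summarize(risk, grcPluginActive) {
  const errors = validateRisk(risk);
  if (errors.length > 0) return { errors };
  return {
    state: risk.state,
    pertinent: risk.pertinent,
    inherentScore: inherentScore(risk),
    residualScore: residualScore(risk),
    ...compliancePercents(risk, grcPluginActive),
  };
}

// Constructed sample record: a mitigated IT risk with four related controls.
const sampleRisk = newRisk({
  name: "Unsupported legacy database version",
  ownedBy: "DBA team lead",
  category: "IT",
  response: "Mitigate",
  inherentLikelihood: 4, inherentSignificance: 5,
  residualLikelihood: 2, residualSignificance: 3,
  controls: [
    { name: "Vendor extended support contract", compliant: true },
    { name: "Network segmentation of database hosts", compliant: true },
    { name: "Quarterly patch review", compliant: false },
    { name: "Migration project tracked to completion", compliant: true },
  ],
});

console.log(JSON.stringify(summarize(sampleRisk, true), null, 2));
```

Run it with node; the sample yields an inherent score of 20, a residual score of 6, and 75% compliance (three of four controls compliant). Passing false as the second argument to summarize leaves both compliance fields null, mirroring the form's behaviour without the GRC plugin.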