Create a risk using the GRC Workbench

Risk managers can create risks directly from the GRC workbench.

Before you begin

Role required: sn_risk.admin or sn_risk.manager

Procedure

  1. Navigate to Risk > GRC Workbench.
  2. Select the Risk Dependencies tab at the top, then select the Relationships tab below it.
  3. On the left, in the Risks section, click Create Risk.
  4. Fill in the fields on the form, as appropriate.
    Table 1. Risk
    Name: Enter a name for the risk. The field is auto-populated if the risk is generated from a risk statement, but it can be changed without affecting the relationship between the risk and the risk statement.
    Number: Read-only field that is automatically populated with a unique identification number.
    State: The risk state is a read-only field. Possible values are:
    • Draft: In this state, all risk users can modify the risk. Only available when creating a one-off control. One-off controls are possible but not recommended.
    • Attest: When the risk is created from a risk statement, controls are in this state.
      Note: When a risk is set back to Draft, the assessment is canceled.
    • Review: Risks are automatically moved to Review from the assessment phase.
    • Monitor: In this state, all risk managers can move the risk from Review to Monitor.
    • Retired: Risk managers or administrators can move a risk from Monitor to Retired. Indicators do not run when the risk is in this state.
      Note: When a risk is retired, any assessment associated with it is canceled.
    Owning group: Select an owning group for the risk.
    Category: Choose the category of risk that applies to the profile:
    • Legal
    • Financial
    • Operational
    • Reputational
    • Legal/Regulatory
    • Credit
    • Market
    • IT
    The field is auto-populated if the risk is generated from a risk statement.
    Owner: Select an owner for the risk.
    Note: The owner is always added as a respondent.
    Statement: Select the risk statement this risk is associated with.
    Profile*: Relate the risk to a specific profile.
    Note: Only active profiles are shown.
    Description: Describe the risk and how it threatens the organization.
    Additional Information: Include any details that will help others understand the risk record.
    Note: * indicates a mandatory field.
  5. Click the Assessment tab.
  6. Fill in the fields on the form, as appropriate.
    Table 2. Risk Assessment
    Assessment: The assessment to attach to this risk.
    Assessment respondents: Users assigned to the assessment of this risk.
    Note: Only a user with the sn_grc.user role can be added as a respondent.
    When both the Assessment and Assessment respondents fields are set, assessments are created when you click Assess.
  7. Click the Scoring tab.
  8. Fill in the fields on the form, as appropriate.
    Table 3. Risk Scoring
    Inherent SLE: Monetary value of a risk if it occurs before any mitigation strategies are in place.
    Residual SLE: Monetary value of a risk if it occurs after all mitigation strategies are in place.
    Inherent ARO: Probability that a risk will occur in any given year before any mitigation strategies are in place.
    Residual ARO: Probability that a risk will occur in any given year after all mitigation strategies are in place.
    Inherent ALE: Annualized loss expectancy (ALE = SLE x ARO) before any mitigation strategies are in place.
    Residual ALE: Annualized loss expectancy (ALE = SLE x ARO) after all mitigation strategies are in place.
    Inherent score: The score of the risk before any mitigation strategies are in place.
    Residual score: The score of the risk after all mitigation strategies are in place.
    Calculated ALE: Annualized loss expectancy based on all calculations.
    Calculated score: The corresponding score for the calculated ALE.
  9. Click the Response tab.
  10. Fill in the fields on the form, as appropriate.
    Table 4. Risk Response
    Response: Choose one of the following:
    • Accept
    • Avoid
    • Mitigate
    • Transfer
    Justification: Enter a reasonable justification for the selected response.
  11. Click the Monitoring tab.
    Note: The fields on the Risk Monitoring tab are read-only.
    Table 5. Risk Monitoring
    Control compliance: Percentage of compliant controls.
    Control non-compliance: Percentage of non-compliant controls.
    Control failure factor: Sum of the failed controls' weighting divided by the total controls' weighting.
    Indicator failure factor: Uses the last result of each associated indicator. Number of failed last results divided by the total number of associated indicators.
    Calculated risk factor: Calculated as (Indicator failure factor + Control failure factor) / 2.
  12. Click the Activity Journal tab.
  13. Enter additional comments, as necessary.
  14. Click Submit.
    The risk is created and centered on the page. It is also selected in the list on the right.
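The arithmetic behind the Scoring tab (Table 3) and the Monitoring tab (Table 5) is shown below as an added example; this is not ServiceNow's own code, and the risk, control and indicator records, their field names and weightings are all constructed for illustration.

```javascript
// Added example (not ServiceNow code): Scoring/Monitoring tab arithmetic on constructed data.
// Scoring tab: ALE = SLE x ARO, inherent (before) and residual (after mitigation).
function scoreRisk(risk) {
  const ale = (sle, aro) => {
    if (sle < 0 || aro < 0) throw new RangeError("SLE and ARO must be non-negative");
    return sle * aro;
  };
  return {
    inherentALE: ale(risk.inherentSLE, risk.inherentARO),
    residualALE: ale(risk.residualSLE, risk.residualARO),
  };
}

// Monitoring tab: compliance percentages and the control failure factor
// (sum of failed control weightings / total control weighting).
function controlMetrics(controls) {
  const total = controls.length;
  const failed = controls.filter((c) => !c.compliant);
  const weight = (list) => list.reduce((sum, c) => sum + c.weight, 0);
  const totalWeight = weight(controls);
  return {
    compliancePct: total ? (100 * (total - failed.length)) / total : 0,
    nonCompliancePct: total ? (100 * failed.length) / total : 0,
    controlFailureFactor: totalWeight ? weight(failed) / totalWeight : 0,
  };
}

// Indicator failure factor: only the LAST result of each indicator counts.
function indicatorFailureFactor(indicators) {
  if (indicators.length === 0) return 0; // no indicators, so nothing has failed
  const failedLast = indicators.filter((i) => i.results[i.results.length - 1] === "failed");
  return failedLast.length / indicators.length;
}

// Calculated risk factor = (indicator failure factor + control failure factor) / 2.
function calculatedRiskFactor(controls, indicators) {
  const cff = controlMetrics(controls).controlFailureFactor;
  return (indicatorFailureFactor(indicators) + cff) / 2;
}

// Constructed sample data (not from a real instance).
const sampleRisk = { inherentSLE: 500000, inherentARO: 0.2, residualSLE: 100000, residualARO: 0.05 };
const sampleControls = [
  { name: "MFA enforced", weight: 3, compliant: true },
  { name: "Backups restore-tested", weight: 2, compliant: false },
  { name: "Patch SLA met", weight: 1, compliant: false },
];
const sampleIndicators = [{ name: "Failed logins per day", results: ["passed", "failed"] },
                          { name: "Patch latency", results: ["failed", "passed"] }];
console.log(scoreRisk(sampleRisk), controlMetrics(sampleControls), calculatedRiskFactor(sampleControls, sampleIndicators));
```

Note that the "Patch latency" indicator counts as passing because only its latest result is used, which is why a single recent pass can lower the factor even after earlier failures.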