Risk management enables an organization to quickly identify and quantify the impact that
loss events affecting various business processes and items (such as facilities, business services,
and vendors) pose to the organization. A risk is a definition of the possible consequence of
failing to comply with a policy.
Risks are rated on criteria that can be used to calculate a risk approach. The risk approach
calculation is based on risk approach rules that typically use the values contained in the
Significance and Likelihood fields in the Risk Criteria [grc_risk_criteria] table. This table
contains a Display value field to allow for text values and a weighting, which can be used to
define the risk approach rules. After the risks are defined, they can be associated with controls
to identify how they are being mitigated.
By utilizing risks and profiles, organizations can coordinate the risk assessment process to
prioritize the order and frequency of risk assessments, control testing, and periodic audits
against each entity.
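The following is an added, self-contained example (not ServiceNow's code) of how risk approach rules driven by Significance and Likelihood weightings can be evaluated and checked against associated controls. The criteria rows, the product-of-weights score, the threshold rules and the sample risks are all constructed assumptions; only the field and table names come from the text above.

```python
"""Hypothetical risk approach calculation: weightings, score formula and
threshold rules are constructed assumptions, not the product's real rules."""
from dataclasses import dataclass

# Constructed stand-in for the Risk Criteria [grc_risk_criteria] table:
# each row maps a Display value to a numeric weighting.
SIGNIFICANCE = {"Low": 1, "Medium": 3, "High": 5}
LIKELIHOOD = {"Rare": 1, "Possible": 3, "Likely": 5}

# Assumed risk approach rules, checked in order; first threshold met wins.
APPROACH_RULES = [
    (15, "Avoid"),      # score >= 15
    (9, "Mitigate"),    # score >= 9
    (3, "Transfer"),    # score >= 3
    (0, "Accept"),
]

@dataclass
class Risk:
    name: str
    significance: str
    likelihood: str
    controls: list      # names of controls associated with this risk

def risk_score(significance: str, likelihood: str) -> int:
    """Weighted score (assumed formula: product of the two weightings)."""
    try:
        return SIGNIFICANCE[significance] * LIKELIHOOD[likelihood]
    except KeyError as exc:
        # A display value missing from the criteria table means the rules
        # cannot be applied; fail loudly rather than silently default.
        raise ValueError(f"unknown criteria display value: {exc}") from None

def risk_approach(risk: Risk) -> str:
    """Apply the ordered threshold rules to the risk's weighted score."""
    score = risk_score(risk.significance, risk.likelihood)
    for threshold, approach in APPROACH_RULES:
        if score >= threshold:
            return approach
    return "Accept"

def uncontrolled(risks: list) -> list:
    """Risks requiring Mitigate/Avoid that have no control associated yet."""
    return [r.name for r in risks
            if risk_approach(r) in ("Mitigate", "Avoid") and not r.controls]

if __name__ == "__main__":
    sample = [Risk("Vendor outage", "High", "Possible", ["Backup vendor"]),
              Risk("Flood at facility", "Medium", "Likely", [])]
    for r in sample:
        print(r.name, risk_score(r.significance, r.likelihood), risk_approach(r))
    print("needs controls:", uncontrolled(sample))   # ['Flood at facility']
```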
- Ensure that the settings for Risk Criteria, Risk Criteria Thresholds, and Properties are
correct based on the needs of your organization. Modify if necessary.
- Create Profile Types to group common Profiles with similar risks together for easier
- Generate profiles from Profile Types, or create Profiles manually.
- Create Risk Definitions to define a set of baseline risks that should be assessed across the
- Assign Risk Definitions to Profile Types, and Generate Risks from Definitions, or generate
- Determine the appropriate risk response (for example, Accept, Avoid, Mitigate, or Transfer),
and document the justification for the response.
- Assign and complete Remediation Tasks to ensure that risk mitigation efforts are
- Utilize the Governance, Risk, and Compliance (GRC) application to track risk mitigation
efforts by relating a risk to controls or policies which mitigate the risk.