Home Orlando Governance, Risk, and Compliance Governance, Risk, and Compliance Risk Management Understanding Risk Management Manage risks, risk statements, and risk frameworks Create a risk manually

Create a risk manually

Risk administrators can create risk records when they see a potential for a gain or loss of value.

Before you begin

Role required: sn_risk.admin and sn_risk.manager

Procedure

Navigate to Risk > Risk Register > Create New.

On the form, fill in the fields.

Table 1. Risk form
Field	Description
Name	Name for the risk. Field is auto-populated if the risk is generated from a risk statement, but can be changed without affecting the relationship between the risk and risk statement.
Number	Unique identification number. This field automatically populated.
State	Risk state. Possible choices are: Draft In this state, all risk users can modify the risk. Only available when creating a one-off control. One-off controls are possible but not recommended. Attest When the risk is created from a risk statement, controls are in this state. Note: When a risk is set back to draft, the assessment is canceled. Review Risks are automatically moved to review from the assessment phase. Monitor In this state, all risk managers can move the risk from review to monitor. Retired Risk managers or administrators can move a risk from Monitor to Retired. Indicators do not run when the risk is in this state. Note: When a risk is retired, any assessment associated with it is canceled.
Owning group	Owning group for the risk.
Category	Category of risk which applies to the profile. Legal Financial Operational Reputational Legal/Regulatory Credit Market IT If the risk is generated from a risk statement, the field is automatically populated/
Owner	Owner for the risk. Note: The owner is always added as a respondent.
Risk Statement	Statement this risk is associated with.
Inherit from risk statement	Option to create a risk independent of risk statement.
Entity	Entity related to the risk. Note: Only active entities are shown.
Description	Description of the risk and how it is a threat to the organization.
Additional Information	Details that help others understand the risk record.

Click the Assessment Summary tab.
This tab is only visible if you have the Advanced Risk plugin activated. The scores of the risk assessment methodology selected as the primary are displayed in the risk scoring section.

On the form, fill in the fields.

Table 2. Risk Scoring Form
Field	Description
Assessment	Assessment to attach to this risk. Note: If you are defining this risk for a Data Protection Impact Assessment (DPIA), select GDPR DPIA Assessment.
Assessment respondents	Users assigned to the assessment of this risk. Note: Only a user with the sn_grc.user role can be added as a respondent.

When both the Assessment and Assessment respondents fields are set, assessments are created when you click Assess.

Click the Scoring tab.

On the form, fill in the fields.

Table 3. Risk Scoring form
Field	Description
Inherent SLE	Monetary value of a risk if it occurs before any mitigation strategies are in place.
Residual SLE	Monetary value of a risk if it occurs after all mitigation strategies are in place.
Inherent ARO	Probability that a risk occurs in any given year before any mitigation strategies are in place.
Residual ARO	Probability that a risk will occur in any given year after all mitigation strategies are in place.
Inherent ALE	Annualized loss expectancy `ALE = SLE x ARO` before any mitigation strategies are in place.
Residual ALE	Annualized loss expectancy `ALE = SLE x ARO` after all mitigation strategies are in place.
Inherent score	The score of the risk before any mitigation strategies are in place.
Residual score	The score of the risk after all mitigation strategies are in place.
Calculated ALE	Annualized loss expectancy based off all calculations.
Calculated score	The corresponding score for the calculated ALE.

Click the Response tab.

On the form, fill in the fields.

Table 4. Risk Response form
Field	Description
Response	Accept Avoid Mitigate Transfer
Justification	Enter a reasonable justification for the selected response

Click the Monitoring tab.

Table 5. Risk Monitoring form
Field	Description
Control compliance percentage	Percentage of compliant controls
Control non-compliance percentage	Percentage of non-compliant controls
Control failure factor	Sum of failed controls weighting divided by total controls weighting
Indicator failure factor	Uses the last result of each associated indicator. Number of last results failed divided by total number of indicators associated.
Calculated risk factor	This value is calculated from `(Indicator failure factor + Control failure factor) / 2`.

Click the Activity Journal tab.
Enter additional comments, as necessary.
Click Submit.

Previous topic

Next topic

Release version

Create a risk manually

Risk administrators can create risk records when they see a potential for a gain or loss of value.

Before you begin

Role required: sn_risk.admin and sn_risk.manager

Procedure

Navigate to Risk > Risk Register > Create New.

On the form, fill in the fields.

Table 1. Risk form
Field	Description
Name	Name for the risk. Field is auto-populated if the risk is generated from a risk statement, but can be changed without affecting the relationship between the risk and risk statement.
Number	Unique identification number. This field automatically populated.
State	Risk state. Possible choices are: Draft In this state, all risk users can modify the risk. Only available when creating a one-off control. One-off controls are possible but not recommended. Attest When the risk is created from a risk statement, controls are in this state. Note: When a risk is set back to draft, the assessment is canceled. Review Risks are automatically moved to review from the assessment phase. Monitor In this state, all risk managers can move the risk from review to monitor. Retired Risk managers or administrators can move a risk from Monitor to Retired. Indicators do not run when the risk is in this state. Note: When a risk is retired, any assessment associated with it is canceled.
Owning group	Owning group for the risk.
Category	Category of risk which applies to the profile. Legal Financial Operational Reputational Legal/Regulatory Credit Market IT If the risk is generated from a risk statement, the field is automatically populated/
Owner	Owner for the risk. Note: The owner is always added as a respondent.
Risk Statement	Statement this risk is associated with.
Inherit from risk statement	Option to create a risk independent of risk statement.
Entity	Entity related to the risk. Note: Only active entities are shown.
Description	Description of the risk and how it is a threat to the organization.
Additional Information	Details that help others understand the risk record.

Click the Assessment Summary tab.
This tab is only visible if you have the Advanced Risk plugin activated. The scores of the risk assessment methodology selected as the primary are displayed in the risk scoring section.

On the form, fill in the fields.

Table 2. Risk Scoring Form
Field	Description
Assessment	Assessment to attach to this risk. Note: If you are defining this risk for a Data Protection Impact Assessment (DPIA), select GDPR DPIA Assessment.
Assessment respondents	Users assigned to the assessment of this risk. Note: Only a user with the sn_grc.user role can be added as a respondent.

When both the Assessment and Assessment respondents fields are set, assessments are created when you click Assess.

Click the Scoring tab.

On the form, fill in the fields.

Table 3. Risk Scoring form
Field	Description
Inherent SLE	Monetary value of a risk if it occurs before any mitigation strategies are in place.
Residual SLE	Monetary value of a risk if it occurs after all mitigation strategies are in place.
Inherent ARO	Probability that a risk occurs in any given year before any mitigation strategies are in place.
Residual ARO	Probability that a risk will occur in any given year after all mitigation strategies are in place.
Inherent ALE	Annualized loss expectancy `ALE = SLE x ARO` before any mitigation strategies are in place.
Residual ALE	Annualized loss expectancy `ALE = SLE x ARO` after all mitigation strategies are in place.
Inherent score	The score of the risk before any mitigation strategies are in place.
Residual score	The score of the risk after all mitigation strategies are in place.
Calculated ALE	Annualized loss expectancy based off all calculations.
Calculated score	The corresponding score for the calculated ALE.

Click the Response tab.

On the form, fill in the fields.

Table 4. Risk Response form
Field	Description
Response	Accept Avoid Mitigate Transfer
Justification	Enter a reasonable justification for the selected response

Click the Monitoring tab.

Table 5. Risk Monitoring form
Field	Description
Control compliance percentage	Percentage of compliant controls
Control non-compliance percentage	Percentage of non-compliant controls
Control failure factor	Sum of failed controls weighting divided by total controls weighting
Indicator failure factor	Uses the last result of each associated indicator. Number of last results failed divided by total number of indicators associated.
Calculated risk factor	This value is calculated from `(Indicator failure factor + Control failure factor) / 2`.

Click the Activity Journal tab.
Enter additional comments, as necessary.
Click Submit.

How search works:

Topics are ranked in search results by how closely they match your search terms

Create a risk manually

Create a risk manually

On this page

Create a risk manually

Create a risk manually

Log in to personalize your search results and subscribe to topics