Risk Calculation Methods
All Risk Calculation methods explained
Introduction
Eramba can automatically calculate Risk scores based on your own defined classification settings. In eramba, the Risk Calculation is closely related to the Risk Classification and the Risk Appetite. The process begins by deciding if you want to have one or multiple Risk matrices, then how those matrices look (size, etc) and what calculation you will use.
In this episode, we explain what settings you will need to define and how they interact with each other.
Risk Classification
You will need to tell eramba how you want to classify and display your Risks in a Matrix. A matrix is composed of the following attributes:
- Axis Name (For Example: Impact, Probability)
- Axis Classifications (For Example: high, medium, Etc)
- Classification Criteria (Never happened before, etc)
- Classification Value (1, 2, 3, Etc)
The classifications shown in the screenshot are an example of how to classify risks.
Risk Calculation
Every Risk will have a Risk Score (a number) based on its classification and the Risk calculation method you choose. The process is as follows:
- You classify a Risk
- The calculation takes the values from your Risk Classification
- Applies the mathematical calculation
- A score is obtained
There are four fundamental Risk calculations available to you; remember that they depend on the way you classify your Risks.
- Single Matrix - Addition: this method sums the values of your two Classification Types. It produces two Risk scores, one at the Analysis phase and one at the Treatment phase of your Risk.
- Single Matrix - Multiplication: this method multiplies the values of your two Classification Types. It produces two Risk scores, one at the Analysis phase and one at the Treatment phase of your Risk.
- No Matrix - Magerit: this is a very complicated method; we suggest you do not use it unless you are very familiar with the methodology.
- Multiple Matrices - Multiplication: this method assumes you want to use a single Likelihood classification against multiple, different impact types: Financial Impact, Reputational Impact, etc. For every Impact type, this method produces two Risk scores, one at the Analysis phase and one at the Treatment phase of your Risk.
Remember that the Risk calculation methods above depend on your Risk Classification:
| Calculation method | Single matrix with two dimensions | Multiple matrices with two dimensions | Notes |
|---|---|---|---|
| Single Matrix - Addition | Required | Not Possible | None |
| Single Matrix - Multiplication | Required | Not Possible | None |
| No Matrix - Magerit | Not Possible | Not Possible | Not recommended unless you know the methodology well. |
| Multiple Matrices - Multiplication | Not Possible | Required | You will require a "Likelihood" methodology and multiple "Impact" ones. |
With one exception (Magerit methodology), you will classify every Risk twice:
- Analysis: when the risk is first identified
- Treatment: after you have applied some form of treatment
On each of these tabs, you will classify your risk (using your classifications) and then a calculation will be done by eramba.
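The three matrix-based calculations above, carried through on a constructed 3-level classification, as an added example (this is not eramba's own code). It takes the Analysis and Treatment classifications of one risk and returns the score each phase gets under Addition, Multiplication, or Multiple Matrices - Multiplication. The axis names, labels and values are assumptions for illustration; Magerit is deliberately left out, as the page recommends.

```python
"""Added example, not eramba code: turn classification values into the
Analysis and Treatment scores the single-matrix and multiple-matrix
methods produce. Axis names and values below are constructed."""

# Constructed classification scheme: every axis has values 1..3.
CLASSIFICATIONS = {
    "Likelihood": {"Low": 1, "Medium": 2, "High": 3},
    "Impact": {"Low": 1, "Medium": 2, "High": 3},
    # Extra impact types, used only by the multiple-matrices method.
    "Financial Impact": {"Low": 1, "Medium": 2, "High": 3},
    "Reputational Impact": {"Low": 1, "Medium": 2, "High": 3},
}


def value(axis, label):
    """Numeric value of a classification label on an axis; unknown
    labels are rejected instead of silently scoring 0."""
    try:
        return CLASSIFICATIONS[axis][label]
    except KeyError:
        raise ValueError(f"unknown classification {label!r} on axis {axis!r}")


def single_matrix(classification, method):
    """Single Matrix - Addition / Multiplication: combine the two axes."""
    if set(classification) != {"Likelihood", "Impact"}:
        raise ValueError("a single matrix needs exactly Likelihood and Impact")
    likelihood = value("Likelihood", classification["Likelihood"])
    impact = value("Impact", classification["Impact"])
    if method == "addition":
        return likelihood + impact
    if method == "multiplication":
        return likelihood * impact
    raise ValueError(f"unsupported method {method!r}")


def multiple_matrices(classification):
    """Multiple Matrices - Multiplication: one Likelihood against each
    Impact type, giving one score per impact type."""
    likelihood = value("Likelihood", classification["Likelihood"])
    impacts = {k: v for k, v in classification.items() if k != "Likelihood"}
    if not impacts:
        raise ValueError("multiple matrices need at least one impact type")
    return {axis: likelihood * value(axis, label) for axis, label in impacts.items()}


def risk_scores(analysis, treatment, method):
    """Every risk is classified twice (Analysis, then Treatment) and each
    phase gets its own score under the chosen method."""
    def calc(classification):
        if method == "multiple_matrices":
            return multiple_matrices(classification)
        return single_matrix(classification, method)
    return {"analysis": calc(analysis), "treatment": calc(treatment)}


if __name__ == "__main__":
    # Constructed risk: High/High at analysis, Medium/Low after treatment.
    analysis = {"Likelihood": "High", "Impact": "High"}
    treatment = {"Likelihood": "Medium", "Impact": "Low"}
    print(risk_scores(analysis, treatment, "addition"))        # {'analysis': 6, 'treatment': 3}
    print(risk_scores(analysis, treatment, "multiplication"))  # {'analysis': 9, 'treatment': 2}
    multi_a = {"Likelihood": "High", "Financial Impact": "High", "Reputational Impact": "Medium"}
    multi_t = {"Likelihood": "Low", "Financial Impact": "Medium", "Reputational Impact": "Low"}
    print(risk_scores(multi_a, multi_t, "multiple_matrices"))
```

One thing the numbers make visible: on a 1-3 scale, addition gives scores 2 to 6 and ranks a Low/High risk (4) the same as a Medium/Medium one (4), whereas multiplication spreads scores from 1 to 9 and separates them (3 versus 4). Decide which ordering you want before you pick the method, because the Risk Appetite bands are defined on these scores.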
Risk Appetite
The Risk Appetite is used to place the Risk in a classification schema based on the score or the classification it has been assigned. Eramba can produce a risk matrix based on your classification where every quadrant (cell) can be customised with:
- Title
- Description
- Colour
For example, Medium Impact and Medium Probability produce:
The screenshot below is an example of the Risk Treatment matrix you could obtain out of the classification example shown above:
The screenshot below shows what that matrix looks like once a report is pulled:
Typical Setup
If you are not sure what methodology is best for you then we recommend doing something simple yet functional.
- One Matrix
- Impact & Likelihood classifications
- Values 1 - 3
What matters most is the criteria you use to fit risks into the right classifications. For this you need simple yet very clear criteria; we recommend:
- Likelihood / Low: never happened before and is very unlikely to happen
- Likelihood / Medium: never happened before but could easily happen
- Likelihood / High: has happened before and could easily happen again
- Impact / Low: no one would care if it happens
- Impact / Medium: business partners will know if it happens
- Impact / High: penal consequences if it happens
As you see, we stay away from things which are impossible to quantify and focus on scenarios anyone can answer directly. The matrix itself does not call risks "High" or "Low", etc., but instead is used to define who needs to sign off risks.
- Risk Owner Sign-Off: this is typically the GRC department and the areas involved (IT, Finance, etc.)
- Requires Manager Sign-Off: these are the same departments as above plus their managers
- Requires Director Sign-Off: these are the same people as before plus the executives (C-levels, etc.)
Remember that sign-off of risks is unlikely to matter much to anyone if the risk is being "mitigated" but it will definitely matter if the risk is not "mitigated" but rather "accepted, transferred or avoided".
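The Risk Appetite and the typical setup above, put together as an added example (not eramba's own code, and not an eramba default configuration): a 3x3 Likelihood x Impact matrix whose cells carry a title, description and colour naming the sign-off level, the plain-language criteria turned into classifier functions, and a check that no cell of the matrix is left unmapped. Which cell gets which sign-off band, the colours, and the reading of the "mitigated versus accepted/transferred/avoided" remark as a flag are this example's assumptions.

```python
"""Added example, not eramba code: the typical 3x3 setup with sign-off
bands as the risk appetite. The cell-to-band mapping, the colours and the
treatment rule are assumptions made for illustration."""

LEVELS = ("Low", "Medium", "High")

# Sign-off bands as described in the text; the colours are constructed.
SIGN_OFF = {
    "owner": {"title": "Risk Owner Sign-Off",
              "description": "GRC department and the areas involved (IT, Finance, etc.)",
              "colour": "green"},
    "manager": {"title": "Requires Manager Sign-Off",
                "description": "Same departments plus their managers",
                "colour": "amber"},
    "director": {"title": "Requires Director Sign-Off",
                 "description": "Same people plus the executives (C-levels, etc.)",
                 "colour": "red"},
}

# Risk appetite: (Likelihood, Impact) cell -> sign-off band. Which cell
# needs which band is an assumption here; tune it to your own appetite.
APPETITE = {
    ("Low", "Low"): "owner", ("Low", "Medium"): "owner", ("Medium", "Low"): "owner",
    ("Low", "High"): "manager", ("Medium", "Medium"): "manager", ("High", "Low"): "manager",
    ("Medium", "High"): "director", ("High", "Medium"): "director", ("High", "High"): "director",
}


def validate_appetite(appetite=APPETITE):
    """True only if every cell of the 3x3 matrix maps to a known band, so
    no classified risk can land in an undefined quadrant."""
    missing = [(lk, im) for lk in LEVELS for im in LEVELS if (lk, im) not in appetite]
    unknown = [cell for cell, band in appetite.items() if band not in SIGN_OFF]
    return not missing and not unknown


def classify_likelihood(happened_before, could_easily_happen):
    """Likelihood criteria from the text. 'Happened before but unlikely to
    happen again' is not covered there; treating it as Medium is an
    assumption of this example."""
    if not happened_before and not could_easily_happen:
        return "Low"
    if happened_before and could_easily_happen:
        return "High"
    return "Medium"


def classify_impact(partners_would_know, penal_consequences):
    """Impact criteria from the text: penal consequences outrank visibility."""
    if penal_consequences:
        return "High"
    if partners_would_know:
        return "Medium"
    return "Low"


def sign_off_for(likelihood, impact, treatment):
    """Band for the cell plus whether the sign-off must actually be chased:
    the text says it matters for accepted, transferred or avoided risks far
    more than for mitigated ones (assumption: encoded as a boolean)."""
    if treatment not in ("mitigate", "accept", "transfer", "avoid"):
        raise ValueError(f"unknown treatment {treatment!r}")
    try:
        band = APPETITE[(likelihood, impact)]
    except KeyError:
        raise ValueError(f"no appetite defined for cell ({likelihood}, {impact})")
    return {
        "cell": (likelihood, impact),
        "band": band,
        "title": SIGN_OFF[band]["title"],
        "colour": SIGN_OFF[band]["colour"],
        "sign_off_needed": treatment != "mitigate",
    }


if __name__ == "__main__":
    assert validate_appetite(), "every matrix cell must map to a band"
    # Constructed risk: has happened, could recur, partners would notice,
    # no penal consequences, and the business chose to accept it.
    lk = classify_likelihood(happened_before=True, could_easily_happen=True)   # High
    im = classify_impact(partners_would_know=True, penal_consequences=False)   # Medium
    print(sign_off_for(lk, im, "accept"))   # director band, sign-off needed
```

Run `validate_appetite()` whenever the matrix or the bands are edited; a cell that silently drops out of the mapping is exactly the kind of gap that lets a risk be accepted without the director seeing it.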