
Risk Management

Learn how to implement Asset, Third Party and Business Risk Management in eramba. Given the large number of relationships that Risks have with other modules, this course is probably the longest in our entire curricula.

  • Episodes: 11
  • Duration: 47m 21s
  • Languages: EN
Episode 9

Creating a Risk

How to create items on the module

Introduction

No matter whether you plan to use CSV imports or APIs, we still recommend you try the web interface for your first Assets to get used to it and adjust custom fields as needed.

This episode describes how a Risk is created and which fields are key.

Actions

To create a Risk (in any of the three Risk modules), click on “Actions” and then “Add.” (“Import” can be used to import multiple Risks at once.)

A form will then appear. Most of the fields are self-explanatory, but some might not be straightforward, so we cover them in more detail in this guide.

Risk Roles

Every Risk has two roles, “Risk GRC Contact” and “Risk Originator Contact.” These must be assigned to an eramba user or group (System > Settings > User Management); we recommend you use Groups.

  • Risk Originator Contact: the person who performs an activity that creates a Risk. For example: if Finance wants to use banks all around the world without defined roles and account provisioning procedures, potentially raising the likelihood of abuse of access, then “Finance” would be the stakeholder for this risk.
  • Risk GRC Contact: the person who has an interest in the Risk being documented and treated. Typically, this role falls under the GRC team. By default, the Risk Owner will be assigned the initial reviews for any new risk.

It is very important that you have a consistent approach to these roles, because you will be using notifications and you want the right people to receive them. We also typically advise using groups (as opposed to users, as shown in the screenshot above). Groups contain more than one user, which increases the chances of getting feedback.

Risk Review

You will need to provide a Review Date: a date in the future when the first Risk review will take place (the review will be assigned to the Risk Owner).

Analysis Tab

The Analysis tab is where the Risk is described as it was initially found and classified according to your settings. This form changes depending on which Risk module you are using.

In the “Asset Risk” module you will need to provide one or more assets from the Asset Module. This means you need to create your Assets before your Risks. We sometimes recommend creating a “Generic Asset” in case you want to quickly create a Risk and create the right asset later.

Threats and Vulnerabilities (from a database you can find in “Settings”) will be automatically suggested to you based on the Asset “Type.” You can add or remove threats and vulnerabilities as you wish.

In the “Business Impact Analysis” module you will need to provide a Business Unit from the BU module and one or more Processes belonging to the selected BUs. This means you need to create Business Units and Processes before your Risks.

Based on your Processes’ continuity settings, eramba will calculate the summarized Revenue Per Hour, MTO and RTO figures.

Treatment Tab

The Treatment tab is where you describe what the organization wants to do about each Risk. You will provide eramba with one of the following four options: Accept, Transfer, Avoid or Mitigate.

For each of these options, and based on the settings defined under “Settings” / “Treatment Options,” you will need to provide Internal Controls, Policies, Exceptions and Projects.

In the Business Impact module, you also have the option to link Continuity Plans. After you have defined your Treatment strategy, you need to classify the risk once again, this time assuming the risk treatment you selected is in place.

Response Plan

So you have agreed and documented that a problem exists and that, despite its low likelihood, it can still happen. It makes sense to draw up a plan you will follow if it does. Here you can choose a procedure from the Policy Module to follow when a Risk materializes.

Custom Tabs

We recommend you create a custom field/tab in which you can document the status of your Risks. We typically use a single-select dropdown to which a Dynamic Status is applied.