The stage of the assessment provides an overview of the threats and threat events that exceed the strength of your controls and pose a risk to your organisation. This will be your risk register.
The Risk Register is the final stage of the assessment. To begin, pull through all items into the register using the Import from Form to populate it with risks generated via the earlier stages. Be sure to import all using the check box in the top left most corner of the selection window. With the populated register, evaluate the likelihood and impacts to generate a Residual Risk.
The Residual Likelihood will be automatically calculated based on the Likelihood of Initiation and Likelihood of Success. If this value is not as anticipated, it is possible to override it via the override field.
The Residual Impact will not be initially calculated as it is reliant on choosing an Attribute to evaluate the risk by. Once chosen, the equivalent impact from the relevant Business Impact Assessment from Stage B will be pulled through to provide a calculated Residual Impact. This can be further adjusted by changing the scenario from Realistic to Worst Case. If this value is not as anticipated, it is possible to override it via the override field.
The Residual Risk will be calculated as soon as both the Likelihood and Impact have been evaluated. A gross risk is provided so as to indicate the pre-controls evaluation of the risk relative to this.
To treat the risk, it will be necessary to attribute an owner and evaluate whether the risk exceeds the set risk appetite for the organisation. Decide upon the Treatment decision, detailing options on how to proceed before enacting actions in the Actions List and relating them to each risk in the register.
|1||RFRT Calculations||This is a link to an Excel document which describes how SureCloud calculates fields, such as the residual risk.|
|2||Ref||This is an automatically generated number when a new row is added. This will be the reference for the risk being considered.|
|3||Threat||This is a reference field to the threats which are described in the Stage D4 – Control Mapping and Strength form.|
|4||Threat Details||These are the details associated to the threat selected, and are fields pulled from the Stage D4 – Control Mapping and Strength form.|
|5||Gross Risk||This is a reference field to the Impact Ratings, and the gross risk of the threat should be selected.|
|6||Controls||This is an information pop-up field where all controls implemented against the threat event are listed.|
|7||Threat Likelihood and Likelihood of Success||
The Threat Likelihood and Likelihood of Success are fields pulled through from the Stage D4 – Control Mapping and Strength form.The residual likelihood is the residual likelihood calculated for the threat – details as to how this is calculated can be found in the RFRT Calculations document. You can then use the override field to override the calculation and select a different option from a drop-down.
|8||BIA||This lists the highest impacts on confidentiality, integrity and availability – these defined in the BIA Assessment.|
This is a drop-down list where you can choose which type of impact you want to consider:
|10||Scenario||This is a checkbox field where you can choose whether to see the impact of the attribute chosen in the realistic or worst-case scenario.|
|11||Residual Impact||This is the residual impact calculated for the threat – details as to how this is calculated can be found in the RFRT Calculations document.|
|12||Override||The is a reference field to the Impact Ratings. Select an option to override the calculated residual impact.|
|13||Residual Risk||This is the residual risk calculated for the threat – details as to how this is calculated can be found in the RFRT Calculations document.|
|14||Scope||The Scope is a drop-down field where can select the scope of the threat to be “Project” or “Enterprise”.|
|15||Rationale||This is a free text field where you can input the rationale for the residual risk impact rating.|
|16||Owner||This is a user field where you can input the owner of the risk in the risk register.|
|17||Exceeds Appetite?||This is a drop-down field where you can choose “No” or “Yes” to whether the residual risk exceeds the risk appetite, as defined in the Risk Appetite Matrix.|
This is a drop-down field where you can choose how to treat the risk, from the 4 ways of risk treatment:
|19||Options||This is a free text field where you can input the options for treating the risk, for example how you will transfer the risk.|
|20||Actions||Actions is a reference form where you can select an action for the risk which you can input in the Action List. The Action Status field then shows what status the action selected is currently at.|