Risk Scoring in Risk Details Screen

Everything you need to know about risk scoring in Essential ERM

Written by Jason Doel
Updated over a week ago

The image below shows the default view of the scoring section on the Risk Details screen in Essential ERM. Please note that there are optional features that may be configured by your system administrator or that appear only under certain conditions (e.g. when sub-risks are attached to a risk). For this reason, your view may look different from the view pictured below.

This section is used to perform a simple qualitative assessment of the risk. The User first selects the values of Likelihood and Impact that they believe are appropriate. If the User is unsure of how to make this determination, they may click on the icons to view additional instructions.

Normally, the score is calculated as the product of likelihood times impact. Likelihood and impact are each rated from 1 to 5, resulting in risk scores of 1 to 25. Note that your system administrator may have changed how risk scores are determined, such that risk scores are not a simple product of likelihood and impact. For example, your administrator may choose to give a higher score to risks with an extreme impact and a low probability.

Your administrator may also have changed the labels that appear in these drop-downs and for the titles in this section. Even if the labels are different, the intent and meaning stay the same as described here.

If the Inherent Risk feature is enabled in your account, then the values of Likelihood and Impact represent the level of risk if the organization had no controls in place whatsoever. It is the raw risk before any steps are taken to lessen, transfer, or avoid it.

Once a User selects inherent likelihood and impact values, the Inherent Risk Score will be automatically determined and populated. By default, Essential ERM is configured to determine the Residual Risk automatically, based on the Control Effectiveness value that is selected. Residual Risk (including Residual Likelihood and Residual Impact) represents the level of Risk after all of the organization’s existing risk management activities have been taken into account. For example, an organization may take steps to reduce (mitigate) risk, transfer risk to a third party, avoid risk by ceasing related activities, or accept risk (no steps to mitigate). The degree to which the risk management steps are able to reduce the Inherent Risk is referred to as Control Effectiveness.

When a Risk is assessed for the first time, and there is no Control Effectiveness value set, the Residual Risk values will be automatically set to be the same as the Inherent values. This makes sense, as Residual Risk and Inherent Risk are the same when there are no efforts to reduce or manage it.

When a User sets the Control Effectiveness value, the Residual Likelihood and Residual Impact will drop, with larger drops for higher levels of Control Effectiveness. This is configured by default in Essential ERM, but may be adjusted or disabled by your system administrator.

If a User wishes to adjust the level of Residual Risk, they may manually adjust the values of Residual Likelihood and Impact. A User may do this if they feel the Residual values set by the system do not match the unique situation of the risk. Once the User makes this adjustment, a blue “reset” link will appear. Clicking reset will revert the Residual values to the standard values generated by the system configuration.

From a practical perspective, many Users find it helpful to set initial values for Likelihood, Impact, and Control Effectiveness, and then to revisit these scores once they have reviewed or completed the Risk Bow Tie diagram. This is because the Bow Tie diagram provides additional context and insights that help refine and complete the risk analysis.

Finally, the scoring section includes a dynamic chart labeled “Thresholds”. The Risk’s Residual Score is plotted as a gray dot on a scale that ranges from 1 (bottom) to 25 (top). Gray bars represent the upper and lower Risk Appetite Thresholds, as set by the administrator.

Standard Risk Appetite Thresholds are set at a Risk Category level. For example, an organization may have a strong balance sheet and may be able to accept higher levels of Financial Risk, while at the same time having a lower threshold for Health and Safety Risks.

A User can click the blue “Override” link to override the standard category-based appetite thresholds and set unique thresholds for the individual Risk. Note that Risks with custom thresholds will not be plotted in the chart in the Risk Appetite Console, described later in this User Guide.
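To make the scoring behaviour described above concrete (inherent score, system-generated residual values, the manual override with its "reset" link, and the category-level appetite thresholds with a per-risk override), here is a small Python model. It is an added illustration, not Essential ERM's own code: the product does not publish how a given Control Effectiveness rating reduces the residual ratings, so the `CE_DROP` mapping and the 0 to 4 Control Effectiveness scale are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed mapping (not Essential ERM's actual configuration): Control Effectiveness is
# rated 0 (none) to 4 (very high), and each level lowers both residual ratings by one
# step, floored at 1. In the real product an administrator controls this behaviour.
CE_DROP = {0: 0, 1: 1, 2: 2, 3: 3, 4: 4}


def risk_score(likelihood: int, impact: int) -> int:
    """Default scoring: the product of two 1-5 ratings, giving a score of 1-25."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be between 1 and 5")
    return likelihood * impact


def system_residual(inh_l: int, inh_i: int, ce: Optional[int]) -> Tuple[int, int]:
    """Residual ratings generated by the configuration; with no CE set they equal inherent."""
    if ce is None:
        return inh_l, inh_i
    drop = CE_DROP[ce]
    return max(1, inh_l - drop), max(1, inh_i - drop)


@dataclass
class RiskScoring:
    inherent_likelihood: int
    inherent_impact: int
    control_effectiveness: Optional[int] = None
    manual_residual: Optional[Tuple[int, int]] = None  # set by a User override; shows "reset"

    def inherent_score(self) -> int:
        return risk_score(self.inherent_likelihood, self.inherent_impact)

    def residual(self) -> Tuple[int, int]:
        if self.manual_residual is not None:       # User-adjusted values take precedence
            return self.manual_residual
        return system_residual(self.inherent_likelihood, self.inherent_impact,
                               self.control_effectiveness)

    def residual_score(self) -> int:
        return risk_score(*self.residual())

    def reset(self) -> None:
        """The blue 'reset' link: drop the manual override and return to system values."""
        self.manual_residual = None


def appetite_status(residual_score: int, category: Tuple[int, int],
                    override: Optional[Tuple[int, int]] = None) -> str:
    """Compare the residual score with (lower, upper) thresholds; a per-risk override wins."""
    lower, upper = override if override is not None else category
    if residual_score > upper:
        return "above upper threshold"
    if residual_score < lower:
        return "below lower threshold"
    return "within appetite"
```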

Users can also click the blue “Suppress” link to remove the Risk from the Risk Appetite Dashboard. Note that you can easily filter the Enterprise Risk Console to identify Risks that have had their thresholds overridden or that have been suppressed from the Appetite Dashboard.

Your administrator may have disabled the Inherent Risk feature. If so, those elements will be removed from the scoring section in the Risk Details screen, as shown below.

Note that, in this scenario, the ratings of Residual Likelihood and Impact will always be set directly by the User (no adjustment based on Inherent values) and the blue Reset link will not appear.

Inherent Risk can be re-enabled by your administrator at any time in the future without changing existing Residual Risk values.

While the two views shown are most common, there are other features available in Essential ERM, and more options may appear in the Risk Scoring Section. The example below shows every possible option displayed.

Percentages and currency impact amounts may appear below the various values of likelihood and impact. These are determined based on settings controlled by your system administrator.

Drop-downs for Target Risk Likelihood and Impact may also appear, along with a Target Risk Score, if this feature has been enabled by your Administrator. Target Risk represents the levels of Likelihood, Impact, and Target Residual Risk that the User believes the organization should strive to achieve for this particular risk.

Sub-risk averages may appear in small gray font under the Risk scoring elements. These will only appear when Sub-Risks have been associated with the Risk in the Sub-Risk Section of the Risk Details screen. The small font in the scoring section shows the User the weighted averages of the same values for all of the attached Sub-Risks. This does not automatically affect the overall risk score, but can be used as informational guidance to the User when setting the overall Risk Scores. For example, if several Sub-Risks are considered to contribute to the overall Risk and have an average close to a level 4 Likelihood, then the User may set the overall Parent Risk Likelihood as level 4 as well.

Total Mitigation Effectiveness is the weighted average of individual mitigation scores from the Risk Bow Tie diagram. This value will show up in small gray font only when at least one individual Mitigation has been scored in the Bow Tie diagram. If no Mitigations are scored, then the weighted average will not appear. The User may find this weighted average helpful when assessing the overall Control Effectiveness for the Risk.

Note that when there is a large difference between the weighted average of the individual Mitigation scores from the Bow Tie diagram and the overall Control Effectiveness for the Risk from the Risk Scoring Section, a yellow warning color may appear in the Enterprise Risk Console. When and if this warning appears will be based on settings managed by your administrator.
