Risk details
Once your risk is created within the risk register, you can click on your risk ID to access the Details tab on a risk.
In this video tutorial, we'll focus on the items you can change on your risk within the Details tab, and on how linking controls in Hyperproof affects the risk calculation and your risk health.
Note: Hyperproof has been updated since this video, so below are some older views of the risk details tab. In the next lesson, you'll learn about the changes.
The tutorial below is shown in the administrator role with organizational permission as a manager in Hyperproof. If you are in another role in Hyperproof or have a different permission, you may not have access to some of these areas shown, or they may be greyed out.
Risk health overview
Several factors play a part in how Hyperproof determines overall risk health. The terms below are commonly associated with risk and are needed to understand risk health.
Inherent
Inherent Likelihood: The measure of a risk occurring without any preventative measures (controls) in place.
Example - There is a 3% chance of a data breach occurring this fiscal year.
Example - We expect 10,000 breach attempts with a success rate of 0.03 percent.
Inherent Impact: The measure of impact an event has on an organization when there are no preventative measures (controls) in place.
Primary loss - A direct impact from an incident, e.g. a contract breach penalty of $1M.
Secondary loss - The effects from stakeholders, e.g. prospect doesn’t sign due to fear of incident.
Inherent Risk: The level of risk if no mitigation is performed.
Example - An organization's customer data leaked because they did not take measures to properly store the data.
Example - An organization's network is hacked because they did not implement any security controls.
Residual
Residual Likelihood: The measure of a risk occurring after implementing risk mitigation measures and controls.
Example - There is still a 5% chance of a security vulnerability occurring in December.
Example - With risk mitigation in place, we still expect 1,000 breach attempts with a success rate of 0.01 percent.
Residual Impact: The final measure of impact an event has on an organization after mitigation measures have been implemented.
Primary loss - The organization is ordered to pay $1B in fines.
Secondary loss - The organization's reputation is tarnished.
Residual Risk: The level of risk after mitigation, taking into account the health of the controls. Residual risk reflects the true state of the controls: the mitigation credited to At risk and Critical controls is reduced.
Example - An organization requires employees to change their passwords monthly. This reduces the risk of bad actors guessing passwords, but it also increases the risk of employees using new passwords that are similar to their old passwords.
Example - An organization has implemented an email security service to detect phishing and spam attacks. However, the organization may still receive phishing emails.
Tolerance
The level of risk that an organization is willing to bear.
Mitigation
Several factors determine how Hyperproof calculates the overall risk:
Likelihood and impact are factored into the inherent risk.
Inherent risk, control impact, and control health are factored into the residual risk. If used, the mitigation percentage is also factored into the residual risk.
The overall risk is determined by comparing the tolerance to the residual risk.
Risk health
Risk health is determined by comparing Tolerance to Residual risk, and requires that all evaluation fields are entered.
Several factors play a part in how Hyperproof determines Residual risk and therefore overall risk health. Residual likelihood and Residual impact make up a risk's Residual risk; both start from the inherent values and are reduced by the mitigation of the linked controls. Depending on your organization's configuration of the risk, a mitigation percentage can also affect a risk's overall health.
Risk estimation method
The Inherent risk is found by multiplying the Impact weighting by the Likelihood weighting. This number then determines where the risk is placed on your organization’s risk level scale.
The Impact and Likelihood are determined based on your organization’s risk level scale. Hyperproof offers default Likelihood and Impact risk mapping based on a 5-point scale.
To determine the overall health of a risk, follow the steps below. The numbers used are based on your organization's risk mapping.
Step 1 - Determine the inherent likelihood and the inherent impact
Both inherent likelihood and inherent impact are based on a five-point scale with qualitative and quantitative representations:
Very high (5)
High (4)
Moderate (3)
Low (2)
Very low (1)
Step 2 - Determine the inherent risk
The inherent risk is calculated as inherent likelihood x inherent impact.
Example: If the inherent likelihood of a risk is very high (5) and the inherent impact is very low (1), the inherent risk score is 5 x 1 = 5. That score is then placed on your organization's risk level scale.
Step 3 - Set the mitigation
Mitigation is set by the user on a control-by-control basis: each linked control carries its own likelihood mitigation percentage and impact mitigation percentage.
Step 4 - Determine the residual likelihood and the residual impact
The residual likelihood is calculated as inherent likelihood x (1 - likelihood mitigation percentage).
The residual impact is calculated as inherent impact x (1 - impact mitigation percentage).
Step 5 - Determine the residual risk
The residual risk is calculated as residual likelihood x residual impact. If a control isn't healthy, it's not doing its job of mitigating the risk!
The control health discounts the mitigation factor according to the following schedule:
Healthy - 0%
At risk - 50%
Critical - 100%
For each control, the actual mitigation factor is calculated as (the mitigation factor that the user entered) x (1 - the discount from the health). The actual mitigation factors of all linked controls are then combined into the likelihood and impact mitigation percentages used in Step 4 (see Example four, where 30% and 20% combine to 50%).
Step 6 - Determine the overall risk
The overall risk is determined by comparing the tolerance to the residual risk.
If the residual risk is less than or equal to the risk tolerance, the risk is Healthy.
If the residual risk is greater than the risk tolerance, the risk is Critical.
If either the residual risk or the risk tolerance is not set, the risk is At risk. The residual risk is not set if the likelihood or the impact is not set.
Tolerance is set on a risk by risk basis and is determined by the risk owner (or organization administrator). Hyperproof's default tolerance scale is:
Very high (5)
High (4)
Moderate (3)
Low (2)
Very low (1)
Not set (i.e. no tolerance level)
Note: only administrators can customize risk mapping, i.e. change the point scale to better suit the organization.
To better understand the steps above, let's look at some example risk calculations based on inherent and residual examples.
Example one: Inherent
In this example, a risk is linked to two controls (Control A and Control B). Each control has a mitigation percentage of 40%, and both controls are healthy.
Using Hyperproof's default risk mapping, the overall risk is Low because the residual risk is less than the tolerance. Refer to Calculating the overall risk (in the documentation links below) for more information.
Example two: Inherent
Using the example above, both controls failed testing and became At risk, which reduces their mitigation percentages. The intended mitigation was 40% for each control, so after the 50% discount the actual mitigation is 20% for each control. The residual risk rises above the tolerance, so the risk becomes Critical.
Example three: Residual
In this example, a risk is linked to two controls (Control C and Control D). Control C has a likelihood mitigation of 30% and Control D has a likelihood mitigation of 20%. Control C has an impact mitigation of 10% and Control D has an impact mitigation of 10%. Both controls are healthy.
Example four: Residual
Using the example above, both controls failed testing and became At risk, which reduces their mitigation percentages.
The intended combined likelihood mitigation was 50% (30% + 20%), so after the 50% discount the actual likelihood mitigation is 25%. The intended combined impact mitigation was 20% (10% + 10%), so after the discount the actual impact mitigation is 10%. The residual risk rises above the tolerance, so the risk becomes Critical.
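The six steps above and Examples three and four, worked through as an added Python example (this is not Hyperproof's own code, and the product may implement the details differently). It assumes that the actual mitigations of linked controls add up, as Example four's 30% + 20% = 50% suggests, that the tolerance is compared with the residual risk on the same numeric scale, and it supplies inherent values (High likelihood, Moderate impact) and a tolerance score of 6 that the examples above leave unstated. It also handles the "not set" case from Step 6, which the prose mentions but the examples do not exercise.

```python
"""Risk health calculator following Steps 1-6 above (added example)."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Step 5 schedule: how much of a control's entered mitigation is discounted
# according to the control's health.
HEALTH_DISCOUNT = {"Healthy": 0.0, "At risk": 0.5, "Critical": 1.0}

# Step 1: the default 5-point scale for likelihood and impact.
SCALE = {5: "Very high", 4: "High", 3: "Moderate", 2: "Low", 1: "Very low"}


@dataclass
class Control:
    name: str
    health: str                   # "Healthy", "At risk" or "Critical"
    likelihood_mitigation: float  # percentage entered by the user (0-100)
    impact_mitigation: float      # percentage entered by the user (0-100)

    def actual_mitigation(self, entered: float) -> float:
        """Step 5: entered mitigation x (1 - discount from health)."""
        try:
            discount = HEALTH_DISCOUNT[self.health]
        except KeyError:
            raise ValueError(f"unknown control health: {self.health!r}") from None
        return entered * (1.0 - discount)


def inherent_risk(likelihood: int, impact: int) -> int:
    """Step 2: inherent risk = inherent likelihood x inherent impact.

    Both inputs are on the 5-point scale; the product (1-25) is what your
    organization's risk mapping then places on its risk level scale.
    """
    for value in (likelihood, impact):
        if value not in SCALE:
            raise ValueError(f"{value} is not on the 1-5 scale")
    return likelihood * impact


def combined_mitigation(controls: Iterable[Control], field: str) -> float:
    """Combine the actual mitigation of all linked controls into one percentage.

    Assumption (taken from Example four, 30% + 20% = 50%): per-control actual
    mitigations add up. Capped at 100% so residual values never go negative.
    """
    total = sum(c.actual_mitigation(getattr(c, field)) for c in controls)
    return min(total, 100.0)


def residual_risk(likelihood: int, impact: int, controls: Iterable[Control]):
    """Steps 4 and 5: residual likelihood, residual impact and their product."""
    controls = list(controls)
    lm = combined_mitigation(controls, "likelihood_mitigation") / 100.0
    im = combined_mitigation(controls, "impact_mitigation") / 100.0
    residual_likelihood = likelihood * (1.0 - lm)
    residual_impact = impact * (1.0 - im)
    return residual_likelihood, residual_impact, residual_likelihood * residual_impact


def overall_risk(likelihood: Optional[int], impact: Optional[int],
                 tolerance: Optional[float], controls: Iterable[Control]) -> str:
    """Step 6: compare the tolerance to the residual risk.

    Assumption: the tolerance is expressed on the same numeric scale as the
    residual risk score. A missing likelihood or impact means the residual
    risk is not set, which (like a missing tolerance) yields "At risk".
    """
    if likelihood is None or impact is None or tolerance is None:
        return "At risk"
    _, _, score = residual_risk(likelihood, impact, controls)
    return "Healthy" if score <= tolerance else "Critical"


if __name__ == "__main__":
    # Examples three and four, with assumed inherent values (High likelihood,
    # Moderate impact) and an assumed tolerance score of 6.
    c = Control("Control C", "Healthy", likelihood_mitigation=30, impact_mitigation=10)
    d = Control("Control D", "Healthy", likelihood_mitigation=20, impact_mitigation=10)
    print("inherent risk:", inherent_risk(4, 3))
    print("healthy controls:", residual_risk(4, 3, [c, d]), overall_risk(4, 3, 6, [c, d]))
    c.health = d.health = "At risk"  # both controls failed testing
    print("at-risk controls:", residual_risk(4, 3, [c, d]), overall_risk(4, 3, 6, [c, d]))
    print("tolerance not set:", overall_risk(4, 3, None, [c, d]))
```

With healthy controls the residual likelihood is 4 x (1 - 0.5) = 2 and the residual impact 3 x (1 - 0.2) = 2.4, so the residual risk of 4.8 sits within the assumed tolerance of 6. Once both controls are At risk the combined mitigations drop to 25% and 10%, the residual risk rises to 3 x 2.7 = 8.1, and the risk flips to Critical exactly as Example four describes. The cap in combined_mitigation is the one guard worth keeping if you adapt this: several generous controls would otherwise push the residual below zero and make the risk look healthier than any real control can.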
Linking a control to a risk
While working in the Risk Register, you can either link an existing control to a risk or create a new control and link it to a risk. Linking a control can improve the risk's health, as you can set a likelihood and impact mitigation percentage on it.
Keep in mind that control health also affects risk health. If the linked control is At risk or Critical, its mitigation percentages are discounted, so the risk's health will be worse than with a healthy control.
Unlinking a control from a risk
From the Details tab, mouse over the control you want to unlink, and then click the Unlink icon.
Link a control to a risk
From the left menu, select Risk.
Select the Risks tab.
Select the risk that you want to link the control to.
From the Details tab, click the arrow next to the Link button, and then select either Link new or Link existing.
If you selected Link new, the Create new control window opens. Enter a control ID (required), name, description, domain, and owner (required).
Click Create.
If you selected Link existing, the Link additional controls window opens. Select the checkbox next to the control you want to link. Optionally, use the filters in the right menu to narrow the scope of the listed controls.
Click Link selected controls.
Linking a task to a risk
When it comes to compliance management responsibilities, tasks help your team stay on track. By using tasks, you can plan, track, and delegate activities to ensure that your organization remains compliant. Tasks in Hyperproof are similar to tasks you create in project management tools such as Jira.
Select the risk that you want to link the task to
Click the task icon
Linking a task to a risk
Click New Task
The Task window opens
Do any of the following:
Enter a name for the task (required)
Enter a description
Change any of the following by mousing over and clicking the Edit icon:
Assignee (by default, the task is assigned to the task creator)
Due date (this is the number of days out that you want the task to be due)
Priority