Risk details
Once your risk is created within the risk register, you can click on your risk ID to access the Details tab on a risk.
In this video tutorial, we'll focus on items you can change on your risk within the details tab and how you can leverage linking your controls within Hyperproof to offset the actual risk calculation and your risk health.
Note: Hyperproof has been updated since this video, so below are some older views of the risk details tab. In the next lesson, you'll learn about the changes.
The tutorial below is shown in the administrator role with organizational permission as a manager in Hyperproof. If you are in another role in Hyperproof or have a different permission, you may not have access to some of these areas shown, or they may be greyed out.
Risk health overview
Several factors play a part in how Hyperproof determines overall risk health. Before diving into the calculations, let's first define some common terms associated with risks.
Inherent
Inherent Likelihood: The measure of a risk occurring without any preventative measures (controls) in place.
Example - There is a 3% chance of a data breach occurring this fiscal year.
Example - We expect 10,000 breach attempts with a success rate of 0.03 percent.
Inherent Impact: The measure of impact an event has on an organization when there are no preventative measures (controls) in place.
Primary loss - A direct impact from an incident, e.g. a contract breach penalty of $1M.
Secondary loss - The effects from stakeholders, e.g. prospect doesn’t sign due to fear of incident.
Inherent Risk: The level of risk if no mitigation is performed.
Example - An organization's customer data leaked because they did not take measures to properly store the data.
Example - An organization's network is hacked because they did not implement any software security protocols.
Residual
Residual Likelihood: The measure of a risk occurring after implementing risk mitigation measures and controls.
Example - There is still a 5% chance of a security vulnerability occurring in December.
Example - With risk mitigation in place, we still expect 1,000 breach attempts with a success rate of 0.01 percent.
Residual Impact: The final measure of impact an event has on an organization after mitigation measures have been implemented.
Primary loss - The organization is ordered to pay $1B in fines.
Secondary loss - The organization's reputation is tarnished.
Residual Risk: The level of risk after mitigation, taking into account the health of the controls. Residual risk matches the true state of controls by reducing the mitigation of At risk and Critical controls.
Example - An organization requires employees to change their passwords monthly. This reduces the risk of bad actors guessing passwords, but it also increases the risk of employees using new passwords that are similar to their old passwords.
Example - An organization has implemented an email security service to detect phishing and spam attacks. However, the organization may still receive phishing emails.
Tolerance
The level of risk that an organization is willing to bear.
Mitigation
Several factors determine how Hyperproof calculates the overall risk:
Likelihood and impact are factored into the inherent risk.
Inherent risk, control impact, and control health are factored into the residual risk. If used, the mitigation percentage is also factored into the residual risk.
The overall risk is determined by comparing the tolerance to the residual risk.
Risk health
Risk health is determined by comparing Tolerance to Residual risk and ensuring all evaluation fields are entered.
Several factors play a part in how Hyperproof determines Residual risk and therefore overall risk health. Likelihood and Impact make up a risk’s Residual risk. Depending on your organization’s configuration of the risk, a mitigation percentage can also affect a risk’s overall health.
Risk estimation method
The Inherent risk is found by multiplying the Impact weighting by the Likelihood weighting. This number then determines where the risk is placed on your organization’s risk level scale.
The Impact and Likelihood are determined based on your organization’s risk level scale. Hyperproof offers default Likelihood and Impact risk mapping based on a 5-point scale.
To determine the overall health of a risk, follow the steps below. Numbers are based on your organization’s risk mapping.
Note: only administrators can customize risk mapping, i.e. change the point scale to better suit the organization.
Below are steps recommended for calculating the overall risk in Hyperproof:
Step 1 - Determining the inherent likelihood and the inherent impact
Both inherent likelihood and inherent impact are based on a five-point scale with qualitative and quantitative representations:
Very high (5)
High (4)
Moderate (3)
Low (2)
Very low (1)
Step 2 - Determine the inherent risk
The inherent risk is calculated as inherent likelihood x inherent impact.
Example: If the inherent likelihood of a risk is very high (5) and the inherent impact is very low (1), the inherent risk is very high (5).
Step 3 - Set the mitigation
Mitigation is determined by the user on a control by control basis.
Step 4 - Determine the residual likelihood and the residual impact
The residual likelihood is calculated as inherent likelihood x (1 - likelihood mitigation percentage).
The residual impact is calculated as inherent impact x (1 - impact mitigation percentage).
Step 5 - Determine the residual risk
The residual risk is calculated as residual likelihood x residual impact. If a control isn’t healthy, it's not doing its job of mitigating the risk!
The control health discounts the mitigation factor according to the following schedule:
Healthy - 0%
At risk - 50%
Critical - 100%
For each control, the actual mitigation factor is calculated as (the mitigation factor that the user inputted) x (1 - the discount from the health).
Step 6 - Determine the overall risk
The overall risk is determined by comparing the tolerance to the residual risk.
If the residual risk is less than or equal to the risk tolerance, the risk is Healthy.
If the residual risk is greater than the risk tolerance, the risk is Critical. Note that the residual risk is not set if either the likelihood or the impact is not set.
If either the residual risk or the risk tolerance is not set, the risk is At risk.
Tolerance is set on a risk by risk basis and is determined by the risk owner (or organization administrator). Hyperproof's default tolerance scale is:
Very high (5)
High (4)
Moderate (3)
Low (2)
Very low (1)
Not set (i.e. no tolerance level)
To better understand the above steps for calculating risk health, let's take a look at some example risk calculations based on inherent and residual examples.
Example one: Inherent
In the calculation below, a risk is linked to two controls (Control A and Control B). Each control has a mitigation percentage of 40 percent. Both controls are healthy.
Using Hyperproof's default risk mapping, the calculation looks like:
The overall risk is Low because the residual risk is less than the tolerance. Refer to Calculating the overall risk for more information.
Example two: Inherent
Using the example calculation above, both controls failed testing and became at risk, thus reducing the controls' mitigation percentages. The intended mitigation was 40% for each control, so after discounting the mitigation by 50%, the resulting mitigation is 20% for each control. The residual risk increases beyond the tolerance, so the risk becomes Critical.
Example three: Residual
In the calculation below, a risk is linked to two controls (Control C and Control D). Control C has a likelihood mitigation of 30% and Control D has a likelihood mitigation of 20 percent. Control C has an impact mitigation of 10% and Control D has an impact mitigation of 10 percent. Both controls are healthy.
Example four: Residual
Using the example calculation above, both controls failed testing and became at risk, thus reducing the controls' mitigation percentages.
The intended likelihood mitigation was 50%, so after discounting the mitigation by 50%, the resulting likelihood mitigation is 25 percent. The intended impact mitigation was 20%, so after discounting the mitigation by 50%, the resulting impact mitigation is 10 percent. The residual risk increases beyond the tolerance, so the risk becomes Critical.
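The following is an added example, not Hyperproof's own code, that carries Steps 1 to 6 above through Examples three and four: the entered mitigation of each linked control is discounted by its health (0%, 50%, 100%), the applied likelihood and impact mitigations are summed across controls (30% + 20% = 50%), and the residual risk is compared with the tolerance. The inherent scores (5 and 5), the tolerance (3), and the band edges that map the 1..25 product back onto the five-point scale are assumptions; your organization's risk mapping defines the real bands.

```python
from dataclasses import dataclass
from typing import Optional

# Control health discount schedule from the page: the share of the entered
# mitigation that is ignored because the control is not doing its job.
HEALTH_DISCOUNT = {"Healthy": 0.0, "At risk": 0.5, "Critical": 1.0}

@dataclass
class Control:
    name: str
    health: str                   # "Healthy", "At risk" or "Critical"
    likelihood_mitigation: float  # entered percentage, 0-100
    impact_mitigation: float      # entered percentage, 0-100

def applied_mitigation(entered_pct: float, health: str) -> float:
    """Step 5: discount the user-entered mitigation by the control's health."""
    if not 0 <= entered_pct <= 100:
        raise ValueError("mitigation must be between 0 and 100 percent")
    return entered_pct * (1 - HEALTH_DISCOUNT[health])

def total_mitigation(controls):
    """Sum the applied likelihood and impact mitigation over all linked
    controls (as the page adds 30% + 20% to get 50%), capped at 100%."""
    like = min(100.0, sum(applied_mitigation(c.likelihood_mitigation, c.health) for c in controls))
    imp = min(100.0, sum(applied_mitigation(c.impact_mitigation, c.health) for c in controls))
    return like, imp

def residual_risk(inherent_likelihood: int, inherent_impact: int, controls) -> float:
    """Steps 4-5: residual likelihood x residual impact on the 1..25 product scale."""
    like_pct, imp_pct = total_mitigation(controls)
    residual_likelihood = inherent_likelihood * (100 - like_pct) / 100
    residual_impact = inherent_impact * (100 - imp_pct) / 100
    return residual_likelihood * residual_impact

def risk_level(score: float) -> int:
    """Map a 1..25 product onto the 5-point scale. These band edges are an
    assumption of this example; the real mapping is your org's risk mapping."""
    for level, upper in ((1, 2), (2, 5), (3, 10), (4, 16)):
        if score <= upper:
            return level
    return 5

def overall_risk(residual: Optional[float], tolerance: Optional[int]) -> str:
    """Step 6: compare the residual risk (as a level) with the tolerance level."""
    if residual is None or tolerance is None:
        return "At risk"
    return "Healthy" if risk_level(residual) <= tolerance else "Critical"

# Constructed data for Examples three and four (assumed inherent scores 5 and 5,
# tolerance Moderate = 3): Control C 30%/10%, Control D 20%/10%.
CONTROLS = [Control("Control C", "Healthy", 30, 10), Control("Control D", "Healthy", 20, 10)]
FAILED = [Control(c.name, "At risk", c.likelihood_mitigation, c.impact_mitigation) for c in CONTROLS]
```

With both controls Healthy the residual risk is 2.5 x 4.0 = 10 and the risk stays within the tolerance; once both controls are At risk the applied mitigation halves to 25% and 10%, the residual risk rises to 3.75 x 4.5 = 16.875, and the risk becomes Critical.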
Risk mitigation
Mitigation is the action or actions your organization takes to reduce a risk from actually happening. If you choose to mitigate a risk, you need to provide a mitigation percentage for each control linked to the risk. Essentially, you’re stating that you want to mitigate “this much of the risk” by using the control.
For example, 30% mitigation on a control reduces the risk by 30%. The amount mitigated is reduced when the control is At risk (by half) or Critical (completely; the applied mitigation is 0%, whatever percentage was entered, until the control is no longer in this state).
How mitigation works in Hyperproof
Hyperproof allows you to specify a likelihood mitigation percentage and an impact mitigation percentage. The mitigation percentage for each option can be a whole number or a number with up to two decimals, and must not exceed 100 percent. A control can be linked to multiple risks and have different mitigation factors for each.
Likelihood mitigation
The percentage of the control that goes towards preventing a negative outcome from occurring.
Impact mitigation
The percentage of the control that goes towards reducing the impact of a negative outcome.
No mitigation
The mitigation percentage for a linked control can be 0%, which has no effect on the overall risk score. If there is no mitigation, the inherent risk and the residual risk are exactly the same.
Linking a control to a risk
While working in the Risk Register, you can either link an existing control to a risk or create a new control and link it to a risk. Linking a control can help improve risk health, as you can set likelihood and impact mitigation percentages for it.
Keep in mind that control health also affects risk health. With the same mitigation percentages, a control that is At risk or Critical contributes less mitigation, and therefore lower risk health, than a healthy control.
Unlinking a control from a risk
From the Details tab, mouse over the control you want to unlink, and then click the Unlink icon.
Link a control to a risk
From the left menu, select Risk.
Select the Risks tab.
Select the risk that you want to link the control to.
From the Details tab, click the arrow next to the Link button, and then select either Link new or Link existing.
If you selected Link new, the Create new control window opens. Enter a control ID (required), name, description, domain, and owner (required).
Click Create.
If you selected Link existing, the Link additional controls window opens. Select the checkbox next to the control you want to link. Optionally, use the filters in the right menu to narrow the scope of the listed controls.
Click Link selected controls.