A risk scenario is an event that can lead to a business impact. All risk scenarios relevant for a contract can be added, either by creating a new risk scenario or by adding an existing pre-defined risk scenario to the relevant field.
Example scenario: In the contract ‘Hosting agreement with AWS’, a relevant risk scenario could be ‘Confidential and personal information is leaked due to a hacking attack on AWS’s cloud platform’.
Adding a pre-defined risk scenario and assessing inherent risk
Pre-defined risk scenarios are added to the Process by taking the following actions:
- Click ‘Add risk scenario’.
- Choose the relevant scenario from the list under the risk category and risk scenario selection.
- Set the inherent risk by clicking on the button in each row. The inherent risk is the risk assessed without taking into account any implemented controls or security measures.
- Set business and privacy risks by clicking on the edit icon.
- You can get help in defining impact and probability by clicking on “View definitions”. The definitions are set by your system Admin.
- Add a reasoning description and the impact effects for each risk type. For business risk, you may also add an estimated financial impact.
- You can open and assess the residual risk by clicking “open residual risk” in the lower right corner. The residual risk is the risk when you take into account all implemented controls or security measures that may affect the impact or probability.
- You can see the implemented controls or security measures linked to the risk scenario by clicking on “Inherent risk & mitigation factors” at the bottom of the pop-up box. (Controls or security measures are the actions taken to manage the risk.)
Creating a new risk scenario
As an admin you can create a new risk scenario. This is needed when no suitable pre-defined risk scenario exists. To create a new risk scenario:
- Click ‘New risk scenario’.
- Fill in the relevant data and set the inherent risk by clicking on the button in each row. The risk category is defined by the admin in settings and determines the definitions of the impact and probability criteria. The risk type indicates if the risk affects the organization (Business) or individuals like customers or employees (Privacy).
At the top of the page, there is a dashboard bar showing various contextual information related to the linked elements to help with determining the inherent risks.
The Admin decides whether each risk scenario is assessed as a single risk, or assessed separately for loss of confidentiality, loss of integrity and loss of availability. The Admin can change this under ‘Client profile’ in the ‘Risk and control settings’ tab.