Risks Registry

The various risks to which corporate data assets may be subject must be recorded in the appropriate registry. A category must be associated with each risk; the categories are used to visually organize the risks and make it easier to navigate.

The interface allows the definition of a risk in a simple way by filling in the following form.

The pieces of information required for the creation of a risk, as can be seen from the figure, are:

• Code (required): unique code of the risk we are defining
• Name (required): the name of the risk
• Category (required): the risk category
• Description: a textual description of the risk

Scoring Matrices

The platform leaves the freedom to configure, in addition to the risk master data, also the domains relating to inherent risk, effectiveness of controls and residual risk - both in terms of cardinality and nomenclature (which is then reused throughout the platform interface). These configurations are summarized in the “Scoring” section of the Quality Assessment module.

The figure below summarizes how the inherent risk, the effectiveness of the controls, and the residual risk are calculated and shows an example of a configuration.

The figure shows how:

• the inherent risk is calculated starting from an assessment of the probability and magnitude of the impact upon the occurrence of a risk
• the effectiveness of the controls is calculated starting from an assessment of the reduction in the frequency and magnitude of the impact that the control is able to generate
• the residual risk is calculated by crossing inherent risk and control effectiveness according to the matrix shown in the figure