How to Create Enterprise Risks or Controls through a Spreadsheet

This topic explains how to export the spreadsheet templates used to import risks and controls to the system and includes details on how to complete the spreadsheets correctly to ensure that no errors occur when importing them.

 

1.    Access the ERM solution.

2.    In the Risk Register section, click Export/Import Risks or Export/Import Controls.

 

The system displays a page where enterprise risks or controls can be exported and imported.

 

3.    In the Export section, click Export Template (see figure below).

 

 

4.    Save the file to your computer and open it.

 

When the file is opened, the template is displayed in Microsoft Excel.

When accessing the spreadsheet for the first time after it is exported, macros must be enabled; otherwise, you will not be able to edit any information in it. In the 2010 Microsoft Excel version, a banner appears so that they can be enabled. For further details on enabling macros, access http://office.microsoft.com/en-us/excel-help/?CTT=97. Select the version of Excel you are using and locate the topic on macros.

The file includes two tabs: Instructions, which details how the spreadsheet should be completed, and Objects, where the properties and attributes of the objects can be provided (see figure below).

 

 

The tables below explain how each field from the Objects tab should be completed. Fields marked with an asterisk are required.

 

    Enterprise Risks:

Field

Instructions

ID

The ID for each enterprise risk is generated automatically when the spreadsheet is imported to the system. When existing risks are exported for editing, their IDs will be displayed in this field as read-only values. This field should not be completed or edited, and any changes made to it will be ignored by the system.

*Type

This field lists the available enterprise risk types. Select a type for the risk being created from the drop-down list displayed when the cell is clicked. Default types as well as any custom types created in the Object Types section of the Administration module will be listed. Note that when the list of existing risks is exported for editing, deleted types will be displayed if there are still risks of the type registered in the system. However, new risks cannot be created with these deleted types, nor can the type be edited through the spreadsheet.

*Name

The name is used to identify the risk being created. Enter a value for this attribute by inserting plain text using 1 to 200 characters.

*Inherent Impact

The impact quantifies the consequences to the organization should the risk materialize assuming that none of the associated controls are implemented, and is used in the default formula for calculating the Risk Score. Enter a value for this attribute by inserting a positive number.

*Inherent Probability

The probability quantifies the chances of the risk occurring assuming that none of the associated controls are implemented, and is used in the default formula for calculating the Risk Score. Enter a value for this attribute by inserting a positive number.

*Category

The category is used to classify the risk. Select a category for the risk being created from the drop-down list displayed when the cell is clicked.

Inherent Risk Score

This field displays the Inherent Risk Score for a single risk, which is calculated by multiplying the inherent impact by the inherent probability. The fields for this type of attribute are read-only and cannot be edited. The final value will be updated once the spreadsheet is imported back to the system.

*Description

The description is used to provide additional details on the risk. Provide a value for this attribute by entering plain text.

Associated Controls

This field is used to list the controls associated with the risk in order to minimize the impact or the probability of the risk materializing. This type of attribute is multiple-selection and should be completed with the numeric identifiers or the names of the controls being associated. If more than one control is registered in the system under the same name, an alert will be displayed and no association will be created. However, this will not prevent the spreadsheet from being imported. The names or identifiers of the controls should be semicolon delimited (";") without spaces. The identifier of each control should be preceded by "id:" with no spaces after the tag.

*Risk Owner

This field is used to assign a person to the Risk Owner role. This attribute is single-selection and should be completed with the name of the person being assigned. If more than one person is registered in the system under the same name, an error will be displayed and the spreadsheet cannot be imported. In this case, the alphanumeric identifier of the person should be used, which can be found by entering the name of the person in the general search field of the system and clicking on the corresponding result. The identifier will appear at the end of the URL.

Residual Impact

The impact quantifies the consequences to the organization should the risk materialize assuming that all the controls associated with the risk are implemented, and is used in the default formula for calculating the Risk Score. Enter a value for this attribute by inserting a positive number.

Residual Probability

The probability quantifies the chances of the risk occurring assuming that all the controls associated with the risk are implemented, and is used in the default formula for calculating the Risk Score. Enter a value for this attribute by inserting a positive number.

Enterprise Risk Attributes

Any enterprise risk attributes displayed in the spreadsheet were previously created and published in the Objects and Attributes section of the Administration module. When an attribute does not apply to a certain type of enterprise risk, an alert will be displayed when importing the spreadsheet and any information entered in the field will be ignored. If the attributes are marked as required in the system, they must be completed for the spreadsheet to be imported.

 

These fields should be completed according to the type of attribute, as follows:

    Attachment: Files cannot be uploaded or deleted through the spreadsheet, although any files attached through the system will be listed. These will be displayed within brackets separated by semicolons. For example: [file name.pdf];[file name 2.doc].

 

When creating an enterprise risk through the spreadsheet, this field will be imported blank, even if it is marked as required.

    Date/Time: The date format should be the same as that configured for the attribute. If the attribute is registered as "Date", the field should contain only the date; if "Time", the field should contain only the time; and if "Date/time", it may contain either one. If only the date is included, the time will be 0:00; if only the time is included, the date will be the import date. The date may be in two formats: MM/dd/yyyy or yyyy-MM-dd. The time should be in 24-hour format: HH:mm.

    E-mail: E-mails should be entered using a maximum of 100 characters in the following format: username@domain.com.

    Formula: This is a read-only field, so it is not possible to insert or edit values. These values will be re-calculated once the spreadsheet is imported.

    Georeference: Specify a value for this attribute by providing the coordinates in the following format:

To define a point:

{"type":"Point","coordinates":[-0.09046,51.51095]}

To define a set of points:

{"type":"LineString","coordinates":[[-0.09046,51.51095],[0.07446,44.51095]]}

The coordinates for the points must be entered between brackets, in the "Longitude,Latitude" order.

    Image: Image files are attached through the system and cannot be added through the spreadsheet. The files attached through the system will be displayed in brackets and separated by a semicolon, for example: "[image.jpeg];[image2.jpeg]".

 

When creating an enterprise risk through the spreadsheet, this field will be imported blank, even if it is marked as required.

    Link: Links should be entered as: http://www.domain.com or \\server\path.

    List of Options: Attributes of this type should be completed with the options available for the attribute, separated by semicolons if more than one value is accepted.

    Number: This type of attribute uses the decimal separator (“.”) and optionally the comma separator (“,”) to separate thousands. For example, the number 1200 should be filled in as 1,200.00.

    Outline: This type of attribute should be completed with the entries using a maximum of 100 characters with each separated by semicolons. For example: Entry 1;Entry 2.

    Paragraph: This type of attribute should be completed with normal text.

    Relationship: This type of attribute can be single or multiple selection and should be completed with the alphanumeric identifier or the path of the objects being associated. If more than one object with the same name has been registered in the system, the paths of the objects cannot be used to create relationships and the system will not allow the spreadsheet to be imported. Note that for multiple selection attributes, the paths or identifiers of the objects must be separated by semicolons (";") with no spaces when completing the cells. The identifier of each object should be preceded by "id:" with no spaces after the tag. The identifier is available through the API and can also be found by inserting the name of the object in the general search field and clicking on the corresponding entry, which will then display the identifier at the end of the URL.

 

For business components, the path is specified as follows: business component level > business component type > business component name.

 

For perimeters, the path is specified as follows: parent perimeter name > perimeter name.

 

For assets, the path is specified as follows: parent perimeter name > subperimeter name > asset name.

 

For other objects, simply enter their names.

 

When the spreadsheet is exported, the list of related objects might be truncated if the maximum number of characters allowed in the cell is exceeded. If the cell is not edited, the spreadsheet will be imported and all existing relationships will be kept. To edit the relationships, the ellipses and brackets must first be removed. Note that, in this case, the new relationships will be imported and any previous ones will be deleted.

    Text: This type of attribute should be completed with normal text within any maximum or minimum limits set for it and according to the regular expression mask, if one was set for the field.

For details on creating attributes, see Chapter 17: Administration -> Customizations -> Objects and Attributes.

Author

This field lists the name and username of the person who registered the risk. It should not be completed or edited, and any changes made to it will be ignored by the system.

Date Created

This field lists the date on which the risk was registered. It should not be completed or edited, and any changes made to it will be ignored by the system.

Updated By

This field lists the name and username of the person who updated information on the risk. It should not be completed or edited, and any changes made to it will be ignored by the system.

Date Updated

This field lists the date on which information on the risk was updated. It should not be completed or edited, and any changes made to it will be ignored by the system.

 

    Enterprise Controls:

Field

Instructions

ID

The ID for each control is generated automatically when the spreadsheet is imported to the system. When existing controls are exported for editing, their IDs will be displayed in this field as read-only values. This field should not be completed or edited, and any changes made to it will be ignored by the system.

*Name

The name is used to identify the control being created. Enter a value for this attribute by inserting plain text using 1 to 1,000 characters.

*Description

The description is used to provide additional details on the control. Provide a value for this attribute by entering plain text using a maximum of 5,000 characters.

Enterprise Control Attributes

Any control attributes displayed in the spreadsheet were previously created and published in the Objects and Attributes section of the Administration module. If the attributes are marked as required in the system, they must be completed for the spreadsheet to be imported.

 

These fields should be completed according to the type of attribute, as follows:

    Attachment: Files cannot be uploaded or deleted through the spreadsheet, although any files attached through the system will be listed. These will be displayed within brackets separated by semicolons. For example: [file name.pdf];[file name 2.doc].

 

When creating an enterprise control through the spreadsheet, this field will be imported blank, even if it is marked as required.

    Date/Time: The date format should be the same as that configured for the attribute. If the attribute is registered as "Date", the field should contain only the date; if "Time", the field should contain only the time; and if "Date/time", it may contain either one. If only the date is included, the time will be 0:00; if only the time is included, the date will be the import date. The date may be in two formats: MM/dd/yyyy or yyyy-MM-dd. The time should be in 24-hour format: HH:mm.

    E-mail: E-mails should be entered using a maximum of 100 characters in the following format: username@domain.com.

    Formula: This is a read-only field, so it is not possible to insert or edit values. These values will be re-calculated once the spreadsheet is imported.

    Georeference: Specify a value for this attribute by providing the coordinates in the following format:

To define a point:

{"type":"Point","coordinates":[-0.09046,51.51095]}

To define a set of points:

{"type":"LineString","coordinates":[[-0.09046,51.51095],[0.07446,44.51095]]}

The coordinates for the points must be entered between brackets, in the "Longitude,Latitude" order.

    Image: Image files are attached through the system and cannot be added through the spreadsheet. The files attached through the system will be displayed in brackets and separated by a semicolon, for example: "[image.jpeg];[image2.jpeg]".

 

When creating an enterprise control through the spreadsheet, this field will be imported blank, even if it is marked as required.

    Link: Links should be entered as: http://www.domain.com or \\server\path.

    List of Options: Attributes of this type should be completed with the options available for the attribute, separated by semicolons if more than one value is accepted.

    Number: This type of attribute uses the decimal separator (“.”) and optionally the comma separator (“,”) to separate thousands. For example, the number 1200 should be filled in as 1,200.00.

    Outline: This type of attribute should be completed with the entries using a maximum of 100 characters with each separated by semicolons. For example: Entry 1;Entry 2.

    Paragraph: This type of attribute should be completed with normal text.

    Relationship: This type of attribute can be single or multiple selection and should be completed with the alphanumeric identifier or the path of the objects being associated. If more than one object with the same name has been registered in the system, the paths of the objects cannot be used to create relationships and the system will not allow the spreadsheet to be imported. Note that for multiple selection attributes, the paths or identifiers of the objects must be separated by semicolons (";") with no spaces when completing the cells. The identifier of each object should be preceded by "id:" with no spaces after the tag. The identifier is available through the API and can also be found by inserting the name of the object in the general search field and clicking on the corresponding entry, which will then display the identifier at the end of the URL.

For business components, the path is specified as follows: business component level > business component type > business component name.

For perimeters, the path is specified as follows: parent perimeter name > perimeter name.

For assets, the path is specified as follows: parent perimeter name > subperimeter name > asset name.

For other objects, simply enter their names.

When the spreadsheet is exported, the list of related objects might be truncated if the maximum number of characters allowed in the cell is exceeded. If the cell is not edited, the spreadsheet will be imported and all existing relationships will be kept. To edit the relationships, the ellipses and brackets must first be removed. Note that, in this case, the new relationships will be imported and any previous ones will be deleted.

    Text: This type of attribute should be completed with normal text within any maximum or minimum limits set for it and according to the regular expression mask, if one was set for the field.

 

For details on creating attributes, see Chapter 17: Administration -> Customizations -> Objects and Attributes.

Author

This field lists the name and username of the person who registered the control. It should not be completed or edited, and any changes made to it will be ignored by the system.

Date Created

This field lists the date on which the control was registered. It should not be completed or edited, and any changes made to it will be ignored by the system.

Updated By

This field lists the name and username of the person who updated information on the control. It should not be completed or edited, and any changes made to it will be ignored by the system.

Date Updated

This field lists the date on which information on the control was updated. It should not be completed or edited, and any changes made to it will be ignored by the system.

 

5.    When finished, save the file to your computer.

 

Note: For details on importing risks or controls created through the spreadsheet, see Chapter 4: ERM -> Export/Import Risks and Controls -> How to Import Enterprise Risks and Controls.
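
The attribute format rules listed in both tables above (Date/Time, E-mail, Number, Georeference, and the "id:" syntax used in Relationship and Associated Controls cells) can be checked before a spreadsheet is imported. The following Python code is an added example, not code from the product; the function names are hypothetical, and the space-separated layout for a combined date and time and the optional minus sign on numbers are assumptions, since the page does not specify them.

```python
import json
import re
from datetime import datetime

DATE_FORMATS = ["%m/%d/%Y", "%Y-%m-%d"]  # MM/dd/yyyy or yyyy-MM-dd
TIME_FORMAT = "%H:%M"                     # 24-hour HH:mm

def valid_datetime(value, kind="Date/time"):
    """kind is the attribute's registered type: Date, Time or Date/time."""
    # Assumption: a Date/time cell holding both parts is written "<date> <time>".
    fmts = {"Date": DATE_FORMATS, "Time": [TIME_FORMAT]}.get(kind) or (
        DATE_FORMATS + [TIME_FORMAT] + [f"{d} {TIME_FORMAT}" for d in DATE_FORMATS])
    for fmt in fmts:
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            pass
    return False

def valid_email(value):
    # At most 100 characters, shaped like username@domain.com.
    return len(value) <= 100 and re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value) is not None

def valid_number(value):
    # "." decimal separator, optional "," thousands groups; the sign is an assumption.
    return re.fullmatch(r"-?(\d{1,3}(,\d{3})+|\d+)(\.\d+)?", value) is not None

def valid_georeference(value):
    """Point or LineString whose positions are [longitude, latitude] pairs."""
    try:
        geo = json.loads(value)
    except ValueError:  # includes a decimal comma such as 0,07446
        return False
    if not isinstance(geo, dict) or geo.get("type") not in ("Point", "LineString"):
        return False
    coords = geo.get("coordinates")
    points = [coords] if geo["type"] == "Point" else coords
    def is_position(p):  # exactly two numbers, within longitude/latitude ranges
        return (isinstance(p, list) and len(p) == 2
                and all(type(n) in (int, float) for n in p)
                and -180 <= p[0] <= 180 and -90 <= p[1] <= 90)
    return isinstance(points, list) and bool(points) and all(map(is_position, points))

def parse_references(cell):
    """Split a Relationship or Associated Controls cell into (kind, value) pairs."""
    refs = []
    for item in cell.split(";"):
        if not item or item != item.strip():
            raise ValueError(f"empty entry or space next to ';': {item!r}")
        kind, value = ("id", item[3:]) if item.startswith("id:") else ("name", item)
        if not value or value != value.strip():
            raise ValueError(f"nothing or a space after 'id:': {item!r}")
        refs.append((kind, value))
    return refs
```
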