This topic explains how to export the spreadsheet templates used to import risks and controls to the system and includes details on how to complete the spreadsheets correctly to ensure that no errors occur when importing them.
1. Access the ERM solution.
2. In the Risk Register section, click Export/Import Risks or Export/Import Controls.
The system displays a page where enterprise risks or controls can be exported and imported.
3. In the Export section, click Export Template (see figure below).
4. Save the file to your computer and open it.
When the file is opened, the template is displayed in Microsoft Excel.
When accessing the spreadsheet for the first time after it is exported, the macros must be enabled, otherwise, you will not be able to edit any information in it. In the 2010 Microsoft Excel version, a banner appears so that they can be enabled. For further details on enabling macros, access http://office.microsoft.com/en-us/excel-help/?CTT=97. Select the version of Excel you are using and locate the topic on macros.
The file includes two tabs: Instructions, which details how the spreadsheet should be completed and Objects, where the properties and attributes of the objects can be provided (see figure below).
The tables below explain how each field from the Objects tab should be completed. Fields marked with an asterisk are required.
• Enterprise Risks:
Field |
Instructions |
ID |
The ID for each enterprise risk is generated automatically when the spreadsheet is imported to the system. When existing risks are exported for editing, their IDs will be displayed in this field as read-only values. This field should not be completed or edited, and any changes made to it will be ignored by the system. |
*Type |
This field lists the available enterprise risk types. Select a type for the risk being created from the drop-down list displayed when the cell is clicked. Default types as well as any custom types created in the Object Types section of the Administration module will be listed. Note that when the list of existing risks is exported for editing, deleted types will be displayed if there are still risks of the type registered in the system. However, new risks cannot be created with these deleted types, nor can the type be edited through the spreadsheet. |
*Name |
The name is used to identify the risk being created. Enter a value for this attribute by inserting plain text using 1 to 200 characters. |
*Inherent Impact |
The impact quantifies the consequences to the organization should the risk materialize assuming that none of the associated controls are implemented, and is used in the default formula for calculating the Risk Score. Enter a value for this attribute by inserting a positive number. |
*Inherent Probability |
The probability quantifies the chances of the risk occurring assuming that none of the associated controls are implemented, and is used in the default formula for calculating the Risk Score. Enter a value for this attribute by inserting a positive number. |
*Category |
The category is used to classify the risk. Select a category for the risk being created from the drop-down list displayed when the cell is clicked. |
Inherent Risk Score |
This field displays the Inherent Risk Score for a single risk, which is calculated by multiplying the inherent impact by the inherent probability. The fields for this type of attribute are read-only and cannot be edited. The final value will be updated once when the spreadsheet is imported back to the system. |
*Description |
The description is used to provide additional details on the risk. Provide a value for this attribute by entering plain text. |
Associated Controls |
This field is used to list the controls associated with the risk in order to minimize the impact or the probability of the risk materializing. This type of attribute is multiple-selection and should be completed with the numeric identifiers or the names of the controls being associated. If more than one control is registered in the system under the same name, an alert will be displayed and no association will be created. However, this will not prevent the spreadsheet from being imported. The names or identifiers of the controls should be semicolon delimited (";") without spaces. The identifier of each control should be preceded by "id:" with no spaces after the tag. |
*Risk Owner |
This field is used to assign a person to the Risk Owner role. This attribute is single-selection and should be completed with the name of the person being assigned. If more than one person is registered in the system under the same name, an error will be displayed and the spreadsheet cannot be imported. In this case, the alphanumeric identifier of the person should be used, which can be found by entering the name of the person in the general search field of the system and clicking on the corresponding result. The identifier will appear at the end of the URL. |
Residual Impact |
The impact quantifies the consequences to the organization should the risk materialize assuming that all the controls associated with the risk are implemented, and is used in the default formula for calculating the Risk Score. Enter a value for this attribute by inserting a positive number. |
Residual Probability |
The probability quantifies the chances of the risk occurring assuming that all the controls associated with the risk are implemented, and is used in the default formula for calculating the Risk Score. Enter a value for this attribute by inserting a positive number. |
Enterprise Risk Attributes |
Any enterprise risk attributes displayed in the spreadsheet were previously created and published in the Objects and Attributes section of the Administration module. When an attribute does not apply to a certain type of enterprise risk, an alert will be displayed when importing the spreadsheet and any information entered in the field will be ignored. If the attributes are marked as required in the system, they must be completed for the spreadsheet to be imported.
These fields should be completed according to the type of attribute, as follows: • Attachment: Files cannot be uploaded or deleted through the spreadsheet, although any files attached through the system will be listed. These will be displayed within brackets separated by semicolons. For example: [file name.pdf];[file name 2.doc].
When creating an enterprise risk through the spreadsheet, this field will be imported blank, even if it is marked as required. • Date/Time: The date format should be the same as that configured for the attribute. If the attribute is registered as "Date", the field should contain only the date; if "Time", the field should contain only the time; and if "Date/time", it may contain either one. If only the date will be included, the time will be 0:00; if only the time will be included, the date will be the import date. The date may be in two formats: MM/dd/yyyy or yyyy-MM-dd. The time should be in 24-hour format: HH:mm. • E-mail: E-mails should be entered using a maximum of 100 characters in the following format: username@domain.com. • Formula: This is a read-only field, so it is not possible to insert or edit values. These values will be re-calculated once the spreadsheet is imported. • Georeference: Specify a value for this attribute by providing the coordinates in the following format: To define a point: {"type":"Point","coordinates":[-0.09046,51.51095]} To define a set of points: {"type":"LineString","coordinates":[[-0.09046,51.51095],[0,07446,44.51095]]} The coordinates for the points must be entered between brackets, in the "Longitude,Latitude" order. • Image: Image files are attached through the system and cannot be added through the spreadsheet. The files attached through the system will be displayed in brackets and separated by a semicolon, for example: "[image.jpeg];[image2.jpeg]".
When creating an enterprise risk through the spreadsheet, this field will be imported blank, even if it is marked as required. • Link: Links should be entered as: http://www.domain.com or \\server\path. • List of Options: Attributes of this type should be completed with the options available for the attribute, separated by semicolons if more than one value is accepted. • Number: This type of attribute uses the decimal separator (“.”) and optionally the comma separator (“,”) to separate thousands. For example, the number 1200 should be filled in as 1,200.00. • Outline: This type of attribute should be completed with the entries using a maximum of 100 characters with each separated by semicolons. For example: Entry 1;Entry 2. • Paragraph: This type of attribute should be completed with normal text. • Relationship: This type of attribute can be single or multiple selection and should be completed with the alphanumeric identifier or the path of the objects being associated. If more than one object with the same name has been registered in the system, the paths of the objects cannot be used to create relationships and the system will not allow the spreadsheet to be imported. Note that for multiple selection attributes, the paths or identifiers of the objects must be separated by semicolons (";") and no spaces when completing the cells. The identifier of each object should be preceded by "id:" with no spaces after the tag. The identifier is available through the API and can also be found by inserting the name of the object in the general search field and clicking on the corresponding entry, which will then display the identifier at the end of the URL.
For business components, the path is specified as follows: business component level > business component type > business component name.
For perimeters, the path is specified as follows: parent perimeter name > perimeter name.
For assets, the path is specified as follows: parent perimeter name > subperimeter name > asset name.
For other objects, simply enter their names.
When the spreadsheet is exported, the list of related objects might be truncated if the maximum number of characters allowed in the cell is exceeded. If the cell is not edited, the spreadsheet will be imported and all existing relationships will be kept. To edit the relationships, the ellipses and brackets must first be removed. Note that, in this case, the new relationships will be imported and any previous ones will be deleted. • Text: This type of attribute should be completed with normal text within any maximum or minimum limits set for it and according to the mask of regular expression if one was set for the field. For details on creating attributes, see Chapter 17: Administration -> Customizations -> Objects and Attributes. |
Author |
This field lists the name and username of the person who registered the risk. It should not be completed or edited, and any changes made to it will be ignored by the system. |
Date Created |
This field lists the date on which the risk was registered. It should not be completed or edited, and any changes made to it will be ignored by the system. |
Updated By |
This field lists the name and username of the person who updated information on the risk. It should not be completed or edited, and any changes made to it will be ignored by the system. |
Date Updated |
This field lists the date on which information on the risk was updated. It should not be completed or edited, and any changes made to it will be ignored by the system. |
• Enterprise Controls:
Field |
Instructions |
ID |
The ID for each control is generated automatically when the spreadsheet is imported to the system. When existing controls are exported for editing, their IDs will be displayed in this field as read-only values. This field should not be completed or edited, and any changes made to it will be ignored by the system. |
*Name |
The name is used to identify the control being created. Enter a value for this attribute by inserting plain text using 1 to 1,000 characters. |
*Description |
The description is used to provide additional details on the risk. Provide a value for this attribute by entering plain text using a maximum of 5,000 characters. |
Enterprise Control Attributes |
Any control attributes displayed in the spreadsheet were previously created and published in the Objects and Attributes section of the Administration module. If the attributes are marked as required in the system, they must be completed for the spreadsheet to be imported.
These fields should be completed according to the type of attribute, as follows: •Attachment: Files cannot be uploaded or deleted through the spreadsheet, although any files attached through the system will be listed. These will be displayed within brackets separated by semicolons. For example: [file name.pdf];[file name 2.doc].
When creating an enterprise control through the spreadsheet, this field will be imported blank, even if it is marked as required. •Date/Time: The date format should be the same as that configured for the attribute. If the attribute is registered as "Date", the field should contain only the date; if "Time", the field should contain only the time; and if "Date/time", it may contain either one. If only the date will be included, the time will be 0:00; if only the time will be included, the date will be the import date. The date may be in two formats: MM/dd/yyyy or yyyy-MM-dd. The time should be in 24-hour format: HH:mm. • E-mail: E-mails should be entered using a maximum of 100 characters in the following format: username@domain.com. •Formula: This is a read-only field, so it is not possible to insert or edit values. These values will be re-calculated once the spreadsheet is imported. •Georeference: Specify a value for this attribute by providing the coordinates in the following format: To define a point: {"type":"Point","coordinates":[-0.09046,51.51095]} To define a set of points: {"type":"LineString","coordinates":[[-0.09046,51.51095],[0,07446,44.51095]]} The coordinates for the points must be entered between brackets, in the "Longitude,Latitude" order. •Image: Image files are attached through the system and cannot be added through the spreadsheet. The files attached through the system will be displayed in brackets and separated by a semicolon, for example: "[image.jpeg];[image2.jpeg]".
When creating an enterprise control through the spreadsheet, this field will be imported blank, even if it is marked as required. •Link: Links should be entered as: http://www.domain.com or \\server\path. •List of Options: Attributes of this type should be completed with the options available for the attribute, separated by semicolons if more than one value is accepted. •Number: This type of attribute uses the decimal separator (“.”) and optionally the comma separator (“,”) to separate thousands. For example, the number 1200 should be filled in as 1,200.00. •Outline: This type of attribute should be completed with the entries using a maximum of 100 characters with each separated by semicolons. For example: Entry 1;Entry 2. •Paragraph: This type of attribute should be completed with normal text. •Relationship: This type of attribute can be single or multiple selection and should be completed with the alphanumeric identifier or the path of the objects being associated. If more than one object with the same name has been registered in the system, the paths of the objects cannot be used to create relationships and the system will not allow the spreadsheet to be imported. Note that for multiple selection attributes, the paths or identifiers of the objects must be separated by semicolons (";") and no spaces when completing the cells. The identifier of each object should be preceded by "id:" with no spaces after the tag. The identifier is available through the API and can also be found by inserting the name of the object in the general search field and clicking on the corresponding entry, which will then display the identifier at the end of the URL. For business components, the path is specified as follows: business component level > business component type > business component name. For perimeters, the path is specified as follows: parent perimeter name > perimeter name. For assets, the path is specified as follows: parent perimeter name > subperimeter name > asset name. For other objects, simply enter their names. When the spreadsheet is exported, the list of related objects might be truncated if the maximum number of characters allowed in the cell is exceeded. If the cell is not edited, the spreadsheet will be imported and all existing relationships will be kept. To edit the relationships, the ellipses and brackets must first be removed. Note that, in this case, the new relationships will be imported and any previous ones will be deleted. •Text: This type of attribute should be completed with normal text within any maximum or minimum limits set for it and according to the mask of regular expression if one was set for the field.
For details on creating attributes, see Chapter 17: Administration -> Customizations -> Objects and Attributes. |
Author |
This field lists the name and username of the person who registered the control. It should not be completed or edited, and any changes made to it will be ignored by the system. |
Date Created |
This field lists the date on which the control was registered. It should not be completed or edited, and any changes made to it will be ignored by the system. |
Updated By |
This field lists the name and username of the person who updated information on the control. It should not be completed or edited, and any changes made to it will be ignored by the system. |
Date Updated |
This field lists the date on which information on the control was updated. It should not be completed or edited, and any changes made to it will be ignored by the system. |
5. When finished, save the file to your computer.
Note: For details on importing risks or controls created through the spreadsheet, see Chapter 4: ERM -> Export/Import Risks and Controls -> How to Import Enterprise Risks and Controls.