In this section, you can manage risks that are relevant to the organization and its objectives. When registering a risk, you must define the inherent impact and inherent probability, which are used to calculate the Inherent Risk Score and the risk matrix, as well as the residual probability and impact, which are used to calculate the Residual Risk Score. Risks can also be classified into categories and types, and a risk owner must be assigned to each.
Enterprise risks and controls can be registered and edited through the system interface, or offline in a spreadsheet that is then imported back into the system. Once controls are registered, one or more controls can be associated with one or more risks.
Custom types of risks can be created in the Object Types section of the Administration module. In the Objects and Attributes section, attributes can be created for controls and risks, and they can be applied to one or more types of risks. Note that the order defined for risk and control attributes affects not only the interface, but also the default column order in the list and the order of the fields in the spreadsheet.