Risk Surveys

Risk surveys are used to generate interviews for risk projects. Risk interviews, in turn, assist in the completion of questionnaires used in projects. They may generate evidence, change the status, or modify other properties of the controls in questionnaires. It is through the evaluation of these controls in questionnaires that risk is measured in a project.

When setting up a risk project, each asset component included in the scope is associated with an analyst and optionally an interviewee, a reviewer, and a survey. The analyst is the person responsible for answering a questionnaire, generated based on the knowledge base that was associated with the asset component. If interviews will be used to help answer controls, the interviewee is responsible for answering the interview, while the reviewer can optionally approve or modify the responses provided to the interview. The survey becomes the interview used for the project.

When a risk survey is created, it must be associated with a single knowledge base. Knowledge bases are used to generate questionnaires in projects (a questionnaire is essentially a knowledge base that can be answered), and knowledge bases are also associated with asset components. These relationships allow risk interviews (generated from surveys) to be used to help answer the corresponding questionnaires (generated from knowledge bases) (see figure below).

Each survey may contain one or more pages, and each page may contain text, images, and various types of questions (see figure below).

By processing the answers provided for a risk interview, certain actions are taken directly in the controls of the associated questionnaires. These include attaching evidence, modifying the probability or severity scores, or modifying the status (Implemented, Not Implemented, etc.). All of this takes place automatically as the answers from the interviews are processed, increasing productivity and ensuring greater scalability in the process. These automatic actions in controls are made possible by creating rules for processing the answers to the interviews. Each question has a unique number, which is used to refer to it when creating rules. These rules are specified when creating the survey from which the interview is generated.

In addition to modifying properties (probability, severity, and status), there are two other types of actions that can be executed automatically in the controls through the control rules created for questions in a risk survey: the text entered in the comment field of a question, or the files attached to it, can be attached to a control. If the comment field is enabled for a question (of any type), a textbox is shown below the question; if the evidence field is enabled, a field for attaching files to the question is shown. Rules for these two types of evidence must then be created for the question so that the comment or files are attached to the control. They will then appear in the Evidence and Attachments sections of the control in the questionnaire.

Rules can also be created to control which questions are visible to interviewees depending on their answers to previous questions. This spares interviewees from having to answer questions that do not apply given their earlier answers. Comments and attachments can likewise be made mandatory depending on the answers provided to other questions by creating rules for this purpose, as long as the comment and attachment fields were enabled for those questions.
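To make the rule processing described above concrete, here is an added example in Python of how a small rule engine can turn interview answers into actions on questionnaire controls. It is not code from this manual or from the product: the class names, the action keywords (set_status, set_probability, set_severity, attach_comment, attach_file, show, require_comment), the 1-5 score scale, the control identifier AC-01 and the three sample questions are all constructed assumptions for illustration. It covers the three kinds of rule the text names: property changes on a control, attaching a question's comment or files as evidence, and visibility or mandatory-comment rules driven by earlier answers.

```python
# Added illustration, not the product's own code: every name, action keyword and sample
# value below is a constructed assumption about how interview rules act on controls.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Control:                      # one control of a questionnaire built from a knowledge base
    control_id: str
    status: str = "Not Evaluated"
    probability: int = 3            # assumed 1-5 scale
    severity: int = 3
    evidence: List[str] = field(default_factory=list)
    attachments: List[str] = field(default_factory=list)

@dataclass
class Question:
    number: int                     # unique number that rules use to refer to the question
    text: str
    comment_enabled: bool = False   # comment textbox shown below the question
    attachment_enabled: bool = False

@dataclass
class Answer:
    value: str
    comment: str = ""
    files: List[str] = field(default_factory=list)

@dataclass
class ControlRule:                  # question answered `when` -> run `action` on `control_id`
    question: int
    when: str
    action: str                     # set_status | set_probability | set_severity | attach_comment | attach_file
    control_id: str
    argument: Optional[str] = None

@dataclass
class QuestionRule:                 # question answered `when` -> `show` or `require_comment` on `target`
    question: int
    when: str
    action: str
    target: int

@dataclass
class Survey:
    questions: List[Question]
    control_rules: List[ControlRule]
    question_rules: List[QuestionRule]
    def question(self, number: int) -> Question:
        return next(q for q in self.questions if q.number == number)

def _fires(rule, answers: Dict[int, Answer]) -> bool:   # is the rule's condition met by these answers?
    return rule.question in answers and answers[rule.question].value == rule.when

def visible_questions(survey: Survey, answers: Dict[int, Answer]) -> List[int]:
    """A question targeted by any `show` rule stays hidden until one of those rules fires."""
    gated = {r.target for r in survey.question_rules if r.action == "show"}
    shown = {r.target for r in survey.question_rules if r.action == "show" and _fires(r, answers)}
    return [q.number for q in survey.questions if q.number not in gated or q.number in shown]

def missing_comments(survey: Survey, answers: Dict[int, Answer]) -> List[int]:
    """Visible questions whose comment a rule made mandatory but which were answered without one."""
    visible = set(visible_questions(survey, answers))
    required = {r.target for r in survey.question_rules if r.action == "require_comment"
                and _fires(r, answers) and r.target in visible and survey.question(r.target).comment_enabled}
    return sorted(n for n in required if not answers.get(n, Answer("")).comment.strip())

def process_interview(survey: Survey, answers: Dict[int, Answer], questionnaire: Dict[str, Control]):
    """Apply each control rule whose question is visible and answered as the rule expects; return a log."""
    visible, log = set(visible_questions(survey, answers)), []
    for r in (r for r in survey.control_rules if r.question in visible and _fires(r, answers)):
        ctl, ans, q = questionnaire[r.control_id], answers[r.question], survey.question(r.question)
        if r.action == "set_status":
            ctl.status = r.argument
        elif r.action == "set_probability":
            ctl.probability = int(r.argument)
        elif r.action == "set_severity":
            ctl.severity = int(r.argument)
        elif r.action == "attach_comment" and q.comment_enabled and ans.comment:
            ctl.evidence.append(ans.comment)      # shows up in the control's Evidence section
        elif r.action == "attach_file" and q.attachment_enabled:
            ctl.attachments.extend(ans.files)     # shows up in the control's Attachments section
        else:
            continue                              # rule does not apply to this answer
        log.append((r.question, r.action, r.control_id))
    return log

def sample_survey() -> Survey:
    """Constructed survey: three questions whose rules act on one hypothetical control 'AC-01'."""
    return Survey(
        questions=[Question(1, "Is there a documented access control policy?"),
                   Question(2, "Is the policy reviewed at least annually?", comment_enabled=True),
                   Question(3, "Attach the current policy document.", attachment_enabled=True)],
        control_rules=[ControlRule(1, "No", "set_status", "AC-01", "Not Implemented"),
                       ControlRule(1, "No", "set_probability", "AC-01", "5"),
                       ControlRule(1, "Yes", "set_status", "AC-01", "Implemented"),
                       ControlRule(2, "No", "set_severity", "AC-01", "4"),
                       ControlRule(2, "No", "attach_comment", "AC-01"),
                       ControlRule(3, "Provided", "attach_file", "AC-01")],
        question_rules=[QuestionRule(1, "Yes", "show", 2),            # Q2 and Q3 only apply if Q1 is Yes
                        QuestionRule(1, "Yes", "show", 3),
                        QuestionRule(2, "No", "require_comment", 2)])  # ask why the review lapsed
```

Two design points are worth noting. First, control rules are only applied for questions that are currently visible, so an answer stored for a question that a visibility rule later hid cannot modify a control; without that check, a stale answer would silently change a control's status or scores. Second, the comment and file actions do nothing unless the corresponding field was enabled for the question, which mirrors the manual's requirement that the fields be enabled before evidence rules can take effect.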

Note that the use of interviews in risk projects is optional. The controls for risk questionnaires may also be answered manually by the analyst or, in the case of technology assets, answered with the support of automated collectors. For details on automated collectors, see Chapter 17: Administration -> Settings -> Collector Servers.

Below is a summary of the steps involved in creating a risk survey:

1. A knowledge base is created in the system in the Risk Knowledge section of the Knowledge module (see figure below).

2. A knowledge base includes a list of controls, which are used to measure asset risks (see figure below).

3. A risk survey is registered in the Surveys section of the Knowledge module and is associated with a knowledge base (see figure below).

4. A risk survey includes a series of questions, and these questions may have rules associated with them (see figure below).

5. These rules allow certain actions to be executed in the controls of the knowledge base with which the survey is associated (see figure below).

6. An asset component is included in the scope of a risk project. The asset component and the survey must both have been associated beforehand with the same knowledge base. An interviewee (and optionally a reviewer) is also assigned (see figure below).

7. The knowledge base generates a questionnaire in the risk project, which is answered by an analyst (see figure below).

8. The survey generates an interview in the risk project, which is answered by interviewees and reviewers. When a question is answered, the actions defined in the rules for that question are executed in the questionnaire controls (see figure below).