This section explains the evaluation phase of a risk management project. As the questionnaires of a risk project are answered, the analysis of each component included in the project's scope is completed. For every closed questionnaire, some risks are found to be controlled (the corresponding controls are implemented), while others are identified as still present (non-implemented controls). Once the technology assets have been processed, a Risk Score is calculated for the vulnerabilities mapped to them, which helps the organization decide how each vulnerability should be handled. The objective of the evaluation phase is to decide which risks to treat and which to accept.
The decision to accept or treat risks should take into account not only the metrics associated with the risks identified, but also the organization's risk tolerance. To assist in this decision-making process, the system offers a feature to simulate risk treatment scenarios known as the What-If simulator. Once evaluated, a decision is made to treat the risks considered unacceptable. For this, the system allows treatment events to be generated which aim at managing actions for the elimination (whenever possible), mitigation, transference, or some other strategy to reduce each risk. Events to treat vulnerability-related risks can also be used to treat the same risks in another project, averting unnecessary costs by preventing risks under treatment from being treated again. Treatment events created for the project during the evaluation phase can be viewed in the Treatment tab, but are managed in the Workflow module.
It is important to understand that the analysis, evaluation, and treatment phases are not necessarily sequential, but rather overlapping processes. Risk evaluation may begin before the analysis is over and, similarly, the treatment phase can begin before evaluation of all the risks has been completed. Also note that there must be at least one non-implemented control in a closed questionnaire or one vulnerability in a closed vulnerability analysis for the Evaluation tab to be enabled, allowing risks to be treated or accepted.
The figure below illustrates the relationships between the concepts and types of risks associated with the analysis, evaluation, and treatment phases of the GRC Metaframework cycle.
As shown in the figure above, after a questionnaire is closed in the analysis phase, you can check which risks are controlled and which have been identified. In the evaluation phase, identified risks are progressively evaluated by risk managers. Thus, at any time during the project, it may be that some identified risks have already been evaluated, but not others. For evaluated risks, the decision has already been made to accept a risk or send it to treatment by creating a new treatment event or associating it with an existing treatment event. The total evaluated risk is then divided between risks being treated and accepted risks in this phase.
Once risks have been sent to treatment, the status of each becomes "Sent to Treatment". This status is temporary: as soon as treatment events are created for, or associated with, those risks in the Evaluation tab, the status of each risk becomes "Being Treated". The author of the events receives a notification in the Home module when the events are successfully registered. As mentioned, these events are managed in the Workflow module by authorized users. Once risk treatment has begun in a project, some of the risks sent to treatment may already have been treated (that is, their corresponding events have been closed), while others may still be undergoing treatment (open events). Note that in the figure above, the risks that were controlled and those that were treated no longer pose a concern to the organization, while the risks still being treated, those that were accepted, and those that were not yet evaluated together make up the residual risk of the project in question.
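The status flow and the residual-risk breakdown described above can be made concrete with a small model. The following Python is an added illustration, not the system's own code or data model: the status names follow the text, but the class names, the `score` field, the event identifiers and the summing of scores into a residual total are assumptions made for the example, and the sample questionnaire is constructed. The system's own indicators (PSR, Risk Index, Gap Index) are not defined on this page and are not computed here.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class RiskStatus(Enum):
    CONTROLLED = "Controlled"             # control implemented in the closed questionnaire
    NOT_EVALUATED = "Not Evaluated"       # identified, no decision made yet
    ACCEPTED = "Accepted"
    SENT_TO_TREATMENT = "Sent to Treatment"
    BEING_TREATED = "Being Treated"       # treatment event open
    TREATED = "Treated"                   # treatment event closed


# Allowed status changes, following the flow described in the text.
TRANSITIONS = {
    RiskStatus.NOT_EVALUATED: {RiskStatus.ACCEPTED, RiskStatus.SENT_TO_TREATMENT},
    RiskStatus.SENT_TO_TREATMENT: {RiskStatus.BEING_TREATED},
    RiskStatus.BEING_TREATED: {RiskStatus.TREATED},
}

# Statuses that still contribute to the project's residual risk.
RESIDUAL_STATUSES = {RiskStatus.NOT_EVALUATED, RiskStatus.ACCEPTED, RiskStatus.BEING_TREATED}


def can_move(current: RiskStatus, new: RiskStatus) -> bool:
    return new in TRANSITIONS.get(current, set())


@dataclass
class Risk:
    control: str
    score: int                       # assumed numeric risk score for illustration
    status: RiskStatus
    event_id: Optional[str] = None   # treatment event, once created or associated

    @classmethod
    def from_questionnaire(cls, control: str, implemented: bool, score: int) -> "Risk":
        """A closed questionnaire yields a controlled risk for an implemented
        control and an identified (not yet evaluated) risk otherwise."""
        status = RiskStatus.CONTROLLED if implemented else RiskStatus.NOT_EVALUATED
        return cls(control, score, status)

    def _move(self, new: RiskStatus) -> None:
        if not can_move(self.status, new):
            raise ValueError(f"{self.control}: cannot go from {self.status.value} to {new.value}")
        self.status = new

    def accept(self) -> None:
        self._move(RiskStatus.ACCEPTED)

    def send_to_treatment(self) -> None:
        self._move(RiskStatus.SENT_TO_TREATMENT)

    def attach_event(self, event_id: str) -> None:
        """'Sent to Treatment' is temporary: creating or associating an event
        moves the risk to 'Being Treated'."""
        self._move(RiskStatus.BEING_TREATED)
        self.event_id = event_id

    def close_event(self) -> None:
        self._move(RiskStatus.TREATED)


def status_breakdown(risks) -> dict:
    return {s.value: n for s, n in Counter(r.status for r in risks).items()}


def residual_risk(risks) -> dict:
    """Residual risk of a project: risks being treated, accepted, or not yet
    evaluated. Controlled and treated risks are excluded. Summing scores is an
    assumption for illustration, not one of the system's indicators."""
    residual = [r for r in risks if r.status in RESIDUAL_STATUSES]
    return {"count": len(residual), "score": sum(r.score for r in residual)}


def sample_project():
    """Constructed sample: one closed questionnaire with four controls."""
    risks = [
        Risk.from_questionnaire("Patch management", implemented=True, score=8),
        Risk.from_questionnaire("MFA for admin accounts", implemented=False, score=9),
        Risk.from_questionnaire("Log retention", implemented=False, score=4),
        Risk.from_questionnaire("Backup testing", implemented=False, score=6),
    ]
    mfa, logs, backups = risks[1], risks[2], risks[3]
    mfa.send_to_treatment()
    mfa.attach_event("EV-1")       # hypothetical event identifier
    logs.accept()
    backups.send_to_treatment()
    backups.attach_event("EV-2")
    backups.close_event()
    return risks


if __name__ == "__main__":
    project = sample_project()
    print(status_breakdown(project))   # Controlled 1, Being Treated 1, Accepted 1, Treated 1
    print(residual_risk(project))      # {'count': 2, 'score': 13}
```

The transition table is the point of the model: an accepted or treated risk cannot silently drift back into treatment, a risk cannot be "Being Treated" without an event, and the residual total only ever includes the three statuses the text names.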
In the following sections, you will learn how to use the system to evaluate the risks identified in a project, with and without the support of the What-If simulator, and how to interpret the risk indicators the system shows (PSR, Risk Index, and Gap Index) for the different types of risks (not evaluated, accepted, being treated, treated, etc.) displayed in the evaluation and treatment phases of a project.