9. MS RSK UserGuide

The MetricStream Risk Assessments User Guide Release 6.1 SP2 provides detailed instructions on the risk assessment process, including workflows, configuration settings, and assessment factors. It emphasizes the proprietary nature of the document and outlines the legal restrictions on its use and distribution. The guide is designed for users involved in risk management and includes various chapters covering setup, configuration, and practical scenarios.

Risk Assessments

USER GUIDE
RELEASE 6.1 SP2
AUGUST 2016
Risk Assessments 6.1 SP2 - User Guide

Copyright Notices
Copyright © 2016 MetricStream Inc., All Rights Reserved.

The MetricStream Risk Assessments User Guide Release 6.1 SP2, as well as the software described
within it, is furnished under license and may only be used or copied within the terms of that license.
The information in this document is provided for informational purposes only, is subject to change
without notice, and should not be construed as a commitment by MetricStream, Inc. MetricStream,
Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in this
document.

Except as permitted by license, no part of this publication may be reproduced, stored in a retrieval
system, or transmitted, in any form or by any means – electronic, mechanical, recording, or otherwise
– without the prior written permission of MetricStream, Inc.

Written and designed at MetricStream, Inc., 2600 East Bayshore Road, Palo Alto, CA 94303, U.S.A.

Printed in the U.S.A.

CAUTION

This document contains proprietary, confidential information that is the exclusive property of
MetricStream, Inc. If you do not have a valid contract with MetricStream for the use of this document,
or have not signed a non-disclosure agreement with MetricStream, then you received this document
in an unauthorized manner and are not legally entitled to possess or read it.

Use, duplication, and disclosure are subject to restrictions stated in your contract with MetricStream,
Inc. Use, duplication, and disclosure by the Government are subject to restrictions for commercial
software and shall be deemed to be Restricted Rights software under Federal Law.

Page 2 Copyright © 2016 MetricStream Inc.


Table of Contents

About This Guide - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 13
Target Audience - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 13
Documentation Conventions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 13
Related Documents - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 14
Chapter 1. Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 15
Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 16
Risk Assessment Approach - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 17
Risk Assessments Workflow - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 18
Risk Assessments Plan > Approval Workflow - - - - - - - - - - - - - - - - - - - - - - - - - - 19
Risk Assessments - Process Flow - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 21
Configuration Settings for Approval Workflow - - - - - - - - - - - - - - - - - - - - - - - - - 22
Auto Approval - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 22
Displaying/Hiding of Level 1 Approver and Level 2 Approver fields - - - - - - - - - - - - 22
Activities - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 23
Chapter 2. Risk Assessments Setup - - - - - - - - - - - - - - - - - - - - - - - 24
Quantitative Assessment Factors - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 25
Quantitative Assessment Factor Form - - - - - - - - - - - - - - - - - - - - - - - - - - - 26
Header - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 27
Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 33
List of Values Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 38
Scoring Rules Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 41
Additional Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 45
Modify/Review/Approve Section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 47
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - - 48
Related Reports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 48
Qualitative Assessment Factors - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 49
Qualitative Assessment Factor Form - - - - - - - - - - - - - - - - - - - - - - - - - - - - 50
Header - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 50
Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 52
Additional Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 56
Modify/Review/Approve Section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 57
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - - 57
Related Reports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 57
Working on Assessment Factors > Owner - - - - - - - - - - - - - - - - - - - - - - - - - - - 58
Accessing Quantitative/Qualitative Assessment Factor Form - - - - - - - - - - - - - - - 58
Workflow Changes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 58
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - - 60
Working on Assessment Factors > Approver - - - - - - - - - - - - - - - - - - - - - - - - - - 61
Accessing Quantitative/Qualitative Assessment Factor Form - - - - - - - - - - - - - - - 61
Workflow Changes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 61
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - - 63
Creating Risk Matrices - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 64
Risk Scoring Algorithm - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 65
Title and Name - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 67
Factors/Controls Pane - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 68
Expanding and Collapsing Factors Pane Hierarchical Levels - - - - - - - - - - - - - - - - 69
Searching Factors/Controls - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 69
Formula Bar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 70
Formula Bar Options - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 73
Workspace - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 73
Expanding and Collapsing Workspace Panes - - - - - - - - - - - - - - - - - - - - - - - - 73
Enabling and Disabling Formulas - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 74
Defining Scoring Formula - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 75
Defining Inherent Score Formula - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 76
Control Score Formula Pane - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 77
Pre-Residual Score Formula Pane - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 79
Residual Score Formula Pane - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 80
Validating Formulas - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 82
Validation Related Alert Messages - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 83
SnapShot - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 84
Sample Formula - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 84
Form Submission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 85
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - - 85
Perspectives - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 86
Perspectives Form - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 87
Perspectives Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 88
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - - 93
Configuring Organization Weightage - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 94
Organization Weightage Form - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 95
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - - 97
Scenario - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 98
Scenario - 2 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 99
Scenario - 3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 100
Configuring Heat Maps for Standard Factors - - - - - - - - - - - - - - - - - - - - - - - - - 101
HeatMap Configuration For Standard Factors Form - - - - - - - - - - - - - - - - - - - 101
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 102
Chapter 3. Configuring Risk Matrices - - - - - - - - - - - - - - - - - - - - - 103
What Is Risk Matrix? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 104
Risk Configuration Methods - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 105
Risk Matrix Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 108
Instructions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 110
Enabling/Disabling Score Sections - - - - - - - - - - - - - - - - - - - - - - - - - - - - 111
Input Fields - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 112
Tool Bar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 114
Editing Data Tabular Format - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 120
Risk Configuration Matrix Workspace - - - - - - - - - - - - - - - - - - - - - - - - - - - 122
Chapter 4. Managing Risk Assessment Plans - - - - - - - - - - - - - - - - - 126
Creating Risk Assessment Plans - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 127
Ongoing Risk Assessments - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 127
Risk Assessment Plan Form - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 128
Header - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 128
Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 130
Scheduling Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 133
Assessments Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 136
Additional Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 145
Modify/Review/Approve Section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 148
Form Submission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 149
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 149
Working on Risk Assessment Plans > Owner - - - - - - - - - - - - - - - - - - - - - - - - - 150
Accessing Risk Assessment Plan Form - - - - - - - - - - - - - - - - - - - - - - - - - - 150
Workflow Changes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 150
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 152
Working on Risk Assessment Plans > Approver - - - - - - - - - - - - - - - - - - - - - - - - 153
Accessing Risk Assessment Plan Form - - - - - - - - - - - - - - - - - - - - - - - - - - 153
Workflow Changes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 153
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 155
Initiating Ad hoc Risk Assessment Tasks - - - - - - - - - - - - - - - - - - - - - - - - - - - 156
Risk Assessment Task Form - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 156
Header - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 157
Items Being Assessed Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 158
Form Submission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 159
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 159
Chapter 5. Performing Risk Assessments - - - - - - - - - - - - - - - - - - - 160
Assessing Risks - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 161
Accessing Ongoing Risk Assessment Assignments - - - - - - - - - - - - - - - - - - - - 161
Risk Assessment Form - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 162
Header - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 163
Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 164
Assessments Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 165
Expanding/Collapsing Tree Tabular Format - - - - - - - - - - - - - - - - - - - - - - - - - - - - 167
Assessments Tab > Organization to be Assessed - - - - - - - - - - - - - - - - - - - - - - - - - 167
Override Feature - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 175
Display of Prior Values for Risk Assessment Triggered Using the Same Scope - - - - - - 178
Adding Ad Hoc Risks at First Child Hierarchical Level - - - - - - - - - - - - - - - - - - - - - - - 179
Adding New Risks from GRC Library - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 180
Adding New Risks - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 181
Viewing Assessable Entity and Risk Details - - - - - - - - - - - - - - - - - - - - - - - - 183
Risk Tabular Format Hierarchical Level - - - - - - - - - - - - - - - - - - - - - - - - - - 183
Tabular Format Functionality - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 184
Collapsing and Expanding Tabular Formats - - - - - - - - - - - - - - - - - - - - - - - - - - - - 184
Floating Risk Rating Window - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 184
Floating Risk Rating Window Options - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 186
Hierarchical Factors - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 187
Expanding and Collapsing Hierarchical Tabular Format - - - - - - - - - - - - - - - - - - - - - 188
Assessments Tab > Inherent Risk For Tabular Format - - - - - - - - - - - - - - - - - - - - - - 188
Qualitative Assessment Factor Response Columns - - - - - - - - - - - - - - - - - - - - - - - - 189
Assessments Tab > Controls For Tabular Format - - - - - - - - - - - - - - - - - - - - - - - - - 189
Adding New Controls - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 192
Adding GRC Library Controls - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 193
Adding New Controls - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 194
Deleting Controls - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 194
Assessments Tab > Residual Risk For Tabular Format - - - - - - - - - - - - - - - - - - - - - - 194
Findings and Observations Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 196
Adding, Deleting and Renaming Findings and Observations - - - - - - - - - - - - - - - 197
Findings Related Fields - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 197
Additional Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 200
Modify/Review/Approve Section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 201
Form Submission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 202
Alert - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 203
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 204
Related Reports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 204
Reviewing Risk Assessments - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 205
Risk Assessment Form > Reviewer - - - - - - - - - - - - - - - - - - - - - - - - - - - - 206
Modify/Review/Approve Section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 206
Form Submission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 207
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 207
Approving Risk Assessments - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 208
Risk Assessment Form > Approver - - - - - - - - - - - - - - - - - - - - - - - - - - - - 209
Modify/Review/Approve Section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 209
Form Submission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 210
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 211
Chapter 6. Rating Method - - - - - - - - - - - - - - - - - - - - - - - - - - - 212
What Is Risk Rating Method? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 213
How can I perform Risk Rating Assessment? - - - - - - - - - - - - - - - - - - - - - - - - - 213
Assessing Risks - Rating Method - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 215
Risk Assessment Form - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 215
Header - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 215
Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 215
Assessments Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 215
Assessments Tab > Inherent Risk For Tabular Format - - - - - - - - - - - - - - - - - - - - - - 215
Assessments Tab > Controls For Tabular Format - - - - - - - - - - - - - - - - - - - - - - - - - 220
Assessments Tab > Residual Risk For Tabular Format - - - - - - - - - - - - - - - - - - - - - - 222
Findings and Observations Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 225
Additional Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 225
Modify/Review/Approve Section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 226
Form Submission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 226
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 226
Heat Maps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 227
Chapter 7. Scoring and Rating Method - - - - - - - - - - - - - - - - - - - - 228
What Is Scoring and Risk Rating Method? - - - - - - - - - - - - - - - - - - - - - - - - - - 229
How Can I perform Scoring and Risk Rating Assessment? - - - - - - - - - - - - - - - - - - 229
Assessing Risks - Scoring and Rating Method - - - - - - - - - - - - - - - - - - - - - - - - - 231
Risk Assessment Form - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 231
Header - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 231
Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 231
Assessments Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 232
Risk Assessments Form > Assessments Tab > Inherent Risk For Tabular Format - - - - - - - - - 232
Assessments Tab > Controls For Tabular Format - - - - - - - - - - - - - - - - - - - - - - - - - 237
Assessments Tab > Residual Risk For Tabular Format - - - - - - - - - - - - - - - - - - - - - - 239
Findings and Observations Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 244
Additional Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 244
Risk Assessment Form > Modify/Review/Approve Section - - - - - - - - - - - - - - - - 244
Form Submission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 244
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 244
Heat Maps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 245
Chapter 8. Ranking and Rating Method - - - - - - - - - - - - - - - - - - - - 246
What Is Ranking and Rating Method? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 247
How Can I perform Ranking and Rating Assessment? - - - - - - - - - - - - - - - - - - - - 247
Assessing Risks - Ranking and Rating Method - - - - - - - - - - - - - - - - - - - - - - - - 249
Risk Assessment Form - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 249
Header - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 249
Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 250
Assessments Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 250
Assessments Tab > Inherent Risk For Tabular Format - - - - - - - - - - - - - - - - - - - - - - 251
Assessments Tab > Controls For Tabular Format - - - - - - - - - - - - - - - - - - - - - - - - - 256
Assessments Tab > Residual Risk For Tabular Format - - - - - - - - - - - - - - - - - - - - - - 258
Findings and Observations Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 263
Additional Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 263
Modify/Review/Approve Section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 263
Form Submission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 263
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 263
Heat Maps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 264
Chapter 9. Scoring Algorithm and Rating Method - - - - - - - - - - - - - - 265
What Is Scoring Algorithm and Rating Method? - - - - - - - - - - - - - - - - - - - - - - - 266
How Can I perform Scoring Algorithm and Rating Assessment? - - - - - - - - - - - - - - - 266
Assessing Risks - Scoring Algorithm and Rating Method - - - - - - - - - - - - - - - - - - - 269
Risk Assessment Form - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 269
Header - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 269
Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 270
Assessments Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 270
Assessments Tab > Inherent Risk For Tabular Format - - - - - - - - - - - - - - - - - - - - - - 270
Assessments Tab > Controls For Tabular Format - - - - - - - - - - - - - - - - - - - - - - - - - 275
Assessments Tab > Residual Risk For Tabular Format - - - - - - - - - - - - - - - - - - - - - - 281
Findings and Observations Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 285
Additional Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 285
Modify/Review/Approve Section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 285
Form Submission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 285
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 285
Score Roll Up Scenario - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 286
Heat Maps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 288
Chapter 10. Risk Scoring Algorithm Method - - - - - - - - - - - - - - - - - 289
What Is Risk Algorithm Method? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 290
How can I perform Risk Algorithm Method Assessment? - - - - - - - - - - - - - - - - - - 290
Assessing Risks - Algorithm Method - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 291
Risk Assessment Form - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 291
Header - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 291
Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 292
Assessments Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 292
Risk Assessments Form > Assessments Tab > Organization to be Assessed - - - - - - - - - - - 292
Assessments Tab > Controls For Tabular Format - - - - - - - - - - - - - - - - - - - - - - - - - 297
Assessments Tab > Inherent Risk For Tabular Format - - - - - - - - - - - - - - - - - - - - - - 304
Findings and Observations Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 308
Additional Details Tab - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 308
Modify/Review/Approve Section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 308
Form Submission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 308
Task Assignments and E-mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - 308
Heat Maps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 309
Chapter 11. Heat Maps - - - - - - - - - - - - - - - - - - - - - - - - - - - - 310
What Is a Heat Map? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 311
Heat Map By Name - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 312
Heat Map By Name (Filtered by Organization) Report - - - - - - - - - - - - - - - - - - - - - - 313
Heat Map By Name (Filtered by Assessed Entities) Report - - - - - - - - - - - - - - - - - - - - 313
Heat Map By Name (Risks by rolled up score) Report - - - - - - - - - - - - - - - - - - - - - - 313
Heat Map By Name (Risks directly assessed) Report - - - - - - - - - - - - - - - - - - - - - - - 314
Heat Map By Count (Inherent) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 315
Heat Map By Count Inherent (Filtered by Organization) Report - - - - - - - - - - - - - - - - - 316
Heat Map By Count Inherent (Filtered by Assessed Entities) Report - - - - - - - - - - - - - - - 316
Heat Map By Count Inherent (Filtered by Risks by rolled up score) Report - - - - - - - - - - - 316
Heat Map By Count Inherent (Filtered by Risks directly assessed) Report - - - - - - - - - - - - 317
Heat Map By Count (Residual) chart - - - - - - - - - - - - - - - - - - - - - - - - - - - 318
Heat Map By Count Residual (Filtered by Organization) Report - - - - - - - - - - - - - - - - - 319
Heat Map By Count Residual (Filtered by Assessed Entities) Report - - - - - - - - - - - - - - - 319
Heat Map By Count Residual (Filtered by Risks by rolled up score) Report - - - - - - - - - - - 319
Heat Map By Count Residual (Filtered by Risks directly assessed) Report - - - - - - - - - - - - 320
Risk Score and Rating Roll Up - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 321
Rules for Roll up Logic - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 321
Heat Map Overall Filters - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 322
Report Filters - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 323
Heat Map Zones - Risk Scoring Algorithm Method - - - - - - - - - - - - - - - - - - - - 326
Heat Map Plots and Chart Options - - - - - - - - - - - - - - - - - - - - - - - - - - - - 327
Printing Heat Maps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 331
Chapter 12. Reports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 333
Risk Assessments Reports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 334
Quantitative Assessment Factors Report - - - - - - - - - - - - - - - - - - - - - - - - - 337
Qualitative Assessment Factors Report - - - - - - - - - - - - - - - - - - - - - - - - - - 337
Perspectives Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 338
Risk Scoring Algorithms Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 338
Risk Matrix Configurations Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - 338
Organizations at Risk (By Rolled Up Score) Report - - - - - - - - - - - - - - - - - - - - 339
Organizations at Risk (By Individual Assessment) - - - - - - - - - - - - - - - - - - - - - 340
Inherent Risk Breakdown by Category Report - - - - - - - - - - - - - - - - - - - - - - 341
Residual Risk Breakdown by Category Report - - - - - - - - - - - - - - - - - - - - - - 341
Risk Assessment Status Details Report - - - - - - - - - - - - - - - - - - - - - - - - - - 342
Risk Control Assessment Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 342
Risks Identified During Assessments - - - - - - - - - - - - - - - - - - - - - - - - - - - 343
Risk Register Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 343
Risk Register - Detailed Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 346
View Assessments Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 348
Other Reports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 348
Cross Perspective Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 349
Risk Rating Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 350
Risk Rating Chart - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 351
Top Organizations at Risk (By Rolled Up Score) - - - - - - - - - - - - - - - - - - - - - - 352
Organizations at Risk (Based on Risk Assessment) - - - - - - - - - - - - - - - - - - - - 352
Inherent Risks Breakdown by Category - - - - - - - - - - - - - - - - - - - - - - - - - - 352
Residual Risks Breakdown by Category - - - - - - - - - - - - - - - - - - - - - - - - - - 352
Perspectives Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 352
Risk Register Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 352
Risk Assessment Assignments Report- - - - - - - - - - - - - - - - - - - - - - - - - - - 352
Control Assessments (From Risk Assessments) Report - - - - - - - - - - - - - - - - - - 353
Assessment Status (Details) Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - 353
Ongoing Risk Assessments Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - 353
View New Controls Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 354
New Risks Added During Risk Assessments - - - - - - - - - - - - - - - - - - - - - - - - 355
Comments History Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 355
Change History Report - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 355
Reports from Other MetricStream Modules - - - - - - - - - - - - - - - - - - - - - - - - - 356
Creating Dynamic Dashboards Using Reports- - - - - - - - - - - - - - - - - - - - - - - - - 357
Dynamic Dashboards - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 357
Enterprise Risk Dashboard - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 357
Risk Register Dashboard - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 360

Chapter 13. Charts and Dashboards - - - - - - - - - - - - - - - - - - - - - - 363


Dashboards and Charts - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 364
Risk Assessment Status Chart - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 365
Issues by Status Chart - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 366
Inherent Risk Breakdown by Category Chart - - - - - - - - - - - - - - - - - - - - - - - 367
Residual Risk Breakdown by Category Chart - - - - - - - - - - - - - - - - - - - - - - - 368


Assessment Status (Overview) Chart - - - - - - - - - - - - - - - - - - - - - - - - - - - 368


Appendix - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 369
About My Tasks Menu - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 370
Accessing Assignments from My Tasks Menu- - - - - - - - - - - - - - - - - - - - - - - 370
My Task Menu Features- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 370

Form Tool Bar - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 371


Risk Assessments Forms - Additional Details Tab - - - - - - - - - - - - - - - - - - - - - - - 372
Data Browsers - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 373
Accessing Data Browsers - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 374
Data Browser Icons and Names - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 374

Searching and Editing Risk Assessment Forms - - - - - - - - - - - - - - - - - - - - - - 375


Calendars- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 377
Lock Functionality - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 378
Clarification Assignments - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 380
Load Preferences- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 381
Report-Data Display Matrix - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 382
What is Flow down?- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 383

Scenarios - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 384
About Reports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 387
Filters - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 387
Drill Downs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 388
List Reports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 388
Link Reports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 388
Accessing Link Reports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 389

About Charts and Dashboards - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 390


Drill Downs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 390
Interactive Legends - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 390
Hide/Display Feature - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 391
E-Mail Notifications - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 393
Qualitative and Quantitative Factor Forms - - - - - - - - - - - - - - - - - - - - - - - - 393
Risk Plan Form- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 397
Risk Assessments - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 402
Glossary - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 408
Index - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 410
Documentation Feedback - - - - - - - - - - - - - - - - - - - - - - - - - - - 412

Risk Assessments 6.1 SP2 - User Guide

About This Guide

The MetricStream Risk Assessments User Guide Release 6.1 SP2 provides information on using the
MetricStream Risk Assessments module. The MetricStream Risk Assessments module is web-based.

Target Audience
This guide is intended for business users of the MetricStream Risk Assessments module. Business users
can be chief risk officers, chief executive officers, senior executives, members of Enterprise Risk
Assessments and Operational Risk Assessments groups, risk champions, risk coordinators and so on.

Note: This guide is not intended for system administrators of the MetricStream Risk Assessments module.

Documentation Conventions
The following conventions are used in this document.

Note: Key pointers, in the form of notes, to help you use this module effectively and efficiently are
provided throughout this guide. You can recognize a note when you come across a new paragraph in
italics with the word ‘Note’ in red at the beginning of the paragraph.
For example:
Note: This guide is not intended for system administrators of the MetricStream Risk Assessments
module.

Boldface: All MetricStream module names, software references, and document names appear in
boldface.
Examples:
• Module Name: Risk Assessments
• Software Reference: Comments field
• Role Names: risk assessor, risk program manager

Snippet Images: Images that are partially captured are snipped off as shown below.

References to other MetricStream documents to get more information on the topic.
For example:
To use the Reports section effectively, familiarize yourself with the MetricStream Portal User Guide
Release 6.1 SP5.

Related Documents
You can refer to the following documents:

• MetricStream Risk Assessments System Administrator Guide Release 6.1 SP5
• MetricStream Portal User Guide Release 6.1 SP5
• MetricStream EGRCP User Guide Release 6.1 SP5
• MetricStream EGRCP System Administrator Guide Release 6.1 SP5

If you need training or product support, contact MetricStream Support Services at
[email protected] or 800-858-5658.

A list of MetricStream offices is available on our Web site: http://www.metricstream.com/



Chapter 1. Overview

Risk Assessment is the process of identifying, assessing, and prioritizing risks followed by coordinated
and economical application of resources to minimize, monitor, and control the probability and/or
impact of unfortunate events or to maximize the realization of opportunities. The objective of Risk
Assessment is to ensure that uncertainty does not affect the achievement of business goals.

Sections:
1. Overview
2. Risk Assessment Approach
3. Risk Assessments Workflow
4. Risk Assessments Plan > Approval Workflow
5. Configuration Settings for Approval Workflow


Overview
Risk Assessment is the process of identifying, quantifying, and managing the risks that an
organization faces. Because the outcomes of business activities are uncertain, they carry an element
of risk. These risks include strategic failures, operational failures, financial failures, market
disruptions, environmental disasters, regulatory violations, and so on.

Using the MetricStream Risk Assessments module, you can minimize, monitor, and control the
probability and impact of unfortunate events, or maximize the realization of opportunities.


Risk Assessment Approach


The Risk Assessments module follows this approach:

• Users can schedule a periodic (or ad-hoc) risk assessment of one or more risks (all risks related to a
process, all risks related to an organization, and so on).
• The assessments are specified in the context of a single perspective. You can define the type of
assessment to be followed for the perspective (Org-Risk, Assessable Entity-Risk, and Org-Assessable
Entity-Risk).
• On a periodic basis, the module generates risk assessment assignments to the appropriate assessors
based on the schedule defined in the Risk Assessment Plan form.
• The risk assessors respond to one or more questions to arrive at the inherent and residual scores
and ratings.
• The assessment is sent to the approver (optional step).
• The module combines the risk assessment scores and rolls them up to the organization level.
• You can assign a two-stage approval process for each of the risk assessment contents. Depending
on the approval cycle setup, on creation of the risk assessment contents, the required form is
assigned to the selected approver. For more information on the approval workflow, refer to the
Risk Assessments Workflow section.
• You can set up ongoing risk assessments for the required risk plans. The module triggers an
assignment to the risk assessors based on the schedule. For more information, see Ongoing Risk
Assessments.


Risk Assessments Workflow


The following figure depicts the logical or cyclical sequence of executing tasks for successful completion
of risk assessments using MetricStream's Risk Assessments module.

Figure 1: Risk Assessments Workflow


Risk Assessments Plan > Approval Workflow


The following figure displays the workflow involved in the Risk Assessments Plan approval workflow
process.

Figure 2: Risk Assessments Plan > Approval Workflow


The following steps help you understand the workflow of the Risk Assessments Plan.

Step 1 If the risk assessment plan initiator and owner are the same person, then the Risk
Assessment Plan form is routed to the level 1 and level 2 approvers (if approvers are
selected in the Risk Assessment Plan form).

• If the risk assessment plan initiator and owner are not the same, then the Risk Assessment
Plan form is routed to the plan owner selected in the Owners field of the form for
review. The plan owner can route the Risk Assessment Plan form back to the initiator or
send it to the level 1 and level 2 approvers, if specified. If no level 1 or level 2 approvers are
specified in the module, the workflow is completed and the plan is published. The plan
owner and approver can send the respective form back to the previous level for
clarification.

Note: To select a level 2 approver, you must first select the level 1 approver. Otherwise, the module
does not populate values in the Level 2 Approver field.

• If no owners are specified in the Risk Assessment Plan form, then the form is routed to
all the users with the RSK - Edit Scheduled Risk Assessment activity in the selected owner
organizations.
• If no valid users are found with the RSK - Edit Scheduled Risk Assessment activity in any of
the selected owner organizations, then the Risk Assessment Plan form is routed to any
valid user in the module with the RSK - Edit All Scheduled Risk Assessment activity.
• If no valid users are found with the RSK - Edit All Scheduled Risk Assessment activity in the
module, then the Risk Assessment Plan form is routed to the risk assessment plan
initiator.

Step 2 At each stage, the owner/approver can perform the following actions:

• Request Clarifications: To get clarification from the previous plan initiator / owner.

Note: The clarification request goes to the Plan Initiator if the Plan Owner requests it, or to the Plan
Owner if it is initiated by any of the Plan Approvers.

• Approve: To approve the created/edited risk assessment plan. The Risk Assessment Plan form is
then routed to the next approver (if there are no other approvers, the Risk Assessment Plan is
published).
• Cancel: To cancel the risk assessment plan.

Note:
- The cancelled risk assessments are not available in the data browser.
- Two users cannot edit the published risk assessment plans simultaneously.


Risk Assessments - Process Flow


The following figure displays the process flow involved in the risk assessment process.

Figure 3: Risk Assessment Process Flow


Configuration Settings for Approval Workflow


The following section describes how to configure the approval workflow for Risk Assessments.

Auto Approval
Using the configuration parameter MS_RSK_AutoApprove, you can directly publish assessment factors
or risk assessment plans without any approval workflow process. This parameter is configured for each
of the data objects: qualitative assessment factor, quantitative assessment factor, and risk assessment
plan.

• To turn off the approval workflow process and directly publish the contents, set the configuration
parameter MS_RSK_AutoApprove to Yes. To turn on the approval workflow process and route the
contents to the owners and approvers, set the configuration parameter MS_RSK_AutoApprove to
No.

Note: Contact your system administrator for parameter configurations.

Displaying/Hiding of Level 1 Approver and Level 2 Approver Fields

The display of the Level 1 Approver and Level 2 Approver fields in the Risk Assessments forms, such as
Qualitative Assessment Factor, Quantitative Assessment Factor, and Risk Assessment Plan, is
controlled by the parameter MS_RSK_Display_Owners_Approvers. The system administrator can
configure the display of these fields in one of the following ways:

• Owners
• Owners and Level 1 Approver
• Owners, Level 1 Approver, and Level 2 Approver

Note: Contact your system administrator for parameter configurations.


Activities
Each activity below is followed by what it lets the user do.

RSK - Manage Scenarios: View, create and modify Perspectives through the Perspective form.
RSK - Manage Risk Factors: View, create and modify Factors through Factor forms.
RSK - View All Scheduled Risk Assessments: View all the Risk Assessment Plans despite the access
restriction set for the plan.
RSK - View Scheduled Risk Assessment: View the Risk Assessment Plan owned by the organization the
user belongs to.
RSK - Edit All Scheduled Risk Assessments: Create or modify all the Risk Assessment Plans despite the
access restriction set for the plan.
RSK - Edit Scheduled Risk Assessment: Create a new Risk Assessment Plan or modify an existing Risk
Assessment Plan owned by the organization the user belongs to.
RSK - Approve Scheduled Risk Assessment: Approve Risk Assessment Plans owned by the organization
the user belongs to.
RSK - Assess Risks: Perform Risk Assessments assigned to the user.
RSK - Approve Risk Assessments: Approve Risk Assessments assigned to the user.
RSK - View Risk Assessment: View Risk Assessments through the assessment form where the user is
part of the owner organization or assessed organization.
RSK - View All Risk Assessments: View any Risk Assessment through the assessment form.


Risk Assessments Setup


The admin or program manager in the organization sets up risk assessments. Setting up risk
assessments comprises the following:

• Defining assessment factors (Quantitative/Qualitative)
• Configuring risk scoring algorithm and / or risk matrix
• Configuring heat maps
• Creating perspectives

Sections:
1. Quantitative Assessment Factors
2. Qualitative Assessment Factors
3. Working on Assessment Factors > Owner
4. Working on Assessment Factors > Approver
5. Creating Risk Matrices
6. Risk Scoring Algorithm
7. Perspectives
8. Configuring Organization Weightage
9. Configuring Heat Maps for Standard Factors


Quantitative Assessment Factors


Quantitative Assessment Factors are those factors that are assessed, and the assessment of these
factors determines the overall risk score and rating. Examples of quantitative factors are Impact,
Likelihood, Velocity, and so on.

To assess risks, the risk owner must create a set of assessment factors. You can define the following
assessment factors:

• Standard factors: A standard factor is a type of quantitative factor that has a default weight of 100%.
The weight cannot be modified, and the assessment rating provided by the assessor is taken as a
whole for the overall risk rating calculation. Examples: Impact, Likelihood, Velocity, Dollar Exposure,
and so on are standard factors.
• Non-standard factors: A non-standard factor is another type of quantitative factor whose weight
can be modified by the user when defining the factor and, optionally, by the assessor at the time of
assessment. The factor carries a 100% weight by default, but you can modify the weight value. For
example, consider that the factor rating is provided as High, which translates to a score of 10, and
the weight value is modified to 50%. After applying the weight, the score becomes 5 (10 * 50/100),
and the rating changes to Medium.

You can tag risk assessment factors either as rules based or list of values.

Rule Based Factors

When you tag a factor as Rules Based, it lets you define rules (essentially numeric ranges) and
corresponding ratings and scores. The assessor can provide a numeric value during assessment, which is
verified against the rules defined. Based on the closest match, the rating and score are arrived at.

List of Values Factors

When you tag a factor as List of Values, it allows you to define the factor in such a way that the
responses are available in the form of a drop-down, and the assessor can select the most appropriate
response from the multiple values available during risk assessment. Typically, these values are ratings
such as High, Medium, Low, and so on that are translated to their corresponding scores.


Quantitative Assessment Factor Form


Use the Quantitative Assessment Factor form to capture the name, list of values, and other details of
the factor.

Figure 4: Quantitative Assessment Factor Form


Header
Use the header to capture the quantitative factor name and other details.

Figure 5: Quantitative Assessment Factor Form > Header

Factor Name: Use this field to specify the name or title of the quantitative assessment factor.
Examples: Impact, Likelihood.

Note:
- The maximum limit of characters allowed is 4000.
- For each quantitative factor, a unique ID is generated, which is appended to the name that you have
entered. The combination of name and ID is unique for the quantitative factor form.

Acronym: Enter the short abbreviation for the factor name. Example: PRF is the acronym for the Project
Functional Requirements Definition quantitative assessment factor.

Status: Indicates the current workflow stage of the quantitative assessment factor. At the creation
stage, the status is always New. However, after you submit the form, the status is automatically
updated based on the next workflow stage.
Standard Factor: Use this field to classify the quantitative factor as standard or non-standard.
• If the current factor is a standard factor, select Yes.
• If the current factor is a non-standard factor, select No.

For standard factors, there is no need to put in a weightage value. Examples: Impact, Likelihood,
Velocity, and so on. These factors are effectively used for Enterprise Risk Management and Operational
Risk Management implementations.

For non-standard factors, you must put in a weightage value, which is then multiplied with the factor
score calculated based on the response provided. The weightage value can be in terms of a number or
a percentage. Examples: Process Maturity (80%), History of Significance (5%), Segregation of Duties
(10%), People Dependencies (20%), and so on. These factors are effectively used while performing
detailed audit assessments, and are used across internal audits, risk-based audits and occasionally in
enterprise risk management implementation projects.

Consider that there is a factor called Financial Impact, and the user has rated the factor as High, which
is translated to a score of 5, and the weightage applied is 50%. Then, the final score contribution of
the factor will be 50% of 5, which is 2.5, rounded off to 3.

List of Values/Rules Based (this field is non-editable if you select the value Hierarchical Factor in the
Factor Segmentation field; the value Rules Based then appears in this field): Use this field to decide
the type of response to be provided for the factor.

The following options are available in this field:
• List of Values: Select this option if you want to define a definitive set of responses from which the
assessor can choose one at the time of risk assessment. For example, for the factor 'Impact' that is
created, the possible set of values could be 'High', 'Medium' and 'Low'. The user can choose one of
the three values at the time of assessment.
Note: List of Values is not applicable for hierarchical factors. When the factor segmentation value is
set as Hierarchical Factor, this field value is set to Rules Based, and the field is disabled.

For more information on the List of Values tab, refer to the List of Values Tab section.

• Rules Based: Select this option if you want to define a numeric value as the response and define
the corresponding factor score. On selection, the Scoring Rules tab appears, where you can define
the list of scoring rules and response values.

For more information on the Scoring Rules tab, refer to the Scoring Rules Tab section.

If you choose the value Rules Based, then you can define a set of numeric ranges with a score for
each range. The assessor can type a range of values in the Value fields, and can also define the score
based on the response values and the rating based on the associated score.

Sort Order: Use this field to set the display order of the current quantitative factor in the Risk
Assessments form. This is a numeric-entry field. Based on the value that you enter here, the
quantitative factor is displayed in the Risk Assessments form.
For example, if you enter 2 in this field, this factor is displayed as the second factor in the
quantitative/standard factor section of the Risk Assessments form.

Factor Segmentation: Use this field to determine whether the factor being created has a flat structure
or a hierarchical structure. The following options are available:
• Main Factor: Main factors have a flat structure, and are directly assessed. The scores and ratings
arrived at for main factors directly contribute to the risk score and rating. A main factor can be
either a standard or a non-standard factor.
• Hierarchical Factor and Sub-Factor: Hierarchical factors and sub-factors share a parent-child
relationship. Multiple sub-factors can be mapped to a single hierarchical factor.

Example:
Hierarchical Factor => Impact
Sub-Factors => Financial Impact, Reputational Impact

When there are sub-factors defined for a hierarchical factor, the sub-factors are directly assessed, and
together contribute to the score and rating for the hierarchical factor based on the computation logic
selected. For example, if the computation logic selected is Sum, then the hierarchical factor score is the
sum of all the sub-factor scores.

The score displayed for the hierarchical factor is based on the score arrived at using the computation
logic specified. The same is then mapped against the ranges defined in the hierarchical factor, and the
rating is picked corresponding to the range within which the computed score falls.

If there are no sub-factors mapped to the hierarchical factor, then the hierarchical factor can be
assessed directly.

For details, refer to the attachment.

Computation Logic (appears only if you select the value Hierarchical Factor in the Factor Segmentation
field): Use this field value to determine the logic that needs to be applied on the scores of the
sub-factors to calculate the resultant hierarchical factor score.

Example:
Hierarchical Factor => Impact
Sub-Factors => Financial Impact, Reputational Impact
Score => Financial Impact = 4, Reputational Impact = 8

• Average: The hierarchical factor score is calculated by taking the average of all the sub-factor scores.
Average: Impact => AVG (Financial Impact, Reputational Impact) = (4+8)/2 = 6
• Maximum: The hierarchical factor score is calculated by taking the maximum value from all the
sub-factor scores.
Maximum: Impact => MAX (Financial Impact, Reputational Impact) = 8
• Minimum: The hierarchical factor score is calculated by taking the minimum value from all the
sub-factor scores.
Minimum: Impact => MIN (Financial Impact, Reputational Impact) = 4
• Product: The hierarchical factor score is calculated by multiplying the scores of all the sub-factors.
Product: Impact => PROD (Financial Impact, Reputational Impact) = 4*8 = 32
• Sum: The hierarchical factor score is calculated by adding the scores of all the sub-factors.
Sum: Impact => SUM (Financial Impact, Reputational Impact) = 4+8 = 12

Hierarchical Factors (appears only if the Factor Segmentation value chosen is Sub-Factor): Use this
field to map sub-factors to a hierarchical factor so that the score of the sub-factor rolls up to the
hierarchical factor based on the computation logic defined.

Note:
- The sub-factors are populated in the Risk Assessments form based on the risk categories and the
hierarchical factor to which they are associated.
- Sub-factors tagged as standard factors can be associated only with hierarchical factors tagged as
standard factors. Similarly, sub-factors tagged as non-standard factors can be associated only with
hierarchical factors tagged as non-standard factors.

The following assessment logic is used for calculating the factor scores:
• If there are no sub-factors associated with the hierarchical factor, then the response field of the
hierarchical factor is editable and the default score is not considered for score calculation.


Details Tab
Use the Details tab to enter the details of the quantitative factor.

Figure 6: Quantitative Assessment Factor Form > Details Tab

General
Use this region to capture the contextual information about the Quantitative Assessment Factor
defined in the module.

Description: Type the details of the assessment factor by clicking the rich text (RTF) editor icon.

Note: You can enter a maximum of 4000 characters in this field.

For more information on RTF functions, refer to the MetricStream Portal User Guide Release 6.1 SP5.

Categorization
Use this section to categorize the quantitative assessment factor.

Risk Category(ies): Select the risk categories to which the quantitative factor is mapped. The risk
categories selected for a factor must match the ones that are mapped to the risk being assessed, as
well as the Perspective created.

The values in this field are populated from the GRC Foundation module. The risk categories are created
in a data table within the GRC Foundation module and used in the Risk Assessments module during the
risk assessment.

Note: If you do not define any risk category(ies) for a factor, then all risk categories apply to that
particular factor. In this case, risk category does not act as a filter for the factor.

Applicable For (this field is available only if you select the value Yes in the Standard Factor field. This
field is not available if you select the value Sub Factor in the Factor Segmentation field): Use this field
to specify whether the factor contributes to only the inherent section or to both the inherent and
residual sections. The following options are available in this field:
• Inherent Rating: If the current standard factor rating/score is used for calculating only the inherent
risk rating, select this option.
• Inherent Rating and Residual Rating: If the current standard factor rating/score is used for
calculating both the inherent risk rating and the residual risk rating scores, select this option.
Note: The segmentation value specified determines whether the factor must be available only for
inherent calculation or for both inherent and residual calculations.

For more information on the risk scoring algorithm, refer to the Risk Scoring Algorithm section.

Input Type (this field is not available if you select the value Yes in the Standard Factor field): Use this
field to determine the input type for classifying the default weightage factor as a number or a
percentage. This is needed for setting the weightage aspect of each non-standard factor being defined
in the system. The following options are available:
• Number: If you select this option, it indicates that the value entered in the Default Weighting Factor
field is to be considered as a number.
• Percentage: If you select this option, it indicates that the value entered in the Default Weighting
Factor field is to be considered as a percentage.

Default Weighting Factor (this field is not available if you select the value No in the Standard Factor
field): Use this field to specify a default weighting factor for the current quantitative factor. The final
computation of the factor score is based on the value chosen in the Input Type field and the value
entered in the Default Weighting Factor field. Based on the value that you enter in this field, the
Weighting Factor field is populated in the Risk Assessment form. By default, the value 100 is displayed
in this field. You can change the value as required.

The value that you enter here is used in the risk scoring roll-up during the risk assessment stage. This
value can be replaced by the overridden value if the assessor overrides the default score.

The following are the ranges of values:
• Percentage: 1 to 100
• Number: 1 to 100

If the factor score is 5, the input type is Percentage, and the default weighting factor is 50%, then the
final computed score of the factor is 5 X 50% = 2.5, rounded off to 3.

If the factor score is 5, the input type is Number and the default weighting factor is 50, the final
computed score of the factor is 5 X 50 = 250.

Factor Contribution (this field is available if you select the value No in the Standard Factor field. This
field is not available if you select the value Sub Factor in the Factor Segmentation field): Use this field
to specify how the factor score and rating contribute to the overall risk assessment.

The following options are available:
• Exclude Scores: If you do not want the inherent risk score and residual risk score for the current
quantitative factor, select this option.
• Increases Inherent Risk: If the current quantitative factor contributes to increasing the inherent
risk, select this option.
• Reduces Residual Risk: If the current quantitative factor contributes to reducing the residual risk,
select this option.
• Reduces Inherent Risk: If the current quantitative factor contributes to reducing the inherent risk,
select this option.
Note: If the value chosen is either Increases Inherent Risk or Reduces Inherent Risk, the factor is
available only for inherent risk assessment. If the value chosen is Reduces Residual Risk, the factor is
available only for residual risk assessment.

Ownership and Security
Use this section to specify one or more business units responsible for taking ownership for maintaining the factor record.

Owner Organization(s)
Select one or more organizations responsible for maintaining the quantitative assessment factor.
This is not the set of organizations that the quantitative assessment factor applies to. This field controls the workflow (for approvals) and security for the quantitative factor contents, where the security is restricted to owner organizations.



Owner(s)
Select one or more owners for owning/maintaining the factor. The factor owners are the users who belong to the owner organizations and their parents, with RSK - Manage Factors access rights.
If no owners are explicitly selected, then the assignment is sent to all users with RSK - Manage Factors from the selected owner organizations and their parents. The user who responds to the assignment becomes the responsible owner.
If there are no users with the RSK - Manage Factors activity, then the factor initiator becomes the responsible owner.

Level 1 Approver
(the display of this field is controlled by the configuration parameter MS_RSK_Owners_Approvers)
Use this field to select the level 1 approver for approving the factor content after re-work by the owners. The level 1 approvers are the users who belong to the owner organizations and their parents, with RSK - Manage Factors access rights.
If no level 1 approvers are selected, then the assignment gets published after approval from the owner.

Level 2 Approver
(the display of this field is controlled by the configuration parameter MS_RSK_Owners_Approvers)
Use this field to select the level 2 approver for approving the factor content after approval by the level 1 approver. The level 2 approvers are the users who belong to the owner organizations and their parents, with RSK - Manage Factors access rights.
If no level 2 approvers are selected, then the assignment gets published after approval from the owner and the level 1 approver.

Restrict Access To
Use this field to restrict the visibility of the factor content to users belonging to the selected owner organizations, or to apply no restriction.
- If you select No Restrictions in this field, all users with the RSK - View Scheduled Risk Assessment activity can view this quantitative assessment factor.
- If you select Owner Organization(s) in this field, only users in the owner organizations of the quantitative assessment factor with the RSK - View Scheduled Risk Assessment activity can view this quantitative assessment factor, and only users in the owner organization of the current quantitative assessment factor with the RSK - Edit Scheduled Risk Assessment activity can edit this quantitative assessment factor.

Validity (Dates)
Use this region to define the longevity of the quantitative assessment factor.

Valid From
Enter the date from which this quantitative assessment factor is valid. On the selected date, the quantitative assessment factor is available for selection in the Risk Assessment Plan form for assessment.
Note: You must use the MM/DD/YYYY format.



Valid Until
Enter the date until which this quantitative assessment factor is valid. This quantitative assessment factor is not available for assessment after the selected date.
Note:
- You must use the MM/DD/YYYY format.
- You must enter a date that is later than the entered Valid From date.
- If you do not enter any date in this field, this quantitative assessment factor possesses perpetual validity.
- The user with the RSK – Manage Risk Factors activity can edit this date, and this quantitative assessment factor is again available in the Risk Assessment Plan form for assessment.
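The Default Weighting Factor computation described above (factor score multiplied by the weighting factor, with the Percentage case rounded off as in the guide's 5 X 50% = 2.5 rounded to 3 example, and the Number case left unrounded as in 5 X 50 = 250), as an added Python example that is not part of this guide or of the MetricStream product. It assumes round-half-up rounding, which is what the guide's example shows, and the names PERCENTAGE, NUMBER, validate_weighting_factor, weighted_factor_score and assessor_override are the example's own:

```python
from decimal import Decimal, ROUND_HALF_UP

# Values of the Input Type field as named in the guide.
PERCENTAGE = "Percentage"
NUMBER = "Number"

# Allowed weighting factor range stated in the guide for both input types.
WEIGHT_MIN, WEIGHT_MAX = 1, 100


def validate_weighting_factor(weight, input_type):
    """Reject a weighting factor outside the 1 to 100 range the guide states."""
    if input_type not in (PERCENTAGE, NUMBER):
        raise ValueError(f"unknown input type: {input_type!r}")
    if not WEIGHT_MIN <= weight <= WEIGHT_MAX:
        raise ValueError(
            f"{input_type} weighting factor must be between {WEIGHT_MIN} and "
            f"{WEIGHT_MAX}, got {weight}"
        )


def weighted_factor_score(factor_score, weight, input_type, assessor_override=None):
    """Final score of one quantitative factor.

    factor_score      score attached to the response the assessor selected
    weight            Default Weighting Factor (or the value the assessor edited it to)
    input_type        PERCENTAGE or NUMBER, as set in the Input Type field
    assessor_override if the assessor overrides the default score, that value replaces
                      the computed one (the guide says the override wins in the roll-up)
    """
    if assessor_override is not None:
        return Decimal(str(assessor_override))
    validate_weighting_factor(weight, input_type)
    score = Decimal(str(factor_score))
    w = Decimal(str(weight))
    if input_type == PERCENTAGE:
        # 5 x 50% = 2.5 is "rounded off to 3" in the guide, so ROUND_HALF_UP is assumed;
        # Python's built-in round(2.5) would give 2 (banker's rounding).
        return (score * w / Decimal(100)).quantize(Decimal("1"), rounding=ROUND_HALF_UP)
    # Number: plain multiplication, 5 x 50 = 250, with no rounding step described.
    return score * w


if __name__ == "__main__":
    # The two cases worked in the guide's Default Weighting Factor description.
    print(weighted_factor_score(5, 50, PERCENTAGE))  # 3
    print(weighted_factor_score(5, 50, NUMBER))      # 250
```

Decimal is used rather than float so that 2.5 is represented exactly before rounding; with binary floats a product such as 0.5 * 5 happens to be exact, but other percentages (for example 35%) are not, and the rounding direction at the half-way point would then depend on representation error rather than on the rule.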


List of Values Tab


Use the List of Values tab to define the list of values for the assessor to assess the current quantitative
factor. A risk score can be defined for each response here. You must add at least one response in this
tab. Based on the responses and the corresponding scores defined, the module automatically
calculates the risk score. You can define the list of values for both standard factors and non-standard
factors in this tab. This tab is not available for hierarchical factors. You can define the list of values for
main and sub factors.

Figure 7: Quantitative Assessment Factor Form > List Of Values Tab

List Of Values
Use this section to describe the user-specific responses and associate a numeric score for computing the inherent and residual risk scores accordingly for the factor record available for risk assessment.



Display ‘Not Applicable’ as a choice to Assessor
If you want to give the assessor an option to include or exclude the factor for risk assessment, select this check box.
Note:
- If you select this check box, in the Risk Assessment form, the tick mark corresponding to the factor names in the respective inherent and residual sections appears in green color by default. If the assessor chooses not to consider the factor for risk calculation, then he or she needs to click on the green tick mark. A message pops up stating that the selected factor will not be part of the calculations. Click OK to continue. The green tick mark is then replaced with a different icon, which indicates that the corresponding factor is not considered in the computation to calculate the risk score and rating.
- If you do not select this check box, in the Risk Assessment form, the tick mark corresponding to the factor names in the respective inherent and residual sections appears in gray color. In this case, the assessor has to mandatorily consider the factor in the computation to calculate the risk score and rating.
- If you have selected the value Sub Factor in the Factor Segmentation field, this check box is selected by default.
The following figure illustrates the above scenarios in the Risk Assessment form.

Add Value link
To add a new value for the factor, click the Add Row link. The list of values related fields appear. To add additional list of values, click this link as many times as required.

Response
Use this field to specify every value that must appear for the assessor to choose from in the Assessment field in the Risk Assessment form.
Note:
- The field can accept alphanumeric values.
- The field accepts a maximum of 4000 characters.
You can re-initiate the Factor form at any time and modify the values.



Default Response?
Use this field to indicate whether the response value has to be displayed as the default response during the risk assessment. You must select at least one default response. The selected response appears as the default response in the Assessment field of the Risk Assessment form. The available options in this list are Yes and No.

Score
Use this field to capture the score corresponding to the response value. The score that you enter here is used to calculate the risk score.
Note:
- You can enter a maximum of 10 digits in this field.
- The field accepts positive integers as well as decimal values.

Response Description
Type the detailed description of each response being defined by clicking the icon next to the field.
Note: You can enter a maximum of 4000 characters in this field.

Response Order
Use the values provided in this field to determine the sequence in which the factor responses are displayed in the Risk Assessment form. This is particularly useful if the responses need to be sorted logically (for example, High / Medium / Low) and not alphanumerically. By default, the Response Order value for the first row is 1, and subsequent rows display the subsequent numbers. However, you can edit them based on the order in which you want the responses to be displayed in the Risk Assessment form.
Note:
- You can enter a maximum of 10 digits in this field.
- The field accepts only positive integer values.

Delete Last Value link
To delete the last added row, click the Delete Last Value link.

Scoring Rules Tab


The Scoring Rules tab appears only when you select the value Rules Based in the List of Values/Rules Based field. Use this tab to define the risk scoring rules for the factor. You must add at least one scoring rule in this tab. You can also specify the rating for each scoring rule. Based on the rules and the rating that you define here, the risk score is calculated. For hierarchical factors, only this tab is available, and you must define their scoring rules here.

Figure 8: Quantitative Assessment Factor Form > Scoring Rules Tab


Scoring Rules
Use this section to describe a set of rules and assign a corresponding score for the result.

Display ‘Not Applicable’ as a choice to Assessor
If you want to give the assessor an option to include or exclude the factor for risk assessment, select this check box.
Note:
- If you select this check box, in the Risk Assessment form, the tick mark corresponding to the factor names in the respective inherent and residual sections appears in green color by default. If the assessor chooses not to consider the factor for risk calculation, then he or she needs to click on the green tick mark. A message pops up stating that the selected factor will not be part of the calculations.
- Click OK to continue. The green tick mark is then replaced with a different icon, which indicates that the corresponding factor is not considered in the computation to calculate the risk score and rating.
- If you do not select this check box, in the Risk Assessment form, the tick mark corresponding to the factor names in the respective inherent and residual sections appears in gray color. In this case, the assessor has to mandatorily consider the factor in the computation to calculate the risk score and rating.
- If you have selected the value Sub Factor in the Factor Segmentation field, this check box is selected by default.
The following figure illustrates the above scenarios in the Risk Assessment form.

Input Type
Use this field to classify the input type (unit of measure) for the scoring rules defined for the quantitative factor. The following options are available:
- Amount: If you select this option, the values entered in the Value1, Value2, and Score fields are considered as an amount (in dollars).
- Number: If you select this option, the values entered in the Value1, Value2, and Score fields are considered as a number.
- Percentage: If you select this option, the values entered in the Value1, Value2, and Score fields are considered as a percentage.



Currency
(appears only if you select the value Amount in the Input Type field)
Select the currency in which the amount has to be considered. By default, the Dollar ($) option is available. The values that are entered for the amount in the Value1, Value2, and Score fields are considered in dollars or in the specified currency.

Add Rule link
To add a new rule for the factor, click the Add Row link. The scoring rules related fields appear. To add additional scoring rules, click this link as many times as required.

Row#
The row number appears. The value that you enter in each row is considered and compared during the risk score calculation.

Type
Specify the type of scoring rule. The following value is available in this field:
- In Range: Specify the lower and upper values for the range in the Value1 and Value2 fields respectively.
This is a multi-row region; you must not enter the same value range in two different rows. If you enter the same value range in two different rows, the system populates the risk score with the default score entered in the Default Score field in the Risk Assessment form, because the system is not able to recognize which value needs to be populated as the risk score.

Value1
Specify the lower cap for the range. This is a numeric-entry field. For example, to define a range between 10 and 20, the lower cap value of 10 has to be entered in the Value1 field.

Value2
Specify the upper cap for the range. This is a numeric-entry field. For example, to define a range between 10 and 20, the upper cap value of 20 has to be entered in the Value2 field.

Score
The value in this field is used for calculating the overall risk score. The score provided here is computed against the other factor scores based on the formula selected.

Rating
Use this field to specify the rating value corresponding to the range and the score defined in the rule.
Note: This is an alphanumeric field and accepts letters and numbers. You can enter a maximum of 60 characters in this field.

Scoring Rule Description
Type the scoring rule description by clicking the icon next to the field.
Note: You can enter a maximum of 4000 characters in this field. For more information on RTF functions, refer to the MetricStream Portal User Guide Release 6.1 SP5.



Default Score
Use this field to specify the default score for this factor if the response provided by the user does not match any of the rules/ranges defined. The default score is applicable for main, hierarchical, and sub-factors.
For example, with the following rule and defaults:
Type: In Range
Value1: 5
Value2: 10
Score: 3
Rating: Low
Default Score: 5
Default Rating: Low
If the risk assessor enters the value 7 in the Current Assessment field, the defined scoring rule is satisfied, so the system populates 3 as the risk score for the current factor.
If the value entered by the risk assessor is 11, the defined scoring rule is not satisfied, so the system populates 5 as the risk score and Low as the risk rating for the current factor.
Note:
- You can enter a maximum of 10 digits in this field.
- The field accepts positive and negative integers as well as decimal values.
- The default score in a rules-based factor accepts only values from one of the ranges defined in that factor. If you enter any value other than a value from the defined ranges, an alert message is displayed.



Default Rating
Enter the rating corresponding to the default score in this field. The default score is applicable for main, hierarchical, and sub-factors.
For example, with the following rule and defaults:
Type: In Range
Value1: 5
Value2: 10
Score: 3
Rating: Low
Default Score: 5
Default Rating: Low
If the risk assessor enters the value 7 in the Current Assessment field, the defined scoring rule is satisfied, so the system populates 3 as the risk score for the current factor.
If the value entered by the risk assessor is 11, the defined scoring rule is not satisfied, so the system populates 5 as the risk score and Low as the risk rating for the current factor.
Note:
- The default rating in a rules-based factor accepts only values from one of the ranges defined in that factor. If you enter any value other than a value from the defined ranges, an alert message is displayed.
- You can enter alphanumeric values up to 60 characters long in this field.

Delete Last Rule link
To delete the last added scoring rule, click the Delete Last Row link.
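The rule matching described for the Default Score and Default Rating fields above (a value inside a single In Range rule takes that rule's score and rating, a value outside every rule takes the defaults, and the same range entered in two rows also falls back to the defaults because the system cannot tell which row applies), as an added Python example that is not part of this guide or of the MetricStream product. It treats the range bounds as inclusive and reads the note that the default score must come from one of the defined ranges as "falls within some rule's Value1..Value2"; both are assumptions, and the names ScoringRule, RulesBasedFactor, rule, make_factor, validate_default_score and evaluate are the example's own:

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List


@dataclass(frozen=True)
class ScoringRule:
    """One row of the Scoring Rules tab; only the In Range type exists on this page."""
    value1: Decimal   # lower cap of the range
    value2: Decimal   # upper cap of the range
    score: Decimal
    rating: str


@dataclass(frozen=True)
class RulesBasedFactor:
    """A rules-based quantitative factor: its rule rows plus the default score and rating."""
    rules: List[ScoringRule]
    default_score: Decimal
    default_rating: str


def rule(value1, value2, score, rating):
    """Build a rule row, converting the numeric fields to Decimal to avoid float noise."""
    return ScoringRule(Decimal(str(value1)), Decimal(str(value2)), Decimal(str(score)), rating)


def make_factor(rules, default_score, default_rating):
    """Build a factor, converting the default score to Decimal like the rule fields."""
    return RulesBasedFactor(list(rules), Decimal(str(default_score)), default_rating)


def in_range(r, value):
    """Inclusive bounds are an assumption: the guide shows 7 matching 5..10 and 11 not
    matching, but does not say whether 5 or 10 themselves match."""
    return r.value1 <= value <= r.value2


def validate_default_score(factor):
    """Mirror the alert the guide describes: the default score must be a value from one
    of the defined ranges (its example has Default Score 5 inside the range 5 to 10).
    Reading that as 'falls within some rule's Value1..Value2' is an interpretation."""
    if not any(in_range(r, factor.default_score) for r in factor.rules):
        raise ValueError(
            f"default score {factor.default_score} lies outside every defined range"
        )
    return True


def evaluate(factor, assessed_value):
    """Score and rating for the value the assessor entered in Current Assessment.

    Exactly one matching rule -> that rule's score and rating.
    No matching rule, or more than one (the same range entered twice) -> the default
    score and rating, because the system cannot tell which row applies.
    """
    value = Decimal(str(assessed_value))
    matches = [r for r in factor.rules if in_range(r, value)]
    if len(matches) == 1:
        return matches[0].score, matches[0].rating
    return factor.default_score, factor.default_rating


if __name__ == "__main__":
    # The guide's example: one In Range rule 5..10 scoring 3/Low, default 5/Low.
    factor = make_factor([rule(5, 10, 3, "Low")], 5, "Low")
    validate_default_score(factor)
    print(evaluate(factor, 7))   # (Decimal('3'), 'Low')
    print(evaluate(factor, 11))  # (Decimal('5'), 'Low')
```

Treating any multiple match as ambiguous (not only identical ranges) is deliberate: overlapping rows have the same problem the guide describes for duplicated rows, and falling back to the configured default is the safer outcome than silently picking the first row.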

Additional Details Tab


Use the Additional Details tab to attach documents that the user can refer to.

Figure 9: Quantitative Assessment Factor Form > Additional Details Tab

History
When you modify an existing plan, two more additional fields are displayed. For more information on these fields, refer to the Risk Assessment Forms - Additional Details Tab section.

Created By
The full user name of the person who created the quantitative assessment factor appears (at this stage, it is the logged-in user).

Created On
The date on which the quantitative assessment factor was created appears.

Documents

Attach File(s)
To attach a file, perform the following steps:
1. Click the Browse… button.
2. Select the file from your local drive.
The file is attached, and the name of the attached file appears.
Note: You may attach one or more files, as required.
To delete an attached file, click the Delete icon on the right side of the attached file.

Modify/Review/Approve Section
Use the Modify/Review/Approve section to take action on the factor.

Figure 10: Quantitative Assessment Factor Form > Action Section

Modify/Review/Approve

Action
The following action values are available in the Quantitative Assessment Factor form while you are creating a quantitative assessment factor:
- Send for Approval: To send the quantitative assessment factor for approval, select this option. After you submit the form, the Quantitative Assessment Factor is routed to the approval cycle.
For more information on the approval cycle, refer to the Risk Assessments Workflow section.

Comment(s)
Enter your comments regarding the quantitative assessment factor. After you submit the form, the Comments History report is updated with the comments that you enter.

Comments History link
To view the Comments History report, click the Comments History report link. The Comments History report appears. This report displays the comments entered by all the users who worked on this form, in chronological order. Click the Done button to close the report. When you create the quantitative assessment factor for the first time, the Comments History report does not display any details.

After entering all the required details in the form, click to submit the form. For more
information on the form toolbar icons, see Form Tool Bar.

Task Assignments and E-mail Notifications


After you submit the current form, assignments and e-mails are generated to the respective users, as
shown in the following table.

Submitted By: Initiator
Note: When no owners are selected, the system sends the assignment to all eligible owners based on the Manage Factors activity mapped to users within the Factor Owner organizations.

Action Selected: Send For Approval
Assigned To: Owner
Form Assigned: Quantitative Assessment Factor form
E-Mail Sent: Owner

Action Selected: Submit Clarifications (this action is available only when the owner has requested clarification and the Initiator is sending the form back to the owner with the required clarifications)
Assigned To: Owner
Form Assigned: Quantitative Assessment Factor form
E-Mail Sent: Owner

Related Reports
- Quantitative Assessment Factors Report

Qualitative Assessment Factors


Qualitative factors are usually a set of questions to which the response type can be a simple text, a date, options such as Yes/No, a paragraph, and so on. The qualitative factors are those whose responses do not directly contribute to the risk score or rating. The qualitative factor responses are typically used for reference, reporting, and documentation purposes.

Examples:

- When was the last assessment done? The response type in this case is a date.
- Has the necessary training been provided to all employees regarding the handling of risks? The response type can be Yes/No.

Using the Qualitative Assessment Factor form, you can define questions and the corresponding
response. The question and the response type that you define here are available in the Qualitative tab
of the Risk Assessment form. The risk assessor can respond to the questions.

Qualitative Assessment Factor Form


Use the Qualitative Assessment Factor form to capture the details and additional details of the qualitative assessment factor.

Figure 11: Qualitative Assessment Factor Form

Header
Use the header section to capture the qualitative factor name and other details.

Figure 12: Qualitative Assessment Factor Form > Header

Factor Name
Type the name of the qualitative factor. You can create multiple qualitative assessment factors with the same name. After providing the name, if you click outside this field, the entered name appears next to the form title.
Note:
- The maximum number of characters allowed is 100.
- For each qualitative assessment factor, a unique ID is generated, which is appended to the name that you have entered. The combination of name and ID is unique for every qualitative assessment factor.

Status
When you create a factor for the first time, this field shows the status as New.

Sort Order
Use this field to set the display order of the current qualitative factor in the Risk Assessment form. This is a numeric-entry field. Based on the value that you enter here, the module displays this qualitative factor at that position in the Risk Assessment form. For example, if you enter 2 in this field, the module displays this factor as the second item in the Qualitative tab of the Risk Assessment form.

Details Tab
Use the Details tab to enter the details of the current qualitative factor.

Figure 13: Qualitative Assessment Factor Form > Details Tab

General
Use this region to enter general details of the qualitative assessment factor.

Description
Type any additional information about the qualitative assessment factor by clicking the icon next to the field.
Note: You can enter a maximum of 4000 characters in this field. For more information on RTF functions, refer to the MetricStream Portal User Guide Release 6.1 SP5.

Response Type
Select the type of response that you want from the risk assessor for this qualitative factor. The following options are available in this field:
- Amount: If you select this option, the risk assessor can enter only numbers as the response for the qualitative factor.
- Date: If you select this option, the risk assessor can enter only a date as the response for the qualitative factor.
- List Of Values: Based on the values that you define in the Value field, the risk assessor can select any one of the values as the response for the current qualitative factor.
- Number: If you select this option, the risk assessor can enter only numbers as the response for the current question.
- Text: If you select this option, the respondent can enter alphanumeric values as the response for the current qualitative factor.


Currency
(appears only if you select the value Amount in the Response Type field)
Select the currency in which the amount is to be considered. By default, the $(USD) option is available. The values that the assessor enters in the amount response field during the risk assessment are considered in dollars.

Value
(appears only if you select the value List of Values in the Response Type field)
Use this field to enter the specific values, separated by commas, that serve as the responses for the selected response type (List of Values).

Categorization
Use this region to categorize the qualitative assessment factor.

Category(ies)
Select the risk categories to which this qualitative factor applies. The module automatically selects the risks associated with the selected risk categories during the Risk Assessment stage for the current qualitative factor. For example, if you have selected category 1 and it is associated with three risks, all three risks are populated during the Risk Assessment stage for the current qualitative factor.
The values in this field are populated from the GRC Foundation module. The risks are created in the GRC Foundation module and used in the Risk Assessments module during the risk assessment.

Ownership and Security
Use this region to select the owners for the qualitative assessment factor.

Owner Organization(s)
Select one or more organizations responsible for maintaining this qualitative assessment factor. This is not the set of organizations that this qualitative assessment factor applies to. This field controls the workflow (for approvals) and security (for qualitative factor contents, where security is restricted to Owner Organizations).
For more information on the approval cycle, refer to the Configuration Settings for Approval Workflow section.

Owner(s)
Select one or more owners of this qualitative assessment factor. Only owners of the qualitative assessment factor can edit it. The qualitative assessment factor owners are the users who belong to the owner organizations with the RSK - Edit Scheduled Risk Assessment activity and the RSK - Edit All Scheduled Risk Assessments activity.
If the initiator and owner are different, on submission of the Qualitative Assessment Factor form, an assignment is generated to the qualitative assessment factor owner to take action on the submitted qualitative assessment factor.
For more information on the approval cycle, refer to the Configuration Settings for Approval Workflow section.


Level 1 Approver
(the display of this field is controlled by the configuration parameter MS_RSK_Owners_Approvers)
Select the first-level approver for this qualitative assessment factor. The level 1 approver is a user who belongs to the owner organizations with the RSK - Approve Scheduled Risk Assessment activity.
For more information on the approval cycle, refer to the Configuration Settings for Approval Workflow section.
If you select any user in this field, after you submit the form, an assignment is generated to the selected user to review and approve the current qualitative assessment factor details.

Level 2 Approver
(the display of this field is controlled by the configuration parameter MS_RSK_Owners_Approvers)
Select the level 2 approver for this qualitative assessment factor. The level 2 approver is a user who belongs to the owner organizations with the RSK - Approve Scheduled Risk Assessment activity.
For more information on the approval cycle, refer to the Configuration Settings for Approval Workflow section.
If you select any user in this field, after the first-level approval, an assignment is generated to the selected user to review and approve the current qualitative assessment factor details.

Restrict Access To
Use this field to control the access rights of users to the current qualitative assessment factor.
- If you select No Restrictions in this field, all users with the RSK - View Scheduled Risk Assessment activity can view this qualitative assessment factor, and all users with the RSK - Edit Scheduled Risk Assessment activity can edit it.
- If you select Owner Organization(s) in this field, only users in the owner organization of the current qualitative assessment factor with the RSK - View Scheduled Risk Assessment activity can view it, and only users in the owner organization of the current qualitative assessment factor with the RSK - Edit Scheduled Risk Assessment activity can edit it.

Validity (Dates)
Use this region to define the longevity of the qualitative assessment factor.

Valid From
Enter the date from which this qualitative assessment factor is valid. On the selected date, the qualitative assessment factor is available for assessment.
Note: You must use the MM/DD/YYYY format.


Valid Until
Enter the date until which this qualitative assessment factor is valid. This qualitative assessment factor is not available for assessment after the selected date. If you do not specify a date in the Valid Until field, the factor is valid forever.
Note:
- You must use the MM/DD/YYYY format.
- You must enter a date that is later than the entered Valid From date.
- If you do not enter any date in this field, this qualitative assessment factor possesses perpetual validity.
- The user with the RSK – Manage Risk Factors activity can edit this date, and this qualitative assessment factor is again available in the Risk Assessment Plan form for assessment.

Additional Details Tab


Use the Additional Details tab to attach documents that the user can refer to.

Figure 14: Qualitative Assessment Factor Form > Additional Details Tab

History
When you are modifying an existing plan, two more additional fields are displayed. For more information on these fields, refer to the Clarification Assignments section.

Created By
The name of the person who created the qualitative assessment factor appears (at this stage, it is the logged-in user).

Created On
The date on which the qualitative assessment factor was created appears.

Documents

Attach File(s)
To attach a file, perform the following steps:
1. Click the Browse… button.
2. Select the file from your local drive.
The file is attached, and the name of the attached file appears.
Note: You may attach one or more files, as required.
To delete an attached file, click the Delete icon on the right side of the attached file.

After entering all the required details in the form, click to submit the form. For more information
on the form toolbar icons, see Form Tool Bar.

Modify/Review/Approve Section
Use the Modify/Review/Approve section to take action on the current qualitative assessment factor.

Figure 15: Qualitative Assessment Factor Form > Modify/Review/Approve Section

Task Assignments and E-mail Notifications


After you submit the current form, assignments and e-mails are generated to the respective users; also
new status is displayed in the subsequent/previous form as shown in the following table.

Submitted By: Initiator
Note: When no owners are selected, the system sends the assignments to all eligible owners based on
the Manage Factors activity mapped to users within the Factor Owner organizations.

Action Selected: Send For Owner Approval
  Assigned To: Owner
  Form: Qualitative Assessment Factor form
  Form Status: Approval Pending
  E-Mail Sent: Owner

Action Selected: Submit Clarifications (this action is available only when the owner has requested
clarification and the initiator is sending the form back to the owner with the required clarifications)
  Assigned To: Owner
  Form: Qualitative Assessment Factor form
  Form Status: Approval Pending
  E-Mail Sent: Owner

Related Reports
Qualitative Assessment Factors Report

Working on Assessment Factors > Owner


As an owner, you can review the factor details and take appropriate action regarding the quantitative/
qualitative assessment factors. The forms available at the owner stage are the same as the initiation
stage. You can access the assignment from My Tasks menu.

Accessing Quantitative/Qualitative Assessment Factor Form


- Click the Approve Quantitative/Qualitative Factor <Quantitative/Qualitative Assessment Factor
Name> (<Quantitative/Qualitative Assessment Factor ID>) (<PID>) link in the My Tasks menu.

For more information on the My Tasks menu, see About My Tasks Menu.

Workflow Changes
At this stage, all the tabs, sections, and fields of the Quantitative/Qualitative Assessment Factor form
are the same as initiation stage except for a few field-level changes, which are captured in the following
table. For more details on the Quantitative and Qualitative form, see Quantitative Assessment Factor
Form and Qualitative Assessment Factor Form respectively.

Field/List Name Description


Header Section
Status Status of the Quantitative/Qualitative Assessment Factor is
automatically updated as Approval Pending.
Additional Details Tab
Note: The following fields are read-only at the owner review stage of the Quantitative/Qualitative
Assessment Factor form.
Created On The date on which the current Quantitative/Qualitative
(non editable) Assessment Factor form is created appears.
Created By The name of the user who created the current Quantitative/
(non editable) Qualitative Assessment Factor form appears.
Action Section
The options available in the Action field vary at the owner stage.

Action The following actions are available in the Quantitative Assessment
Factor/Qualitative Assessment Factor form while you work on the
quantitative assessment factor/qualitative assessment factor as an
owner.
- Approve: To approve the assessment factor and send it to the selected
level 1 approver for approval, select this option.
- Request Clarification(s): To request clarification from the
assessment factor initiator, select this option.
- Cancel: To cancel and close the assessment factor, select this option.
If you select Cancel, the assessment factor is closed and no
assignments are generated.

Note:
- If no approver is selected for this assessment factor, the factor is
published when you select the Approve option.
- After you submit the form, the Quantitative Assessment Factor/
Qualitative Assessment Factor form is routed to different users based
on the action selected.

Comments Enter your comments regarding the quantitative assessment
factor/qualitative assessment factor.
After you submit the form, the Comments History report is
updated with the comments that you enter.
Comments History link To view the Comments History report, click the Comments History
report link. The Comments History report appears.
This report displays the comments entered by all the users who
worked on this form, in chronological order.
Click the Done button to close the report.

After entering all the required details in the form, click the Submit icon in the form toolbar to submit
the form. For more information on the form toolbar icons, see Form Tool Bar.

Task Assignments and E-mail Notifications


After you submit the current form, assignments and e-mails are generated to the respective users; also
new status is displayed in the subsequent form, as shown in the following table.

Submitted By: Owner
Note: If no Level 1 Approver is mentioned, the form is published directly.

Action Selected: Approve
  Assigned To: Level 1 Approver
  Form: Quantitative Assessment Factor/Qualitative Assessment Factor
  Form Status: Approval Pending
  E-Mail Sent: Level 1 Approver; CC: Initiator

Action Selected: Cancel
  Assigned To: Not applicable
  Form: Not applicable. The form is canceled and is no longer available in the system.
  Form Status: Not applicable
  E-Mail Sent: Initiator

Action Selected: Request Clarifications
  Assigned To: Initiator
  Form: Quantitative Assessment Factor/Qualitative Assessment Factor
  Form Status: Clarification Requested in the previous form (initiator stage)
  E-Mail Sent: Initiator

Action Selected: Submit Clarifications (this action is available only when the level 1/level 2 approver
has requested clarification and the owner works on the form to provide the required clarifications)
  Assigned To: Level 1 Approver
  Form: Quantitative Assessment Factor/Qualitative Assessment Factor
  E-Mail Sent: Level 1 Approver; CC: Initiator

Working on Assessment Factors > Approver


When the quantitative assessment factor/qualitative assessment factor owner sends the factor for
approval, the selected level 1 approver receives the assignment. If no approvers are selected when the
owner approves the quantitative assessment factor/qualitative assessment factor, the factor is
published automatically.

Note: To select the level 2 approver, you must select the level 1 approver. Otherwise, the module does not
populate list of values for selection in the Level 2 Approver field.

The module automatically populates the quantitative and qualitative factors in the Risk Assessment
form based on the Risk Category selected during the Risk Assessment Plan creation.

Accessing Quantitative/Qualitative Assessment Factor Form


- Click the Approve Quantitative/Qualitative Factor <Quantitative/Qualitative Assessment Factor
Name> [<Quantitative/Qualitative Assessment Factor ID>] (<PID>) link in the My Tasks menu.

For more information on the My Tasks menu, see About My Tasks Menu.

Workflow Changes
At this stage, all the tabs, sections, and fields of the Quantitative/Qualitative Assessment Factor form
are the same as initiation stage except for a few field-level changes, which are captured in the following
table. For more details on the Quantitative and Qualitative form, see Quantitative Assessment Factor
Form and Qualitative Assessment Factor Form respectively.

Field/List Name Description


Header Section
Status Status of the Quantitative/Qualitative Assessment Factor is
automatically updated as Approval Pending.
Additional Details Tab
Note: The following fields are read-only at the approval stages of the Quantitative/Qualitative
Assessment Factor form.
Created On The date on which the current Quantitative/Qualitative
(non editable) Assessment Factor form is created appears.
Created By The name of the user who created the current Quantitative/
(non editable) Qualitative Assessment Factor form appears.
Action Section
The options available in the Action field vary at the approver stage.

Action The following actions are available in the Quantitative Assessment
Factor/Qualitative Assessment Factor form while you work on the
quantitative assessment factor/qualitative assessment factor as an
approver.
- Approve: To approve the assessment factor and send it to the next-level
approver (if one is selected) for approval, select this option.
- Request Clarification(s): To request clarification from the
assessment factor owner, select this option.
- Cancel: To cancel and close the assessment factor, select this option.
If you select Cancel, the assessment factor is closed and no
assignments are generated.

Note:
- If no further approver is selected for this assessment factor, the factor is
published when you select the Approve option.
- After you submit the form, the Quantitative Assessment Factor/
Qualitative Assessment Factor form is routed to different users based
on the action selected.

Comments Enter your comments regarding the quantitative assessment
factor/qualitative assessment factor.
After you submit the form, the Comments History report is
updated with the comments that you enter.
Comments History link To view the Comments History report, click the Comments History
report link. The Comments History report appears.
This report displays the comments entered by all the users who
worked on this form, in chronological order.
Click the Done button to close the report.

After entering all the required details in the form, click the Submit icon in the form toolbar to submit
the form. For more information on the form toolbar icons, see Form Tool Bar.

Task Assignments and E-mail Notifications


After you submit the current form, assignments and e-mails are generated to the respective users, as
shown in the following table.

Submitted By: Level 1 Approver
Note: If no Level 2 Approver is mentioned, the form is published directly.

Action Selected: Approve
  Assigned To: Level 2 Approver
  Form: Quantitative Assessment Factor/Qualitative Assessment Factor
  Form Status: Approval Pending when the form is with the Level 2 Approver
  E-Mail Sent: Level 2 Approver; CC: Owner and Initiator

Action Selected: Cancel
  Assigned To: Not applicable
  Form: Not applicable. The form is canceled and is no longer available in the system.
  Form Status: Not applicable
  E-Mail Sent: Owner; CC: Initiator

Action Selected: Request Clarifications
  Assigned To: Owner
  Form: Quantitative Assessment Factor/Qualitative Assessment Factor
  Form Status: Clarification Requested in the previous form (owner stage)
  E-Mail Sent: Owner; CC: Initiator

Action Selected: Submit Clarifications (performed by the owner; this action is available only when the
level 1/level 2 approver requests clarification and the owner works on the form to provide the required
clarifications to the level 1 approver)
  Assigned To: Level 1 Approver
  Form: Quantitative Assessment Factor/Qualitative Assessment Factor
  E-Mail Sent: Level 1 Approver; CC: Initiator

Creating Risk Matrices


The Risk Configuration Matrix provides a simple interface for users to create a matrix.

For more information on Configuring Risk Matrix, refer to the Configuring Risk Matrices section.

Risk Scoring Algorithm


Using the Risk Scoring Algorithm interface, you can define the risk scoring algorithm specific to your
organization to conduct risk assessments on a periodic or ongoing basis. This interface provides
an option to define the risk scoring formula for the following:

- Inherent Risk Score: Overall risk score without the effect of any controls
- Control Score: Overall score of the controls assessed to mitigate inherent risks
- Pre-residual Score: The logic used to calculate the residual risk when factors are
mitigated using controls
- Residual Risk Score: Overall risk score with the effect of the mitigating controls applied to reduce
inherent risks

This interface lets you drag and drop the required factor/control options and use
mathematical functions and operators to define the risk scoring algorithm. You can also
validate the defined scoring algorithm expression using the Validate option available in this interface.
The scoring algorithm that you define here is available in the Perspectives form. During risk
assessment planning, the plan initiator selects the Perspective, which is mapped to the scoring
algorithm, and initiates the Risk Assessment workflow. Based on the scoring algorithm that you defined,
the different risk scores are calculated during the Risk Assessment stage.

Figure 16: Risk Scoring Algorithm User Interface (callouts: Title and Name, Formula Bar, Formula Bar
Options (Clear Formula, Undo, Validate Formula), Factors/Controls Pane, Workspace, Formula Snapshot
Pane, Form Tool Bar)

The following table provides the brief description of risk scoring algorithm user interface.

Name Description
Title and Name: Displays the title of the risk scoring algorithm. Use this section to enter the name of
the risk scoring algorithm that you define in this interface.
Formula Bar: Provides mathematical operators and functions to define the risk scoring formula.
Formula Bar Options: Provides options such as Validate, Clear Formula, and Undo.
Factors/Controls Pane: Displays the standard and non-standard factors that are tagged as Increases
Inherent Risk, Reduces Inherent Risk and Reduces Residual Risk, and the Controls.
Workspace: Provides the formula panes (Inherent Score Formula, Control Score Formula, and so on) in
which you define the risk scoring algorithm.
Formula Snapshot Pane: Displays an overall view of the formulas defined in the workspace.
Form Tool Bar: Comprises a set of icons to perform various actions.

Title and Name


- The module displays the title Risk Scoring Algorithm.
- Type the name of the risk scoring algorithm in the Algorithm Name field. You must enter a unique
name in this field. The field accepts alphanumeric values up to a maximum of 60 characters. After you
submit the form, the module generates a unique risk scoring algorithm number for each risk scoring
algorithm. The combination of risk scoring algorithm name and risk scoring algorithm number is
unique for every risk scoring algorithm. For example, in the text ‘MetricStream Risk Scoring
Algorithm 6.1 (RRB-000041)’, ‘MetricStream Risk Scoring Algorithm 6.1’ is the risk scoring
algorithm name and ‘(RRB-000041)’ is the risk scoring algorithm number.

Figure 17: Risk Scoring Algorithm Interface >Title and Name

By default, the following risk scoring algorithm logics are pre-packaged with the Risk Assessments
module:

MetricStream Risk Scoring Algorithm 6.1 (Sum)

- Inherent Score: Sum (Standard Factors) + (Sum (Factors Increasing Inherent Risk) - Sum (Factors
Reducing Inherent Risk))
- Control Score: Sum (All Controls)
- Residual Score: Inherent Score - Sum (Factors Reducing Residual Risk) - Controls

Note: For this logic the Inclusion of Division by Factor Weights field is enabled.

MetricStream Risk Scoring Algorithm 6.1 (Product)

- Inherent Score: Product (Standard Factors) + (Sum (Factors Increasing Inherent Risk) - Sum (Factors
Reducing Inherent Risk))
- Control Score: Sum (All Controls)
- Residual Score: Inherent Score - Sum (Factors Reducing Residual Risk) - Controls

Note: For this logic the Inclusion of Division by Factor Weights field is enabled.
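The two pre-packaged logics, carried through on sample data in an added Python example. This is not
MetricStream code (the module evaluates the formula internally); the factor names, scores, weights and
control scores are constructed, and treating the Divide by Sum of Weights option as a weighted average of
each non-standard factor group is an assumption, since the guide only says those factors are divided by
the sum of their weights:

```python
"""Added example: the two pre-packaged MetricStream 6.1 scoring logics, re-implemented
in plain Python so the arithmetic can be checked. Not the module's own code.
The sample factors, weights and control scores are constructed."""
from dataclasses import dataclass
from math import prod
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Factor:
    """One assessed factor or control: its score and the weight set at creation."""
    name: str
    score: float
    weight: float = 1.0


@dataclass(frozen=True)
class Assessment:
    """Factors grouped the way the Factors/Controls pane groups them."""
    standard: List[Factor]             # Standard Factors (e.g. Impact, Likelihood)
    increasing_inherent: List[Factor]  # Factors Increasing Inherent Risk (IIR)
    reducing_inherent: List[Factor]    # Factors Reducing Inherent Risk (RIR)
    reducing_residual: List[Factor]    # Factors Reducing Residual Risk (RRR)
    controls: List[Factor]             # All Controls (Control Score% per control)


def aggregate_non_standard(factors: List[Factor], divide_by_weights: bool) -> float:
    """Sum of one non-standard factor group (IIR, RIR or RRR).

    With "Divide by Sum of Weights" OFF this is a plain sum. With it ON the guide
    says the non-standard factors are divided by the sum of their weights.
    ASSUMPTION: that is the weighted average sum(score * weight) / sum(weight);
    the guide does not spell out the exact form.
    """
    if not factors:
        return 0.0
    if not divide_by_weights:
        return float(sum(f.score for f in factors))
    total_weight = sum(f.weight for f in factors)
    if total_weight == 0:
        raise ValueError("sum of factor weights is zero; cannot divide")
    return sum(f.score * f.weight for f in factors) / total_weight


def score(a: Assessment, standard_fn: Callable[[List[float]], float],
          divide_by_weights: bool = True) -> Dict[str, float]:
    """Evaluate the pre-packaged logic with the given function over Standard Factors.

    Inherent Score = standard_fn(Standard Factors) + (Sum(IIR) - Sum(RIR))
    Control Score  = Sum(All Controls)
    Residual Score = Inherent Score - Sum(RRR) - Control Score
    """
    standard = float(standard_fn([f.score for f in a.standard]))
    inherent = standard + (aggregate_non_standard(a.increasing_inherent, divide_by_weights)
                           - aggregate_non_standard(a.reducing_inherent, divide_by_weights))
    control = float(sum(f.score for f in a.controls))
    residual = inherent - aggregate_non_standard(a.reducing_residual, divide_by_weights) - control
    return {"inherent": inherent, "control": control, "residual": residual}


def score_sum(a: Assessment, divide_by_weights: bool = True) -> Dict[str, float]:
    """MetricStream Risk Scoring Algorithm 6.1 (Sum)."""
    return score(a, sum, divide_by_weights)


def score_product(a: Assessment, divide_by_weights: bool = True) -> Dict[str, float]:
    """MetricStream Risk Scoring Algorithm 6.1 (Product)."""
    return score(a, prod, divide_by_weights)


def sample_assessment() -> Assessment:
    """Constructed sample input; names, scores and weights are made up for illustration."""
    return Assessment(
        standard=[Factor("Impact", 4), Factor("Likelihood", 3)],
        increasing_inherent=[Factor("Regulatory exposure", 2, weight=1),
                             Factor("Internet facing", 4, weight=3)],
        reducing_inherent=[Factor("Segmented network", 2, weight=1)],
        reducing_residual=[Factor("Cyber insurance", 1, weight=1)],
        controls=[Factor("MFA on admin access", 1.5), Factor("Quarterly access review", 2.0)],
    )


if __name__ == "__main__":
    a = sample_assessment()
    for name, fn in (("Sum", score_sum), ("Product", score_product)):
        for weighted in (True, False):
            print(name, "divide by weights" if weighted else "plain sum", fn(a, weighted))
```

Running the file prints the inherent, control and residual scores for both logics with the weight
division on and off. Note that the residual formula is plain subtraction: a control score larger than
the inherent score produces a negative residual, so decide how your own algorithm should handle that
case before mapping it to a Perspective.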

Factors/Controls Pane
The Factors/Controls pane is available on the upper-left of the risk scoring algorithm interface as a
collapsible/expandable side bar widget. When you access the scoring algorithm interface, the Factors/
Controls pane is expanded. To collapse the Factors/Controls pane, click the left-pointing arrow icon.

The pane name varies based on the workspace for which you are defining the scoring formula.

Example:

While defining the scoring formula for the Inherent Score Formula workspace, the standard and non-
standard factors that increase and reduce inherent risk are available in this pane.

Figure 18: Factors Pane View for Inherent Score Formula Workspace

While defining the scoring formula for the Control Score Formula workspace, the All Controls option is
available in this pane.

Figure 19: Controls Pane View for Control Score Formula Workspace

Expanding and Collapsing Factors Pane Hierarchical Levels


When you access this pane, all the factors are available as collapsed bars, and each collapsed bar is
termed a parent hierarchical level. To view the child hierarchical levels under a parent hierarchical
level, click the expand icon next to the parent hierarchical level. The factors under that parent
hierarchical level are expanded. You can expand all the parent hierarchical levels by clicking the Expand
All icon available in this pane. After you click this icon, all the parent hierarchical levels are
expanded and the Collapse All icon appears.

To collapse a particular parent hierarchical level, click the collapse icon next to the parent
hierarchical level. You can collapse all the parent hierarchical levels by clicking the Collapse All icon
available in this pane. After you click this icon, all the parent hierarchical levels are collapsed to the
parent hierarchical level view and the Expand All icon appears.

Figure 20: Parent and Child Hierarchical Level (callouts: Parent Hierarchical Level, Child Hierarchical
Level)

Searching Factors/Controls
The Factors/Controls pane provides an option to search for the existing assessment factors. This option
enables you to filter information and narrow-down your search. To search for required factors, use the
search field available in the Factors/Controls pane.

When you enter the first letter or word of the factor that you are searching for in this field, the module
displays, in an expanded view under each parent hierarchical level, the factors whose names begin with
the entered letter or word. If no child hierarchical level contains the letters or words that you are
searching for, no results are displayed under the parent hierarchical levels. However, the parent
hierarchical levels appear expanded without displaying any child hierarchical levels.

Figure 21: Search Results Found

To clear the entered data in the search field, click the Erase icon next to the search field. The text
Enter Factor Name appears in the search field.

Note: The search function is unavailable for Control Score Formula workspace pane.

Figure 22: Search Results Not Found

Formula Bar
Use the mathematical functions and operators available in this bar to define the risk scoring algorithm
in the workspace. You must select the mathematical functions and operators from this bar to create
your risk scoring formula.

To add operators or functions, perform the following steps:

Step 1 Navigate to the specific pane in the workspace where you want to define the formula.
Step 2 Click the required option in the formula bar.
The option that you selected is added in the selected workspace pane, and the All Formula pane displays
the formula details that you added in the workspace.

The following table lists the options available in the Insert menu bar and their descriptions.

Icon Description
Plus: You can use this operator only in the Inherent Score Formula, Pre-Residual Score Formula and
Residual Score Formula expressions.
Minus: You can use this operator only in the Inherent Score Formula, Pre-Residual Score Formula and
Residual Score Formula expressions.
Multiplication: You can use this operator only in the Inherent Score Formula, Pre-Residual Score
Formula and Residual Score Formula expressions.
Division: You can use this operator only in the Inherent Score Formula, Pre-Residual Score Formula and
Residual Score Formula expressions.
Note: When a formula uses division, place the opening and closing brackets carefully so that the
intended terms are divided.
Open Bracket: You can use this operator only in the Inherent Score Formula, Pre-Residual Score Formula
and Residual Score Formula expressions.
Close Bracket: You can use this operator only in the Inherent Score Formula, Pre-Residual Score
Formula and Residual Score Formula expressions.
Functions:
- The Functions menu consists of three options: Sum, Average and Product.
- After you select a particular function from this menu, the selected function is added in the
workspace.
- You can apply these functions to the Standard Factors, Factors Increasing Inherent Risk, Factors
Reducing Inherent Risk and Factors Reducing Residual Risk groups. However, you cannot apply them to
an individual factor tagged under one of these factor categories. In the following example, the
Financial factor is a child hierarchical level categorized under the Standard Factors parent
hierarchical level, and the functions cannot be applied to it.
- You must add a function before adding factors from the Factors pane. If you try to add factors
before adding a function in the workspace, the message “Please enter a Function and try again”
appears.
Number Insert: Use this option to insert a number while defining the scoring algorithm.
To insert a number, perform the following steps:
1. Click the field beside the Insert button.
2. Type the number.
3. Click the Insert button.
Note:
- The number is added in the respective pane in the workspace.
- You can enter a number up to 999999.99.
- If you enter a number greater than 999999.99, the module displays an alert message. For more
information on alert messages, refer to the Validation Related Alert Messages section.
Divide by Sum of Weights: If you want the weights defined for factors to be considered in the risk score
calculation, click the OFF button (the icon toggles between OFF and ON). When you click this button, the
message “The Factors (Non-Standard) affecting Inherent and Residual Risk will be divided by the sum
of their weights” appears. Click OK.
Note: By default, the button is OFF. When you switch it ON, the weights defined for factors during
factor creation are considered for risk score calculation.

Formula Bar Options


Use the options available in this bar to perform various functions like clear formula, validate formula
and so on.

Icon/Button Description
Clear Formula: Use this icon to clear the formula that you defined in a pane of the workspace. To delete
the formula, navigate to the specific pane in the workspace and click this icon. The formula defined in
that pane is cleared and you can define a new formula.
Undo: Use this icon to undo the most recent action. You can also use the BACKSPACE key.
Validate Formulas: To validate the defined scoring formulas, click this icon. If there are errors in the
scoring formulas defined in the different panes of the workspace, the module displays the specific
errors against the corresponding panes.

Workspace
Workspace is the region where you can define the risk scoring algorithm. Based on the formula that
you define here, the risk scores are calculated by the module during the risk assessment stage. Using
this region, you can define the scoring formula for parent hierarchical level or child hierarchical levels
that are available in the Factors/Controls pane. The workspace comprises the following panes:

- Inherent Score Formula: Use this pane to define the formula for calculating the inherent risk score.
- Control Score Formula: Use this pane to define the formula for calculating the control score.
- Pre-Residual Score Formula: Use this pane to define the pre-residual score formula.
- Residual Score Formula: Use this pane to define the formula for calculating the residual risk score.

Expanding and Collapsing Workspace Panes


When you access the risk scoring algorithm interface, all the workspace panes are collapsed except the
Inherent Score Formula pane. To expand the other workspace panes, click the Expand icon in the
respective pane.

Note: You can expand only one pane at a time.

To collapse the workspace pane, click the Collapse icon in the respective pane. The selected
workspace pane is collapsed.

Figure 23: Expanding and Collapsing Workspace

Enabling and Disabling Formulas


Using the ON/OFF buttons, you can enable or disable the formula panes. The ON and OFF buttons are
available in each workspace pane. You can disable the formula panes that are not applicable to your risk
assessment scoring methodology. Based on the formula panes that you enable or disable, the factors
pane displays the factor details. You cannot disable both the Inherent and Residual Score Formula
panes; if you try, when you click the OFF button, the message “Either Inherent or Residual Score
Formula can be Disable. Not Both” appears. Click OK.

Based on the formula panes that you disable in this interface, the respective section is hidden in the
Risk Assessment form. For example, if you disable the Control Score Formula, the Control Assessment
section is hidden from the Risk Assessor in the Risk Assessment form while assessing the risk.

The following table provides the list of buttons and descriptions used for enabling or disabling the
formula panes.

Button Description
Enable button (interchanges with the disable button): To enable a particular formula pane, click this
button in the respective formula pane. This button is available in the following formula panes:
- Inherent Score Formula
- Control Score Formula
- Residual Score Formula

Disable button (interchanges with the enable button): To disable a particular formula pane, click this
button in the respective formula pane. This button is available in the following formula panes:
- Inherent Score Formula
- Control Score Formula
- Residual Score Formula

Defining Scoring Formula


You can define the scoring formula for different workspace panes by dragging the different options
available in the Factors/Controls pane into the workspace.

Figure 24: Defining Scoring Formula (callout: drag and drop the required factors from the Factors pane
into the required workspace pane)

While you drag and drop the required factor/control options from this pane into the workspace, the
module validates whether the action being performed is valid.

A valid drag-and-drop action is indicated by a tick icon before the item that you are dragging.
Otherwise, the module does not add the dragged item to the workspace, shows an error icon before the
item that you are adding, and displays the related error message.

For example, if you try to add the Standard Factors parent hierarchical level to the Inherent Score
Formula workspace pane without adding a function, the message “Please enter a Function and try
again” appears.

For assessing risks, the factors such as quantitative (impact and likelihood) and qualitative, which affect
the organizations are considered. Out of these, only quantitative factors affect the risk score. While
assessing the risk, assessors are concerned about residual risk and inherent risk scores. The inherent
risk rating is computed from the standard as well as quantitative factors of factor contribution
(Increases Inherent Risk (IIR) and Reduces Inherent Risk (RIR)). The residual risk score is computed
from the ratings of overall control effectiveness and quantitative factor of factor contribution (RIR).

Defining Inherent Score Formula


The risk that an activity would pose if no controls or other mitigating factors were in place (the gross
risk, or risk before controls) is called inherent risk. You can define the inherent score formula using
this pane. You can define the score for the parent hierarchical level or the child hierarchical levels that
are available in the Factors pane.

The following options are available in the Factors pane:

- Standard Factors: Displays all the quantitative factors that are tagged as standard factors.
- Factors Increasing Inherent Risk: Displays all the non-standard quantitative factors that increase
the inherent risk.
- Factors Reducing Inherent Risk: Displays all the non-standard quantitative factors that reduce
the inherent risk.

Figure 25: Inherent Score Formula Pane

In the Inherent Score Formula pane, you can perform the following:

1. Inserting Mathematical Functions

- Sum
- Average
- Product

2. Dragging and Dropping Parent Hierarchical Levels

Prerequisite: You must add a function first.

- Drag and drop the required parent hierarchical level into this pane. To add child hierarchical levels
to the formula, you must use operators. To add one or more parent hierarchical levels to the
formula, insert an operator first, the required function next, and then the parent hierarchical
level within parentheses.

Sample formula: Product (Standard Factors) + (Sum (Factors Increasing Inherent Risk) - Sum (Factors
Reducing Inherent Risk)).

Note: To use the same parent hierarchical level a second time in the formula, you must use a function.

3. Dragging and Dropping Child Hierarchical Levels

- Drag and drop the required child hierarchical level into this pane. You cannot insert an operator and
then drag and drop a child hierarchical level. If you insert the operator first and then drag and drop
a child hierarchical level, the alert message ‘You must use the operators to add one or more child
hierarchical levels in the formula’ appears.
- To add one or more parent hierarchical levels after adding child hierarchical levels to the formula,
insert an operator first, the required function next, and then the parent hierarchical level within
parentheses.

4. Inserting Numbers

- To insert a number, type the number in the number field and click the Insert Number into Formula
icon next to the number field. The typed number is inserted in the selected workspace pane. You can
use numbers only with operators.
- You can enter fractional numbers or whole numbers.
- You can insert a number at the beginning of the formula, followed by an operator.

Control Score Formula Pane


You can define the control score formula using this pane based on one of two criteria:

- Overall control score reducing the inherent risk
- Controls mitigating the risks by individual standard factors

You can define the score for the parent hierarchical level or child hierarchical levels that are available
in the Controls pane.

The following option is available in the Controls pane:

- All Controls: This option is available only if you select the option Based on Overall Control Score
Reducing Inherent Risk.

Figure 26: Control Score Formula Pane

You can select either of the following options to define the control score formula.

Based On Overall Control Score Reducing Inherent Risk: If you want a simple method to calculate an
overall control score that is subtracted from the overall inherent score to calculate the residual
score, select this option. After you select this option, the Controls pane displays the All Controls option.
To define the formula, add the required function from the formula bar and then drag and drop the All
Controls option from the Controls pane.

Copyright © 2016 MetricStream Inc. Page 77


Risk Assessments 6.1 SP2 - User Guide

If you choose this option, the assessor can view the following fields in the Controls tabular format of the assessment form:

 Rating
 Score
 Weighting
 Control Score%

All the control scores populated in the Control Score% column are added, averaged, or multiplied according to the function that you use here to define the control score formula.

Note: When you select this option, all the options in the Insert menu except Function are made unavailable.

Example:

Control 1 - Score = 10
Control 2 - Score = 15
Control function = Sum
Overall Control Score = 10 + 15 = 25

Figure 27: Adding Control Score Formula

Based On Controls Mitigating Standard Factors: If you want to calculate the control score from the mitigated percentage value that the assessor records against each standard factor (each control mitigates a factor by a certain percentage), select this option. When you choose this option, you can use only functions to define the control score formula.

This formula is applied to each factor that is used during Risk Assessment.


If you choose this option, the assessor can view the following field in the Controls tabular format of the assessment form:

 Mitigates

The assessor decides which factors need to be mitigated and records the mitigated percentage value against each of them. Based on the function that you use here, the score of each mitigated factor is recalculated during the assessment stage.

Note: When you select this option, all the options in the Insert menu except Function are made unavailable.

Pre-Residual Score Formula Pane

The pre-residual score is the score of the standard factors after mitigation. It is used when certain controls mitigate the factors: after the assessor enters the mitigated percentage, the factor scores are recalculated before the residual scores are derived. This pane is editable only if you select the option Based On Controls Mitigating Standard Factors in the Control Score Formula pane.

You can define the pre-residual score using the options available in the Factors pane:

 Standard Factors: Displays the parent standard factor hierarchical level.
 Standard Factors Mitigated By Controls: If you drag and drop this option, all the factors that are mitigated by controls during Risk Assessment are considered for the pre-residual score calculation.

In this pane, you can perform the following:

 You can drag and drop the options mentioned above from the Factors/Controls pane.
 You can use the parent factor options available in the Factors pane as many times as required in the formula.
 You can use the operators available in the Insert menu bar.
 You cannot use functions to define the pre-residual score formula.

Figure 28: Pre-Residual Score Formula


Residual Score Formula Pane

The risk that remains after controls are applied (the net risk, or risk after controls) is the residual risk. You can define the residual score formula in this pane, for the parent hierarchical level or the child hierarchical levels that are available in the Factors/Controls pane.

The following options are available in the Factors/Controls pane:

 Standard Factors: Displays all the quantitative factors that are tagged as standard factors.
 Factors Reducing Residual Risk: Displays all the non-standard quantitative factors that reduce the residual risk.
 Inherent Score Formula: Carries the same scoring logic defined in the Inherent Score Formula pane, applied to the residual values of the factors. This is applicable if the standard factors are available for both inherent and residual Risk assessment.

Example 1:

Inherent Impact = 5
Inherent Likelihood = 3
Inherent Score = Impact * Likelihood = 15
Residual Score = Inherent Score - Controls = 15 - 5 = 10

Example 2:

Inherent Impact = 5
Inherent Likelihood = 3
Inherent Score = Impact * Likelihood = 15
Residual Impact = 5
Residual Likelihood = 5
Inherent Score Formula applied to the residual factors = 5 * 5 = 25
Residual Score = Inherent Score Formula - Controls = 25 - 5 = 20

 Inherent Score: If you want to use the overall inherent score that is computed during the Risk Assessment stage in the formula, use this option.

Example:

Overall inherent score - Controls / 100

 Controls: Use this option if you are reducing the inherent score by the overall control score defined in the Control Score Formula pane.


Note: This option is available only if you select the option Based On Overall Control Score Reducing Inherent Risk in the Control Score Formula pane.

Figure 29: Residual Score Formula Pane

In the Residual Score Formula pane, you can perform the following:

1. Inserting Functions

 Sum
 Average
 Product

2. Dragging and Dropping Parent hierarchical levels

Prerequisite: You must add a function first.

 Drag and drop the required parent hierarchical level into this pane. To add child hierarchical levels in the formula, you must use the operators. To add one or more further parent hierarchical levels in the formula, perform the following:

a) Insert an operator
b) Insert the required function
c) Insert the parent hierarchical level within parentheses

Sample formula: Inherent Score Formula - Controls

You cannot use functions for child hierarchical levels after adding a parent hierarchical level in the formula.

Note: You cannot duplicate the parent hierarchical levels in the formula.

3. Dragging and Dropping Child hierarchical levels

 Drag and drop the required child hierarchical level into this pane without inserting an operator first; if you insert an operator and then drag and drop a child hierarchical level, the module displays the related error message.
 You must use the operators to join one or more child hierarchical levels in the formula. To add one or more parent hierarchical levels after adding the child hierarchical levels, perform the following:

a) Insert an operator
b) Insert the required function
c) Drag and drop the parent hierarchical level within parentheses

4. Inserting Numbers

 To insert a number, type the number in the number field and click the Insert Number into Formula icon next to the number field. The typed number is inserted in the selected workspace pane. You can use numbers only with operators.
 You can enter fractions or whole numbers.
 You can insert a number at the beginning of the formula, followed by operators.

In addition:

 You can drag and drop the options mentioned above from the Factors/Controls pane.
 You can use the parent factor options available in the Factors pane as many times as required in the formula.
 You can use the operators available in the Insert menu bar.

Validating Formulas

After defining the formula in each pane, you must click the Validate Formulas button in the Insert menu options to validate the expressions that you defined in each workspace pane. When you click this button, the module validates the expressions defined in each pane and displays an error or alert message in the respective pane. The validation-related messages are represented with different icons.

The following table lists the validation-related icons and their descriptions.

Icon              Description
Valid Formula     If the formula entered in the workspace pane is a valid expression, the module displays this icon in the respective pane.
No Formula        If you have not defined a formula in a particular workspace pane, the module displays this icon to indicate that you must enter a formula in that pane.
Invalid Formula   If the formula entered in the workspace pane is an invalid expression, the module displays this icon in the respective pane. You must rectify the formula in that pane and validate the rectified formula again by clicking the Validate Formulas button.


Validation Related Alert Messages

The following table lists the validation-related alert messages that are displayed while defining the risk scoring algorithm.

Alert Title: Validate
Alert Text: Please Validate Expressions.
Displayed when the user: Clicks the 'Submit' icon without validating the formula.

Alert Title: Incomplete Name
Alert Text: Please enter a rule name.
Displayed when the user: Clicks the 'Submit' icon without entering the rule name.

Alert Title: Invalid Entry
Alert Text: Please enter a number
Displayed when the user: Enters a non-numeric value in the Number text field.

Alert Title: Invalid Entry
Alert Text: Function does not apply to change in database
Displayed when the user: Tries to drag a Child Factor hierarchical level to the expression builder after adding the aggregate function.

Alert Title: Invalid Expression(s)
Alert Text: Inherent, Control & Residual expression [is/are] Invalid
Displayed when the user: Clicks the 'Validate' button and the entered expression is invalid.
Note: The alert message is displayed with the details of the relevant object(s).

Alert Title: Invalid Expression(s)
Alert Text: Inherent, Control & Residual expressions [is/are] Empty
Displayed when the user: Clicks the 'Validate' button without entering the expression for a particular pane.

Alert Title: Invalid Entry
Alert Text: Please enter a number less than 999999.99
Displayed when the user: Enters a number more than 6 characters long.

Alert Title: Invalid Expression(s)
Alert Text: Note: "Control" has been removed from Residual Score Formula since there was a change in the Control Scoring Method.
Displayed when the user: Enters the 'Control' element in the Residual expression and then changes the control scoring method to mitigate standard factors.
Note:
- The 'Control' element is removed from the Residual Score Formula pane and from the Factors/Controls pane.
- This alert message is displayed only when you click the Validate button.

Alert Title: Information
Alert Text: The Factors (Non-Standard) affecting Inherent and Residual Risk will be divided by the sum of their weights.
Displayed when the user: Switches the 'Divide by Sum of Weights' slider button to 'ON'.


SnapShot
This section displays the overall formula that you define in each workspace pane. When you access this interface, the default columns Inherent Score Formula, Control Score Formula, and Residual Score Formula are displayed. As you build the risk scoring algorithm, the module refreshes this pane and displays the latest updates that you make in each pane. If you have disabled a particular formula pane, the text NA is displayed next to the respective formula.

Figure 30: Snapshot Pane

Sample Formula
Consider a scenario where the risk administrator creates a risk scoring algorithm named MetricStream Risk Scoring Algorithm 6.1. The algorithm consists of the following expressions for the different risk score calculations:

 Inherent Score Formula: Product (Standard Factors)
 Control Score Formula: Sum
 Pre-Residual Score Formula: Standard Factors Mitigated By Controls
 Residual Score Formula: Same as Inherent Score Formula

To create the above sample formula, perform the following steps:

Step 1 Navigate to the Risk Scoring Algorithm interface.
Step 2 Click the Algorithm Name field and type the name MetricStream Risk Scoring Algorithm 6.1.

Figure 31: Adding Algorithm Name

Step 3 Navigate to the Inherent Score Formula pane, click Functions in the Insert menu, and then select Product.

Figure 32: Adding Function

Step 4 Drag and drop the Standard Factors parent hierarchical level from the Factors pane into the Inherent Score Formula pane.
Step 5 Click the Control Score Formula pane and select the Based On Controls Mitigating Standard Factors option.
Step 6 Navigate to the formula space, click Functions in the Insert menu, and then select Sum.
Step 7 Click the Pre-Residual Score Formula pane and drag and drop the Standard Factors Mitigated By Controls option from the Factors pane.
Step 8 Click the Residual Score Formula pane and drag and drop the Same as Inherent Score Formula option from the Factors pane.

The following screen displays the snapshot of the sample use case.

Figure 33: Snapshot of Sample Use Case
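The four panes combined as in the sample formula, as an added example (Python, not code from this guide or from the MetricStream product): the three Insert-menu functions applied to the inherent, control, pre-residual and residual scores, covering both control scoring methods. The function names are assumptions, and so is the way a factor's mitigated percentages are combined (with the control function, capped at 100%) before the factor score is reduced; the guide only states that the factor scores are recalculated from the mitigated percentage.

```python
from functools import reduce
from operator import mul

# The three functions offered in the Insert menu of each formula pane.
FUNCTIONS = {
    "Sum": sum,
    "Average": lambda xs: sum(xs) / len(xs),
    "Product": lambda xs: reduce(mul, xs, 1),
}


def inherent_score(factors, function="Product"):
    """Inherent Score Formula: <function>(Standard Factors), e.g. Impact * Likelihood."""
    return FUNCTIONS[function](list(factors.values()))


def overall_control_score(control_scores, function="Sum"):
    """Control Score Formula, 'Based On Overall Control Score Reducing Inherent Risk':
    the Control Score% values of all controls combined with the chosen function."""
    return FUNCTIONS[function](list(control_scores))


def residual_overall(factors, control_scores, inherent_fn="Product", control_fn="Sum"):
    """Residual Score Formula 'Inherent Score Formula - Controls' (the guide's 15 - 5 = 10)."""
    return inherent_score(factors, inherent_fn) - overall_control_score(control_scores, control_fn)


def pre_residual_factors(factors, mitigations, control_fn="Sum"):
    """Pre-Residual Score Formula 'Standard Factors Mitigated By Controls'.

    mitigations maps a factor name to the 'Mitigates' percentages the assessor recorded
    against it, one per control. Assumption (not stated in the guide): the percentages
    for a factor are combined with the control function, capped at 100, and the factor
    score is reduced by that share.
    """
    mitigated = {}
    for name, score in factors.items():
        pcts = list(mitigations.get(name, []))
        total_pct = min(100.0, FUNCTIONS[control_fn](pcts)) if pcts else 0.0
        mitigated[name] = score * (1 - total_pct / 100.0)
    return mitigated


def residual_mitigating(factors, mitigations, inherent_fn="Product", control_fn="Sum"):
    """Residual Score Formula 'Same as Inherent Score Formula', evaluated over the
    pre-residual (mitigated) factor scores instead of the inherent ones."""
    return inherent_score(pre_residual_factors(factors, mitigations, control_fn), inherent_fn)


if __name__ == "__main__":
    factors = {"Impact": 5, "Likelihood": 3}                # constructed sample assessment
    print(inherent_score(factors))                          # 15
    print(residual_overall(factors, [5]))                   # 10, overall control score method
    print(residual_mitigating(factors, {"Impact": [40]}))   # 9.0, Impact mitigated by 40%
```

With the overall method the control score is a single number subtracted from the inherent score, so a control that scores higher than the inherent score drives the residual negative; with the mitigating method each factor can only be reduced towards zero, which is why the cap at 100% is applied per factor.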

Form Submission
For more information on the Form Tool Bar icons, refer to the Form Tool Bar section.

Task Assignments and E-mail Notifications


After you submit the current form, no task assignments and e-mails are generated.


Perspectives
Perspectives are created for every organization and enable organizations to perform various types of risk assessments using different risk scoring algorithms and risk configuration matrices. This type of setup enables different users in various organizations to assess the same risks from different perspectives. The perspectives that you define here are available in the Risk Assessment Plan; you can schedule the assessment of these perspectives periodically to mitigate the associated risks. When you access the Perspectives form, it opens with the details of all the Perspectives in the module. You can add new perspectives by clicking the Add Perspectives link.


Perspectives Form
Use the Perspectives form to define the perspectives for different organizations. You can define
multiple Perspectives using this form.

Figure 34: Perspectives Form


Perspectives Tab
Use the Perspectives tab to define the perspectives for different organizations. This is a multi-row region, and you can add multiple perspectives.

Figure 35: Perspectives Form > Perspectives Tab

The fields and lists in the Perspectives region are described below.

Add Perspectives link: To add a new perspective, click the Add Perspectives link. The related fields appear. To add additional perspectives, click this link as many times as required.
Row#: The row number appears. After you submit the form, the module generates a unique identification number for each row. This number, together with the perspective name, serves as a reference to identify the perspective. The perspectives that you create here carry the same PID number but a unique perspective number each. For example, if you add perspective 1 as Corporate Assessment in Row#1 and perspective 2 as Enterprise (Risk-Org) in Row#2, after you submit the form the module generates a unique perspective number for each row: SCN-000201 - Corporate Assessment and SCN-000202 - Enterprise (Risk-Org).

Perspective Name: Type a unique perspective name. Duplicate names are not allowed in the multi-row region.

Default Perspective: Use this field to indicate whether the current perspective is the default perspective. To set the current perspective as the default, select Yes. You must tag one perspective as the default; if you do not, the module displays an alert message after you submit the form.
Note: The perspective that you tag as default is used for Risk reporting. It enables logged-in users to access and view the assessment details of the Risks associated with the default perspective.

Assessment Type: Select the type of assessment for the current perspective. You can perform the following three types of Risk Assessment:
 Assessable Entity - Risk: If the assessment is on a core object and risk basis, select this option.
 Org – Assessable Entity – Risk: If the assessment is on an organization, core object and risk basis, select this option.
 Org – Risk: If the assessment is on an organization and risk basis, select this option.
Note: Core Objects are buckets of assessable entities such as Processes, Asset Classes, Assets, Suppliers, Auditable Entities, and so on, except organizations.
Note: The module calculates the risk score during the Risk Assessment stage based on the type of Risk Assessment.
For example:
 The Org-Risk and Org-Process-Risk assessment types are typically ideal for Enterprise Risk Management use cases, wherein line managers assess risks for their individual organizations and the individual organization scores are rolled up to arrive at scores for Risks as well as for Processes/Auditable Entities.
 The Org-Process-Risk and Process-Risk assessment types are ideal for Audit and SOX use cases.
Assessable Entity (appears only if you select Assessable Entity - Risk or Org – Assessable Entity – Risk in the Assessment Type field): Select one or more assessable entities that you want to assess. The following options are available:
 Asset: If you want to assess assets, select this option. Assets represent physical or logical information systems such as desktops, laptops, servers, virtual machines, and so on within an Information Technology (IT) environment.
 Asset Class: If you want to assess the asset classes that belong to a particular asset, select this option.
 Objective: If you want to assess the organization's objectives, select this option. The categories of Objectives can be Business Objective, Control Objective, or Process Objective.
 Process: If you want to assess the processes (a process is a sequence of activities performed to achieve certain goals) specific to an organization, select this option.
 Product: If you want to assess the products, select this option.
Note: A Product can be a banking product or a product that an organization manufactures and sells.
Based on the entity that you choose, the assessable entities are filtered and displayed in the Assessable Entity field of the Risk Assessment Plan form. For example, if you select Objective, all the objectives belonging to the selected categories are made available in the Assessable Entity field of the Risk Assessment Plan form.
If you do not choose any assessable entity in this field, the objects with the relevant associations established in the GRC Foundation library are made available for selection in the Assessable Entity field of the Risk Assessment Plan form.
Note: The assessable entities are retrieved from the GRC Foundation module.

Category(ies): Select the risk categories to which this perspective applies. During the Risk Assessment stage, the module automatically selects the risks associated with the selected risk categories for the current perspective. For example, if you select Business Relationships and three risks are associated with it, all three risks are populated during the Risk Assessment stage for the current perspective. The values in this field are populated from the GRC Foundation module. If no risk category is selected, the module considers all the risk categories by default.

To Be Assessed By: Select the organizations whose users assess the current perspective. The following options are available:
 All Organizations: If you want users from any organization to assess this perspective, select this option.
 Specific Organizations: If you want users from particular organizations to assess this perspective, select this option.
Organization(s) (appears only if you select Specific Organizations in the To Be Assessed By field): Select the organizations assessing the current perspective. Only users from the selected organizations can assess this perspective.

Additional Information: Type any additional information about the Perspective by clicking the rich-text editor icon next to the field.
Note: You can enter a maximum of 4000 characters in this field.
For more information on RTF functions, refer to the MetricStream Portal User Guide Release 6.1 SP5.

Risk Assessment Methodology: Select the Risk Assessment method based on your requirement. The following options are available:
 Rating Method
 Scoring and Rating Method
 Ranking and Rating Method
 Scoring Algorithm and Rating Method
 Risk Scoring Algorithm
For more information on Risk Assessment methods, refer to the Risk Configuration Methods section.

Profile (appears if you select any option other than Risk Scoring Algorithm in the Risk Assessment Methodology field): Select the Risk Matrix Configuration profile. You configure your ratings, scores, or ranks in a Risk Matrix Configuration profile, based on which you conduct Risk Assessments. The ratings, ranks, and scores follow the profile configuration.
Note: The profile values are filtered based on the selected Risk Assessment Methodology.

Perspective Algorithm (appears only if you select Risk Scoring Algorithm in the Risk Assessment Methodology field): Select the risk scoring logic for the current perspective. The module lists the existing risk scoring algorithms defined in the Risk Scoring Algorithm interface. Based on the scoring algorithm that you select here, the module calculates the risk scores during the Risk Assessment stage.
Note:
- This is applicable only for the Risk Scoring Algorithm and Scoring Algorithm and Rating methods.
- The MetricStream Risk Scoring Algorithm is available by default. The Operand For Scoring (Multiplication and Sum) option that was used in the Risk Assessments SP3 module is available in this field as MetricStream Risk Scoring Algorithm 6.0 (Product) and MetricStream Risk Scoring Algorithm 6.0 (Sum).
For more information on defining the risk scoring algorithm, refer to the Risk Scoring Algorithm section.
Calculate Scores by Default: Use this field to indicate whether the Risk Assessment scores (Inherent, Control, and Residual scores) in the Risk Assessment form must be calculated automatically while the Risk assessor performs the Risk assessment. The following options are available:
 Yes: To calculate the Risk Assessment scores (inherent, control, and residual risk scores) automatically, select this option.
Note: If you select Yes, the module calculates the rolled-up risk score automatically and displays it in the Floating Risk Rating Window of the Risk Assessment form.
 No: To let the Risk assessor trigger the calculation of the Risk scores (inherent, control, and residual risk scores) while performing the Risk assessment, select this option.
Note: If you select No, the module does not calculate the rolled-up risk score automatically; the Compute Scores button is displayed in the Floating Risk Rating Window of the Risk Assessment form to calculate the risk score.

Validity (Dates)
Use this region to define the longevity of the Perspective.

Valid From: Enter the date from which this perspective is valid. From the selected date, the perspective is available in the Risk Assessment Plan form for assessment.
Note: You must use the MM/DD/YYYY format.

Valid Until: Enter the date until which this perspective is valid. After the selected date, this perspective is no longer available in the Risk Assessment Plan form for assessment.
Note:
- You must use the MM/DD/YYYY format.
- If you do not enter a date in this field, the perspective has perpetual validity.
- A user with the RSK - Manage Scenarios activity can edit this date using the Perspective List Report, after which the perspective is again available in the Risk Assessment Plan form for assessment.

Delete last Perspective link: To delete the last added perspective, click the Delete Last Row link.

After entering all the required details in the form, click the Submit icon to submit the form. For more information on the form toolbar icons, see Form Tool Bar.

Task Assignments and E-mail Notifications


After you submit the current form, the task assignments and e-mails are generated.

Configuring Organization Weightage

Using the Organization Weightage form, you can assign a weightage to each organization that determines how its risk score is rolled up. The scores are calculated from the weightage assigned to the organization and rolled up through its hierarchy. You can view the calculated scores in the Top Organization by Rolled up Score report.

You can set up the weightage by specifying either weights or percentages, through the following configuration parameters:

 MS_RSK_ORG_WEIGHTAGE_CONFIG
 MS_RSK_ORG_WEIGHTAGE_ROLLUP

If the input method chosen is 'Weights', the module converts the weights into percentages. For more information on the configuration parameters, refer to the MetricStream Risk Assessments System Administrator Guide Release 6.1 SP2.

All the organizations defined at the Enterprise level in the EGRCP platform are available for weightage configuration. If a new business unit is added, or the organization is restructured, you need to reconfigure the organization weights for the new or restructured organizations.

Note: This functionality is not available for the Risk Algorithm method.

You can access the Organization Weightage form only through the data browser. For more information, see Searching and Editing Risk Assessment Forms.

Organization Weightage Form

Use the Organization Weightage form to define the weightage or percentage for each organization.

Figure 36: Organization Weightage Form

Organization Hierarchy: Select the name of the organization hierarchy for which you want to define the weightage. All the organization hierarchies defined in EGRCP are available for selection.
Note: If you are editing the existing weightage of an organization, this field is non-editable.

Organization: Select the organization for which you want to define the weightage. The organizations are displayed based on the selected organization hierarchy. After you select the organization, the parent and its child organizations are available in a tabular format for specifying the weightages. In the above example, the AMR 2.1 organization has the following child organizations, which are displayed in the tabular format:
 AMR 2.1.1
 AMR 2.1.2
 AMR 2.1.3
You enter the weights for each level so that they aggregate to 100% at the parent level. This applies to each hierarchy. If the input is through weights, the percentage is calculated automatically as (Weight / Total Weights) * 100. For example, if the weights for AMR 2.1.1, AMR 2.1.2, and AMR 2.1.3 are 1, 2, and 3 respectively, the percentage for AMR 2.1.1 is [1 / (1 + 2 + 3)] * 100 = 16.67%. If the input is through percentages, the percentages entered for the child organizations must total 100%.
Note: If you are editing the existing weightage of an organization, this field is non-editable.
Total Percentage(%): The total percentage contribution of the child organizations appears. The value in this field is refreshed automatically based on the percentage that you enter for each organization in the tabular format. The total must be 100% before you submit the form; otherwise, the module displays the message "The percentage distributed is not equal to 100%. Please check the distribution".
Note: This field is made available based on the MS_RSK_ORG_WEIGHTAGE_CONFIG configuration parameter setting.

Child tabular format

The child organizations are displayed in a tabular format.

Organization: The child organization name appears.

Weight (available based on the configuration parameter setting): Type the weightage to be applied to the organization while rolling up the scores to the enterprise entity.
Note:
- This field accepts positive integers.
- The weightage that you enter here is converted into a percentage and displayed in the Percentage field.
- One or more child organizations can have the same weightage; however, the total percentage for the parent organization must be 100%.
- This field is made available based on the MS_RSK_ORG_WEIGHTAGE_CONFIG configuration parameter setting. For more information on configuring parameters, refer to the MetricStream Risk Assessments System Administrator Guide Release 6.1 SP2.

Percentage: Type the percentage contribution of the organization to be used for the score roll-up.
Note: This field is editable based on the MS_RSK_ORG_WEIGHTAGE_CONFIG configuration parameter setting. For more information on configuring parameters, refer to the MetricStream Risk Assessments System Administrator Guide Release 6.1 SP2.
If the above parameter is set to Weightage, this field is non-editable. The module displays the percentage weightage based on the value that you enter in the Weight field, calculated with the formula:
(Weight entered for the organization / Sum of the weights entered for the child organizations in the tabular format) * 100

Example: Different weights for each organization
Organization     Weight   Percentage
LOB - HR         1        1 / 6 * 100 = 16.67
LOB - Benefits   2        2 / 6 * 100 = 33.33
LOB - Staffing   3        3 / 6 * 100 = 50.00

Example: Two organizations have the same weight
Organization     Weight   Percentage
LOB - HR         1        1 / 4 * 100 = 25
LOB - Benefits   1        1 / 4 * 100 = 25
LOB - Staffing   2        2 / 4 * 100 = 50

Note: Fractional weights and percentages are rounded off to the first digit after the decimal point.

Example:
Weight = 1.45 is rounded off to 1.5.
Weight = 1.44 is rounded off to 1.4.

After entering all the required details in the form, click the Submit icon to submit the form. For more information on the form toolbar icons, see Form Tool Bar.

Task Assignments and E-mail Notifications


After you submit the current form, no task assignments and e-mails are generated.

Scenario - 1
In this scenario, HR, Benefits, and Staffing are assessed (three assessments at level 3), and LOB - Shared Services and LOB - Retail are assessed (two assessments at level 2). LOB - Human Resource, at level 2, is not assessed itself, but its child organizations are.

The score is rolled up to the Line of Business level by applying the individual percentage defined for each organization at the third level, and then to LOB - Human Resource by applying its percentage (that is, 30%), as shown below. The Risk score referred to in this example is the inherent or residual score from the Risk assessment performed for that organization.

Enterprise (Enterprise Risk Score = 2)
  Total Risk score = (0.85 + 2.4 + 0.8) / 3 = 1.35, rounded off to the next whole number = 2
  |
  +-- LOB - Human Resource (30%): no assessment of its own
  |     Total Risk score = (3.33 + 1.67 + 3.50) / 3 = 2.83; 2.83 * 30 / 100 = 0.85
  |     +-- HR (16.67%): Risk score = 20; 20 * 16.67 / 100 = 3.33
  |     +-- Benefits (33.33%): Risk score = 5; 5 * 33.33 / 100 = 1.67
  |     +-- Staffing (50%): Risk score = 7; 7 * 50 / 100 = 3.50
  |
  +-- LOB - Shared Services (30%): Total Risk score = 8; 8 * 30 / 100 = 2.4
  |
  +-- LOB - Retail (40%): Total Risk score = 2; 2 * 40 / 100 = 0.8

Scenario - 2
In this scenario there is only one assessment, for the HR organization at level 3; there are no assessments at level 2 or level 1. The score is rolled up to the Line of Business level by applying the percentage at the HR level (that is, 16.67%) and then the percentage of LOB - Human Resource (that is, 30%), as shown below. Organizations without any assessment in their subtree do not contribute to the roll-up.

The Risk score referred to in this example is the inherent or residual score from the Risk assessment performed for that organization.

Enterprise (Enterprise Risk Score = 1)
  Total Risk score = 1.00, rounded off to the next whole number = 1
  |
  +-- LOB - Human Resource (30%): no assessment of its own
  |     Total Risk score = 3.33 (only HR is assessed); 3.33 * 30 / 100 = 1.00
  |     +-- HR (16.67%): Total Risk score = 20; 20 * 16.67 / 100 = 3.33
  |     +-- Benefits (33.33%): no assessment
  |     +-- Staffing (50%): no assessment
  |
  +-- LOB - Shared Services (30%): no assessment
  |
  +-- LOB - Retail (40%): no assessment


Scenario - 3
In the below scenario, HR, Benefits, and Staffing are three assessments at level 3.

LOB - Human Resource, which is at level 2, is also assessed. The score is rolled up to Line of Business by applying the individual percentage defined for each organization at the third level; these level 3 scores and the LOB - Human Resource score are averaged, the percentage (that is, 30%) is applied, and the result is rolled up to the Line of Business as shown below.

The risk score referred to in this example is the inherent or residual score from the risk assessment performed for that organization.

Level 3 (child organizations of LOB - Human Resource):
    HR (16.67%): Total Risk score = 20; 20 * 16.67 / 100 = 3.1
    Benefits (33.33%): Total Risk score = 5; 5 * 33.33 / 100 = 1.7
    Staffing (50%): Total Risk score = 7; 7 * 50 / 100 = 3.6

Level 2:
    LOB - Human Resource (30%): Risk score for LOB Human Resource = 4; Total Risk score = [(3.1 + 1.7 + 3.6 + 4) / 4] * 30 / 100 = 0.9 (1)
    LOB - Shared Services (30%): No assessment
    LOB - Retail (40%): No assessment

Level 1:
    Line of Business: Enterprise Risk Score = 1
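The roll-up rule that the three scenarios illustrate, as an added example that is not part of the guide or of the product: each assessed child's total is multiplied by its percentage, the weighted contributions (plus the organization's own score when it was assessed itself, as in Scenario 3) are averaged, and the Line of Business total is rounded up to the next available whole number to give the Enterprise Risk Score. Rounding every intermediate value to one decimal, halves up, is an assumption taken from the Weight rounding rule at the start of this section; the organization names, percentages and scores are the ones in the scenarios.

```python
"""Roll-up of organization risk scores through a percentage-weighted hierarchy.

Added example modelled on the three scenarios in this section; not MetricStream
code. One-decimal, halves-up rounding of intermediate values is an assumption
taken from the Weight rounding rule in this section.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal, ROUND_CEILING, ROUND_HALF_UP
from typing import Optional

ONE_DECIMAL = Decimal("0.1")


def round_half_up(value) -> Decimal:
    """Round to one decimal, halves up: 1.45 -> 1.5, 1.44 -> 1.4."""
    return Decimal(value).quantize(ONE_DECIMAL, rounding=ROUND_HALF_UP)


@dataclass
class OrgNode:
    """An organization in the hierarchy.

    percentage: weight applied to this org's total when it rolls into its parent.
    score: inherent or residual score if this org itself was assessed, else None.
    """
    name: str
    percentage: Decimal
    score: Optional[Decimal] = None
    children: list["OrgNode"] = field(default_factory=list)

    def weighted_contribution(self) -> Optional[Decimal]:
        """This org's total scaled by its percentage; None if nothing is assessed."""
        total = self.total_score()
        if total is None:
            return None
        return round_half_up(total * self.percentage / 100)

    def total_score(self) -> Optional[Decimal]:
        """Average of the assessed children's weighted contributions and, when this
        org was assessed itself (Scenario 3), its own unweighted score."""
        contributions = [c.weighted_contribution() for c in self.children]
        contributions = [c for c in contributions if c is not None]  # skip unassessed
        if self.score is not None:
            contributions.append(self.score)
        if not contributions:
            return None
        return round_half_up(sum(contributions) / len(contributions))


def enterprise_risk_score(line_of_business: OrgNode) -> Optional[int]:
    """Line of Business total rounded up to the next available whole number."""
    total = line_of_business.total_score()
    if total is None:
        return None
    return int(total.to_integral_value(rounding=ROUND_CEILING))


def build_scenario(assessed: dict) -> OrgNode:
    """Build the hierarchy used by the scenarios. `assessed` maps org name -> score
    for every organization that has an assessment; the others have none."""
    def node(name: str, pct: str, children=()) -> OrgNode:
        score = Decimal(assessed[name]) if name in assessed else None
        return OrgNode(name, Decimal(pct), score, list(children))

    lob_hr = node("LOB - Human Resource", "30", [
        node("HR", "16.67"), node("Benefits", "33.33"), node("Staffing", "50")])
    # The Line of Business root has no percentage of its own; 100 leaves it unscaled.
    return node("Line of Business", "100", [
        lob_hr, node("LOB - Shared Services", "30"), node("LOB - Retail", "40")])


# Inputs of the three scenarios in this section.
SCENARIO_1 = {"HR": 20, "Benefits": 5, "Staffing": 7,
              "LOB - Shared Services": 8, "LOB - Retail": 2}
SCENARIO_2 = {"HR": 20}
SCENARIO_3 = {"HR": 20, "Benefits": 5, "Staffing": 7, "LOB - Human Resource": 4}

if __name__ == "__main__":
    for label, inputs in (("1", SCENARIO_1), ("2", SCENARIO_2), ("3", SCENARIO_3)):
        root = build_scenario(inputs)
        print(f"Scenario {label}: Line of Business total = {root.total_score()}, "
              f"Enterprise Risk Score = {enterprise_risk_score(root)}")
```

With these inputs the example reproduces the Enterprise Risk Scores of 2, 1 and 1 shown in the three scenarios; an organization with nothing assessed anywhere below it yields None rather than a score.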


Configuring Heat Maps for Standard Factors


Using the HeatMap Configuration For Standard Factors form, the system administrator can configure
the display of standard factors in the heat map for perspectives. Based on the default profile, the
module displays the heat map chart to the end users.

HeatMap Configuration For Standard Factors Form


Use the HeatMap Configuration For Standard Factors form to configure the display of standard factors
in the heat maps.

Figure 37: HeatMap Configuration For Standard Factors Form

Field/List Name Description

Add Row link
    To add a new configuration for standard factors, click the Add Row link. The configuration-related fields appear.
    To add additional configurations, click this link as many times as required.

Row#
    The row number appears. On form submission, the system generates a unique identification number for each row. This number acts as a reference to identify the standard factor configuration for each perspective.
    The perspectives that you create here carry the same PID number but a unique configuration number.

Perspective
    Select the name of the perspective for which you want to configure the heat map chart details.

X-Axis
    Select the standard factor that you want to be plotted on the X-axis of the heat map. The values in this field are displayed based on the perspective selected in the Perspective field. All the standard factors that are mapped to the selected perspective are displayed in this field. This field does not display the standard factor that is selected in the Y-Axis field.

Y-Axis
    Select the standard factor that you want to be plotted on the Y-axis of the heat map. The values in this field are displayed based on the perspective selected in the Perspective field. All the standard factors that are mapped to the selected perspective are displayed in this field. This field does not display the standard factor that is selected in the X-Axis field.

Profile Name
    Type the name of the profile. You can type the same profile name in the multi-row region.

Default Profile
    Use this field to indicate whether the current profile is the default profile or not. To set the current profile as the default, select Yes. You must tag one profile as default in the multi-row region. If you do not tag one profile as default, when you click the Submit icon, the system displays the message “Based on the default profile settings, the heat map is displayed to the user”.

Delete Last Row link
    To delete the last added row, click the Delete Last Row link.

Delete check box
    To delete a particular row, select the Delete check box in line with the row that you want to delete. The selected row appears in a different color. After form submission, the selected row is deleted.

After entering all the required details in the form, click the Submit icon to submit the form. For more
information on the form toolbar icons, see Form Tool Bar.

Task Assignments and E-mail Notifications


After you submit the current form, no task assignments and e-mails are generated.



3 Configuring Risk Matrices
The following chapter provides information on the Risk Configuration Matrix user interface and
different methods of configuring the Risk Configuration matrices.

Sections:
1. What Is Risk Matrix?
2. Risk Configuration Methods
3. Risk Matrix Configuration


What Is Risk Matrix?


A Risk Matrix is used during risk assessment to define the level of risk (also called the risk rating, risk
rank, or risk score) based on two coordinates or attributes. The level of risk is determined by the
intersection point or cell of the X and Y coordinates.

An example is illustrated below:

Figure 38: Heat Map Displaying Impact Vs Likelihood (5X5) Matrix

In the above diagram, a simple heat map of Impact and Likelihood is depicted to increase visibility of
Risks and assist the management in decision making.

Although many standard risk matrices exist, individual projects and organizations may want to create
their own or adopt an existing risk matrix.

A Risk Matrix is used when risk assessment and reporting through heat maps are done using only two
attributes. In most cases, when there is no mathematical logic or approach to performing a risk
assessment, a simple matrix-based approach with two coordinates is followed. This is recommended for
simple risk assessments.

You can perform risk assessment based on the following methodologies:

 Matrix or a combination of Matrix and a scoring algorithm

or

 Risk Scoring Algorithm depending on the use case and Risk Assessment methodology that your
organization follows.


After the risk assessments are performed based on the matrix, the organization can configure the
risk profile for organizations, business units, and so on. The heat maps are also based on this
configuration.

Risk Configuration Methods


The following table provides information on the Risk Matrix Configuration methods and their
description.

Method / Use This Method When... / You can Accomplish This By...

Method: Rating
Use this method when: The rating is based on the combination of two attributes or factors, based on which risk assessment is performed. The following is an example of rating for a specific combination of response values provided for Impact and Likelihood:
    Impact = Moderate
    Likelihood = Possible
    Rating = Medium
You can accomplish this by: Creating a Matrix profile with factors (responses) as X and Y Coordinates. You can then specify the rating for each cell, which means that the assessment of a risk is based on the response for a factor.

Method: Scoring and Rating
Use this method when: The rating and scoring are based on the combination of two attributes or factors, based on which risk assessment is performed. The following is an example of rating and score for a specific combination of response values provided for Impact and Likelihood:
    Impact = Moderate
    Likelihood = Possible
    Rating = Medium
    Score = 8
You can accomplish this by: Creating a Matrix profile with factors (responses) as X and Y Coordinates. You can then specify the rating and scoring for each cell, which means that the assessment of a risk, its rating and the score are based on the response for a factor. The scores are then rolled up to the assessed entity and organization; the rating for them is also based on the Risk Matrix Configuration. The heat maps are configured based on the Risk Matrix Configuration.

Method: Ranking and Rating
Use this method when: The rating, ranking, and scoring are based on the combination of two attributes or factors, based on which risk assessment is performed. The ranking is useful to differentiate between two or more risks having the same rating. This helps in determining the top 5 or top 10 risks although there may be risks that are rated as very high and high. The following is an example of rating, score, and ranking for a specific combination of response values provided for Impact and Likelihood:
    Impact = Moderate
    Likelihood = Possible
    Rating = Medium
    Score = 8
    Ranking = 9
You can accomplish this by: Creating a Matrix profile with factors (responses) as X and Y Coordinates. You can then specify the rating, scoring and rank for each cell, which means that the assessment of a risk, its rating, score, and the rank are based on the response for a factor. The risks are ranked as per the risk rating and therefore help in prioritizing the risks that need to be addressed. The scores are then rolled up to the assessed entity and organization and the rating for them is also based on the Risk Matrix Configuration. The heat maps are configured based on the Risk Matrix Configuration.

Method: Scoring Algorithm and Rating
Use this method when: Only the rating is based on the combination of two attributes or factors, based on which the risk assessment is performed. The scores however are based on the Risk Scoring Algorithm. The following is an example of rating (based on the Risk Configuration Matrix) and score (based on the algorithm) for a specific combination of response values provided for Impact and Likelihood:
    Impact = Moderate (Score=2)
    Likelihood = Possible (Score=3)
    Rating = Medium (based on the Matrix configuration)
    Score = 6 (Product of Impact and Likelihood)
You can accomplish this by: Defining the scoring algorithm for your risk assessments and also specifying the rating and heat map configuration based on 2 factors through the Risk Configuration Matrix. The roll up is by factors for Risk rating and the heat map is two dimensional based on the Matrix Configuration.

Method: Risk Scoring Algorithm
Use this method when: The Rating is based on the Risk Scoring Algorithm and not a simple Matrix. This method can have more than two factors.
    Example 1:
    Impact = Moderate (Score=2)
    Likelihood = Possible (Score=3)
    Score = 6 (Product of Impact and Likelihood)
    '6' falls in the range of 5 to 9 and hence 'Moderate'. If the score was between 0 and 4, it would have been rated as 'Low'.
    Example 2:
    The factors can be Project Complexity, Project Size, Budget, Staffing, and so on, based on which Risk Assessment is done, and not simple Impact and Likelihood factors.
You can accomplish this by: For more information on defining the scoring algorithm, refer to the Risk Scoring Algorithm section.


Risk Matrix Configuration


The Risk Matrix Configuration helps you map/configure the organization's Risk Matrix. It enables you
to visualize the basis of Risk Rating and Scoring for an assessment along with how these risks are
reported through heat maps. It allows you to create multiple Risk Matrix profiles, so that multiple
groups can assess the same Risks or different Risks from their respective perspective. For example, this
feature enables a top-down or Corporate Risk Assessment to use a 3X3 Matrix and a bottom-up or
Business Unit Risk Assessment to use a 5X5 Matrix.


The following figure depicts the Risk Matrix Configuration Interface.

Figure 39: Risk Matrix Configuration User Interface (callouts: Instructions that guide you through the Configuration setup; Turn Off and Hide sections in the assessment form; Hide/Display Instructions; Form Tool Bar; Tool Bar; Input Fields)


Instructions
The Risk Matrix configuration interface provides a step-by-step instruction to complete the
configuration. When you access the Risk Matrix configuration interface, by default, the module
displays the first step of the instruction, which enables you to get started with the configuration. The
following table provides the list of icons and descriptions related to the instructions.

Icon/Button Description

Previous instruction icon
    To view the previous instruction, click this icon.
    Note: This icon is made unavailable when you are performing the first step.

Next instruction icon
    To view the subsequent instruction, click this icon. The instruction is displayed next to the navigation steps as shown below:
    Note: This icon is made unavailable when you are performing the last step.

Red Arrow
    This arrow is displayed before the field, indicating that you need to fill in the field details. The red arrow automatically moves to the next field once you complete the previous step.
    If you are not performing the configuration sequentially by following the instructions indicated by this arrow, the arrow does not move automatically to the next field. This arrow always points to the first step.
    When you are performing steps such as defining the rating or score, this arrow is always displayed in the first cell of the X-coordinate (bottom first cell). This arrow does not move to the next blocks in the graph when you are defining the rating or scores for the other cells.

Hide Instructions button (this button interchanges with the Enable Instructions button)
    To hide the instructions, click this button. After you click this button, the navigation Red Arrow is made unavailable and the step-by-step instructions are hidden.

Enable Instructions button (this button interchanges with the Hide Instructions button)
    To enable the instructions, click this button. After you click this button, the navigation Red Arrow is made available and points to the field of the next step that you need to perform.
    Note: If you are not following the steps in sequential order, once you enable the instructions, the Red Arrow points to the first step of the instruction.

Note: The step-by-step instructions vary based on the Configuration method.


The following are the step-by-step instructions displayed by the module for the Scoring and Rating
method:
Step 1 Specify a name for the configuration.
Step 2 Select a Method.
Step 3 Select X Coordinate.
Step 4 Select Y Coordinate.
Step 5 Create the rating values.
Step 6 Indicate the rating color by picking a color, click on Set Background Color and apply them
by double clicking on each cell.
Step 7 Select the rating for each cell from the drop down.

Note: This instruction arrow is displayed only in the first block of the X-coordinate.

Step 8 Indicate the rating color by picking a color. Click the Set Background Color and apply them
by double clicking on each cell.
Step 9 Indicate the rating color by picking a color. Click the Set Font Color and apply them by
double clicking on each cell.
Step 10 Enter a unique score for each cell by clicking the Score icon.

Note: This instruction arrow is displayed only in the first block of the X-coordinate.

Enabling/Disabling Score Sections


The Risk Matrix configuration interface allows you to enable or disable the following sections in the
Risk Assessment form:

 Inherent section
 Residual section
 Control section

The following table provides the list of buttons related to score sections.
Button Description

Inherent section button (this option is not available for the Scoring Algorithm and Rating Method)
    By default, the Inherent section is enabled. To disable the Inherent section in the Risk Assessment form, click this button. When you click this button, the Open Eye icon changes to the Closed Eye icon. You can disable either the Inherent section or the Residual section.
    If you disable the Inherent section, the Inherent tabular format section is made unavailable and all the associated Quantitative factors (which are tagged as increases inherent score) are also not displayed in the Risk Assessment form.

Control section button (this option is not available for the Scoring Algorithm and Rating Method)
    By default, the Control section is enabled. To disable the Control section in the Risk Assessment form, click this button. When you click this button, the Open Eye icon changes to the Closed Eye icon.
    If you disable the Control section, the Control tabular format section is made unavailable and all the associated Controls are also not displayed in the Risk Assessment form. The Assessor cannot add additional Controls while assessing the Risks.

Residual section button (this option is not available for the Scoring Algorithm and Rating Method)
    By default, the Residual section is enabled. To disable the Residual section in the Risk Assessment form, click this button. When you click this button, the Open Eye icon changes to the Closed Eye icon. You can only disable either the Inherent section or the Residual section.
    If you disable the Residual section, the Residual tabular format section is made unavailable and all the associated Quantitative factors (which are tagged as increases inherent score) are also not displayed in the Risk Assessment form.

Input Fields
The input fields allows you to provide the inputs for configuring the Risk Matrix. The following table
provides the list of input fields and their description.

Field/List Name Description

Configuration Name
    Type the name of the Configuration that you want to associate with the Perspective. You can create multiple profiles for each method and associate them with the required Perspective in the Perspective form.
    Note:
    - You can enter the same name for multiple Risk Configurations.
    - This field accepts a maximum of 60 characters.

Method
    Select the method for which you want to configure the rating or score.
    When you switch the method while configuring the Risk Matrix, the module displays the message “The chart will be reset. Do you want to continue?”. Click the Yes button to change the method.
    Note: If you want to continue the configuration of the selected method, click the No button.
    For more information on configuration of methods, refer to the What Is Risk Matrix? section.

X Coordinate
    Select the X coordinate factor for which you want to configure the rating and score.
    Note: This field displays only the standard factors.
    Based on the responses (drop-down values) available for the selected Quantitative Assessment Factor, the Matrix is formed. The Matrix is flexible enough to support the most common symmetrical (5X5, 3X3, and so on) as well as asymmetrical (5X4) formats.

Y Coordinate
    Select the Y coordinate factor for which you want to configure the rating and score.
    Based on the responses (drop-down values) available for the selected Quantitative Assessment Factor, the Matrix is formed. The Matrix is flexible enough to support the most common symmetrical (5X5, 3X3, and so on) as well as asymmetrical (5X4) formats.
    Note: The same factor cannot be selected in both the X and Y Coordinates.


Tool Bar
The Risk Configuration Matrix interface tool bar provides various options that enable you to complete
the configuration. The following table provides the tool bar options and their description.

Option Description
The Set Rating Values list provides options to define the
rating. The ratings that you define here are available in
each cell of the matrix for selection.
By default, the following options are available:
 Very Low
 Low
 Medium
 High
 Very High
To add other ratings apart from the default ratings,
perform the following steps:
1. Click Other...
The Add Value dialog box appears.

2. Type the rating value that you want to add.


3. Click the OK button.
The newly added rating is made available in the Set Rating
Values drop-down list.

Note: Click the Cancel button to close the Add Value dialog
box.

Editing Existing Ratings

To edit the ratings, perform the following steps:


1. Click the Right-Pointing Arrow next to the rating that
you want to edit.

2. Click the Edit icon


The Edit dialog box appears.

3. Type the required value.


4. Click the Done button.
The edited rating is made available in the Set Rating
Values drop-down list.

Deleting Ratings
To delete the rating, perform the following steps:
1. Click the right-pointing Arrow next to the rating that
you want to delete.

2. Click the Delete icon


The Delete dialog box appears.

3. Click the Yes button.


Note: Click the No button to cancel the deletion.

Pick Color
    The Pick Color list provides options to pick the color for the risk rating. You can define the rating font color as well as the background cell/rating color by selecting the required color from the Pick Color palette.
    To define the color for the rating or font for a particular cell in the matrix, perform the following steps:
    1. Select the required color from the Pick Color palette. The module displays the message “Set Background/Font Color Button then Double Click on a cell to apply the chosen color to it”.
    Note: After you select the color, the Chosen Color palette displays the selected color.
    2. Select the Set Background Color or Set Font Color button.
    3. Navigate to the cell for which you want to apply the selected color.
    4. Double-click inside the cell. You can continue double-clicking each cell to apply the same color.
    Note: If you want to change the color that you have applied for a particular cell, perform steps 1 through 4.

Chosen Color
    This option displays the color that you have chosen in the Pick Color palette. It is updated automatically based on the selected color.

Set Background Color
    Use this option to apply the selected background color to the cell. The color that you define here is displayed as the background for the rating in the Risk Assessment form. For more information on defining the color, refer to the Pick Color option above.
    Once you apply the color by double-clicking the cells, the cell is colored. By default, a white background is displayed for all the cells in the matrix.
    In the below example, the background is set as Green for the Low rating. If the Risk Rating is Low (in the Risk Assessment form while performing the assessment), the rating is displayed with a Green background and black text 'Low' based on the configuration in the Risk Matrix, as shown below:

    Color defined for Low rating in the Risk Matrix UI
    Low rating showing green background in the Risk Assessment form

Set Font Color
    Use this button to apply the selected font color to the rating in a cell. The rating is displayed in the color that you set in the Risk Assessment form. For more information on defining the color, refer to the Pick Color option above.
    Once you apply the color by double-clicking the cells, the rating font color changes. By default, the black font color is displayed for all the ratings in the matrix cells.

Hide Rating icon button (this button interchanges with the Display Rating icon button)
    To hide the Rating icon in the Risk configuration matrix cells, click this button.

Display Rating icon button (this button interchanges with the Hide Rating icon button)
    To display the Rating icon in the Risk configuration matrix cells, click this button.

Hide Ranking icon button (this button is available only for the Ranking and Rating Method and interchanges with the Display Ranking icon button)
    To hide the Ranking icon in the Risk configuration matrix cells, click this button.

Display Ranking icon button (this button is available only for the Ranking and Rating Method and interchanges with the Hide Ranking icon button)
    To display the Ranking icon in the Risk configuration matrix cells, click this button.

Hide Score icon button (this button interchanges with the Display Score icon button)
    To hide the Score icon in the Risk configuration matrix cells, click this button.

Display Score icon button (this button interchanges with the Hide Score icon button)
    To display the Score icon in the Risk configuration matrix cells, click this button.

Edit Data button (this button interchanges with the button that hides the tabular format)
    To view the Risk Matrix Configuration cells in tabular format, click this button.

Hide tabular format button (this button interchanges with the Edit Data button)
    To hide the Risk Matrix Configuration cells in tabular format, click this button.

HeatMap Configuration For Standard Factors button (appears only for the Risk Scoring Algorithm Method)
    You need to manually configure the heat maps for the Risk Scoring Algorithm method. To configure the heat maps for standard factors, click this button. After you click this button, the HeatMap Configuration For Standard Factors form appears. For more information on configuring heat maps, refer to the Configuring Heat Maps for Standard Factors section.

Heat map range button (appears only for the Risk Scoring Algorithm Method)
    You need to manually configure the heat maps for the Risk Scoring Algorithm method. To configure the heat map range, click this button. The MS_RSK_HEATMAP_RANGE table screen opens. You can configure the heat map using this data table.
    For more information on configuring the data table, refer to the MetricStream Risk Assessments System Administrator Guide Release 6.1 SP2.

Validate button
    Click this button to validate the Risk Matrix Configuration that you have defined in the UI. Once you click this button, you can see the following changes:
     The module displays the Caution icon in the Risk Configuration matrix cells where you have not configured the rating, score, or ranking.
     The red line is displayed in the input fields where you have not entered the data.
    Note: You can click the Submit icon without validating the data; the module then displays the same validation messages described above.


Editing Data Tabular Format


After you click the Edit Data option, the following tabular format is displayed below the Risk
Configuration matrix. By using this tabular format, you can edit or enter the rating and score for each
cell of the X and Y coordinates of the selected factors. You cannot change the rating color and font using
this tabular format. The color coding that you have defined in the Risk Configuration graph is displayed
in this format. The module automatically refreshes the data in this tabular format based on the Risk
Configuration graph settings and vice versa.

Figure 40: Editing Data Tabular Format


The following table provides information on the columns available in the Editing Data tabular
format and their descriptions. The intersection point of the X and Y axis is called a cell. Each cell has
a unique number.

Column Name Description

<Factor Name selected in X-Coordinate> Coordinate
    This column displays a sequence of numbers based on the available drop-down options or responses for the Standard Factor used as the X-Coordinate. The sequence repeats to form unique combinations with the numbers in the following column.
    Example: If there are 4 values, it displays 1, 2, 3, 4.

<Factor Name selected in Y-Coordinate> Coordinate
    This column displays a sequence of numbers based on the available drop-down options or responses for the Standard Factor used as the Y-Coordinate. The sequence repeats to form unique combinations with the numbers in the previous column.
    Example: If there are 4 values, it displays 1, 2, 3, 4.

<Factor Name selected in X-Coordinate> Display
    This column displays the drop-down/factor response corresponding to the number in the first column (X-Coordinate column).

<Factor Name selected in Y-Coordinate> Display
    This column displays the drop-down/factor response corresponding to the number in the second column (Y-Coordinate column).

Rating
    You can define the rating in this tabular format or in the matrix using the Rating icon. To enter the rating for a cell, perform the following:
    1. Click inside the column for which you want to define the rating.
    2. Select the required rating from the drop-down list.

Score (appears only for the Scoring and Rating and the Ranking and Rating Methods)
    You can define the score in this tabular format or in the matrix using the Score icon. To enter the score for a cell, perform the following steps:
    1. Click inside the column for which you want to define the score.
    2. Type the score.
    Note:
    - You can enter a fraction number or whole number as a score for a cell.
    - You must enter a unique score in each cell in the matrix.

Ranking (appears only for the Ranking and Rating Method)
    You can define the ranking in this tabular format or in the matrix using the Ranking icon. To enter the ranking for a cell, perform the following steps:
    1. Click inside the column for which you want to define the ranking.
    2. Type the ranking.
    Note:
    - You can enter a fraction number or whole number.
    - You can enter the same ranking in different cells in the matrix.

Color
    This column displays the background color of the rating that you have set for the cell in the matrix. You can select the color here.

Font Color
    This column displays the font color of the rating that you have set for the cell in the matrix. You can select the font color here.

Risk Configuration Matrix Workspace


By using the Risk Configuration Matrix, you can define the rating, score, and ranking for different
configuration methods. Based on the responses that are defined for the factors, the matrix can be 2X
2, 4X4, 5X5 and so on. Each intersection point of x and y axis is termed as cell. You can define the
background color for rating, ranking as well as the font color.

This matrix displays icons inside each cell for selecting the rating and ranking and for defining the
score. The following table provides the list of icons that are available for the different configuration
methods and their usage.

Note: You can also use the Editing Data Tabular format to define the rating, score, and rank.

For more information on Editing tabular format, refer to the Editing Data Tabular Format section.


Icon Description

Rating icon (this option is available for all the methods except the Risk Scoring Algorithm Method)
    To define the rating for a cell, use this icon. All the rating values that are defined in the Set Rating Values option are available for selection.
    By default, the text “Sample Text” is displayed in each cell. After you select the rating, the “Sample Text” changes to the rating that you have selected.
    Note: You must enter a rating for each cell.
    To select the rating for a cell, perform the following:
    1. Navigate to the cell for which you want to define the rating.
    2. Click the down-pointing arrow next to the Rating icon.
    3. Select the required rating from the drop-down.
    For more information on defining rating values, refer to the Tool Bar section.
    Note: You can select the same rating and color for multiple cells.

Score icon (this icon is available only for the Scoring and Rating method as well as the Ranking and Rating method)
    To define the score for a cell, use this icon.
    Note:
    - You must enter a unique score in each cell.
    - You can enter a fraction or whole number.
    - You can enter a maximum of 10 digits.
    To define the score for a cell, perform the following:
    1. Navigate to the cell for which you want to define the score.
    2. Click this icon. The Score window appears.
    3. Type the score.
    4. Click the OK button.
    Note: You can use the Cancel button to discard the changes and close the window.
    The entered score appears next to the Score icon as shown below:

    Editing Scores
    To change the score, perform the following:
    1. Click the Score icon in the respective cell.
    2. Change the score in the Score window.
    3. Click the OK button.
    If you enter the same score in two different cells, the Score window turns into the Duplicate Score Value window displaying the following message:
    Enter a unique score, and click the OK button.

Icon: Ranking icon (this icon is available only for the Ranking and Rating method)
Description: To define the ranking for a cell, use this icon.
Note: You must enter a ranking for each cell.

To define the ranking for a cell, perform the following:
1. Navigate to the cell for which you want to define the ranking.
2. Click this icon. The Rank window appears.
3. Type the ranking.
Note: You can enter the same ranking for multiple cells.
4. Click the OK button.
Note: You can use the Cancel button to discard the changes and close the window.

The entered ranking appears next to the Ranking icon.

Editing Ranks
To change the rank, perform the following:
1. Click the Rank icon in the respective cell.
2. Change the rank in the Rank window.
3. Click the OK button.

4 Managing Risk Assessment Plans
This chapter provides information on how to create and approve Risk Assessment plans, and initiate ad
hoc assessments.

Sections:
1. Creating Risk Assessment Plans
2. Working on Risk Assessment Plans > Owner
3. Working on Risk Assessment Plans > Approver
4. Initiating Ad hoc Risk Assessment Tasks


Creating Risk Assessment Plans


To assess risks, the plan owner (typically the Enterprise Risk Manager, Operational Risk Manager, Internal Audit Group, Risk Manager, Risk Program Manager, and so on) must identify the assessable entities (entities may be organizations, business units, divisions, processes, asset classes, assets, suppliers, auditable entities, objectives, products, and so on) and the Risks to be assessed. The plan owner sets up the Risk Assessment Plan using the Risk Assessment Plan form. While setting up the Risk Assessment Plan, the plan owner can specify the frequency of assessment, the Risk Assessors, and the Approvers. The plan owner can create and set up any number of Entity-Risk-Assessor-Approver combinations, each with the required assessment frequency and the period within which the assessment is expected to be completed. Based on the schedule/frequency that is defined, the module automatically triggers the Risk Assessment tasks/assignments.

Ongoing Risk Assessments


The Ongoing Risk Assessment functionality enables risk managers, risk champions, risk coordinators, and risk owners to perform a Risk Assessment whenever required, without waiting for the scheduled assessment date. You can enable ongoing assessment for existing Risk Assessment plans and assess them any number of times within the time frame specified in the Risk Assessment Plan.


Risk Assessment Plan Form


Use the Risk Assessment Plan form to capture the basic information, in-depth details, and scheduling details of the Risk Assessment plan.

Figure 41: Risk Assessment Plan Form

Header
Use the header section to define the Risk Assessment Plan name and other related information.

Figure 42: Risk Assessment Plan Form > Header


Name: Type the name of the Risk Assessment plan. You can create multiple Risk Assessment plans with the same name. After providing the name, if you click outside this field, the entered name appears next to the form title.
Note:
- The maximum number of characters allowed is 100.
- For each qualitative assessment factor, a unique ID is generated, which is appended to the name that you have entered. The combination of name and ID is unique for every Risk Assessment plan.

Status: The first time you create a Risk Assessment plan, the status in this field is displayed as New.

Perspective: Select the perspective (the point of view from which the Risk Assessment is conducted) for which you want to create the Risk Assessment plan. All the Perspectives in the module are available in this field.

Risk Assessment Type: The module populates the type of Risk Assessment in this field based on the value that you selected in the Assessment Type field in the Perspectives form. The possible values in this field are:
- Assessable Entity – Risk
- Org – Assessable Entity – Risk
- Org – Risk


Details Tab
Use the Details tab to enter the details of the current Risk Assessment plan.

Figure 43: Risk Assessment Plan Form > Details Tab


General
Use this region to enter the general details of the Risk Assessment plan.

Purpose/Scope: Type the purpose and scope of conducting the Risk Assessment on a periodic basis by clicking the RTF editor icon.
Note: You can enter a maximum of 4000 characters in this field. For more information on RTF functions, refer to the MetricStream Portal User Guide Release 6.1 SP5.

Instruction(s): Type the instructions for assessing the current risk plan. To enter details, refer to the RTF field description provided above.

Ownership and Security
Use this region to select the owners for the Risk Assessment plan.

Owner Organization(s): Use this field to select one or more organizations responsible for maintaining this Risk Assessment Plan. This is not the set of organizations that this plan applies to. This field controls the workflow (for approvals) and security (for plans whose access is restricted to Owner Organizations).

Owner(s): Use this field to select one or more assessment plan owners.
The users with the RSK - Edit Scheduled Risk Assessment access grant belonging to the selected Owner Organizations and their parents are available for selection in this field. If no owners are explicitly selected, once the initiator submits the plan form, it is sent to all eligible owners from the selected owner organizations and their parents.
If no eligible owners are found, the task to approve the plan goes to users with the RSK - Edit All Scheduled Risk Assessments activity from any organization. If this also fails, the task to approve the plan is sent to the initiator.
If the initiator and owner are different, on submission of the Risk Assessment plan form, an assignment is generated to the Risk Assessment plan owner to take action on the submitted Risk Assessment plan. For more information on the approval workflow, refer to the Configuration Settings for Approval Workflow section.

Level 1 Approver (the display of this field is controlled by the configuration parameter MS_RSK_Display_Owners_Approvers): Select the first level approver for this Risk Assessment plan. The Level 1 approver is a user who belongs to the owner organizations and has the RSK - Approve Scheduled Risk Assessment activity.
Note: If you select any user in this field, after you submit the form, an assignment is generated to the selected user to review and approve the current Risk Assessment plan details.


Level 2 Approver (the display of this field is controlled by the configuration parameter MS_RSK_Display_Owners_Approvers): Select the level 2 approver for this Risk Assessment plan. The Level 2 approver is a user who belongs to the owner organizations and has the RSK - Approve Scheduled Risk Assessment activity.
Note: If you select any user in this field, after the first level approval, an assignment is generated to the selected user to review and approve the current Risk Assessment plan details.

Restrict Access To: Use this field to control the access rights of users to the current Risk Assessment plan.
If you select No Restrictions in this field, all users with the RSK - View Scheduled Risk Assessment activity can view this Risk Assessment plan, and all users with the RSK - Edit Scheduled Risk Assessment activity can edit it.
If you select Owner Organization(s) in this field, only users in the owner organization of the current Risk Assessment plan with the RSK - View Scheduled Risk Assessment activity can view this plan, and only users in the owner organization of the current Risk Assessment plan with the RSK - Edit Scheduled Risk Assessment activity can edit it.

Validity (Dates)
Use this region to define the longevity of the Risk Assessment plan.

Valid From: Enter the date from which this Risk Assessment plan is valid. From the selected date, users can use the published Risk Assessment plan.
Note: You must use the MM/DD/YYYY format.

Valid Until: Enter the date until which this Risk Assessment plan is valid. This Risk Assessment plan is not available in the published risk library for assessment after the selected date.
Note:
- You must use the MM/DD/YYYY format.
- You must enter a date that is later than the entered Valid From date.
- If you do not enter any date in this field, this Risk Assessment plan has perpetual validity.
- The module does not trigger any scheduled Risk Assessment assignments after the selected date in this field.


Scheduling Tab
Use the Scheduling tab to schedule the Risk Assessment frequency. Based on the schedule that you specify here, the module triggers the Risk Assessment assignments.

Figure 44: Risk Assessment Plan Form > Scheduling Tab


Scheduling
Use this section to define the schedule frequency.

Frequency: Select the assessment frequency of the Risk Assessment plan. The following options are available:
- Specific Date: To execute the Risk Assessment on a specific date, select this option and then enter the date in the Next Scheduled Assessment Date field.
- Weekly: To execute the Risk Assessment every week based on the due by offset value.
- Monthly: To execute the Risk Assessment every month based on the due by offset value.
- Quarterly: To execute the Risk Assessment every quarter based on the due by offset value.
- Semi-Annually: To execute the Risk Assessment once every six months based on the due by offset value.
- Annually: To execute the Risk Assessment once a year based on the due by offset value.
- No Scheduling: To execute a Risk Assessment plan without a frequency schedule.
Note: If you select the No Scheduling option in this field, no assessment assignments are generated; later, you can use the Risk Assessment Task form to trigger the Risk Assessment assignments for the current Risk Assessment plan.


Start After (Calendar Days) (appears only if you select the value Weekly/Monthly/Quarterly/Semi-Annually/Annually in the Frequency field): Specify the offset day by which the Risk Assessment is scheduled. The Start After field specifies a start offset in number of calendar days for the period selected in the Frequency field. The following are the ranges of values that you can enter in this field for the different frequencies:
- Weekly: -6 to 6
- Monthly: -30 to 30
- Quarterly: -90 to 90
- Semi-Annually: -180 to 180
- Annually: -365 to 365

Note: This value can also be in the past and has to be used along with the fiscal year setting for the organization or the business unit.

Scenario: A company's fiscal year ends on March 31, and the frequency is set to Quarterly in the Frequency field.

Example 1 (Positive value): Considering the above scenario, if the user enters the value 5 in the Start After (Calendar Days) field, then the Risk Assessment is triggered on 6 April, 6 July, 6 October, and 6 January, respectively.

Example 2 (Negative value): Considering the above scenario, if the user enters the value -5 in the Start After (Calendar Days) field, then the Risk Assessment is triggered on 25 June, 25 September, 26 December, and 26 March, respectively.
Note: If the entered value is negative, the start date is calculated by adding the number of days specified in this field to the last day of the month (calculated based on the scheduling frequency).

Due By (Calendar Days) (appears only if you select the value Weekly/Monthly/Quarterly/Semi-Annually/Annually in the Frequency field): Specify the offset day by which the Risk Assessment is due. This is a free-entry numeric field. The Due By field specifies a due offset in number of calendar days for the period selected in the Frequency field. The following are the ranges of values that you can enter in this field for the different frequencies:
- Weekly: 1 to 6
- Monthly: 1 to 30
- Quarterly: 1 to 90
- Semi-Annually: 1 to 180
- Annually: 1 to 365
The due date is always calculated by adding the number of days specified in the Due By (Calendar Days) field to the start date, irrespective of whether a positive or negative value is given in the Start After (Calendar Days) field.

Example: If the start date is April 6, and you enter the value 10 in the Due By (Calendar Days) field, then the due date is 10 days after the start date, that is, the Risk Assessment is due on 16 April, 16 July, 16 October, and 16 January, respectively.
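The following Python is an added example, not code from the MetricStream product or this guide; it reproduces the Start After and Due By arithmetic described above for the page's scenario (fiscal year ending 31 March, Quarterly frequency), treating a positive Start After as counted from the first day of each period and a negative one as counted back from its last day. The function names, the way fiscal periods are derived from the fiscal year end, and the handling of Weekly as seven-day blocks from the fiscal year start are my assumptions.

```python
from datetime import date, timedelta

# Number of months in one period for each month-based frequency.
PERIOD_MONTHS = {"Monthly": 1, "Quarterly": 3, "Semi-Annually": 6, "Annually": 12}

# Largest permitted |Start After| (and largest Due By) per frequency,
# matching the ranges listed in the guide.
OFFSET_LIMIT = {"Weekly": 6, "Monthly": 30, "Quarterly": 90,
                "Semi-Annually": 180, "Annually": 365}


def first_of_month_after(d, months):
    """Return the first day of the month `months` months after the month of `d`."""
    year_delta, month_index = divmod(d.month - 1 + months, 12)
    return date(d.year + year_delta, month_index + 1, 1)


def fiscal_periods(fiscal_year_end, frequency):
    """Yield (period_start, period_end) for the fiscal year that begins the day
    after `fiscal_year_end`.  Month-based frequencies assume the fiscal year
    ends on the last day of a month (e.g. 31 March); this is an assumption."""
    fy_start = fiscal_year_end + timedelta(days=1)
    if frequency == "Weekly":
        start = fy_start
        for _ in range(52):
            yield start, start + timedelta(days=6)
            start += timedelta(days=7)
        return
    months = PERIOD_MONTHS[frequency]
    start = fy_start
    for _ in range(12 // months):
        next_start = first_of_month_after(start, months)
        yield start, next_start - timedelta(days=1)
        start = next_start


def validate_offsets(frequency, start_after, due_by):
    """Enforce the per-frequency ranges from the guide before scheduling."""
    limit = OFFSET_LIMIT[frequency]
    if not -limit <= start_after <= limit:
        raise ValueError(f"Start After must be within -{limit} to {limit} for {frequency}")
    if not 1 <= due_by <= limit:
        raise ValueError(f"Due By must be within 1 to {limit} for {frequency}")


def assessment_schedule(fiscal_year_end, frequency, start_after, due_by):
    """Return [(start_date, due_date), ...] for one fiscal year.

    Positive Start After: first day of the period + offset.
    Negative Start After: last day of the period + offset (counted back).
    Due By is always added to the computed start date.
    """
    validate_offsets(frequency, start_after, due_by)
    schedule = []
    for period_start, period_end in fiscal_periods(fiscal_year_end, frequency):
        if start_after >= 0:
            start = period_start + timedelta(days=start_after)
        else:
            start = period_end + timedelta(days=start_after)
        schedule.append((start, start + timedelta(days=due_by)))
    return schedule


def schedule_iso(fiscal_year_end_iso, frequency, start_after, due_by):
    """Same as assessment_schedule, with ISO-8601 date strings in and out."""
    fy_end = date.fromisoformat(fiscal_year_end_iso)
    return [(s.isoformat(), d.isoformat())
            for s, d in assessment_schedule(fy_end, frequency, start_after, due_by)]


if __name__ == "__main__":
    fy_end = date(2016, 3, 31)  # constructed: fiscal year ends 31 March
    for offset in (5, -5):
        print(f"Start After = {offset}, Due By = 10")
        for start, due in assessment_schedule(fy_end, "Quarterly", offset, 10):
            print(f"  triggered {start:%d %b %Y}, due {due:%d %b %Y}")
```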


Next Scheduled Assessment Date (appears only if you select the value Specific Date in the Frequency field): Enter the date on which you want to schedule the Risk Assessment.
Note:
- You must enter the date in MM/DD/YYYY format.
- On the selected date, the module triggers the Risk Assessment assignment.

Assessments Tab
Use the Assessments tab to specify the list of assessment items that are in the current scope for assessment. You can specify the risk assessor and approver for conducting the Risk Assessments. Optionally, you can specify an assessment-item-specific schedule frequency; if specified, this overrides the overall schedule frequency specified in the Scheduling tab. In this tab you can also specify the ongoing assessment details, including the schedule and the roles/users that are part of the ongoing assessment.

Figure 45: Risk Assessment Plan Form > Assessments Tab


Assessments

Default User for All Assessments: Use this field to determine whether the assessment scope at each level should default to the user selected in the first row. The following values are available:
- Yes: If you want to set the users selected in the Assessor and Approver fields as the default for the assessment scopes at each level, select this option.
Note: If you select Yes, the Assessor and Approver fields appear. Also, when you select Yes, the individual rows do not display the Assessor and Approver fields.
- No: If you do not want to set the users as default, select this option.

Assessor (appears only if you selected Yes in the Default User for All Assessments field): Select the assessor whom you want to set as the default assessor for the assessment scopes at each level. On form submission, the Risk Assessment assignment is generated to the assessor selected in this field based on the schedule frequency. This field displays all the users with the RSK – Assess Risks access activity in any organization.

Approver (appears only if you selected Yes in the Default User for All Assessments field): Select the approver whom you want to set as the default approver for the assessment scopes at each level. On form submission, the Risk Assessment assignment is generated to the approver selected in this field (after the assessment is done by the assessor) based on the schedule frequency. This field displays all the users with the RSK – Approve Risk Assessments activity in any organization.

Add Assessor link: To add an assessment, click the Add Assessor link. The related fields appear. To add additional assessments, click this link as many times as required.

Organization(s): Select one or more organizations assessing the current assessment plan.

Assessable Entity (ies): Select the assessable entity on which the current Risk Assessment plan is performed. The assessable entities are populated from the GRC Foundation module based on the owner organization and the mapping of Applies To Organization in the Relationships tab during the assessable entity (core objects) creation stage.

Risk(s): Select one or more risks for assessment. The risks are available based on the assessable entity that you select in the Assessable Entity (ies) field. Each risk that you select here is available to the risk assessor at the second/third row level in the Assessment tab of the Risk Assessment form.


Ongoing Assessment
Use this section to provide the ongoing assessment details.
Note: There is no approval life cycle for ongoing assessments.

Enable Ongoing Assessment: Use this field to indicate whether the current risk plan is an ongoing assessment type. The following options are available in this field:
- Yes: If you want to make the current plan an ongoing assessment, select this option.
- No: If you do not want to make the current plan an ongoing assessment, select this option.
If you select Yes, the current plan is always available to the selected users in the Ongoing Assessment infoport for assessing the risk. Once the user completes the assessment and submits the Risk Assessment form, the system again generates the Risk Assessment assignment for this plan, and the assignment is again available in the Ongoing Assessment infoport. The ongoing Risk Assessments are generated based on the time that you specify in the Available From (Calendar Days) and #Of Days To Be Available (Calendar Days) fields.

Available To (this field is made available in the Ongoing Assessment section only if you select the option Yes in the Enable Ongoing Assessment field): Select the role or user groups to whom you want to send the Risk Assessment assignments for the current plan. For more information on the field description, refer to the Assessor and Approver section.
Note: The Risk Owners and Risk Stakeholders options are not available for the Ongoing assessment type.

Roles (appears only if you select the value Role in the Available To field): Select the roles to whom you want to make the assessment assignments available for the current Risk Assessment plan. The roles must be paired with assessed organizations for the Org-Risk and Org-Assessable Entity-Risk types. For the Assessable Entity-Risk assessment type, pairing the role with an assessed organization is not necessary.
The user who first accesses the assignment acquires the lock on the assessment form.
Note: For ongoing assessment, the form lock is not applicable.
For more information on the field description, refer to the Assessor and Approver section.

Users (appears only if you select the value Users in the Available To field): Select the users to whom you want to make the assessment assignments available for the current Risk Assessment plan. All the users with the RSK – Assess Risks activity are available in this field for selection. The users must be from the Assessed Organizations for the Org-Risk and Org-Assessable Entity-Risk types. For the Assessable Entity-Risk assessment type, users can be from any organization.
The user who first accesses the scheduled assignment acquires the lock on the assessment form.


Availability: The system displays the value Annual in this field. The ongoing assessment for the current plan is made available for a period of one year by default. The availability of the ongoing assessment is based on the values that you enter in the Available From (Calendar Days) and #Of Days To Be Available (Calendar Days) fields.

Available From (Calendar Days): Specify the start date by which the ongoing assessment for the current plan must be made available to the risk assessors. This is a numeric entry field. You can enter any number between 1 and 364.

#Of Days To Be Available (Calendar Days): Specify the end date by which the ongoing assessment for the current plan must be made unavailable to the risk assessors. If you do not enter any value in this field, the system considers the due date mentioned in the Due By (Calendar Days) field in the Scheduling tab as the due date for the ongoing assessment.
For example:
Scenario 1
Availability = Annual
Available From (Calendar Days) = 2
#Of Days To Be Available (Calendar Days) = 20
Due date = 2 + 20 = 22 January
Scenario 2
Availability = Annual
Available From (Calendar Days) = 2
#Of Days To Be Available (Calendar Days) = blank
Due date = 31 December

Assessment Name Tag/Identifier: Use this field to define the assignment text for the ongoing assessment. By default, the system populates the name of the Risk Assessment Plan. You can edit this field. The value that you enter here is the name of the ongoing assessment plan, and the user receives an assignment with this name.

Assessor and Approver
This section is enabled if you select No in the Enable Ongoing Assessment field.


Available To (this field is made available in the Assessor and Approver section only if you select the option No in the Enable Ongoing Assessment field): Select the role or user groups to whom you want to send the Risk Assessment assignments for the current plan. The following options are available:
- Assessor: If you want to send the assessment assignments for the current plan to a group of assessors in the selected assessed organization, select this option.
- Risk Owners: If you want to send the assessment assignments for the current plan to the Risk Owners in the selected assessed organization, select this option.
- Risk Stakeholders: If you want to send the assessment assignments for the current plan to the Risk Stakeholders in the selected assessed organization, select this option.
Note: If multiple Risk Stakeholders and owners are specified for different organizations, the Risks are clubbed for a user and assigned for assessment. The Risk Stakeholders and Risk Owners data is retrieved from the GRC Foundation module and is based on the options selected in the Risk form. For more information on how the assessment assignments are assigned, refer to the Risk Assessment Assignments to Stakeholders and Risk Owners section.
- Roles: If you want to send the assessment assignments for the current plan to a particular role in the selected assessed organization, select this option.
- Users: If you want to send the assessment assignments for the current plan to a set of users in the selected assessed organization, select this option.
Note: The Risk Owners and Risk Stakeholders options are not available for the Ongoing assessment type.

Assessor (appears only if you select the value Assessor in the Available To field): Select the assessor whom you want to set as the default assessor for the assessment scopes at each level. On form submission, the Risk Assessment assignment is generated to the assessor selected in this field based on the schedule frequency. This field displays all the users with RSK – Assess Risks access rights in the module. The assessor must be from the Assessed Organizations for the Org-Risk and Org-Assessable Entity-Risk types. For the Assessable Entity-Risk assessment type, the Assessor need not be from the assessed organization.

Approver (appears if you select any value available in the Available To field): Select the approver whom you want to set as the default approver for the assessment scopes at each level. On form submission, the Risk Assessment assignment is generated to the approver selected in this field (after the assessment is done by the assessor) based on the schedule frequency. This field displays all the users with the RSK – Approve Risk Assessments activity in any organization.


Role(s) (appears only if you select the value Role in the Available To field): Select the roles to whom you want to make the assessment assignments available for the current Risk Assessment plan. The roles must be paired with assessed organizations for the Org-Risk and Org-Assessable Entity-Risk types. For the Assessable Entity-Risk assessment type, pairing the role with an assessed organization is not necessary.
The user who first accesses the assignment acquires the lock on the assessment form.
Note: For ongoing assessment, the form lock is not applicable.
For more information on the field description, refer to the Assessor and Approver section.

Users (appears only if you select the value Users in the Available To field): Select the users to whom you want to make the assessment assignments available for the current Risk Assessment plan. All the users with the RSK – Assess Risks activity are available in this field for selection. The users must be from the Assessed Organizations for the Org-Risk and Org-Assessable Entity-Risk types. For the Assessable Entity-Risk assessment type, users can be from any organization.
The user who first accesses the scheduled assignment acquires the lock on the assessment form.

Scheduling

Frequency: Use this field to reset the scheduling frequency of the Risk Assessment defined in the Scheduling tab of this form. The values that you select here override the values selected earlier. For more information on scheduling, refer to the Scheduling Tab section.


Start After (Calendar Days) (appears only if you select the value Weekly/Monthly/Quarterly/Semi-Annually/Annually in the Frequency field): Specify the offset day by which the Risk Assessment is scheduled. The Start After field specifies a start offset in number of calendar days for the period selected in the Frequency field. The following are the ranges of values that you can enter in this field for the different frequencies:
- Weekly: -6 to 6
- Monthly: -30 to 30
- Quarterly: -90 to 90
- Semi-Annually: -180 to 180
- Annually: -365 to 365

Note: This value can also be in the past and has to be used along with the fiscal year setting for the organization or the business unit.

Scenario: A company's fiscal year ends on March 31, and the frequency is set to Quarterly in the Frequency field.

Example 1 (Positive value): Considering the above scenario, if the user enters the value 5 in the Start After (Calendar Days) field, then the Risk Assessment is triggered on 6 April, 6 July, 6 October, and 6 January, respectively.

Example 2 (Negative value): Considering the above scenario, if the user enters the value -5 in the Start After (Calendar Days) field, then the Risk Assessment is triggered on 25 June, 25 September, 26 December, and 26 March, respectively.
Note: If the entered value is negative, the start date is calculated by adding the number of days specified in this field to the last day of the month (calculated based on the scheduling frequency).

Due By (Calendar Days) (appears only if you select the value Weekly/Monthly/Quarterly/Semi-Annually/Annually in the Frequency field): Specify the offset day by which the Risk Assessment is due. This is a free-entry numeric field. The Due By field specifies a due offset in number of calendar days for the period selected in the Frequency field. The following are the ranges of values that you can enter in this field for the different frequencies:
- Weekly: 1 to 6
- Monthly: 1 to 30
- Quarterly: 1 to 90
- Semi-Annually: 1 to 180
- Annually: 1 to 365
The due date is always calculated by adding the number of days specified in the Due By (Calendar Days) field to the start date, irrespective of whether a positive or negative value is given in the Start After (Calendar Days) field.

Example: If the start date is April 6, and you enter the value 10 in the Due By (Calendar Days) field, then the due date is 10 days after the start date, that is, the Risk Assessment is due on April 16, July 16, October 16, and January 16, respectively.


Next Scheduled Assessment Date (appears only if you select the value Specific Date in the Frequency field): Enter the date on which you want to schedule the Risk Assessment. You must enter the date in MM/DD/YYYY format. On the selected date, the system triggers the Risk Assessment assignment.

Delete Last Assessor link: To delete the last added assessor, click the Delete Last Assessor link.

Delete check box: To delete a particular row, select the Delete check box in line with the row that you want to delete. The selected row appears in a different color. On form submission, the selected row is deleted.

Prior Assessment and Rating Display

Default to Previous Assessment: Use this field to enable the system to default the response selections made by the assessor for each of the recurring assessments. You can specify whether the next assessments should include the previous assessments as default values. For example, during the first week, if the assessor has rated the risk as High, by selecting Yes in this field you can make this previously selected value High appear as the default in the second week too. The following values are available:
- Yes: If you want to consider the previous assessment values as default, select this option. The upcoming Risk Assessments default to the previous Risk Assessments, that is, they display the same values as the previous assessments.
- No: If you do not want to consider the previous assessment values as default, select this option. The upcoming Risk Assessments consider the factor values defined in the Qualitative Assessment Form or Quantitative Assessment Form.
Note: This is applicable for standard, qualitative, and quantitative factors.

Display Previous Rating: Use this field to specify whether you want the Prior Inherent Risk and Prior Residual Risk columns in the main section. The following values are available:
- Yes: If you want to display the previous rating in the Risk Assessment form, select this option.
- No: If you do not want to display the previous rating in the Risk Assessment form, select this option.

Display Residual Risk Rating: Use this field to specify whether you want to display the residual risk ratings in the overall score rating table of the Risk Assessment form. The following values are available:
- Yes: If you want to display the residual risk ratings, select this option.
- No: If you do not want to display the residual risk ratings, select this option.


Risk Assessment Assignments to Stakeholders and Risk Owners

The following section describes how assessment assignments are generated for risk stakeholders and owners.

Consider the following scenario, in which users are mapped to risks as shown below:

Legends:

• R: Risk
• U: User

Risk and User Mapping

R1: U1, U2
R2: U1, U2, U4
R3: U1, U3
R4: U1, U5
R5: U1, U5

The following four assignments are generated for the users. Risks that are mapped to the same set of users are consolidated into a single assignment (R4 and R5 are both mapped to U1 and U5, so one assignment covers both).

Assignments Generated to the Users

A1: Users U1, U5; Risks R4, R5
A2: Users U1, U2; Risk R1
A3: Users U3, U1; Risk R3
A4: Users U1, U2, U4; Risk R2
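An added example, not part of the MetricStream guide, of the consolidation rule illustrated above, written in Python: risks are grouped by the exact set of users mapped to them, and a verification step confirms that no assignment exposes a risk to a user who is not mapped to it. The sample mapping is the one from the scenario; the assignment numbering order is an assumption, since the guide does not define it.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: the risk-to-user mapping from the scenario above.
RISK_USERS: Dict[str, Set[str]] = {
    "R1": {"U1", "U2"},
    "R2": {"U1", "U2", "U4"},
    "R3": {"U1", "U3"},
    "R4": {"U1", "U5"},
    "R5": {"U1", "U5"},
}

Assignment = Tuple[List[str], List[str]]  # (users, risks)


def consolidate_assignments(risk_users: Dict[str, Set[str]]) -> List[Assignment]:
    """Group risks that are mapped to an identical set of users into one assignment.

    R4 and R5 both map to {U1, U5}, so they land in a single assignment;
    R1 ({U1, U2}) and R2 ({U1, U2, U4}) differ by one user and stay separate.
    """
    groups: Dict[frozenset, List[str]] = defaultdict(list)
    for risk, users in risk_users.items():
        groups[frozenset(users)].append(risk)
    # Assumption: the guide does not define the A1..A4 numbering order, so
    # order assignments by their risk names for a deterministic result.
    ordered = sorted(groups.items(), key=lambda item: sorted(item[1]))
    return [(sorted(users), sorted(risks)) for users, risks in ordered]


def assignments_for_user(assignments: List[Assignment], user: str) -> List[Assignment]:
    """Assignments a given user receives (U1 is mapped to every risk, so gets all four)."""
    return [a for a in assignments if user in a[0]]


def verify_assignments(risk_users: Dict[str, Set[str]], assignments: List[Assignment]) -> bool:
    """Least-privilege check on a generated assignment set.

    Every risk must appear in exactly one assignment, and the users on that
    assignment must be exactly the users mapped to the risk: an assignment that
    bundled a risk with a wider user set would show the risk to unmapped users.
    """
    covered: List[str] = []
    for users, risks in assignments:
        for risk in risks:
            if risk not in risk_users or set(users) != set(risk_users[risk]):
                return False
            covered.append(risk)
    return sorted(covered) == sorted(risk_users)


if __name__ == "__main__":
    for number, (users, risks) in enumerate(consolidate_assignments(RISK_USERS), start=1):
        print(f"A{number}: users={users} risks={risks}")
```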



Managing Risk Assessment Plans

Additional Details Tab


Use the Additional Details tab to provide reference details and supporting documents that the user can
refer to. Also, use this tab to specify whether information such as related metric details, related loss
event details, related open issues, and so on need to be displayed in the Risk Assessment form or not.

Figure 46: Risk Assessment Plan Form > Additional Details Tab

Copyright © 2016 MetricStream Inc. Page 145


Risk Management 6.1 SP2 - User Guide

Field/List Name    Description

History
    When you are modifying an existing plan, two more additional fields are displayed. For more information on these fields, refer to the Risk Assessment Forms - Additional Details Tab section.

Created By
    The name of the user who created the Risk Assessment plan appears. At the creation stage, this is the name of the logged-in user.

Created On
    The date on which the Risk Assessment plan was created appears.

Final Approver for Assessments
    Select the final approver for Risk Assessments.

Modify Weighting (This field is visible only for the Risk Scoring Algorithm method)
    Specify whether the risk assessor can modify the weighting in the Risk Assessment form. The following options are available:
    • Yes: To allow the assessor to modify the weighting, select this option.
    • No: If you do not want to allow the assessor to modify the weighting, select this option.
Assessment Display Settings
    Use this section to display or hide specified fields, tabs, and hyperlinks in the Risk Assessment form.

Show Related Loss Events (Link)
    Select Yes/No to specify whether to display the related loss events for the risks being assessed. If you select Yes, the Related Loss Events hyperlink appears in the Risk Assessment form. Click this hyperlink to view the respective loss event report.

Show Related Metrics (Link)
    Select Yes/No to specify whether to display the related metrics for the risk being assessed. If you select Yes, the View Related Metrics hyperlink appears in the Risk Assessment form. Click this hyperlink to view the respective metrics report.

Show Related Open Issues (Link)
    Select Yes/No to specify whether to display the related open issues for the risk being assessed. If you select Yes, the Related Open Issues hyperlink appears in the Risk Assessment form.

Display Prior Assessment For Factors (This field is visible only for the Risk Scoring Algorithm method)
    Select Yes/No to specify whether to display the previous assessment values. If you select Yes, the previous assessment values appear in the Risk Assessment form.

Display Risk Scores
    Select Yes/No to specify whether to display the previous and assessed risk scores. If you select Yes, the previous and assessed scores along with their ratings are displayed in the Overall Score Table of the Risk Assessment form.

Display Overall Risk Rating
    Select Yes/No to specify whether to display the Overall Score Section. If you select Yes, the Overall Score Section appears in the Risk Assessment form.

Display Findings/Issues
    Select Yes/No to specify whether to display the Findings/Issues tab in the Risk Assessment form.

Standard Factors Display Settings
    Use this section to display or hide certain fields, tabs, and hyperlinks in the Risk Assessment form.

Display Standard Factors (This field is editable only for Risk Algorithm mapped Perspectives)
    Select Yes/No to specify whether to display the standard factors in the Risk Assessment form.

Assessor Settings
    Use this section to display or hide certain fields, tabs, and hyperlinks in the Risk Assessment form.

Allow Assessor to Add Risks (This field is editable only for Risk Scoring Algorithm method Perspectives)
    Use this field to allow risk assessors to add risks from the library, enter new risks on an ad hoc basis, or both. The following values are available:
    • Library Risks: To allow the assessor to add risks from the library, select this option.
    • New Risks: To allow the assessor to add risks on an ad hoc basis, select this option.
    • Both: To allow the assessor to add both library risks and new risks, select this option.
    • None: If you do not want to allow the assessor to add any risks, select this option.

Display Controls
    Select Yes/No to specify whether to display the controls. If you select Yes, the Controls appear in the Risk Assessment form.
    Note: This field is not available if the Control Score Formula is disabled in the Risk Scoring Algorithm form.

Display Default Controls
    Specify whether you want to display the controls by default or allow the assessor to select the controls. If you select Yes, the controls are populated in the Risk Assessment form by default. If you select No, the module allows the assessor to select controls from the library, select controls related to the risk, or create new controls.
    Note: This field is not available if the Control Score Formula is disabled in the Risk Scoring Algorithm form.

Documents

Attach File(s)
    To attach a file, perform the following steps:
    1. Click the Browse… button.
    2. Select the file from your local drive.
    The file is attached, and the name of the file that you attached appears.
    Note: You may attach one or more files, as required.
    To delete an attached file, click the Delete icon on the right side of the attached file.


Modify/Review/Approve Section
Use the Modify/Review/Approve section to take action on the Risk Assessment plan.

Figure 47: Risk Assessment Plan Form > Modify/Review/Approve Section

Field/List Name    Description

Modify/Review/Approve

Action
    The following action is available in the Risk Assessment Plan form while you create an assessment plan:
    • Send for Approval: To submit the completed form and schedule the Risk Assessment, select this option.
    After you submit the form, the Risk Assessment Plan form is routed to the owner to take a decision on the created plan. For more information on the Risk Assessment Plan approval workflow, refer to the Risk Assessments Plan > Approval Workflow section.

Comment(s)
    Enter your comments regarding the Risk Assessment plan. On form submission, the Comments History report is updated with the comments that you enter.

Comments History link
    To view the Comments History report, click the Comments History report link. The Comments History report appears. This report displays the comments entered by all the users who worked on this form, in chronological order. Click the Done button to close the report.
    When you create the Risk Assessment plan for the first time, the Comments History report does not display any details.


Form Submission
For more information on the Form Tool Bar icons, refer to the Form Tool Bar section.

Task Assignments and E-mail Notifications


After you submit the current form, assignments and e-mails are generated to the respective users, as
shown in the following table.

Submitted By: Initiator (all rows below)

Action Selected: Send for Approval
    Assigned To: Owner
    Form Status: Approval Pending
    Form Assigned: Risk Assessment Plan form
    E-Mail Sent: Owner

Action Selected: Submit Clarifications (This action is available at the initiator stage only when the owner has requested clarification and the initiator sends the form back to the owner with the required clarifications)
    Assigned To: Owner
    Form Status: Approval Pending
    Form Assigned: Risk Assessment Plan form
    E-Mail Sent: Owner


Working on Risk Assessment Plans > Owner


As a plan owner, you can review the plan details, and take an appropriate action regarding the Risk
Assessment Plan. The form available at the owner stage is the same as the initiation stage. You can
access the assignment from My Tasks menu.

Accessing Risk Assessment Plan Form


• Click the Approve Assessment Plan "<Assessment Plan Name> [<SCHAMT> <Assessment Plan ID>] <PID>" link in the My Tasks menu.

For more information on the My Tasks menu, see About My Tasks Menu.

Workflow Changes
At this stage, all the tabs, sections, and fields of the Risk Assessment Plan form are the same as at the initiation stage, except for a few field-level changes, which are captured in the following table. For more details on the Risk Assessment Plan form, see Risk Assessment Plan Form.


Field/List Name    Description

Header Section

Status
    The status of the Risk Assessment Plan form is automatically updated to Approval Pending.

Additional Details Tab
    Note: The following fields are unavailable at the owner review stage of the Risk Assessment Plan form.

Created On (non-editable)
    The date on which the current Risk Assessment Plan form was created appears.

Created By (non-editable)
    The name of the user who created the Risk Assessment Plan form appears.

Action Section
    The options available in the Action field vary at the owner stage.

Action
    The following actions are available in the Quantitative Assessment Factor/Qualitative Assessment Factor form while you work on the quantitative assessment factor/qualitative assessment factor as an owner:
    • Approve: To send the assessment factor to the selected approver for approval, select this option.
    • Request Clarification(s): To get more clarification from the assessment factor initiator, select this option.
    • Cancel: To cancel the assessment factor and close the assessment factor, select this option. If you select Cancel, the assessment factor is closed and no assignments are generated.
    Note:
    - If no approvers are selected for this assessment factor, the plan is published when you select the Approve option.
    - After you submit the form, the Risk Assessment Plan form is routed to different users based on the action selected.

Comments
    Enter your comments regarding the quantitative assessment factor/qualitative assessment factor. After you submit the form, the Comments History report is updated with the comments that you enter.

Comments History link
    To view the Comments History report, click the Comments History report link. The Comments History report appears. This report displays the comments entered by all the users who worked on this form, in chronological order. Click the Done button to close the report.

After entering all the required details in the form, click to submit the form. For more information
on the form toolbar icons, see Form Tool Bar.


Task Assignments and E-mail Notifications


After you submit the current form, assignments and e-mails are generated to the respective users, as
shown in the following table.

Submitted By: Owner (all rows below)

Action Selected: Approve
    Assigned To: Level 1 Approver
    Note: If no Level 1 Approver is specified, then the plan is published directly.
    Form Assigned: Risk Assessment Plan form
    Form Status: Approval Pending
    E-Mail Sent: Level 1 Approver; CC: Initiator

Action Selected: Cancel
    Assigned To: Not applicable
    Form Assigned: Not applicable. The form is canceled and is no longer available in the system.
    Form Status: Not applicable
    E-Mail Sent: Initiator

Action Selected: Request Clarifications
    Assigned To: Initiator
    Form Assigned: Risk Assessment Plan form
    Form Status: Clarification Requested in the previous form (initiator stage)
    E-Mail Sent: Initiator

Action Selected: Submit Clarifications (This action is available only when the level 1/level 2 approver has requested clarification and the owner works on the form to provide the required clarifications to the level 1 approver)
    Assigned To: Owner
    Form Assigned: Risk Assessment Plan form
    Form Status: Approval Pending
    E-Mail Sent: Level 1 Approver; CC: Initiator


Working on Risk Assessment Plans > Approver


When the Risk Assessment plan owner sends the plan for approval, the selected level 1 approver
receives the plan. When the level 1 approver sends the form for approval, the plan is published if no
level 2 approver is selected. Otherwise, the plan is routed to the level 2 approver for approval. If no
approvers are selected when the owner approves the plan, the plan is published automatically.

Note: The approved risk plans are published and are available in the data browser.
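As an added example, not from the guide or the product, the following Python model encodes the routing just described and the owner and approver task tables: the stage order, the direct-publish shortcut when an approval level has no approver, and the cancel and clarification branches. The stage names, the initial status, the routing of Submit Clarifications to the level 1 approver, and the rule that only the user the form is currently assigned to may act on it are assumptions of this example.

```python
from typing import Dict, List, Optional, Tuple

# Assumed stage and status names for this example; the guide itself names only
# the statuses Approval Pending and Clarification Requested and the published result.
PUBLISHED = "Published"
CANCELED = "Canceled"
APPROVAL_LEVELS = ("level1", "level2")


class PlanApprovalWorkflow:
    """Routes a Risk Assessment Plan through initiator, owner and approver stages."""

    def __init__(self, initiator: str, owner: str,
                 level1: Optional[str] = None, level2: Optional[str] = None):
        # User the form is assigned to at each stage; an approval level with no
        # approver (None) is skipped, as the task tables describe.
        self.assignees: Dict[str, Optional[str]] = {
            "initiator": initiator, "owner": owner, "level1": level1, "level2": level2,
        }
        self.stage = "initiator"
        self.status = "Draft"  # assumed initial status, not named in the guide
        self.history: List[Tuple[str, str, str, str]] = []

    def assignee(self) -> Optional[str]:
        """User who currently holds the form; None once published or canceled."""
        return self.assignees.get(self.stage)

    def can_act(self, actor: str) -> bool:
        """Only the current assignee may act: the form is routed to one named user per stage."""
        return self.stage not in (PUBLISHED, CANCELED) and actor == self.assignee()

    def _route_to(self, level: Optional[str]) -> None:
        # Route to the given approval level if an approver is selected for it;
        # otherwise the plan is published directly, as the tables state.
        if level is not None and self.assignees.get(level):
            self.stage, self.status = level, "Approval Pending"
        else:
            self.stage, self.status = PUBLISHED, PUBLISHED

    def submit(self, actor: str, action: str) -> Tuple[str, str]:
        """Apply the selected Action; returns the new (stage, status)."""
        if not self.can_act(actor):
            raise PermissionError(f"{actor} may not act on the plan at stage {self.stage}")
        stage = self.stage
        if stage == "initiator" and action in ("Send for Approval", "Submit Clarifications"):
            self.stage, self.status = "owner", "Approval Pending"
        elif stage == "owner" and action in ("Approve", "Submit Clarifications"):
            self._route_to("level1")   # no level 1 approver: publish directly
        elif stage == "level1" and action == "Approve":
            self._route_to("level2")   # no level 2 approver: publish directly
        elif stage == "level2" and action == "Approve":
            self._route_to(None)       # last level: publish
        elif stage == "owner" and action == "Request Clarifications":
            self.stage, self.status = "initiator", "Clarification Requested"
        elif stage in APPROVAL_LEVELS and action == "Request Clarifications":
            self.stage, self.status = "owner", "Clarification Requested"
        elif stage in ("owner",) + APPROVAL_LEVELS and action == "Cancel":
            self.stage, self.status = CANCELED, CANCELED
        else:
            raise ValueError(f"action {action!r} is not available at stage {stage}")
        self.history.append((actor, action, self.stage, self.status))
        return self.stage, self.status
```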

Accessing Risk Assessment Plan Form


• Click the Approve Assessment Plan <Assessment Plan Name> [<Assessment Plan ID>] <PID> link in the My Tasks menu.

For more information on the My Tasks menu, see About My Tasks Menu.

Workflow Changes
At this stage, all the tabs, sections, and fields of the Risk Assessment Plan form are the same as at the initiation stage, except for a few field-level changes, which are captured in the following table. For more details on the Risk Assessment Plan form, see Risk Assessment Plan Form.

Field/List Name    Description

Header Section

Status
    The status of the Risk Assessment Plan form is automatically updated to Approval Pending.

Additional Details Tab
    Note: The following fields are unavailable at the approval stages of the Risk Assessment Plan form.

Created On (non-editable)
    The date on which the current Risk Assessment Plan form was created appears.

Created By (non-editable)
    The name of the user who created the Risk Assessment Plan form appears.

Action Section
    The options available in the Action field vary at the approver stage.

Action
    The following actions are available in the Quantitative Assessment Factor/Qualitative Assessment Factor form while you work on the quantitative assessment factor/qualitative assessment factor as an owner:
    • Approve: To send the assessment factor to the selected approver for approval, select this option.
    • Request Clarification(s): To get more clarification from the assessment factor initiator, select this option.
    • Cancel: To cancel the assessment factor and close the assessment factor, select this option. If you select Cancel, the assessment factor is closed and no assignments are generated.
    Note:
    - If no approvers are selected for this assessment factor, the plan is published when you select the Approve option.
    - After you submit the form, the Risk Assessment Plan form is routed to different users based on the action selected.

Comments
    Enter your comments regarding the quantitative assessment factor/qualitative assessment factor. After you submit the form, the Comments History report is updated with the comments that you enter.

Comments History link
    To view the Comments History report, click the Comments History report link. The Comments History report appears. This report displays the comments entered by all the users who worked on this form, in chronological order. Click the Done button to close the report.

After entering all the required details in the form, click to submit the form. For more information
on the form toolbar icons, see Form Tool Bar.


Task Assignments and E-mail Notifications


After you submit the current form, assignments and e-mails are generated to the respective users, as shown in the following table.

Submitted By: Level 1 Approver (all rows below)

Action Selected: Approve
    Assigned To: Level 2 Approver, if a Level 2 Approver is selected in the Risk Assessment Plan form
    Note: If no Level 2 Approver is specified, then the form is published directly.
    Form Assigned: Risk Assessment Plan form
    Form Status: Approval Pending, when the form is with the Level 2 Approver
    E-Mail Sent: Level 2 Approver; CC: Owner and Initiator

Action Selected: Cancel
    Assigned To: Not applicable
    Form Assigned: Not applicable. The form is canceled and is no longer available in the system.
    Form Status: Not applicable
    E-Mail Sent: Owner; CC: Initiator

Action Selected: Request Clarifications
    Assigned To: Owner
    Form Assigned: Risk Assessment Plan form
    Form Status: Clarification Requested in the previous form (owner stage)
    E-Mail Sent: Owner

Action Selected: Submit Clarifications (This action is available only when the level 2 approver has requested clarification and the owner is sending the form back to the level 1 approver with the required clarifications)
    Assigned To: Owner
    Form Assigned: Risk Assessment Plan form
    Form Status: Approval Pending
    E-Mail Sent: Owner


Initiating Ad hoc Risk Assessment Tasks


Using the Risk Assessment Task form, you can create ad hoc Risk Assessment tasks for existing Risk Assessment plans. You can create ad hoc tasks for a published plan to meet immediate requirements. Once you submit this form, the selected user receives an assignment to complete the Risk Assessment task.

Risk Assessment Task Form


Use the Risk Assessment Task form to initiate ad hoc Risk assessment tasks.

Figure 48: Risk Assessment Task Form


Header
Use the header section to select the name of Risk assessment plan for which you create the ad hoc task
and other details.

Figure 49: Risk Assessment Task > Header

Field/List Name    Description

Risk Assessment Plan
    Select the name of the Risk Assessment plan for which you want to create an ad hoc task. All the published Risk Assessment plans are available in this field for selection.
    You can select only those plans that are currently valid and where the current user is a listed owner, or that have no owners but where the current user has the RSK - Edit Scheduled Risk Assessment access grant in one of the owner organizations.

Perspective
    The perspective name appears. The value in this field is populated based on the plan that you selected in the Risk Assessment Plan field.

Assessment Type
    The type of Risk Assessment for the selected plan appears. The value in this field is populated based on the plan that you selected in the Risk Assessment Plan field. The possible values in this field are:
    • Assessable Entity - Risk
    • Org - Assessable Entity - Risk
    • Org - Risk

Inherit Assessment Scope
    Use this field to determine whether you want to inherit the assessment scope from the selected Risk Assessment plan. Select Yes to inherit the assessment scope; otherwise, select No. If you select Yes, the Assessor, Approver, and Due Date fields are displayed and the Items Being Tested tab is hidden. If you select No, you need to provide the details in the Items Being Tested tab.
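The selection rule for the Risk Assessment Plan field, as an added Python example that is not the product's own code: a plan is selectable only if it is published and currently valid, and the user is a listed owner or, when the plan has no owners at all, holds the RSK - Edit Scheduled Risk Assessment grant in one of the owner organizations. The Plan fields, the sample data, and reading "currently valid" as a validity date window are assumptions of the example; the grant name is the one the guide states.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List, Set, Tuple

# Access grant name as stated in this guide.
EDIT_SCHEDULED_GRANT = "RSK - Edit Scheduled Risk Assessment"


@dataclass(frozen=True)
class Plan:
    # Assumed plan attributes for this example.
    name: str
    published: bool
    valid_from: date
    valid_to: date
    owners: FrozenSet[str]      # listed plan owners, possibly empty
    owner_orgs: FrozenSet[str]  # organizations of the plan owners


def user_may_select(plan: Plan, user: str,
                    grants: Set[Tuple[str, str, str]], today: date) -> bool:
    """Decide whether `user` may pick `plan` in the Risk Assessment Plan field.

    `grants` holds (user, organization, access grant) triples. Ordering matters:
    an explicit owner list is authoritative, so an organization-level grant never
    widens access to a plan that has named owners.
    """
    if not plan.published:
        return False
    if not (plan.valid_from <= today <= plan.valid_to):  # assumed meaning of "currently valid"
        return False
    if plan.owners:
        return user in plan.owners
    # No owners: fall back to the org-scoped grant in one of the owner organizations.
    return any((user, org, EDIT_SCHEDULED_GRANT) in grants for org in plan.owner_orgs)


def selectable_plans(plans: Iterable[Plan], user: str,
                     grants: Set[Tuple[str, str, str]], today: date) -> List[str]:
    """Names of the plans offered to `user`, in sorted order."""
    return sorted(p.name for p in plans if user_may_select(p, user, grants, today))


# Constructed sample data (not from the guide).
SAMPLE_PLANS = [
    Plan("Q3 Ops Risk", True, date(2016, 7, 1), date(2016, 9, 30),
         frozenset({"u.owner"}), frozenset({"Finance"})),
    Plan("IT Controls", True, date(2016, 1, 1), date(2016, 12, 31),
         frozenset(), frozenset({"IT"})),
    Plan("Draft Vendor Risk", False, date(2016, 1, 1), date(2016, 12, 31),
         frozenset(), frozenset({"IT"})),
    Plan("Expired Audit", True, date(2015, 1, 1), date(2015, 12, 31),
         frozenset(), frozenset({"IT"})),
]
SAMPLE_GRANTS = {
    ("u.itadmin", "IT", EDIT_SCHEDULED_GRANT),
    ("u.finadmin", "Finance", EDIT_SCHEDULED_GRANT),
}
TODAY = date(2016, 8, 15)

if __name__ == "__main__":
    for who in ("u.owner", "u.itadmin", "u.finadmin", "u.nobody"):
        print(who, selectable_plans(SAMPLE_PLANS, who, SAMPLE_GRANTS, TODAY))
```

Note that u.finadmin holds the grant in Finance yet sees nothing: the Finance plan has a listed owner, so the grant does not apply.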


Items Being Assessed Tab


Use the Items Being Assessed tab to enter the details of the items for Risk Assessment.

Figure 50: Risk Assessment Task Form > Items Being Assessed Tab

Field/List Name    Description

Add Assessment link
    To add the assessments for the ad hoc task, click the Add Assessment link. The assessment related fields appear. To add additional assessments, click this link as many times as required.

Organization(s) (appears only if the linked Perspective is of the Org – Assessable Entity – Risk or Org-Risk type)
    Select the organizations on which the Risk Assessment is performed.

Assessable Entity (ies)
    Select the assessable entities on which the Risk Assessment is performed.

Available To
    Use this field to select the role or user groups to whom you want to send the Risk assessment assignments for the current plan. For more information on field descriptions, refer to the Assessor and Approver section.

Role(s) (appears only if you select the value Role in the Available To field)
    Select the roles to whom you want to make the assessment assignments available for the current Risk Assessment plan. For more information on field descriptions, refer to the Assessor and Approver section.

Users (appears only if you select the value Users in the Available To field)
    Select the users to whom you want to make the assessment assignments available for the current Risk Assessment plan. All the users with the RSK – Assess Risks activity are available in this field for selection.

Risk(s)
    Select the risks that you want the assessor to assess. The risks that you select here are available at the third hierarchical level in the Risk Assessment form.

Assessor
    Use this field to select an assessor to assess the risk.

Approver
    Use this field to select an approver to approve the risk.

Due Date
    Select the date on or before which the Risk Assessment task needs to be completed.

Delete Last Row link
    To delete the last added row, click the Delete Last Row link.

Delete check box
    To delete a particular row, select the Delete check box corresponding to the row that you want to delete. The selected row appears in a different color. After you submit the form, the selected row is deleted.

Form Submission
For more information on the Form Tool Bar icons, refer to the Form Tool Bar section.

Task Assignments and E-mail Notifications


There are no e-mail notifications for risk assessment tasks. For information on task assignments, refer to the task assignments sections in the Risk Assessment Form.



5 Performing Risk Assessments

This chapter provides information on the Risk Assessment form functions that are common across all the Risk Assessment methods. It also provides information on how to approve and review the assessment details.

Sections:
1. Assessing Risks
2. Reviewing Risk Assessments
3. Approving Risk Assessments


Assessing Risks
Based on the schedule and frequency that is set in the Risk Assessment plan, the risk assessor receives
an assignment to perform Risk Assessment. The assigned risks need to be assessed for one or more
assessable entities that they are mapped to. This section provides information on the common
functions that you can perform while assessing the Risks that are part of different methods of
assessment.

Accessing Ongoing Risk Assessment Assignments


The Ongoing risk assignments are available in the Ongoing Assessment infoport of the Risks infocenter
>> My Risk Assessments sub-infocenter.

• Click the Assess link in the Assess column corresponding to the Risk Assessment plan name to assess the risk.

Figure 1: Ongoing Assessment Infoport

These are ongoing Risk Assessment assignments that are available to logged-in assessors, who can assess these risks whenever required. After you assess a Risk available for ongoing assessment, the Ongoing Risk Assessments infoport displays the most recent assessment details.

Note: The ongoing assessment task assignments are not available in the My Tasks menu.


Risk Assessment Form


Use the Risk Assessment form to perform the Risk assessment and record the details.

Figure 2: Risk Assessment Form


Header
Use the header section to view the details of the Risk Assessment.

Figure 3: Risk Assessment Form > Header

Field/List Name    Description

Name
    The Risk Assessment name appears.

Perspective
    The perspective for which you are assessing the risk appears.

Assessment Due Date
    The date by which you need to complete the Risk Assessment appears. The value in this field is populated based on the schedule defined in the Risk Assessment Plan form.

Status
    The module displays the status of the Risk Assessment. The first time you work on this form, the value in this field is always Sent For Assessment.


Details Tab
The Details tab displays the general details of the Risk Assessment.

Figure 4: Risk Assessment Form > Details Tab

Field/List Name    Description

General

Assessment Type
    The type of Risk Assessment appears. The module populates the type of Risk Assessment in this field based on the value that you selected in the Assessment Type field in the Perspectives form. The Risk Assessment Plan is linked to the Perspective, and the Risk Assessment Type is defined in the Perspective form. The possible values in this field are:
    • Assessable Entity – Risk
    • Org – Assessable Entity – Risk
    • Org - Risk

Frequency
    The frequency (Monthly, Quarterly, Annually, and so on) of the Risk Assessment appears.

Purpose/Scope
    This field displays the purpose/scope of the Risk Assessment. To view the details, perform the following:
    1. Click the RTF icon next to this field. The RTF editor appears in a browser window displaying the details.
    2. Click the Close button to close the RTF editor window.
    Note: The details entered by the Risk Assessment plan initiator in the Purpose/Scope field appear here.

Instruction(s)
    This field displays the instructions to be followed to assess the current risk.
    Note: To view the details, perform the steps provided in the Purpose/Scope field.
    The details entered by the Risk Assessment plan initiator in the Instruction field appear here.

Assessments Tab
The Assessments tab displays the related Entities and Risks that are selected while creating the Risk assessment plan.

Figure 5: Risk Assessment Form > Assessments Tab


When you access the Assessments tab for the first time, the tabular format view is collapsed and displays the First tabular format option. The tabular format is organized in the following way:

First Hierarchical Level - Business Units
Second Hierarchical Level - Assessable Entities
Last Hierarchical Level - Risks to be Assessed

Figure 6: Risk Assessment Form > Assessment Tab > Different Tabular Format Levels

Figure 7: Risk Assessment Form (callouts: Tabular Format columns common across the hierarchical levels; Third hierarchical tabular format options)

• First hierarchical level: All the business units for which you are assessing the risks.

Note: This tabular format row is available only for Org - Assessable Entity – Risk assessments. The other two types of Risk Assessments (Assessable Entity - Risk and Org - Risk) contain only two levels in the tree structure.


• Second hierarchical level: All the assessable entities, such as processes, auditable entities, IT assets, and so on. This hierarchical level is available for Org - Assessable Entity – Risk and Assessable Entity - Risk assessments (process, auditable entities, IT assets, and so on).
• Third hierarchical level: The risks related to the assessable entities that are to be assessed.

Note: If the Risk Assessment Plan consists of only one risk for assessment, when you access the Risk Assessment form, the Assessment tab is expanded and all the hierarchical levels are expanded by default to display the Risks related to the Assessable Entity.

Expanding/Collapsing Tree Tabular Format


To expand the items defined in the Assessments tab tabular format and see different layers of information, click the Plus icon to the left of the business unit. The tree tabular format displays all objects defined under the business unit in different tabular hierarchical levels. If there is a Plus icon on the left side of a particular item, it means there are one or more sub-items defined under the main item. To access and work on each item, click the required item name link. The related tabular format appears at the bottom of the assessment tabular format. To collapse the expanded region, click the Minus icon.

Assessments Tab > Organization to be Assessed


Note: Organizations to be assessed are applicable for assessment types Org-Assessable Entity-Risk and Org-Risk.

This hierarchical level displays the organization details. The organization details are populated based on the organizations that are selected during the Risk Assessment plan creation stage. If there are two organizations selected during the plan creation stage, the module displays each organization's details in a separate row. Using this tabular format row, you can perform the following:

• View the prior inherent and residual risk rating
• View the rolled-up inherent and residual scores
• View the previous control effectiveness rating
• Override control scores and rating
• View the trend of the risk
• View the number of open issues
• View the number of loss events
• View the number of metrics that are breached
• View risk owner details


Column Name    Description

Organization Name
    The business unit that is being assessed. The business unit name selected in the Organization(s) field in the Assessments tab of the Risk Assessment Plan form appears. For example, if the plan initiator has added 2 organizations, both organizations are displayed in the first 2 rows. When you move the mouse pointer over the tabular format, the organization name is displayed as a tooltip.

Assessable Entity
    The entity that is being assessed. The business unit name selected in the Assessable Entity (ies) field in the Assessments tab of the Risk Assessment Plan form appears. For example, if the plan initiator has added two assessable entities, both assessable entities are displayed in the first 2 rows. When you move the mouse pointer over the tabular format, the assessable entity name is displayed as a tooltip.
    Note: Based on the type of assessment, the entities are made available in the first or second hierarchical level.

Level 2 Parent Risk
    The parent risk at level 2, if any, appears in this field.

Level 1 Parent Risk
    The parent risk at level 1, if any, appears in this field.

Prior Inherent Risk (appears only if you select Yes in the Display Previous Rating? field of the Risk Assessment Plan form)
    The previous inherent risk rating and score for the organization being assessed appears. The module populates the roll-up score (by Org) in this field based on the previous risk rating scored by the current organization. This column is blank for Organizations and Assessable Entities; it displays data only at the Risk level. The rating followed by the score in parentheses is displayed.
    Note: This field does not display any value if you are assessing the risk for the first time.

Inherent Risk This field displays the inherent Risk Assessment score and rating
based on the assessment value that you provide for factors in the
Inherent Risk For tabular format. The Rating followed by the score
in parenthesis is displayed.
Example:
Note: The background color for rating and font color are displayed based
on the Risk Matrix Configuration for all the methods except for the Risk
Scoring Algorithm method.

When you access the form for the first time, based on the plan
setup this column displays the previous rating or rating based on
the default values that is defined for each factor.

The score and rating is refreshed (automatically or manually based


on the plan form settings) after you start assessing the factors
associated with the Risks.
The score that is displayed at each hierarchical level in this column
is the overall roll up rating and roll up score (by Org) for the current
Risk Assessment.
Override The module populates the overridden inherent rating. The
overridden rating is populated based on the control score that you
enter in the Override Control Score field. The overridden control
score is populated based on the value range that is defined in the
MS_RSK_CONTROL_OVERRIDE data table.
For more information on configuring the data table values, refer to
the MetricStream Risk Assessments System Administrator Guide
Release 6.1 SP2.

Prior Control Effectiveness (appears only if you select Yes in the Display Previous Rating? field of the Risk Assessment Plan form) This field displays the effectiveness of the controls that are used for mitigating the risks in the previous assessment. Each rating displays the score corresponding to it.
Note: This field does not display any value if you are assessing the risk for the first time.

Overall Control Score This field displays the overall control score based on the assessment values that you provide for controls in the Control tabular format.
When you access the form for the first time, this column does not display any score. The score that you see in this column is the combination of the overall roll-up score from all the controls related to the particular Risk that you are assessing.
For the following methods the Overall Control score is calculated as “Sum of all Controls”:
 Rating Method
 Scoring and Rating Method
 Ranking and Rating Method
For the following methods the Control Score is calculated based on the Control formula defined in the Risk Scoring Algorithm interface:
 Scoring Algorithm and Rating Method
 Risk Scoring Algorithm
The overall control score is populated based on the value range that is defined in the MS_RSK_CONTROL_EFFECTIVENESS data table.
For more information on configuring the data table values, refer to the MetricStream Risk Assessments System Administrator Guide Release 6.1 SP2.
Note: The overall control score is displayed only at the last child hierarchical level, that is, the Risk hierarchical level, as the controls are related to Risks and not to organizations and assessable entities.

Control Effectiveness This field displays the effectiveness of the controls that are used
for mitigating the Risks. Each rating displays the score
corresponding to it.
The values that appear in this field are populated based on the
value that is defined in the MS_RSK_CONTROL_EFFECTIVENESS
data table. The display of this column is based on the Risk
Assessment Plan setting.
For more information on configuring the data table values, refer to
the MetricStream Risk Assessments System Administrator Guide
Release 6.1 SP2.

Note: The control effectiveness rating is displayed only at the last child
hierarchical level, that is, the Risk hierarchical level as the controls are
related to Risks and not to organization and assessable entities.

Override Control Score Using this column you can override the control score populated by
the module. By default, the Risk Assessments module displays the
text Enter Score in this column.
To override the control score, perform the following:
1. Click the column.
2. Type the overridden control score.

Note:
- You can enter any numeric value as a score in this column.
- You can enter the overridden Control score only at the last child
hierarchical level, that is, Risk hierarchical level as the Controls are
related to Risks and not to organization and assessable entities.

Override The module populates the overridden inherent rating. The overridden rating is populated based on the inherent score that you select in the Override field. The overridden inherent score is populated based on the value range that is defined in the MS_RSK_OVERRIDE_SCORE data table.
For more information on configuring the data table values, refer to the MetricStream Risk Assessments System Administrator Guide Release 6.1 SP2.

Prior Residual Rating The previous residual risk rating and score for the organization being assessed appears. The module populates the roll-up score (by Org) in this field based on the previous risk rating scored by the current organization.
This column is blank for Organizations and Assessable Entities. It displays data only at the Risk level.
The rating followed by the score in parentheses is displayed.
Note: This field does not display any value if you are assessing the risk for the first time.

Residual Risk This field displays the residual Risk Assessment score and rating based on the assessment values that you provide for factors in the Residual Risk For tabular format. The rating followed by the score in parentheses is displayed.
Note: The background color for the rating and the font color are displayed based on the Risk Matrix Configuration for all the methods except the Risk Scoring Algorithm method.
When you access the form for the first time, based on the plan setup this column displays the previous rating or the rating based on the default values that are defined for each factor.
The score and rating are refreshed (automatically or manually, based on the plan form settings) after you start assessing the factors associated with the Risks.
The score that is displayed at each hierarchical level in this column is the overall roll-up rating and roll-up score (by Org) for the current Risk Assessment.
Override The module populates the overridden residual rating. The
overridden rating is populated based on the residual score that
you select in the Override field. The overridden residual score is
populated based on the value range that is defined in the
MS_RSK_OVERRIDE_SCORE data table.
For more information on configuring the data table values, refer to
the MetricStream Risk Assessments System Administrator Guide
Release 6.1 SP2.

Comments/Justification Provide your comments/justification for overriding the value. This is a mandatory field. You cannot submit the form without providing details in this field.
Trend Provide your judgement on the trend of the risk based on the current and previous assessment ratings.
The following options are available:
 Upwards: If the assessment rating shows an increasing trend, select this option.
 Downwards: If the assessment rating shows a decreasing trend, select this option.
 Stable: If the trend of the assessment rating is stable, select this option.
Note: You can select the risk trend only at the last child hierarchical level, that is, the Risk hierarchical level.

Threat /Opportunity Specify whether the assessed Risk is a threat or an opportunity to the business unit or any assessable entity.
The following options are available:
 Threat: Represented as negative Risks.
 Opportunity: Represented as positive Risks.
Note: Positive Risks can be considered as opportunities which can have a positive impact on the project.
The main objective of risk management is to increase the probability and impact of positive outcomes and decrease the probability and impact of negative outcomes. Hence, Risks can be positive or negative, or viewed as opportunities or threats.
Note: You can enter the threat or opportunity details only at the last child hierarchical level, that is, the Risk hierarchical level.

Threat /Opportunity Level Specify the level of threat or opportunity of the assessed Risk on your business unit or assessable entity.
This column is editable after you select the value in the Threat /
Opportunity column. The following options are available:
 High
 Medium
 Low

Risk Response / Treatment Strategy Using this column the Risk owner can record the decision and the treatment that is applied to the threat or opportunity Risks.
The following options are available if you select the value Threat in the Threat /Opportunity field:
 Mitigate: If you are implementing a corrective action to eliminate or reduce the Impact or likelihood, select this option.
 Accept: If you are ceasing the activity to eliminate the Risk, select this option.
 Transfer: If you are shifting the Impact to another entity, select this option.
 Avoid: If you are not implementing any corrective actions and are documenting the rationale on why the Risk should be avoided, select this option.
The following options are available if you select the value Opportunity in the Threat /Opportunity field:
 Enhance: If you have allocated the resources to develop a treatment plan to increase the Likelihood and/or benefit, select this option.
 Accelerate: If you have allocated resources to analyze the opportunity, select this option.
 Share: If you have allocated the resources to share the benefit with third parties, such as through insurance or a contract, select this option.
 Ignore: If you want to allocate resources and miss the opportunity, select this option.
Note:
- The strategy that you provide in this column is used in the Risk Register report.
- The display of column values is configurable. The values in this field are populated from the MS_RSK_THREAT_OPPORTUNITY data table.

#Open Issues (made available only if you select Yes in the Show Related Open Issues field of the Risk Assessment Plan form) To view the related issue details, click the View link corresponding to the risk name. The Open Issues Report appears. This report displays all the issues that are open (active) for the Risk being assessed.
The report is populated from the Issue Management module.
For more information, refer to the MetricStream Issue Management User Guide Release 6.1 SP2.
Note: You can view this detail only at the last child hierarchical level.

#Metric Breaches (made available only if you select Yes in the Show Related Metrics field of the Risk Assessment Plan form) To view the related metric details, click the View link corresponding to the risk name. The Metric Trends (By Assessment) Report appears.
This report displays all the metrics that are breached for the current Risk.
The report is populated from the Metrics module of the GRC Foundation module.
For more information on the Metrics module, refer to the MetricStream Metrics User Guide Release 6.1 SP2.

#Loss Events (made available only if you select Yes in the Show Related Loss Events field of the Risk Assessment Plan form) To view the related internal loss event details, click the View link corresponding to the risk name. The Internal Loss-Gain Event List Report appears.
This report displays all the internal loss events that were associated with the current risk during the previous assessment.
The report is populated from the Loss Event Management module.
For more information on the Loss Event Management module, refer to the MetricStream Loss Event Management User Guide Release 6.1 SP3.

Risk Owner(s) One or more names of the risk owners appear.
The values in this field are populated from the corresponding Risk details in the GRC Foundation module.

Override Feature
Users have the ability to override Inherent / Residual / Control ratings if they feel that the calculated
rating is not appropriate. This functionality is available for both assessors as well as assessment
approvers. However, this feature is currently limited to only assessments performed using Risk Scoring
Algorithm.

For Inherent and Residual sections, rating is overridden. For Control section, score is overridden. For
Inherent and Residual sections, the overridden rating is translated into a score as configured in the
MS_RSK_OVERRIDE_SCORE data table. Similarly, for Control section, the overridden Control Score is
translated into a rating as per what is configured in the MS_RSK_CONTROL_OVERRIDE data table.

Note: When you override the scores and publish the Risk Assessment form, the overridden values are shown with
a * mark adjacent to the overridden score and rating in reports.

Example:

The following figure shows the Risk Assessment form assessed using the RISA method.

Figure 8: Risk Assessment Form using RISA method > values overridden (callouts: at organization level, only inherent risk is overridden and residual risks are not overridden; at process level, no scores are overridden and the calculated values are retained; at risk level, inherent, control, and residual risk are overridden)

In the above figure, the following values are overridden at different levels:

 Organization level: Only inherent risk score is overridden. For example, the calculated inherent risk score and rating ‘High [85]’ is overridden with the value ‘Medium [85]’
 Process level: No risk scores and ratings are overridden. The existing scores and ratings are retained.
 Risk level: The inherent, overall control, and residual score are overridden.

For example, the calculated inherent risk score and rating ‘High [85]’ is overridden with the value ‘Medium [85]’, the overall control score 128 is overridden with the value 10, and
residual risk score and rating ‘High 75’ is overridden with the value ‘Low 22’.

Example:

In the below figure, the Organizations at Risk (By Individual Assessment) report shows the overridden scores with a * mark.

Figure 9: Organizations at Risk (By Individual Assessment)

In the above figure, inherent score and rating are marked with a * mark, as the values are overridden in the Risk Assessment form, whereas the residual score value is the calculated
score without a * mark, since the calculated value is not overridden in the Risk Assessment form.

The following are the areas that are impacted by the override feature:

 Risk Register report
 Risk Register Detailed report
 Organizations at Risk (By Individual Assessment)

Note: The override feature is not applicable for roll-up reports; it is applicable only for non roll-up reports. Even though the Risk Control Assessments report is a non roll-up report and the Heat Map (Risks Directly Assessed) is a non roll-up heat map, the override feature is not applicable for this report and heat map.
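The scoring rules described in the Overall Control Score column (“Sum of all Controls”), the Score and Weighting columns of the Controls For tabular format, and the override translation described in this Override Feature section can be modelled in a few functions. The following Python block is an added example written for this guide's reader; it is not MetricStream code and does not read the product's data tables. The MS_RSK_OVERRIDE_SCORE, MS_RSK_CONTROL_OVERRIDE and MS_RSK_CONTROL_EFFECTIVENESS contents below are constructed placeholders (only the High = 3 control score comes from the guide), WEIGHTING_IS_PERCENT stands in for the weighting setting the guide mentions, and the function names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Tuple

# --- Constructed stand-ins for the MS_RSK_* data tables. The real contents are
# --- site-configured (see the System Administrator Guide); these are examples.

# MS_RSK_OVERRIDE_SCORE: overridden inherent/residual rating -> score
OVERRIDE_SCORE = {"Low": 22, "Medium": 50, "High": 85}

# MS_RSK_CONTROL_OVERRIDE: per-control rating -> score (guide: High = 3) and the
# value ranges that turn an overridden control score back into a rating.
CONTROL_RATING_SCORE = {"High": 3, "Medium": 2, "Low": 1}
CONTROL_OVERRIDE_RANGES: List[Tuple[float, float, str]] = [
    (0, 2, "Low"), (2, 5, "Medium"), (5, float("inf"), "High")]

# MS_RSK_CONTROL_EFFECTIVENESS: overall control score ranges -> effectiveness label
CONTROL_EFFECTIVENESS_RANGES: List[Tuple[float, float, str]] = [
    (0, 3, "Ineffective"), (3, 12, "Partially Ineffective"), (12, float("inf"), "Effective")]

WEIGHTING_IS_PERCENT = True  # assumed data-table setting: weighting as % (else a multiplier)


def lookup_range(ranges, value):
    """Return the label of the first range containing value (lower bound inclusive,
    upper bound exclusive). A gap in the configured ranges raises instead of
    silently mapping to nothing, so a misconfigured table is noticed."""
    for low, high, label in ranges:
        if low <= value < high:
            return label
    raise ValueError(f"no configured range covers score {value}")


@dataclass
class ControlAssessment:
    name: str
    rating: str        # High / Medium / Low, as selected in the Rating column
    weighting: float   # percent (0-100) when WEIGHTING_IS_PERCENT, else a multiplier


def control_score(c: ControlAssessment) -> float:
    """Score column: the rating's score scaled by the control's weighting."""
    factor = c.weighting / 100 if WEIGHTING_IS_PERCENT else c.weighting
    return CONTROL_RATING_SCORE[c.rating] * factor


def overall_control_score(controls: List[ControlAssessment]) -> float:
    """'Sum of all Controls' (Rating, Scoring and Rating, Ranking and Rating methods)."""
    return sum(control_score(c) for c in controls)


def control_effectiveness(overall: float) -> str:
    """Control Effectiveness column: overall score mapped through the effectiveness ranges."""
    return lookup_range(CONTROL_EFFECTIVENESS_RANGES, overall)


@dataclass
class OverrideResult:
    rating: str
    score: float
    overridden: bool


def require_justification(text: str) -> None:
    """Comments/Justification is mandatory when a value is overridden."""
    if not text or not text.strip():
        raise ValueError("Comments/Justification is mandatory when overriding")


def override_inherent_or_residual(rating: str, justification: str) -> OverrideResult:
    """Inherent/Residual sections: the *rating* is overridden and translated to a
    score through MS_RSK_OVERRIDE_SCORE."""
    require_justification(justification)
    return OverrideResult(rating, OVERRIDE_SCORE[rating], True)


def override_control(score: float, level: str, justification: str) -> OverrideResult:
    """Control section: the *score* is overridden and translated to a rating through
    the MS_RSK_CONTROL_OVERRIDE value ranges. Allowed only at the Risk level."""
    require_justification(justification)
    if level != "Risk":
        raise ValueError("control score can be overridden only at the Risk level")
    if score < 0:
        raise ValueError("control score must be a non-negative number")
    return OverrideResult(lookup_range(CONTROL_OVERRIDE_RANGES, score), score, True)


def report_cell(r: OverrideResult) -> str:
    """'Rating [score]' as shown in non roll-up reports, with the * mark on overridden values."""
    return f"{r.rating} [{r.score:g}]" + ("*" if r.overridden else "")


def rejected(fn) -> bool:
    """True if fn() raises ValueError; used to show the form's validation rules."""
    try:
        fn()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    controls = [ControlAssessment("Access review", "High", 100),          # constructed
                ControlAssessment("Segregation of duties", "Medium", 50),
                ControlAssessment("Logging", "Low", 100)]
    total = overall_control_score(controls)
    print("overall control score:", total, control_effectiveness(total))
    print(report_cell(override_inherent_or_residual("Medium", "Compensating controls verified")))
    print(report_cell(override_control(10, "Risk", "Control tested effective")))
```

The level check in override_control mirrors the guide's rule that a control score can be entered only at the Risk hierarchical level, while an inherent or residual rating can be overridden at any level (the figure shows one at the organization level); the justification check mirrors the mandatory Comments/Justification column.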

Display of Prior Values for Risk Assessment Triggered Using the Same Scope
If you trigger another Risk Assessment assignment with the same scope, for example, same organization-process-risk combination from the same Risk Assessment plan, it shows
the prior assessment values that are overridden with a * mark, as shown in the following figure.

Figure 10: Risk Assessment triggered with the same scope > overridden prior values

In the above figure, Medium [85] is the inherent risk score and rating value that is overridden during the prior assessment, Partially Ineffective is the control effectiveness value
that is overridden during the prior assessment, and Low [22] is the residual risk score and rating value that is overridden during the prior assessment.

Note: The overridden values at the risk level (prior assessment) are displayed with a * mark.

Adding Ad Hoc Risks at First Child Hierarchical Level


While performing the Risk Assessments, if you want to add some risks that are not part of the original
Risk Assessment plan scope, you can add or create risks using the Add Risk option available in this form.
This option is made available based on the Risk Assessment Plan setting. If the Allow Assessor to Add
Risks field is set to Both, you can add Risks from GRC Library as well as create new risks. For more
information on this field setting, refer to the Assessments Tab section.

Note: This functionality is available only for the Risk Algorithm method.

When you add or create new risks, the risks are added at the risk node. Newly added risks are represented with a Star icon. If you have added a new risk, the View List of Risk(s) report is updated with the newly added risk details. You can access this assessment form at any time and view the list of newly added risks that are part of this assessment. You can only provide the overridden scores for newly added library Risks as well as newly created Risks. These risk details are populated during the next assessment as prior assessment details for the assessor.

You can create new Risks or add Risks from the GRC Library at the second or first hierarchical level, depending on the type of Risk Assessment. The Add Risk option is available at the following level for each type of Risk Assessment:

 Org-Assessable Entity-Risk: Second tabular format hierarchical level
 Org-Risk: First tabular format hierarchical level
 Assessable Entity-Risk: First tabular format hierarchical level

To add new Risks, perform the following steps:


Step 1 Right-click the assessable entity name/organization name in the first/second tabular
format hierarchical level.
The following context-sensitive menu appears.

Figure 11: Adding New Risks


Step 2 Click the Add Risk link.

The following dialog box appears.

Figure 12: Add Risk Dialog Box

You can perform the following actions in the Add Risk dialog box:

 Add new Risks from GRC Library
 Create new Risks

For more information on adding new Risks from library, refer to the Adding New Risks from GRC
Library section.

For more information on adding new Risks, refer to the Adding New Risks section.

Adding New Risks from GRC Library


To add Risks from GRC Library, perform the following steps:
Step 1 In the Add Risk dialog box, click the From Library option box.
The Risk Name field appears.

Figure 13: Add Risk Dialog Box > From Library


Step 2 Select the required Risk name.

Note:
- The Risks are populated from the GRC Foundation module. The risks are filtered based on the logged-in user profile and security access rights.
- You can add only one Risk at a time.
Step 3 Click the Add button.

The newly added Risk appears in the tabular format.

Figure 14: Newly Added GRC Library Risk (callout: Newly Added Risk)

Adding New Risks


To create new Risks, perform the following steps:
Step 1 In the Add Risk dialog box, click the Enter New Risk option box.
Step 2 Click the Enter New Risk option box.
The Risk Name field appears.

Figure 15: Add Risk Dialog Box > Adding New Risks
Step 3 Type the Risk name in the Risk Name field.

Note:
- You can enter the same risk name multiple times.
- You can add only one Risk at a time.
Step 4 Click the Add button.

The newly added Risk appears in the tabular format.

Figure 16: Newly Added GRC Library Risk (callout: Newly Added Risk)


To view the list of Risks that are newly added for the current assessment, click the View List of Risk(s)
link. The View New Risks report appears.

Note: You can view the newly created risk only after you submit this form.

Viewing Assessable Entity and Risk Details


You can view the assessable entity and risk details in the tabular format by using the Show Details
option available in the respective tabular formats.

To view the assessable entity or risk details, perform the following steps:
Step 1 To view the details, right-click the name of the assessable entity or risk.
The following context-sensitive menu appears.

Figure 17: Viewing Assessable Entity/Risk Details


Step 2 Click the Show Details option.
The respective form appears in read-only mode.
Note: The details are populated from the GRC Foundation module.

Risk Tabular Format Hierarchical Level


When you click the Risk name in the risk hierarchical level, the following tabular formats appear below
the Assessment tab:

 Inherent Risk for <Risk Name>
 Control Risk for <Risk Name>
 Residual Risk for <Risk Name>

The tabular format header name varies based on the risk that you are assessing. For example, if the risk name that you are assessing is Compliance, the module displays <Risk Name> as Compliance in italics in all the tabular formats mentioned above.

Tabular Format Functionality


All the tabular formats share a common set of tabular format functions; the following section describes the common functions that you can perform in the different tabular formats.

Figure 18: Common Risk Tabular Format Interface (callouts: Risk Tabular Formats; Floating Summary Window Options; Floating Risk Rating Window)

Collapsing and Expanding Tabular Formats


When you access the Risk hierarchical level, all the tabular formats are displayed in expanded view. To collapse a particular tabular format, click the Collapse icon available to the left of the tabular format title. The Expand icon then appears; click it to expand the selected tabular format.

Figure 19: Collapsed Inherent Risk Tabular Format View

Floating Risk Rating Window


The Floating Risk Rating Window is available in the lower-right corner of the Assessments tab in the Risk Assessment form. This window displays the overall inherent risk rating and residual risk rating based on the tabular format hierarchical level that you are working on. The number of levels displayed in this window varies based on the type of Risk Assessment that you are performing. If you are performing the Org-Assessable Entity-Risk assessment, this window displays the overall organization risk rating in the first row, the Assessable Entity risk rating in the second row, and the overall risk rating in the third row.

To collapse this window, click the Collapse icon.

Figure 20: Floating Risk Rating Window Displaying Three Levels Rating (callouts: Collapse Icon; Business Unit being Assessed; Assessed Entity; Risk being Assessed)

When you access the first risk hierarchical level in the tree tabular format, this window displays the
previous risk ratings or default risk ratings based on the Risk Assessment Plan settings. When you
perform the assessment of factors associated with the selected risk, this window is refreshed and
updated with the latest ratings based on the assessment value that you provide for each factor. The
display of hierarchical level details is updated in this window only when you navigate to the risk
hierarchical levels available in the tree tabular format.

For example, in the following screen there are two organizations that are assessed. When the user has selected Finance-NFL, which is the first hierarchical level, the module does not refresh the details in this window. When the user navigates to the Risk hierarchical level, based on the selected risk the module refreshes this tabular format and displays the latest risk rating, organization, and core-object details. The floating risk rating window is automatically updated when the Calculate Scores by Default field is set to Yes in the Perspective form on which the Risk assessment is based. If the Calculate Scores by Default field is set to No in the Perspective form, this floating window does not update the scores automatically and a Calculate button is displayed in the Floating Risk Rating Window options. You need to click the Calculate button to view the rolled-up score in the Floating Risk Rating window.

Figure 21: Floating Risk Rating Window > Example

The following table provides information on the Floating Risk Rating window.

Column Displays the....
(first column) The selected tree hierarchical level names.
Inherent Inherent score for the respective tree hierarchical level.
Residual Residual score for the respective tree hierarchical level.

Floating Risk Rating Window Options


The Floating Risk Rating Window Options enable you to scroll the assessment window and to minimize and maximize the Floating Risk Rating Window. The following table lists the options that are available in this window.

Figure 22: Floating Risk Rating Window Options

Icons Use this icon to....


(icon) Scroll horizontally towards the left side of the screen.
(icon) Scroll upward.
(icon) Expand all the hierarchical levels in the tree tabular format.
(icon) Collapse the child hierarchical levels.
Note: The child hierarchical levels are collapsed based on the selected parent hierarchical level. For example, in the Figure 92: Floating Risk Rating Window Option, if you have selected the Enterprise Risk Assessments hierarchical level, all the child hierarchical levels within this hierarchical level are collapsed.
(icon) Scroll horizontally towards the right side of the screen.
(icon) Hide the Floating Risk Rating window as well as the Floating Risk Rating window options.
Once the Floating Risk Rating window/options are hidden, the Show icon appears at the bottom right of the screen. Click the Show icon to view the Floating Risk Rating window/options window.
(icon) Scroll downward.
(icon) Maximize the Floating Risk Rating window.
Note: This option is available only if you have minimized the Floating Risk Rating window.
(button) Calculate and display the rolled-up risk scores in the Floating Risk Rating Window.
This button is displayed based on the Perspective settings.
For more information on settings, refer to the Perspectives section.

Hierarchical Factors
If the factors are of hierarchical type, all the sub factors that are mapped to the hierarchical factor are
displayed in an expandable tree tabular format. Based on the categorization of Perspective and factors
all the associated sub factors are displayed below the main hierarchical factor. After you assess sub
factors, based on the computation logic defined for the hierarchical factor a hierarchical consolidated
factor score is populated by the module. Based on the settings while creating the quantitative factors
the respective section displays the hierarchical factor details. You cannot provide ratings for the
hierarchical factors and the text NA is displayed in the Rating column.

Expanding and Collapsing Hierarchical Tabular Format


To expand and view the sub factors under the hierarchical factor, click the Plus icon. The following figure depicts the expanded sub factors under the Inherent Factor hierarchical factor (callouts: Hierarchical Factor - Parent Factor; Sub Factors).

To collapse the expanded hierarchical factor section, click the Minus icon.

Assessments Tab > Inherent Risk For Tabular Format


This tab is made available when you click the Risk name in the Assessment main tabular format at the
third hierarchical level. After you click the particular risk name for assessment, the Inherent Risk For
<Risk Name> tabular format appears displaying all the factors that you need to assess for the selected
risk name.

This tabular format displays all the standard factors, quantitative non-standard factors and qualitative
factors.

The factors appear in this field based on the sort order that you defined during factor creation. If no sort order is defined during factor creation, the factors are listed in alphabetical order. The tabular format displays the factors in the following order:

 All standard factors are displayed first
 All the quantitative factors that increase and reduce inherent risk are displayed next, and then all the qualitative factors that are associated with the selected risk are displayed

Based on the assessment values that you provide in this section, the inherent risk score is calculated. The inherent Risk score is calculated based on the Perspective for which the Risk Assessment is performed and the method related to that Perspective. The input value that you can provide in this tabular format for different factors varies based on the response type that is defined during factor creation.

Figure 23: Risk Assessment Form > Assessments Tab > Inherent Risk For Tabular Format

Qualitative Assessment Factor Response Columns


The following table lists the different types of response fields that are available for Qualitative Risk Assessment Factors.

Type Description
Amount You can enter an amount as the assessment value.
Date You can select a date as the assessment value. To select a date, click the Calendar icon next to this column. The Calendar window appears. Select the required date.
LOV You can select any defined LOV as the assessment value. The values that appear in this field are based on the list of values defined during the factor creation stage.
Number You can enter a number as the assessment value.
Text You can enter text as the assessment value. You can enter a maximum of four thousand characters. Press the BACKSPACE/DELETE key to clear the typed text.

Assessments Tab > Controls For Tabular Format


This tabular format displays all the controls that are related to the risk that you are assessing. The
association of Risk with Controls is performed during the Risk creation stage in the GRC Foundation
module. If a risk is associated with three controls, all the three controls are populated in this section.
For the Controls that are populated from the GRC Foundation module, you can provide control
assessment rating, modify the weighting value, and enter comments. While performing the risk-control assessment, you can add related controls that mitigate the risk that you are assessing in this tabular format.

Figure 24: Risk Assessment Form > Assessments Tab > Controls For Tabular Format (Reducing Inherent Risk Screen)

Column Name Description


Control The control name appears. Click the interlinked Control name to view the control details. The details of the Control appear in read-only mode. Click the Close button to close the Control form. The hyperlink is not available for newly added GRC Library Controls and newly created Controls.
Control Type The type of Control appears. The following are the possible values in
this column:
 Related To Risk: The module populates this value if the Control is
associated with the selected Risk during the Risk creation stage.
 Library Control: The module populates this value for newly added
GRC Library Controls.
 New Control: The module populates this value for newly created
Controls.
View Tests link Click this link to view the test execution results of the controls that is
assessed. The View Test Results report appears with details such as
test execution ID, test plan name and so on. The details in this report
are populated from Compliance Management module.
Note: This link is available only for those Controls that are pre-populated
based on the Risk -Control association.

Key Control Select Yes/No to specify whether this control is a key control or not.
This column is editable only for newly added GRC Library Controls and
newly created Controls.
Purpose Use this field to select the purpose. The following options are available
in this field:
 Compliance
 Financial
 Operational
 Preventive
 Detective

Note: Control category is pre-populated for New controls/related controls of the risk that is assessed and you cannot edit the details.

Rating Select the control rating.
The following options are available in this field:
 High
 Medium
 Low
The values in this field are populated from the MS_RSK_CONTROL_OVERRIDE data table. The display of this column is based on the Risk Assessment Plan setting.
For more information on configuring the data table values, refer to the MetricStream Risk Assessments System Administrator Guide Release 6.1 SP2.

Score The assessed factor score based on the control effectiveness rating
appears.
The values in this field are populated from the
MS_RSK_CONTROL_OVERRIDE data table based on the value range
defined for each rating. For example, for High rating, score is 3.
Weighting This column displays the weighting score for the control. The module
displays this value based on the value that weighting that is defined in
the MS_RSK_CONTROL_OVERRIDE data table.
You can edit this value only when the Modify Weighting field is set to
Yes in the Risk Assessment Plan form.
The weighting is considered as number or percentage based on the
settings of the MS_RSK_CONTROL_OVERRIDE data table.
Control Score% The control effectiveness score appears.

Comments To enter comments regarding the controls use this column. To enter
comments, perform the following steps:

1. Click the Comments icon next to this column.


The Comments/Justification window appears.

2. Type the comments and click the Save button to insert the com-
ments and exit the window.
The entered comments appear in the Comments column in the
tabular format.
3. Click the Cancel button to cancel the entered comments.
To edit the comments, follow steps from 1 to 3.
Overall Score and Rating
The overall score and rating is displayed at the bottom of the tabular format in the following col-
umns.



Risk Management 6.1 SP2 - User Guide

Rating
    The overall control rating appears. The overall control rating is calculated based on the
    rating that you select in the Rating field. The values in this field are populated from the
    MS_RSK_CONTROL_OVERRIDE data table based on the value range defined for each rating. For
    example, for the High rating, the score is 3.

Control Score%
    The overall control score appears. For the following methods, the overall Control score is
    calculated as “Sum of all Controls”:
    - Rating Method
    - Scoring and Rating Method
    - Ranking and Rating Method
    For the following methods, the Control Score is calculated based on the Control formula
    defined in the Risk Scoring Algorithm interface:
    - Scoring Algorithm and Rating Method
    - Risk Scoring Algorithm
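The “Sum of all Controls” aggregation described in the table above, as an added worked example. This is Python written for this guide, not MetricStream's own implementation. It takes the High = 3 score stated in the table and adds assumed Medium = 2 and Low = 1 scores and assumed overall-rating value ranges, standing in for whatever is configured in the MS_RSK_CONTROL_OVERRIDE data table; the class and function names, the sample control rows and the check that percentage weightings add up to 100 are all assumptions for the example.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed stand-in for the rating-to-score mapping that the guide says is
# read from the MS_RSK_CONTROL_OVERRIDE data table. High -> 3 is stated in the
# table above; the Medium and Low scores are assumptions for this example.
RATING_SCORE = {"High": 3.0, "Medium": 2.0, "Low": 1.0}

# Assumed value ranges for deriving the overall control rating from the overall
# score: (rating, inclusive lower bound), checked from the highest band down.
OVERALL_RATING_RANGES = [("High", 2.5), ("Medium", 1.5), ("Low", 0.0)]


@dataclass(frozen=True)
class ControlAssessment:
    """One row of the Controls For tabular format (hypothetical structure)."""
    name: str
    rating: str       # must be a key of RATING_SCORE
    weighting: float  # a plain number, or a percentage when weighting_is_percent


def control_score(control: ControlAssessment, weighting_is_percent: bool) -> float:
    """Weighted score of a single control: rating score x effective weight."""
    if control.rating not in RATING_SCORE:
        raise ValueError(f"{control.name}: unknown control rating {control.rating!r}")
    if control.weighting < 0:
        raise ValueError(f"{control.name}: weighting must not be negative")
    weight = control.weighting / 100.0 if weighting_is_percent else control.weighting
    return RATING_SCORE[control.rating] * weight


def overall_control_score(controls: Iterable[ControlAssessment],
                          weighting_is_percent: bool) -> float:
    """'Sum of all Controls': the overall score is the plain sum of the
    per-control weighted scores. When weightings are percentages, this example
    additionally requires them to add up to 100 (an assumed consistency check,
    not a documented product rule)."""
    controls = list(controls)
    if weighting_is_percent:
        total_weight = sum(c.weighting for c in controls)
        if abs(total_weight - 100.0) > 1e-9:
            raise ValueError(f"percentage weightings add up to {total_weight}, not 100")
    return round(sum(control_score(c, weighting_is_percent) for c in controls), 4)


def overall_control_rating(score: float) -> str:
    """Map the overall score onto the assumed value ranges."""
    for rating, lower_bound in OVERALL_RATING_RANGES:
        if score >= lower_bound:
            return rating
    return "Low"  # negative scores are rejected earlier; kept for completeness


# Constructed sample rows mirroring the Control / Rating / Weighting columns,
# with weightings expressed as percentages.
SAMPLE_PERCENT = [
    ControlAssessment("Segregation of duties", "High", 50.0),
    ControlAssessment("Monthly reconciliation", "Medium", 30.0),
    ControlAssessment("Manager sign-off", "Low", 20.0),
]

if __name__ == "__main__":
    score = overall_control_score(SAMPLE_PERCENT, weighting_is_percent=True)
    print(f"Overall control score: {score} -> {overall_control_rating(score)}")
```

With the sample rows the weighted scores are 1.5, 0.6 and 0.2, so the sum is 2.3 and lands in the assumed Medium band; switching `weighting_is_percent` to `False` treats the same weightings as plain multipliers, which is why the example rejects percentage sets that do not total 100 before summing.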

Adding New Controls

While performing the control assessments, you can add or create controls over and above what is
already available as part of the original scope using the Add Control option available in this
tabular format. This option is made available based on the Risk Assessment Plan setting. When you
add or create a new Control, the Controls are added to the Controls For tabular format. If you have
added a new Control, the View New Control(s) report is updated with the newly added Control details
after the user submits the form. The user can access this assessment form at any time and view the
list of newly added Controls that are part of this assessment. You can only provide the mitigated
scores/rating for newly added library Controls as well as newly created Controls.

To add or create new Controls, perform the following step:

- To add or create a Control, click the Add Control button in the Controls For <Risk name>
  tabular format title. The following context-sensitive menu appears.

Figure 25: Add Control Dialog Box

You can perform the following actions in the Add Control dialog box:


- Add new Controls from GRC Library
- Create new Controls

For more information on adding new Controls from the library, refer to the Adding GRC Library
Controls section.

For more information on creating new Controls, refer to the Adding New Controls section.

Adding GRC Library Controls

To add Controls from the GRC Library, perform the following steps:
Step 1 In the Add Control dialog box, click the From Library option box.
The Control Name field appears.

Figure 26: Add Risk Dialog Box > From Library

Step 2 Select the required Control name.

Note: The Controls are populated from the GRC Foundation module. The Controls are filtered based
on the logged-in user profile and security access rights.

Note: You can add only one Control at a time.

The selected Control name appears in the Control Name field.
Step 3 Click the Add button.
The newly added Control appears in the tabular format with the Category details.


Adding New Controls

To create new Controls, perform the following steps:
Step 1 In the Add Control dialog box, click the Enter New Control option box.
The Control Name field appears.

Figure 27: Add Risk Dialog Box > Adding New Controls
Step 2 Type the Control name.

Note: You can enter the same Control name multiple times.

Note: You can add only one Control at a time.

The newly added Control name appears in the Control Name field.
Step 3 Click the Add button.
The newly added Control appears in the tabular format with the Category details.

To view the list of Controls that are newly added for the current assessment, click the View List
of Control(s) link. The View New Control report appears. For more information on the report
columns, refer to View New Controls Report.

Note: You can view the newly created Control details only after you submit this form.

Deleting Controls
To delete a control, perform the following steps:
Step 1 Select the row of the Control that you want to delete.
The selected row is highlighted.
Step 2 Click the Delete icon.
Step 3 The confirmation message “Are you sure you want to delete the selected control?” appears.
Click the Yes button.

Assessments Tab > Residual Risk For Tabular Format


This tab is made available when you click the risk name in the Assessment main tabular format at the
third hierarchical level. After you click the particular risk name for assessment, the Residual Risk For


<Risk Name> tabular format appears displaying all the factors that you need to assess for the selected
risk name.

This tabular format displays all the standard factors and the quantitative non-standard factors.

The factors appear in this field based on the sort order that you defined during the factor creation. If
no sort order is defined during the factor creation, the factors are listed in alphabetical order. The
tabular format displays the factors in the following order:

- All standard factors are displayed first
- All the quantitative factors that reduce residual risk are displayed next

Based on the assessment value that you provide in this tabular format, the residual risk score is
calculated based on the selected Perspective and the risk scoring algorithm mapped to that
Perspective. The input value that you can provide in this tabular format for different factors varies
based on the response type that is defined during the factor creation stage.

Figure 28: Risk Assessment Form > Assessments Tab > Residual Risk For Tabular Format


Findings and Observations Tab


While conducting the Risk Assessment, the assessor may notice some serious issues/findings that
affect the organization. Using the Findings and Observations tab, you can add one or more findings and
you can trigger an issue to the Issue Management module that might mitigate the risk. The finding
details are organized in a tree structure. You can add multiple findings in this tab.

Figure 29: Risk Assessment Form > Findings and Observations Tab

To add the finding details, click the “Findings and Observations” link as shown in the following figure.
The first hierarchical level is added in the tree structure, displaying the related fields on the right of
the tree structure.

Figure 30: Risk Assessment Form > Findings and Observations Tab > Default Finding/Issues Hierarchical
Level


Adding, Deleting and Renaming Findings and Observations


To add, delete or rename findings and observations, right-click the finding/issue hierarchical level in
the tree structure. The context-sensitive menu options appear.

Figure 31: Risk Assessment Form > Findings and Observations Tab > Context-Sensitive Options

The following table describes the context-sensitive menu options available in the findings tree
hierarchical level.

Hierarchical Level: Findings hierarchical level
Options:
- Add Findings: To add a finding, select this option.
- Delete Findings: To delete a finding, select this option.
- Rename Findings: To rename a finding, select this option.

Findings Related Fields

Figure 32: Risk Assessment Form > Findings and Observations Tab > Findings Fields


Field/List Name    Description

Findings/Issues

Finding/Issue Title
    Type the name of the finding or issue noticed during the Risk Assessment.

Finding Detail(s)
    Type the description of the finding using the RTF editor.
    Note: You can enter a maximum of 4000 characters in this field.
    For more information on RTF functions, refer to the MetricStream Portal User Guide Release
    6.1 SP5.

Finding Type
    A company can have different categorizations for findings. Select the relevant finding type in
    this field. The following options are available:
    - Control Failure
    - Data Breach
    - Deviation from Policy
    - Deviation from Process
    - Documentation
    - Fraud
    - Misstatement
    - Training
    - Other
    Note: This field is configurable.

Exception Type
    Specify the type of exception. The following options are available:
    - Design and Operating Exception: If the current finding is related to both a design and an
      operating exception, select this option.
    - Design Exception: If the current finding is related to a design exception, select this option.
    - Operating Exception: If the current finding is related to an operating exception, select this
      option.

Resolution, Rating and Issue Rating
Use this region to rate the issue and enter details about the issue.

Issue Resolution
    Select an action to address the issue. The following options are available:
    - Non-reportable (Consolidated): To consolidate this issue with other issues, select this option.
    - Non-reportable (Discussion Only): The issue is not very serious and can be discussed
      internally.
    - Reportable: If the issue needs to be addressed immediately, select this option.
    - Reportable (already addressed): The issue is serious and needs to be reported, but no issue is
      triggered in the Issue Management module.
    Note: Risk Assessments triggers the issue to the Issue Management module only when you select
    the 'Reportable' option in this field. The reportable issues are available in the Review Issue
    infoport.


Issue Rating
    Use this field to rate the recorded Risk Assessment finding. You can rate the finding as High,
    Medium, or Low based on the severity of the issue.

Issue Due Date
    Enter the date by which the issue must be addressed.
    Note:
    - You must enter a future date.
    - Use the MM/DD/YYYY format to enter the date.

Recommendation
    Type your recommendation regarding the finding using the RTF editor.
    Note: You can enter a maximum of 4000 characters in this field.
    For more information on RTF functions, refer to the MetricStream Portal User Guide Release
    6.1 SP5.

Ownership
Use this region to select the owners of the issue.

Owner Organization
    Select the organization responsible for maintaining this issue. This is not the set of
    organizations that this issue applies to.

Issue Owner
    Select the owner of this issue. After you submit the form, the selected issue owner receives an
    assignment to review the issue.

Approver Organization
    Select the organization to which the approver belongs.

Issue Approver
    Select the approver of this issue. After the issue implementation is submitted, the selected
    approver receives an assignment to approve the issue.

Related To
Use this region to select the related organizations and other details of the issue.

Related Organization(s)
    Select the organization to which this finding is related. This field displays all the
    organizations on which the current Risk Assessment is performed.

Related Assessable Entity(ies)
    Select the assessable entities that are related to this finding. This field displays all the
    items that are under the scope of the current assessment.

Related Risks
    You can relate the current finding to the risks that may occur. The risks are populated based
    on the user access rights.

Related Control(s)
    Select the controls related to this finding. This field displays all the controls that are
    under the scope of the current assessment.


Additional Details Tab


Use the Additional Details tab to provide additional details and attach documents that the user can
refer to.

Figure 33: Risk Assessment Form > Additional Details Tab

Field/List Name    Description

History

Assessed By
    The name of the assessor appears.

Assessed On
    The date on which the assessment is done appears.

Reviewed By
    The name of the reviewer appears.

Reviewed On
    The date on which the assessment is reviewed appears.

Assessment Approver
    The name of the assessment approver appears.

Final Approver
    The name of the final approver appears.

Additional Information

Additional Note(s) and Comment(s)
    Type additional information regarding the assessment using the RTF editor.
    For more information on RTF functions, refer to the MetricStream Portal User Guide Release
    6.1 SP5.

Documents


Attach File(s)
    To attach a file, perform the following steps:
    1. Click the Browse… button.
    2. Select the file from your local drive.
       The file is attached, and the name of the file that you attached appears.
    Note: You may attach one or more files, as required.
    To delete an attached file, click the Delete icon on the right side of the attached file.

Modify/Review/Approve Section
Use the Modify/Review/Approve section to take action on the Risk Assessment form.

Figure 34: Risk Assessment Form > Modify/Review/Approve Section


Field/List Name    Description

Modify/Review/Approve

Action
    The following actions are available in the Risk Assessment form while you assess the risk.
    - Reassign to User: To reassign the current assessment to a different user, select this option.
      Note: On submission of the Risk Assessment form, an assignment is generated to the assessor
      selected in the Assessor field.
    - Cancel Assessment: To cancel the assessment and close the workflow, select this option.
      Note: The assessment is closed and no assignments are triggered once the assessor selects this
      option.
    - Send for Approval: To send the form to the approver for approval, select this option.
      Note: All the users who have access to this assessment plan can view the updated details.
    - Send to Reviewer: To send the Risk Assessment form to a reviewer, select this option.
      Note: After you submit the form, the Risk Assessment form is routed to different users based
      on the action selected.
    For more information on the approval workflow, refer to the Configuration Settings for Approval
    Workflow section.

Assessor (appears only if you select the value Reassign To User in the Action field)
    Select an assessor to reassign the current assessment assignment. After you submit the form,
    the Risk Assessment assignment is generated to the assessor selected in this field. This field
    displays all the users with RSK – Assess Risks access rights in the module.

Reviewer (appears only if you select the value Send to Reviewer in the Action field)
    Select a reviewer for the current assessment. This field displays all the users with
    RSK – Approve Risk Assessments access rights in the module.

Comments History link
    To view the Comments History report, click the Comments History report link. The Comments
    History report appears. This report displays the comments entered by all the users who worked
    on this form in chronological order. Click the Done button to close the report.

Comments
    Type your comments regarding the assessment.

Form Submission
For more information on the Form Tool Bar icons, refer to the Form Tool Bar section.


Alert
If you submit the Risk Assessment form without filling in the mandatory field values, the module displays
the alert message “Please enter the values in the mandatory fields.”

When you see this alert message, perform the following steps:
Step 1 Click the OK button.
The warning message disappears. A Red Flag icon appears next to the tree tabular format hierarchical
level where you need to provide the details.

Figure 35: Hierarchical Level Displaying Red Flag

Step 2 Click the respective tree tabular format hierarchical level.
The columns that need inputs are underlined in red in the respective tabular formats.

Figure 36: Underlined Columns

Step 3 Navigate to the respective columns and provide the details.
Step 4 Submit the form.


Task Assignments and E-mail Notifications


After you submit the current form, assignments and e-mails are generated to the respective users, as
shown in the following table.

Submitted By   Action Selected     Assigned To      Form Assigned                  E-Mail Sent
Assessor       Send for Review     Reviewer         Risk Assessment form           Reviewer
                                                                                   CC: Plan Owner
Assessor       Send for Approval   Approver         Risk Assessment form           Approver
                                                                                   CC: Plan Owner
Assessor       Cancel              Not applicable   Not applicable. The form is    Plan Owner
                                                    canceled and is no longer
                                                    available in the system.

Related Reports
Risk Assessment Status Details Report


Reviewing Risk Assessments


Using the Risk Assessments form, you can review the findings and Risk Assessment results. Once you
complete the review and submit the form, it is routed back to the assessor.

The details in this form are populated from the Risk Assessments form while assessing the risks.
You can edit the details of this form. To work on the Risk Assessments form as a reviewer, refer to the
Assessing Risks section.


Risk Assessment Form > Reviewer


Use the Risk Assessment form to review the assessment details submitted by the assessor and approve
the details.

Figure 37: Risk Assessment Form > Assigned to Reviewer

Modify/Review/Approve Section
Use the Modify/Review/Approve section to take action on the Risk Assessment form.

Figure 38: Risk Assessment Form > Modify/Review/Approve Section (Reviewer Stage)

Field/List Name    Description

Modify/Review/Approve

Action
    The following action is available in the Risk Assessment form while you work on the Risk
    Assessment as a reviewer.
    - Submit: To submit the form back to the assessor, select this option.
    After you submit the form, the Risk Assessment form is routed back to the assessor. For more
    information on the Risk Assessment workflow, refer to the Risk Assessments Workflow section.

Comments
    Enter your comments regarding the Risk Assessment. After you submit the form, the Comments
    History report is updated with the comments that you enter.


Comments History link
    To view the Comments History report, click the Comments History report link. The Comments
    History report appears. This report displays the comments entered by all the users who worked
    on this form in chronological order. Click the Done button to close the report.

Form Submission
For more information on the Form Tool Bar icons, refer to the Form Tool Bar section.

Task Assignments and E-mail Notifications


After you submit the current form, assignments and e-mails are generated to the respective users, as
shown in the following table.

Submitted By   Action Selected   Assigned To   Form Assigned          E-Mail Sent
Reviewer       Submit Review     Assessor      Risk Assessment form   Assessor
                                                                      CC: Plan Owner


Approving Risk Assessments


Using the Risk Assessments form, you can approve the findings and the Risk Assessment results. If you
disagree with any of the findings or Risk Assessment results, you can reject the form back to the
assessor for additional information. Once you approve the assessment, the assessment is published in
the Risk library.

The details in this form are populated from the Risk Assessments form while assessing the risks. You
can edit the details of this form. To work on the Risk Assessment form as an approver, refer to the
Assessing Risks section.


Risk Assessment Form > Approver


Use the Risk Assessment form to review the assessment details submitted by the assessor and approve
the details.

Figure 39: Risk Assessment Form > Assigned to Reviewer

Modify/Review/Approve Section
Use Modify/Review/Approve section to take action on the Risk Assessment form.

Figure 40: Risk Assessment Form > Modify/Review/Approve Section


Field/List Name    Description

Modify/Review/Approve

Action
    The following actions are available in the Risk Assessment form while you work on the Risk
    Assessment as an approver.
    - Approve: To approve the Risk Assessment and publish it, select this option.
    - Request Clarification: To get more clarification from the assessor, select this option.
    - Cancel Assessment: To cancel the Risk Assessment, select this option.
      Note: If you select Cancel Assessment, the Risk Assessment is closed and no assignments are
      generated.
    After you submit the form, the Risk Assessment form is routed to different users based on the
    action selected. For more information on the Risk Assessments Workflow, refer to the Risk
    Assessments Workflow section.

Comments
    Enter your comments regarding the Risk Assessment. After you submit the form, the Comments
    History report is updated with the comments that you enter.

Comments History link
    To view the Comments History report, click the Comments History report link. The Comments
    History report appears. This report displays the comments entered by all the users who worked
    on this form in chronological order. Click the Done button to close the report.

Form Submission
For more information on the Form Tool Bar icons, refer to the Form Tool Bar section.


Task Assignments and E-mail Notifications


After you submit the current form, assignments and e-mails are generated to the respective users, as
shown in the following table.

Submitted By   Action Selected                     Assigned To   Form Assigned          E-Mail Sent
Approver       Approve (Scenario: Final Approver   Plan Owner    Risk Assessment form   Plan Owner
               is the Plan Owner)
Approver       Approve (Scenario: Assessment       None          Risk Assessment form   Plan Owner
               Approver is the Final Approver)



Rating Method
6
The following chapter provides information on Rating method configuration, how to assess Risks
associated with this method, and related heat map.

Sections:
1. What Is Risk Rating Method?
2. How can I perform Risk Rating Assessment?
3. Assessing Risks - Rating Method
4. Heat Maps


What Is Risk Rating Method?


You can perform a simple Risk Assessment by rating the factors. Consider a scenario where Impact of
a risk is Catastrophic and the Likelihood is Almost Certain, then the Rating is Very High.

How can I perform Risk Rating Assessment?


You can perform this assessment by creating a Risk Matrix Configuration profile comprising the factors
that contribute to the rating. Also, specify the rating for the risk based on the combination of factor
response.



Risk Assessments 6.1 SP2 - User Guide

The following figure depicts the Impact X Likelihood 5X5 matrix defined for the Risk Rating method.

Figure 41: Risk Rating Method Matrix

For more information on Risk Matrix Configuration user interface and defining the matrix, refer to the Configuring Risk Matrices section.
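The Impact x Likelihood matrix lookup that this chapter describes, as an added worked example. This is Python written for this guide, not MetricStream's own code or API. Only the responses Catastrophic and Almost Certain and the resulting rating Very High come from the scenario above; the other scale labels, the rule used to fill the example cells, and all class and function names are assumptions. The point it shows beyond the prose is that a Risk Matrix Configuration must define every cell and that assessment responses are constrained to the configured lists of values; the Rating Method produces ratings only, never a score.

```python
from itertools import product
from typing import Dict, List, Tuple

# Assumed 5-point scales for the Impact x Likelihood matrix. 'Catastrophic',
# 'Almost Certain' and the rating 'Very High' come from the chapter's scenario;
# every other label here is an assumption made for this example.
IMPACT_SCALE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOOD_SCALE = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
RATING_SCALE = ["Low", "Medium", "High", "Very High"]


class RiskMatrix:
    """A configured risk matrix: every (impact, likelihood) pair maps to a rating.

    Mirrors what a Risk Matrix Configuration profile has to provide; the class
    and its methods are hypothetical, not the product's API."""

    def __init__(self, impacts: List[str], likelihoods: List[str],
                 ratings: List[str], cells: Dict[Tuple[str, str], str]):
        # A matrix with an undefined cell would leave some assessments
        # impossible to rate, so reject it at configuration time.
        missing = [pair for pair in product(impacts, likelihoods) if pair not in cells]
        if missing:
            raise ValueError(f"matrix is incomplete, undefined cells: {missing[:3]}")
        bad = {r for r in cells.values() if r not in ratings}
        if bad:
            raise ValueError(f"cells use ratings outside the rating scale: {sorted(bad)}")
        self.impacts, self.likelihoods = list(impacts), list(likelihoods)
        self.ratings, self.cells = list(ratings), dict(cells)

    def rate(self, impact: str, likelihood: str) -> str:
        """Look up the rating for one factor combination. Only responses from
        the configured list of values are accepted, the same constraint the
        assessment form enforces through its LOV drop-downs."""
        if impact not in self.impacts:
            raise ValueError(f"unknown Impact response {impact!r}")
        if likelihood not in self.likelihoods:
            raise ValueError(f"unknown Likelihood response {likelihood!r}")
        return self.cells[(impact, likelihood)]

    def as_text(self) -> str:
        """Render the matrix as a grid (rows: Impact, columns: Likelihood)."""
        width = max(len(x) for x in self.impacts + self.likelihoods + self.ratings) + 2
        header = "".ljust(width) + "".join(lik.ljust(width) for lik in self.likelihoods)
        rows = [imp.ljust(width) + "".join(self.cells[(imp, lik)].ljust(width)
                                            for lik in self.likelihoods)
                for imp in self.impacts]
        return "\n".join([header] + rows)


def build_example_matrix() -> RiskMatrix:
    """Fill the 5x5 grid with an assumed banding rule: add the 0-based positions
    of Impact and Likelihood (0..8) and band the sum. A real deployment defines
    each cell explicitly in the Risk Matrix Configuration profile."""
    cells = {}
    for i, imp in enumerate(IMPACT_SCALE):
        for j, lik in enumerate(LIKELIHOOD_SCALE):
            total = i + j
            if total >= 7:
                rating = "Very High"
            elif total >= 5:
                rating = "High"
            elif total >= 3:
                rating = "Medium"
            else:
                rating = "Low"
            cells[(imp, lik)] = rating
    return RiskMatrix(IMPACT_SCALE, LIKELIHOOD_SCALE, RATING_SCALE, cells)


def assess_rating_method(matrix: RiskMatrix, inherent: Tuple[str, str],
                         residual: Tuple[str, str]) -> Dict[str, str]:
    """Rate the inherent and residual responses. As the chapter notes, the
    Rating Method yields ratings only, so no numeric score is produced."""
    return {"inherent_rating": matrix.rate(*inherent),
            "residual_rating": matrix.rate(*residual)}


if __name__ == "__main__":
    matrix = build_example_matrix()
    print(matrix.as_text())
    print(assess_rating_method(matrix, ("Catastrophic", "Almost Certain"),
                               ("Moderate", "Possible")))
```

Running the block prints the filled grid and then rates the chapter's scenario (Catastrophic, Almost Certain) as Very High for the inherent risk; the residual pair (Moderate, Possible) falls in the assumed Medium band.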


Assessing Risks - Rating Method


By using the Risk Assessment form, you can assess the Risks that are part of the assessment. The
factors that are a part of the Risk Matrix Configuration must be assessed to arrive at a Risk rating;
assessing these factors is mandatory. This simple way of Risk Assessment does not roll up to the
assessable entity or organization, since there are no scores associated with the risk.

If Controls are available for Risks, you can provide the Control scores in the Control tabular format, as
required. The overall control score is calculated based on the logic “sum of all Controls”.

Note: For assessments using the Rating Method, the Inherent and Residual score fields/columns appear as
blank after the assessment is performed.

Risk Assessment Form


Use the Risk Assessment form to perform the Risk assessment and record the details. For more
information, refer to Risk Assessment Form.

Header
Use the header section to view the assessment details. For more information on field descriptions,
refer to Header.

Details Tab
Use the Details tab to view the general details of the Risk Assessment. For more information on field
description, refer to the Details Tab section.

Assessments Tab
The Assessments tab displays the related organizations, assessable entities, and risks that are selected
while creating the Risk assessment plan. This tab is organized in a tree tabular format. For more
information on tabular format and tree structure organization, refer to the Viewing Assessable Entity
and Risk Details section.

Note: Based on the Risk Configuration setup, the Inherent Risk, Control, and Residual Risk tabular formats are
made available in this tab.

Assessments Tab > Inherent Risk For Tabular Format


This tab is made available when you click the Risk name in the Assessment main tabular format at the
third hierarchical level in the Risk Assessment form. After you click the particular risk name for
assessment, the Inherent Risk For <Risk Name> tabular format appears displaying all the factors that


you need to assess for the selected risk name. The standard factors are populated from the Risk Matrix
Configuration setup form.

For more information on how this tabular format is organized, refer to the Assessments Tab > Inherent
Risk For Tabular Format section.

Based on the assessment value that you provide in this tabular format, the inherent risk rating is
calculated. The input value that you can provide in this tabular format for different factors varies based
on the response type that is defined during the factor creation.

For more information on Control tabular format columns, refer to the Assessments Tab > Controls For
Tabular Format section.


Figure 42: Risk Assessment Form > Assessments Tab > Inherent Risk For Tabular Format (callouts: Standard
Factors from Risk Matrix Configuration; Quantitative Factors; Overall Inherent Risk Rating based on the
assessment values and Risk Matrix Configuration; Rating defined in the Risk Matrix Configuration)


Column Name    Description

Factor Name
    Displays the factor names. To view the factor details, click the hyperlinked factor name in this
    column. The respective factor form appears in read-only mode in a new window.

Risk Rating Guidance icon
    Click this icon to view the Risk Rating Guidance report. This report displays the list of values
    and the respective scores defined for the Standard or Quantitative factors. Click the Close
    button to close the report.
    Note:
    - This icon is available only for those Quantitative and Standard factors that have LOV values
      as the assessment response.
    - This icon is not available for Qualitative factors.

Prior Assessment
    The prior assessment rating appears. This field displays the prior assessment values only if
    the value Yes is selected in the Display Prior Assessment field of the Risk Assessment Plan
    form.
    Note: If you are assessing the Risk for the first time, this column does not display any
    assessment rating.


Assessment
    Select the current Risk Assessment value. You can provide assessment values for the
    quantitative, standard and qualitative risk assessment factors.

    For quantitative and standard factors, you can provide any one of the following as your
    assessment value:
    The values that are available in this field are based on the values entered in the List Of
    Values tab or the Scoring Rules defined in the Quantitative Assessment Factor form.
    If the assessment is scoring-rules based, you can enter only a number in this field as your
    response. To enter the assessment value, click the Enter Score column and type the value.
    If the assessment response is set as List Of Values, you can enter the values defined in the
    Response field of the Quantitative Assessment Factor form as the current assessment for the
    factor.
    This field displays the default rating or the previous assessment rating based on the Risk
    Assessment Plan settings. For more information on the Risk Assessment plan, refer to the
    Creating Risk Assessment Plans section.

    For Qualitative Risk Assessment Factors, you can provide any one of the following values as your
    assessment response. The values in this region vary based on the response type that is selected
    in the Qualitative Assessment Form for this factor.
    - Amount: Enter a number as your response for the qualitative factor.
    - Date: Enter a date as your response for the qualitative factor.
    - List Of Values: Select the values from the drop-down list.
    - Number: Enter a number as your response for the qualitative factor.
    - Text: Enter the description for the qualitative factor.
    For more information on the qualitative assessment factor responses, refer to the Qualitative
    Assessment Factor Response Columns section.

Rating
    The module displays the rating for the factors. This is not applicable for the factor type List
    Of Values. The module displays the rating for Rules Based type Standard/Quantitative factors
    based on the value specified in the Rating field of the Quantitative Assessment Factor form.

Comments
    Use this column to enter comments regarding the factor assessment.
    1. Click the Comments icon next to this column. The Comments/Justification window appears.
    2. Type the comments and click the Save button to insert the comments and exit the window.
       The entered comments appear in the Comments/Justification column in the tabular format.
    3. Click the Cancel button to discard the entered comments.
    To edit the comments, repeat steps 1 through 3.

Overall Score and Rating
The overall score and rating are displayed at the bottom of the tabular format in the following
columns.

Rating
    The overall rating for the inherent risk appears. The rating is populated based on the rating
    defined in the Risk Matrix Configuration.

Assessments Tab > Controls For Tabular Format


This tabular format displays all the controls that are related to the risk that you are assessing. The
association of a Risk with Controls is performed during the Risk creation stage in the GRC Foundation
module. If a risk is associated with three controls, all three controls are populated in this tabular
format. For the Controls that are populated from the GRC Foundation module, you can provide a control
assessment rating, modify the weighting value, and enter comments. While performing the risk-control
assessment, you can also add related controls that mitigate the risk that you are assessing in this tabular
format.

Figure 43: Risk Assessment Form > Assessments Tab > Controls For Tabular Format (Reducing Inherent Risk Screen). Callouts: Mapped Controls for a Risk; Overall Control Score; Overall Control Rating.


Assessments Tab > Residual Risk For Tabular Format


This tab is made available when you click the Risk name in the Assessment main tabular format at the
third hierarchical level. After you click the particular risk name for assessment, the Residual Risk For
<Risk Name> tabular format appears displaying all the factors that you need to assess for the selected
risk name. The standard factors are populated from the Risk Matrix Configuration setup form. For
more information on how this tabular format is organized, refer to the Assessments Tab > Residual Risk
For Tabular Format section.

Based on the assessment value that you provide in this tabular format, the residual risk rating is
calculated. The residual Risk rating is calculated based on the rating that is defined in the Risk Matrix
Configuration setup form. The input value that you can provide in this tabular format for different
factors varies based on the response type that is defined during the factor creation.


Figure 44: Risk Assessment Form > Assessments Tab > Residual Risk For Tabular Format. Callouts: Standard Factors from Risk Matrix Configuration; Overall Inherent Risk Rating based on the assessment values and Risk Matrix Configuration; Rating defined in the Risk Matrix configuration.


Column Name Description


Factor Name
Displays the factor names. To view the factor details, click the hyperlinked factor name in this column. The respective factor form appears in read-only mode in a new window.
Click the icon in this column to view the Risk Rating Guidance report. This report displays the list of values and the respective scores defined for the Standard or Quantitative factors. Click the Close button to close the report.
Note: This icon is available only for those Quantitative and Standard factors that use LOV values as the assessment response.

Prior Assessment
The prior assessment rating appears. This field displays the prior assessment values only if the value Yes is selected in the Display Prior Assessment field of the Risk Assessment Plan form.
Note: If you are assessing the Risk for the first time, this column does not display any assessment rating.

Assessment
Select the current Risk Assessment. You can provide assessment values for the Quantitative and Standard factors.
For Quantitative and Standard Factors, you can provide any one of the following as your assessment value. The values that are available in this field are based on the values entered in the List Of Values tab or the Scoring Rules defined in the Quantitative Assessment Factor form.
If the assessment is scoring rules based, you can enter only a number in this field as your response. To enter the assessment value, click the Enter Score column and type the value.
If the assessment response is set as List Of Values, you can enter the values defined in the Response field of the Quantitative Assessment Factor form as the current assessment for the factor.
This field displays the default rating or the previous assessment rating based on the Risk Assessment Plan settings. For more information on the Risk Assessment Plan, refer to the Creating Risk Assessment Plans section.

Rating
The module displays the rating for the factors. This is not applicable for the factor type List Of Values. The module displays the rating for Rules Based type Standard/Quantitative factors based on the value specified in the Rating field of the Quantitative Assessment Factor form.

Comments
Use this column to enter comments regarding the factor assessment.
1. Click the Comments icon next to this column. The Comments/Justification window appears.
2. Type the comments and click the Save button to insert the comments and exit the window. The entered comments appear in the Comments/Justification column in the tabular format.
3. Click the Cancel button to cancel the entered comments.
To edit the comments, repeat the steps from 1 through 3.

Overall Score and Rating
The overall score and rating are displayed at the bottom of the tabular format in the following columns.

Rating
The overall residual rating appears. The rating is populated based on the Risk Matrix Configuration set up.

Findings and Observations Tab


While conducting the Risk Assessment, the assessor may notice some serious issues/findings that
affect the organization. Using the Findings and Observations tab, you can add one or more findings and
you can trigger an issue to the Issue Management module to resolve it. For more information on
adding issues, refer to the Findings and Observations Tab section.

Additional Details Tab


Use the Additional Details tab to provide additional details and attach documents that the user can
refer to. For more information on the Additional Details tab, refer to the Additional Details Tab section.

Modify/Review/Approve Section
Use the Modify/Review/Approve section to take action on the Risk Assessment form. For more
information on this section, refer to the Modify/Review/Approve Section section.

Form Submission
For more information on the Form Tool Bar icons, refer to the Form Tool Bar section.

Task Assignments and E-mail Notifications


After you submit the current form, no task assignments or e-mails are generated.

Heat Maps
Based on the Risk Matrix configuration, the heat map displays the Risks in different zones of the matrix
based on the assessment values. You can view the Risk trend based on the inherent and residual
ratings.

You can view the Risk direction by tracing its movement from Inherent to Residual. For more
information on heat map reports functions, refer to the Heat Maps section.

Figure 45: Heat Map. Callouts: Inherent Risks; Residual Risks.

7. Scoring and Rating Method
The following chapter provides information on Scoring and Rating method configuration, how to assess
Risks associated with this method, and related heat map.

Sections:
1. What Is Scoring and Risk Rating Method?
2. How Can I perform Scoring and Risk Rating Assessment?
3. Assessing Risks - Scoring and Rating Method
4. Heat Maps

What Is Scoring and Risk Rating Method?


The Scoring and Rating method allows you to perform a Risk assessment based on the unique score and
rating input for each cell, that is, for each intersection point of the factor coordinates. The scores and ratings are
rolled up to the assessable entity and organization based on this configuration. You can define the
rating, score, background color, and rating font color for each cell in the matrix. For more information
on Risk score roll up, refer to the Risk Score and Rating Roll Up section.

How Can I perform Scoring and Risk Rating Assessment?


You can create a Profile through the Risk Matrix by choosing factors as the X and Y coordinates. You can
then enter the unique scores for each cell according to your Risk Matrix. Cells that have the same rating
should have the same color. For example, if three cells have the rating Low, the color can be the same for
all three cells. The assessments associated with this profile are done based on the combination of
factor responses.

The following figure depicts the Impact X Likelihood 5X5 matrix defined for the Scoring and Risk Rating method.

Figure 46: Scoring and Rating Method Matrix

For more information on Risk Matrix Configuration user interface and defining the matrix, refer to the Configuring Risk Matrices section.

Assessing Risks - Scoring and Rating Method


By using the Risk Assessment form, you can assess the Risks that are part of the assessment. You must
assess the quantitative factors that are part of the Risk Matrix Configuration; these factors are
selected while creating the Risk Matrix and you cannot exclude them from the assessment. Based on
the rating that you provide for these two factors, the score is calculated. The rating and score are rolled
up to the assessable entity and displayed while performing the assessment.

If the Controls are available for the Risks, you can provide the Control scores in the Control tabular
format, as required. The overall control score is calculated based on the logic “sum of all Controls”.

Risk Assessment Form


Use the Risk Assessment form to perform the Risk assessment and record the details.

For more information, refer to Risk Assessment Form.

Header
Use the header section to view the assessment details. For more information on field descriptions,
refer to Header.

Details Tab
Use the Details tab to view the general details of the Risk Assessment. For more information on field
description, refer to the Details Tab section.

Assessments Tab
The Assessments tab displays the related Entities and Risks that are selected while creating the Risk
assessment plan. This tab is organized in a tree tabular format. For more information on tabular format
and tree structure organization, refer to the Viewing Assessable Entity and Risk Details section.

Note: Based on the Risk Configuration setup, the Inherent Risk, Control, and Residual Risks tabular formats are
made available in this tab.

Risk Assessments Form > Assessments Tab > Inherent Risk For Tabular Format
This tab is made available when you click the Risk name in the Assessment main tabular format at the
third hierarchical level. After you click the particular risk name for assessment, the Inherent Risk For
<Risk Name> tabular format appears displaying all the factors that you need to assess for the selected
risk name. The standard factors are populated from the Risk Matrix Configuration setup form.

For more information on how this tabular format is organized, refer to the Assessments Tab > Inherent
Risk For Tabular Format section.

The Inherent Risk Score and rating are based on the assessment values provided in this tabular format.
The inherent Risk score is calculated based on the rating and score that are defined in the Risk Matrix
Configuration setup form. The factor input value is based on the response type defined during factor
creation.

Figure 47: Risk Assessment Form > Assessments Tab > Inherent Risk For Tabular Format. Callouts: Standard Factors from Risk Matrix Configuration; Factor scores based on the assessment values; Quantitative Factors; Overall Inherent Risk Rating and score based on the assessment values and Risk Matrix Configuration; Score and rating defined in the Risk Matrix configuration.

Column Name Description


Factor Name
Displays the factor names. To view the factor details, click the hyperlinked factor name in this column. The respective factor form appears in read-only mode in a new window.
Click the icon in this column to view the Risk Rating Guidance report. This report displays the list of values and the respective scores defined for the Standard or Quantitative factors. Click the Close button to close the report.
Note:
- This icon is available only for those Quantitative and Standard factors that use LOV values as the assessment response.
- This icon is not available for Qualitative factors.

Prior Assessment
The prior assessment rating appears. This field displays the prior assessment values only if the value Yes is selected in the Display Prior Assessment field of the Risk Assessment Plan form.
Note:
- If you are assessing the Risk for the first time, this column does not display any assessment rating.
- This is not applicable for standard factors.

Assessment
Select the current Risk Assessment. You can provide assessment values for the Quantitative, Standard and Qualitative Risk Assessment factors.
For Quantitative and Standard Factors, you can provide any one of the following as your assessment value. The values that are available in this field are based on the values entered in the List Of Values tab or the Scoring Rules defined in the Quantitative Assessment Factor form.
If the assessment is scoring rules based, you can enter only a number in this field as your response. To enter the assessment value, click the Enter Score column and type the value.
If the assessment response is set as List Of Values, you can enter the values defined in the Response field of the Quantitative Assessment Factor form as the current assessment for the factor.
This field displays the default rating or the previous assessment rating based on the Risk Assessment Plan settings. For more information on the Risk Assessment Plan, refer to the Creating Risk Assessment Plans section.

For Qualitative Risk Assessment Factors, you can provide any one of the following values as your assessment response. The values in this region vary based on the response type that is selected in the Qualitative Assessment Form for this factor.
- Amount: Enter a number as your response for the qualitative factor.
- Date: Enter a date as your response for the qualitative factor.
- List of Values: Select the value from the list.
- Number: Enter a number as your response for the qualitative factor.
- Text: Enter the description for the qualitative factor.

For more information on the qualitative assessment factor responses, refer to the Qualitative Assessment Factor Response Columns section.

Score
This field displays the assessed score for the standard factor. The module calculates this score based on the value that you enter in the Assessment field.
Note: The score is calculated and displayed based on the score defined for a particular response in the Quantitative Factor form.

Weighted Score
This field displays the weighted score. The module displays the score of the factor as the weighted score in this column.

Rating
The module displays the rating for the factors. This is not applicable for the factor type List Of Values. The module displays the rating for Rules Based type Standard/Quantitative factors based on the value specified in the Rating field of the Quantitative Assessment Factor form.

Comments
Use this column to enter comments regarding the factor assessment.
1. Click the Comments icon next to this column. The Comments/Justification window appears.
2. Type the comments and click the Save button to insert the comments and exit the window. The entered comments appear in the Comments/Justification column in the tabular format.
3. Click the Cancel button to cancel the entered comments.
To edit the comments, repeat the steps from 1 through 3.

Overall Score and Rating
The overall score and rating are displayed at the bottom of the tabular format in the following columns.

Weighted Score
The overall weighted score appears.
Example:
Impact = 5
Likelihood = 5
Weighted score = 5 * 5 = 25
Note:
- The score is displayed based on the assessment value provided for each standard factor.
- Only the scores from the factors that are used in the Risk Matrix Configuration set up form are considered for the overall inherent risk score calculation.

Rating
The overall rating for the inherent risk score appears. The rating is populated based on the overall score and the Risk Matrix Configuration set up. For example, if the score is 25 and the rating defined in the matrix for the score 25 is Very High with red color, the overall rating is populated as Very High with a red background color.
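The scoring, rating and control-sum logic described for this method, worked through as an added Python example (this is not MetricStream's code). The two lists of values, the 5x5 matrix, the rating bands standing in for the per-cell rating and colour an administrator enters in Risk Matrix Configuration, and the control scores are all constructed for illustration; the matrix cell score is impact * likelihood so that the guide's 5*5=25, Very High, red example reproduces.

```python
"""Scoring and Rating method, worked through in code (added example, not
MetricStream code). The matrix, lists of values and control scores are
constructed for illustration."""
from dataclasses import dataclass

# Constructed lists of values for the two standard factors that define the
# Impact x Likelihood matrix: response text -> factor score (1..5).
IMPACT_LOV = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
LIKELIHOOD_LOV = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}


@dataclass(frozen=True)
class Cell:
    """One matrix cell: the unique score, rating and background colour entered for it."""
    score: int
    rating: str
    color: str


def _rating_band(score):
    """Constructed rating/colour bands standing in for the per-cell values an
    administrator enters in Risk Matrix Configuration. Cells with the same
    rating share one colour, as the guide requires."""
    if score >= 20:
        return "Very High", "red"
    if score >= 12:
        return "High", "orange"
    if score >= 6:
        return "Medium", "yellow"
    if score >= 3:
        return "Low", "green"
    return "Very Low", "blue"


def build_matrix():
    """Build the 5x5 matrix keyed by (impact score, likelihood score).
    The cell score is impact * likelihood, matching the guide's 5*5=25 example."""
    matrix = {}
    for impact in range(1, 6):
        for likelihood in range(1, 6):
            score = impact * likelihood
            rating, color = _rating_band(score)
            matrix[(impact, likelihood)] = Cell(score, rating, color)
    return matrix


MATRIX = build_matrix()


def factor_score(lov, response):
    """Map a List Of Values response to the score defined for it.
    A response that is not in the list is rejected rather than scored as 0,
    so a typo or a tampered form value cannot silently lower a risk."""
    if response not in lov:
        raise ValueError(f"{response!r} is not a defined list-of-values response")
    return lov[response]


def assess_risk(impact_response, likelihood_response):
    """Return (weighted score, rating, colour) for one risk from its two factor responses."""
    impact = factor_score(IMPACT_LOV, impact_response)
    likelihood = factor_score(LIKELIHOOD_LOV, likelihood_response)
    cell = MATRIX[(impact, likelihood)]
    return cell.score, cell.rating, cell.color


def overall_control_score(control_scores):
    """Overall control score using the guide's 'sum of all Controls' logic."""
    return sum(control_scores)


if __name__ == "__main__":
    score, rating, color = assess_risk("Catastrophic", "Almost Certain")
    print(f"weighted score={score} rating={rating} colour={color}")  # 25 Very High red
    print("overall control score:", overall_control_score([3, 4, 2]))  # 9
```

Rejecting an undefined list-of-values response, instead of defaulting it to a score of 0 or to the lowest band, is the point to carry into any integration that feeds assessment values into the form from outside: an unexpected value should fail loudly, not quietly produce a Very Low rating.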

Assessments Tab > Controls For Tabular Format


This tabular format displays all the controls that are related to the risk that you are assessing. The
association of a Risk with Controls is performed during the Risk creation stage in the GRC Foundation
module. If a risk is associated with three controls, all three controls are populated in this tabular
format. For the Controls that are populated from the GRC Foundation module, you can provide a control
assessment rating, modify the weighting value, and enter comments. While performing the risk-control
assessment, you can also add related controls that mitigate the risk that you are assessing in this tabular
format. For more information on the Control tabular format columns, refer to the Assessments Tab >
Controls For Tabular Format section.

Figure 48: Risk Assessment Form > Assessments Tab > Controls For Tabular Format (Reducing Inherent Risk Screen). Callouts: Mapped Controls for a Risk; Overall Control Score; Overall Control Rating.

Assessments Tab > Residual Risk For Tabular Format


This tab is made available when you click the Risk name in the Assessment main tabular format at the
third hierarchical level. After you click the particular risk name for assessment, the Residual Risk For
<Risk Name> tabular format appears displaying all the factors that you need to assess for the selected
risk name. The standard factors are populated from the Risk Matrix Configuration setup form. For
more information on how this tabular format is organized, refer to the Assessments Tab > Residual Risk
For Tabular Format section.

Based on the assessment value that you provide in this tabular format, the residual risk score is
calculated. The residual Risk score is calculated based on the rating and score that are defined in the Risk
Matrix Configuration setup form. The input value that you can provide in this tabular format for
different factors varies based on the response type that is defined during the factor creation.

Figure 49: Risk Assessment Form > Assessments Tab > Residual Risk For Tabular Format. Callouts: Standard Factors from Risk Matrix Configuration; Factor scores based on the assessment values; Overall Inherent Risk Rating and score based on the assessment values and Risk Matrix Configuration; Score and rating defined in the Risk Matrix configuration.

Column Name Description


Factor Name
Displays the factor names. To view the factor details, click the hyperlinked factor name in this column. The respective factor form appears in read-only mode in a new window.
Click the icon in this column to view the Risk Rating Guidance report. This report displays the list of values and the respective scores defined for the Standard or Quantitative factors. Click the Close button to close the report.
Note: This icon is available only for those Quantitative and Standard factors that use LOV values as the assessment response.

Prior Assessment
The prior assessment rating appears. This field displays the prior assessment values only if the value Yes is selected in the Display Prior Assessment field of the Risk Assessment Plan form.
Note: If you are assessing the Risk for the first time, this column does not display any assessment rating.

Assessment
Select the current Risk Assessment. You can provide assessment values for the Quantitative and Standard factors.
For Quantitative and Standard Factors, you can provide any one of the following as your assessment value. The values that are available in this field are based on the values entered in the List Of Values tab or the Scoring Rules defined in the Quantitative Assessment Factor form.
If the assessment is scoring rules based, you can enter only a number in this field as your response. To enter the assessment value, click the Enter Score column and type the value.
If the assessment response is set as List Of Values, you can enter the values defined in the Response field of the Quantitative Assessment Factor form as the current assessment for the factor.
This field displays the default rating or the previous assessment rating based on the Risk Assessment Plan settings. For more information on the Risk Assessment Plan, refer to the Creating Risk Assessment Plans section.

Score
This field displays the assessed score for the standard factor. The module calculates this score based on the value that you enter in the Assessment field.
Note: The score is calculated and displayed based on the score defined for a particular response in the Quantitative Factor form.

Weighted Score
This field displays the weighted score. The module displays the score of the factor as the weighted score in this column.

Rating
The module displays the rating for the factors. This is not applicable for the factor type List Of Values. The module displays the rating for Rules Based type Standard/Quantitative factors based on the value specified in the Rating field of the Quantitative Assessment Factor form.

Comments
Use this column to enter comments regarding the factor assessment.
1. Click the Comments icon next to this column. The Comments/Justification window appears.
2. Type the comments and click the Save button to insert the comments and exit the window. The entered comments appear in the Comments/Justification column in the tabular format.
Note: If you want to cancel the entered comments, click the Cancel button.
To edit the comments, repeat steps 1 and 2.

Overall Score and Rating
The overall score and rating are displayed at the bottom of the tabular format in the following columns.

Weighted Score
The overall weighted residual score appears.
Example:
Impact = 5
Likelihood = 5
Weighted score = 5 * 5 = 25
Note:
- The score is displayed based on the assessment value provided for each standard factor.
- Only the scores from the factors that are used in the Risk Matrix Configuration set up form are considered for the overall inherent risk score calculation.

Rating
The overall residual rating appears. The rating is populated based on the overall score and the Risk Matrix Configuration set up. For example, if the score is 25 and the rating defined in the matrix for the score 25 is Very High with red color, the overall rating is populated as Very High with a red background color.

Findings and Observations Tab


While conducting the Risk Assessment, the assessor may notice some serious issues/findings that affect
the organization. Using the Findings and Observations tab, you can add one or more findings and
you can trigger an issue to the Issue Management module to resolve it. For more information on adding
issues, refer to the Findings and Observations Tab section.

Additional Details Tab


Use the Additional Details tab to provide additional details and attach documents that the user can
refer to. For more information on the Additional Details tab, refer to the Additional Details Tab section.

Risk Assessment Form > Modify/Review/Approve Section


Use the Modify/Review/Approve section to take action on the Risk Assessment form. For more
information on this section, refer to the Modify/Review/Approve Section section.

Form Submission
For more information on the Form Tool Bar icons, refer to the Form Tool Bar section.

Task Assignments and E-mail Notifications


After you submit the current form, no task assignments or e-mails are generated.

Heat Maps
Based on the Risk Matrix configuration, the heat map displays the Risks in different zones of the matrix
based on the assessment values. You can view the Risk trend based on the inherent and residual scores.

You can view the Risk direction by tracing its movement from Inherent to Residual. For more
information on heat map reports functions, refer to the Heat Maps section.
Figure 50: Heat Map. Callouts: Residual Risks; Inherent Risks.

8. Ranking and Rating Method
The following chapter provides information on ranking and rating method configuration, how to assess
risks associated with this method, and related heat map.

Sections:
1. What Is Ranking and Rating Method?
2. How Can I perform Ranking and Rating Assessment?
3. Assessing Risks - Ranking and Rating Method
4. Heat Maps

What Is Ranking and Rating Method?


This method enables you to rank the risks based on the Risk Assessment. The Risk ranks can be
specified per cell in the Risk Matrix Configuration. For example, if the Impact is Catastrophic and the
Likelihood is Almost Certain, then the Risk Rating is Very High, the Score is 25, and the Risk rank is one. You can
have the same rank for multiple cells. A rank of 1 indicates that the risk needs to be addressed first.

The scores are rolled up to assessed entity and organization based on the configuration. The ranking is
for the risks. For more information on Risk score roll up, refer to the Risk Score and Rating Roll Up
section.

How Can I perform Ranking and Rating Assessment?


You can create a profile using the Risk Matrix Configuration interface by choosing factors as X and Y
coordinates. You can then enter the unique scores, rating, and rank and specify color for each cell
according to your Risk Matrix. The assessments associated with this profile are done based on the
combination of factor response.

The following figure depicts the Impact X Likelihood 5X5 matrix defined for the Ranking and Rating method.

Figure 51: Ranking and Rating Method Matrix

For more information on Risk Matrix Configuration user interface and defining the matrix, refer to the Configuring Risk Matrices section.

Assessing Risks - Ranking and Rating Method


By using the Risk Assessment form, you can assess the Risks that are part of the assessment. You must
assess the standard factors that are part of the Risk Matrix Configuration; these factors are selected
while creating the Risk Matrix. The rating and score are rolled up to the assessable entity and displayed
while performing the assessment. This method enables the organization to mitigate the Risks that are
highly ranked.

If the Controls are available for the Risks, you can provide the Control scores in the Control tabular
format, as required. The overall control score is calculated based on the logic “sum of all Controls”.

Risk Assessment Form


Use the Risk Assessment form to perform the Risk assessment and record the details.

For more information, refer to Risk Assessment Form.

Header
Use the header section to view the assessment details. For more information on field descriptions,
refer to Header.

Details Tab
Use the Details tab to view the general details of the Risk Assessment. For more information on field
description, refer to the Details Tab section.

Assessments Tab
The Assessments tab displays the related Entities and Risks that are selected while creating the Risk
assessment plan. This tab is organized in a tree tabular format. For more information on tabular format
and tree structure organization, refer to the Viewing Assessable Entity and Risk Details section.

Note: Based on the Risk Configuration setup, the Inherent Risk, Control, and Residual Risk tabular formats are
made available in this tab.

For the Ranking and Rating method, the following additional columns are displayed at the Risk hierarchical
level:
- Inherent Risk Rank
- Residual Risk Rank

(Figure callouts: Residual Risk Ranking; Inherent Risk Ranking.)

The following table provides the description of the above columns.

Column Name Description

Inherent Risk Rank
The inherent ranking of the Risk that is assessed appears. This information is displayed next to the Prior Inherent Risk column. The Risks are ranked based on the overall inherent score and rating. The rank is populated based on the Risk configuration matrix.
Note: One or more Risks can have the same inherent Risk ranking.

Residual Risk Rank
The residual ranking of the Risk that is assessed appears. This information is displayed next to the Prior Residual Risk column. The Risks are ranked based on the overall residual score and rating. The rank is populated based on the Risk configuration matrix.
Note: One or more Risks can have the same residual Risk ranking.

Assessments Tab > Inherent Risk For Tabular Format


This tab is made available when you click the Risk name in the Assessment main tabular format at the
third hierarchical level. After you click the particular risk name for assessment, the Inherent Risk For
<Risk Name> tabular format appears displaying all the factors that you need to assess for the selected
risk name. The standard factors are populated from the Risk Matrix Configuration setup form.

For more information on how this tabular format is organized, refer to the Assessments Tab > Inherent
Risk For Tabular Format section.

Based on the assessment value that you provide in this tabular format, the inherent risk score is
calculated. The inherent Risk score is calculated based on the rating and score that are defined in the Risk
Matrix Configuration setup form. The input value that you can provide in this tabular format for
different factors varies based on the response type that is defined during the factor creation. Based on
the overall inherent score, the Risks are ranked and this information is displayed at the Risk hierarchical
level.
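The per-cell ranking described for this method, together with the inherent-to-residual movement that the heat map traces, worked through as an added Python example (this is not MetricStream's code). The rank table is constructed by ordering the distinct constructed cell scores (impact * likelihood, as in the guide's 5*5=25 example) from highest to lowest, so that several cells deliberately share one rank as the guide allows; the three risks and their factor scores are constructed sample data.

```python
"""Ranking and Rating method plus heat-map movement, worked through in code
(added example, not MetricStream code). The cell ranks and the three risks
below are constructed for illustration."""
from dataclasses import dataclass

# Constructed cell scores: impact * likelihood on a 5x5 matrix. Distinct
# scores, highest first, give the cell rank, so cells such as 4x5 and 5x4
# share one rank, which the guide allows.
_DISTINCT_SCORES = sorted({i * l for i in range(1, 6) for l in range(1, 6)}, reverse=True)
RANK_BY_SCORE = {score: rank for rank, score in enumerate(_DISTINCT_SCORES, start=1)}


def cell_rank(impact, likelihood):
    """Rank of the matrix cell for the given 1..5 factor scores; rank 1 is most urgent.
    Scores outside the matrix are rejected instead of being clamped."""
    for value in (impact, likelihood):
        if value not in range(1, 6):
            raise ValueError(f"factor score {value!r} is outside the 1..5 matrix")
    return RANK_BY_SCORE[impact * likelihood]


@dataclass(frozen=True)
class RiskAssessment:
    name: str
    inherent: tuple  # (impact, likelihood) factor scores before controls
    residual: tuple  # (impact, likelihood) factor scores after controls


# Constructed sample assessments.
SAMPLE_RISKS = [
    RiskAssessment("Payment fraud", (5, 5), (3, 2)),
    RiskAssessment("Vendor outage", (4, 5), (4, 2)),
    RiskAssessment("Policy drift", (2, 3), (1, 1)),
]


def rank_risks(risks, which="inherent"):
    """Return [(rank, name, score), ...] ordered by rank, then name.
    Risks that land in cells with the same rank share that rank."""
    rows = []
    for risk in risks:
        impact, likelihood = getattr(risk, which)
        rows.append((cell_rank(impact, likelihood), risk.name, impact * likelihood))
    return sorted(rows, key=lambda row: (row[0], row[1]))


def heat_map_direction(risk):
    """Trace a risk's movement on the heat map from its inherent to its residual cell."""
    (ii, il), (ri, rl) = risk.inherent, risk.residual
    inherent_score, residual_score = ii * il, ri * rl
    if residual_score < inherent_score:
        trend = "reduced"
    elif residual_score > inherent_score:
        trend = "increased"
    else:
        trend = "unchanged"
    return {
        "name": risk.name,
        "inherent_score": inherent_score,
        "residual_score": residual_score,
        "impact_delta": ri - ii,
        "likelihood_delta": rl - il,
        "trend": trend,
    }


if __name__ == "__main__":
    for rank, name, score in rank_risks(SAMPLE_RISKS):
        print(f"inherent rank {rank}: {name} (score {score})")
    for rank, name, score in rank_risks(SAMPLE_RISKS, "residual"):
        print(f"residual rank {rank}: {name} (score {score})")
    for risk in SAMPLE_RISKS:
        print(heat_map_direction(risk))
```

Ranking inherent and residual separately is what lets the heat map show direction: a risk that tops the inherent ranking but drops several ranks once controls are assessed is exactly the movement from Inherent to Residual that the figure in the Heat Maps section depicts, and a risk whose trend is "unchanged" or "increased" is the one to review first.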

Figure 52: Risk Assessment Form > Assessments Tab > Inherent Risk For Tabular Format. Callouts: Standard Factors from Risk Matrix Configuration; Factor scores based on the assessment values; Inherent Risk Rank; Quantitative Factors; Overall Inherent Risk Rating and score based on the assessment values and Risk Matrix Configuration; Score and rating defined in the Risk Matrix configuration.


Column Name / Description

Factor Name
  Displays the factor names. To view the factor details, click the hyperlinked factor name in this column. The respective factor form appears in read-only mode in a new window.

Risk Rating Guidance icon
  Click this icon to view the Risk Rating Guidance report. This report displays the list of values and the respective scores defined for the Standard or Quantitative factors. Click the Close button to close the report.
  Note:
  - This icon is available only for those Quantitative and Standard factors that have LOV values as the assessment response.
  - This icon is not available for Qualitative factors.

Prior Assessment
  The prior assessment rating appears. This field displays the prior assessment values only if the value Yes is selected in the Display Prior Assessment field of the Risk Assessment Plan form.
  Note:
  - If you are assessing the Risk for the first time, this column does not display any assessment rating.
  - This functionality is not applicable for standard factors.


Assessment
  Select the current Risk Assessment. You can provide assessment values for the Quantitative, Standard and Qualitative Risk Assessment factors.
  For Quantitative and Standard Factors, you can provide any one of the following as your assessment value. The values that are available in this field are based on the values entered in the List Of Values tab or the Scoring Rules defined in the Quantitative Assessment Factor form.
  • If the assessment is scoring rules based, you can enter only a number in this field as your response. To enter the assessment value, click the Enter Score column and type the value.
  • If the assessment response is set as List Of Values, you can enter the values defined in the Response field of the Quantitative Assessment Factor form as the current assessment for the factor.
  This field displays the default rating or the previous assessment rating based on the Risk Assessment Plan settings. For more information on the Risk Assessment plan, refer to the Creating Risk Assessment Plans section.
  For Qualitative Risk Assessment Factors, you can provide any one of the following values as your assessment response. The values in this region vary based on the response type that is selected in the Qualitative Assessment Form for this factor.
  • Amount: Enter a number as your response for the qualitative factor.
  • Date: Enter a date as your response for the qualitative factor.
  • List of Values: Select the values from the list.
  • Number: Enter a number as your response for the qualitative factor.
  • Text: Enter the description for the qualitative factor.
  For more information on the qualitative assessment factor responses, refer to the Qualitative Assessment Factor Response Columns section.

Score
  This field displays the assessed score for the standard factor. The module calculates this score based on the value that you enter in the Assessment field.
  Note: The score is calculated and displayed based on the score defined for a particular response in the Quantitative Factor form.

Weighted Score
  This field displays the weighted score. The module displays the score of the factor as the weighted score in this column.


Rating
  The module displays the rating for the factors. This is not applicable for the factor type List Of Values. The module displays the rating for Rules Based type Standard/Quantitative factors based on the value specified in the Rating field of the Quantitative Assessment Factor form.

Comments
  Use this column to enter comments regarding the factor assessment.
  1. Click the Comments icon next to this column. The Comments/Justification window appears.
  2. Type the comments and click the Save button to insert the comments and exit the window.
  3. The entered comments appear in the Comments/Justification column in the tabular format.
  4. Click the Cancel button to cancel the entered comments.
  To edit the comments, repeat steps 1 through 3.

Overall Score and Rating
The overall score and rating are displayed at the bottom of the tabular format in the following columns.

Weighted Score
  The overall weighted score appears.
  Example:
  Impact = 5
  Likelihood = 5
  Weighted score = 5 * 5 = 25
  Note:
  - The score is displayed based on the assessment value provided for each standard factor.
  - Only the scores from the factors that are used in the Risk Matrix Configuration setup form are considered for the overall inherent risk score calculation.

Rating
  The overall rating for the inherent risk score appears. The rating is populated from the overall score according to the Risk Matrix Configuration setup. For example, if the score is 25 and the matrix defines the rating for score 25 as Very High, rank 2, and red color, the overall rating is populated as Very High with a red background color and the Risk is ranked as 2.


Assessments Tab > Controls For Tabular Format

This tabular format displays all the controls that are related to the risk that you are assessing. The association of Risks with Controls is performed during the Risk creation stage in the GRC Foundation module. If a risk is associated with three controls, all three controls are populated in this tabular format. For the Controls that are populated from the GRC Foundation module, you can provide a control assessment rating, modify the weighting value, and enter comments. While performing the risk-control assessment, you can add related controls that mitigate the risk that you are assessing in this tabular format. For more information on the Controls tabular format columns, refer to the Assessments Tab > Controls For Tabular Format section.


Figure 53: Risk Assessment Form > Assessments Tab > Controls For Tabular Format (Reducing Inherent Risk Screen). Callouts in the figure: Mapped Controls for a Risk; Overall Control Score; Overall Control Rating.


Assessments Tab > Residual Risk For Tabular Format

This tab is made available when you click the Risk name at the third hierarchical level of the Assessment main tabular format. After you click the particular risk name for assessment, the Residual Risk For <Risk Name> tabular format appears, displaying all the factors that you need to assess for the selected risk name. The standard factors are populated from the Risk Matrix Configuration setup form. For more information on how this tabular format is organized, refer to the Assessments Tab > Residual Risk For Tabular Format section.

Based on the assessment values that you provide in this tabular format, the residual risk score is calculated using the rating and score defined in the Risk Matrix Configuration setup form. The input values that you can provide for the different factors vary based on the response type defined during factor creation.


Figure 54: Risk Assessment Form > Assessments Tab > Residual Risk For Tabular Format. Callouts in the figure: Standard Factors from Risk Matrix Configuration; Factor scores based on the assessment values; Overall Inherent Risk Rating and score based on the assessment values and Risk Matrix Configuration; Score, rank, and rating defined in the Risk Matrix configuration.


Column Name / Description

Factor Name
  Displays the factor names. To view the factor details, click the hyperlinked factor name in this column. The respective factor form appears in read-only mode in a new window.

Risk Rating Guidance icon
  Click this icon to view the Risk Rating Guidance report. This report displays the list of values and the respective scores defined for the Standard or Quantitative factors. Click the Close button to close the report.
  Note: This icon is available only for those Quantitative and Standard factors that have LOV values as the assessment response.

Prior Assessment
  The prior assessment rating appears. This field displays the prior assessment values only if the value Yes is selected in the Display Prior Assessment field of the Risk Assessment Plan form.
  Note: If you are assessing the Risk for the first time, this column does not display any assessment rating.

Assessment
  Select the current Risk Assessment. You can provide assessment values for the Quantitative and Standard factors.
  For Quantitative and Standard Factors, you can provide any one of the following as your assessment value. The values that are available in this field are based on the values entered in the List Of Values tab or the Scoring Rules defined in the Quantitative Assessment Factor form.
  • If the assessment is scoring rules based, you can enter only a number in this field as your response. To enter the assessment value, click the Enter Score column and type the value.
  • If the assessment response is set as List Of Values, you can enter the values defined in the Response field of the Quantitative Assessment Factor form as the current assessment for the factor.
  This field displays the default rating or the previous assessment rating based on the Risk Assessment Plan settings. For more information on the Risk Assessment plan, refer to the Creating Risk Assessment Plans section.

Score
  This field displays the assessed score for the standard factor. The module calculates this score based on the value that you enter in the Assessment field.
  Note: The score is calculated and displayed based on the score defined for a particular response in the Quantitative Factor form.

Weighted Score
  This field displays the weighted score. The module displays the score of the factor as the weighted score in this column.


Rating
  The module displays the rating for the factors. This is not applicable for the factor type List Of Values. The module displays the rating for Rules Based type Standard/Quantitative factors based on the value specified in the Rating field of the Quantitative Assessment Factor form.

Comments
  Use this column to enter comments regarding the factor assessment.
  1. Click the Comments icon next to this column. The Comments/Justification window appears.
  2. Type the comments and click the Save button to insert the comments and exit the window.
  3. The entered comments appear in the Comments/Justification column in the tabular format.
  Note: If you want to cancel the entered comments, click the Cancel button.
  To edit the comments, repeat steps 1 through 3.

Overall Score and Rating
The overall score and rating are displayed at the bottom of the tabular format in the following columns.

Weighted Score
  The overall weighted residual score appears.
  Example:
  Impact = 5
  Likelihood = 5
  Weighted score = 5 * 5 = 25
  Note:
  - The score is displayed based on the assessment value provided for each standard factor.
  - Only the scores from the factors that are used in the Risk Matrix Configuration setup form are considered for the overall inherent risk score calculation.


Rating
  The overall residual rating appears. The rating is populated from the overall weighted score according to the Risk Matrix Configuration setup. For example, if the score is 25 and the matrix defines the rating for score 25 as Very High with red color, the overall rating is populated as Very High with a red background color.


Findings and Observations Tab

While conducting the Risk Assessment, the assessor may notice serious issues or findings that affect the organization. Using the Findings and Observations tab, you can add one or more findings and trigger an issue to the Issue Management module to resolve it. For more information on adding issues, refer to the Findings and Observations Tab section.

Additional Details Tab

Use the Additional Details tab to provide additional details and attach documents that the user can refer to. For more information on this tab, refer to the Additional Details Tab section.

Modify/Review/Approve Section
Use the Modify/Review/Approve section to take action on the Risk Assessment form. For more information on this section, refer to the Modify/Review/Approve Section section.

Form Submission
For more information on the Form Tool Bar icons, refer to the Form Tool Bar section.

Task Assignments and E-mail Notifications

After you submit the current form, no task assignments or e-mails are generated.


Heat Maps
Based on the Risk Matrix configuration, the heat map displays the Risks in the different zones of the matrix according to their assessment values. You can view the Risk trend based on the inherent and residual scores.

You can view the Risk direction by tracing its movement from Inherent to Residual. For more information on heat map report functions, refer to the Heat Maps section.

Figure 55: Heat Map. Callouts in the figure: Residual Risks; Inherent Risks.

Chapter 9: Scoring Algorithm and Rating Method

This chapter provides information on the scoring algorithm and rating method configuration, how to assess risks associated with this method, and the related heat map.

Sections:
1. What Is Scoring Algorithm and Rating Method?
2. How Can I perform Scoring Algorithm and Rating Assessment?
3. Assessing Risks - Scoring Algorithm and Rating Method
4. Score Roll Up Scenario
5. Heat Maps


What Is Scoring Algorithm and Rating Method?

The Scoring Algorithm and Rating method allows you to perform a Risk Assessment based on the algorithm setup and the Risk Configuration Matrix. For example, if the Impact of a Risk is Catastrophic and the Likelihood is Almost Certain, the risk score is 25 (Impact X Likelihood); the score is computed by the Risk Scoring Algorithm, and the Risk Rating of Very High is taken from the Risk Matrix Configuration. The Heat Map configuration for the 16 variations of the heat map is based on the Risk Matrix configuration.

The roll up of scores to the Assessable Entity and Organization is based on the 2 factors that are set as the X and Y coordinates. This ensures that the Heat Maps remain two dimensional.

For more information on Risk score roll up, refer to the Risk Score and Rating Roll Up section.

How Can I perform Scoring Algorithm and Rating Assessment?

You can create a profile by specifying the Risk Rating based on the coordinate responses. For example, if the Impact is Catastrophic and the Likelihood is Almost Certain, the Risk Rating is Very High with a red Heat Map background color; this mapping is configured using the Risk Matrix Configuration.

You can define the Risk Scoring Algorithm based on your requirements. When you enter the factor responses during an assessment, the risk scores are calculated based on the scoring algorithm and the risk rating is populated based on the Risk Matrix configuration.


The following figure depicts the Impact X Likelihood 5X5 matrix defined for the Scoring Algorithm and Risk Rating method.

Figure 56: Scoring Algorithm and Rating Method Matrix


For more information on Risk Matrix Configuration user interface and defining the matrix, refer to the
Configuring Risk Matrices section.
The following figure depicts the Risk Scoring Algorithm defined using the Risk Scoring Algorithm
interface.

Figure 57: Risk Scoring Algorithm Snapshot


Assessing Risks - Scoring Algorithm and Rating Method

By using the Risk Assessment form, you can assess the Risks that are part of the assessment. The score is populated based on the Risk scoring algorithm and the rating based on the Risk Configuration Matrix settings. The score is rolled up to the assessable entity and then to an organization while performing the assessment. The roll ups are done for the 2 coordinates that are part of the Risk Matrix Configuration, and based on these the risk rating is picked up from the Risk Matrix Configuration.

Risk Assessment Form

Use the Risk Assessment form to perform the Risk assessment and record the details.

For more information, refer to Risk Assessment Form.

Header
Use the header section to view the assessment details. For more information on field descriptions, refer to Header.


Details Tab
Use the Details tab to view the general details of the Risk Assessment. For more information on field descriptions, refer to the Details Tab section.

Assessments Tab
The Assessments tab displays the related Entities and Risks that are selected while creating the Risk assessment plan. This tab is organized in a tree tabular format. For more information on the tabular format and tree structure organization, refer to the Viewing Assessable Entity and Risk Details section.

Note: Based on the Risk Algorithm settings, the Inherent Risk, Control, and Residual Risk tabular formats are made available in this tab.

Assessments Tab > Inherent Risk For Tabular Format

This tab is made available when you click the Risk name at the third hierarchical level of the Assessment main tabular format. After you click the particular risk name for assessment, the Inherent Risk For <Risk Name> tabular format appears, displaying all the factors that you need to assess for the selected risk name. The standard factors are populated from the Risk Matrix Configuration setup form.

For more information on how this tabular format is organized, refer to the Assessments Tab > Inherent Risk For Tabular Format section.

Based on the assessment values that you provide in this tabular format, the inherent risk score is calculated. The overall inherent Risk score is calculated using the Inherent formula defined in the Risk Algorithm interface. The rating is populated by comparing the scores of the two factors that are part of the Risk Matrix Configuration setup form. The input values that you can provide for the different factors vary based on the response type defined during factor creation.


Figure 58: Risk Assessment Form > Assessments Tab > Inherent Risk For Tabular Format. Callouts in the figure: Standard Factors from Risk Algorithm; Factor scores based on the assessment values; Quantitative Factors; Overall Inherent Risk Score (Impact * Likelihood) based on the Algorithm logic and the rating based on the intersection of two factor responses from the Risk Matrix Configuration; Rating defined in the Risk Matrix configuration.


Column Name / Description

Factor Name
  Displays the factor names. To view the factor details, click the hyperlinked factor name in this column. The respective factor form appears in read-only mode in a new window.

Risk Rating Guidance icon
  Click this icon to view the Risk Rating Guidance report. This report displays the list of values and the respective scores defined for the Standard or Quantitative factors. Click the Close button to close the report.
  Note:
  - This icon is available only for those Quantitative and Standard factors that have LOV values as the assessment response.
  - This icon is not available for Qualitative factors.

Prior Assessment
  The prior assessment rating appears. This field displays the prior assessment values only if the value Yes is selected in the Display Prior Assessment field of the Risk Assessment Plan form.
  Note:
  - If you are assessing the Risk for the first time, this column does not display any assessment rating.
  - This functionality is not applicable for standard factors.


Assessment
  Select the current Risk Assessment. You can provide assessment values for the Quantitative, Standard and Qualitative Risk Assessment factors.
  For Quantitative and Standard Factors, you can provide any one of the following as your assessment value. The values that are available in this field are based on the values entered in the List Of Values tab or the Scoring Rules defined in the Quantitative Assessment Factor form.
  • If the assessment is scoring rules based, you can enter only a number in this field as your response. To enter the assessment value, click the Enter Score column and type the value.
  • If the assessment response is set as List Of Values, you can enter the values defined in the Response field of the Quantitative Assessment Factor form as the current assessment for the factor.
  This field displays the default rating or the previous assessment rating based on the Risk Assessment Plan settings. For more information on the Risk Assessment plan, refer to the Creating Risk Assessment Plans section.
  For Qualitative Risk Assessment Factors, you can provide any one of the following values as your assessment response. The values in this region vary based on the response type that is selected in the Qualitative Assessment Form for this factor.
  • Amount: Enter a number as your response for the qualitative factor.
  • Date: Enter a date as your response for the qualitative factor.
  • List of Values: Select the values from the drop-down.
  • Number: Enter a number as your response for the qualitative factor.
  • Text: Enter the description for the qualitative factor.
  • Yes or No: Select Yes or No as your response.
  For more information on the qualitative assessment factor responses, refer to the Qualitative Assessment Factor Response Columns section.

Score
  This field displays the assessed score for the standard factor. The module calculates this score based on the value that you enter in the Assessment field.
  Note: The score is calculated and displayed based on the score defined for a particular response in the Quantitative Factor form.

Weighted Score
  This field displays the weighted score. The module displays the score of the factor as the weighted score in this column.


Rating
  The module displays the rating for the factors. This is not applicable for the factor type List Of Values. The module displays the rating for Rules Based type Standard/Quantitative factors based on the value specified in the Rating field of the Quantitative Assessment Factor form.

Comments
  Use this column to enter comments regarding the factor assessment.
  1. Click the Comments icon next to this column. The Comments/Justification window appears.
  2. Type the comments and click the Save button to insert the comments and exit the window. The entered comments appear in the Comments/Justification column in the tabular format.
  3. Click the Cancel button to cancel the entered comments.
  To edit the comments, repeat steps 1 through 3.

Overall Score and Rating
The overall score and rating are displayed at the bottom of the tabular format in the following columns.

Weighted Score
  The overall weighted score appears.
  Example:
  Impact = 5
  Likelihood = 5
  Inherent score formula = Impact * Likelihood
  Weighted score = 5 * 5 = 25
  Note: The score is displayed based on the assessment value provided for each standard factor and the scoring algorithm defined in the Risk Scoring Algorithm interface.

Rating
  The overall rating for the inherent risk score appears. The rating is populated based on the responses for the two standard factors that are part of the Risk Matrix Configuration setup.
  For example:
  Impact = Catastrophic
  Likelihood = Likely
  Rating = Very High (from the Risk Matrix Configuration setup).


Assessments Tab > Controls For Tabular Format

This tabular format displays all the controls that are related to the risk that you are assessing. The association of Risks with Controls is performed during the Risk creation stage in the GRC Foundation module. If a risk is associated with three controls, all three controls are populated in this tabular format. For the Controls that are populated from the GRC Foundation module, you can provide a control assessment rating, modify the weighting value, and enter comments. While performing the risk-control assessment, you can add related controls that mitigate the risk that you are assessing in this tabular format. The number of columns that are available in this tabular format varies based on the scoring algorithm that is defined for calculating the control scores.

If the scoring algorithm is Based On Controls Mitigating Standard Factors, you can provide the mitigated percentage value for each control by selecting the factors that are mitigated using the control.

If the scoring algorithm is Based On Overall Control Score Reducing Inherent Risk, this tabular format displays the rating and other score related columns.

Figure 59: Risk Assessment Form > Assessments Tab > Controls For Tabular Format (Mitigates screen)


Figure 60: Risk Assessment Form > Assessments Tab > Controls For Tabular Format (Reducing Inherent Risk Screen). Callouts in the figure: Mapped Controls for a Risk; Overall Control Score based on the Algorithm (Average of all Controls); Overall Control Rating.


Column Name / Description

Add Control and Delete Control buttons
  You can add additional controls while assessing the Risks. For more information on adding and deleting Controls, refer to the Adding New Controls section.

Control
  The control name appears. Click the hyperlinked Control name to view the control details. The details of the Control appear in read-only mode. Click the Close button to close the Control form.
  Note: The hyperlink is not available for newly added GRC Library Controls and newly created Controls.

Type
  The type of Control appears. The following are the possible values in this column:
  • Related To Risk: The module populates this value if the Control is associated with the selected Risk during the Risk creation stage.
  • Library Control: The module populates this value for newly added GRC Library Controls while assessing the Risks.
  • New Control: The module populates this value for newly created ad hoc Controls while assessing the Risks.

View Tests link
  Click this link to view the test execution results of the control that is assessed. The View Test Results report appears with details such as test execution ID, test plan name and so on. The details in this report are populated from the Compliance Management module.
  Note: This link is available only for those Controls that are pre-populated based on the Risk-Control association.
  For more information on the View Test Results report, refer to the MetricStream Compliance Management User Guide Release 6.1 SP4.

Key Control
  Select Yes/No to specify whether this control is a key control or not. This column is editable only for newly added GRC Library Controls and newly created Controls.

Purpose
  Select the control category. The following options are available in this field:
  • Compliance
  • Financial
  • Operational
  • Preventive
  • Detective
  Note: The control category is pre-populated for new controls and for the related controls of the risk that is assessed, and you cannot edit the details.


Mitigates (available only for those assessments which use the Based On Controls Mitigating Standard Factors scoring algorithm)
  Select the Standard factors that this control mitigates and provide the mitigation value for each. To select the standard factors and provide the mitigation value, perform the following steps:
  1. Click the Comments icon next to this column. The Mitigates Factor window appears.
  2. In the Enter Value field, enter the value by which you are mitigating the risk associated with the standard factor corresponding to the Factor name.
  Note:
  - You can enter a value between 0 and 100. The value that you enter is used for calculating the residual risk score based on the Pre-Residual Score Formula defined in the Risk Scoring Algorithm interface.
  - The Mitigates Factor window displays all the Standard Factors and Quantitative non-Standard Factors that reduce inherent risk.
  3. After entering the mitigated value, select the check boxes of the factors for which you have entered a value.
  4. Click the Save button to save the entered mitigated values. The selected Factor names and corresponding values appear as comma separated values in the tabular format column.
  5. Click the Cancel button to cancel the selection.
  To edit the values and select another Factor, repeat steps 1 to 5.
  For example:
  Pre-Residual Score Formula = Standard Factors - Standard Factors Mitigated By Controls
  Financial Factor Inherent Score = 30
  Mitigated Factor Value = 10
  Residual Score for Financial Factor = 30 - 10 = 20


The following columns are available for those assessments which use the Based On Overall Control Score Reducing Inherent Risk scoring algorithm:
• Rating
• Score
• Weighting
• Control Score%

Rating
  Select the control rating. The following options are available in this field:
  • High
  • Medium
  • Low
  The values in this field are populated from the MS_RSK_CONTROL_OVERRIDE data table. The display of this column is based on the Risk Assessment Plan setting. For more information on configuring the data table values, refer to the MetricStream Risk Assessments System Administrator Guide Release 6.1 SP2.

Score
  The assessed factor score based on the control effectiveness rating appears. The values in this field are populated from the MS_RSK_CONTROL_OVERRIDE data table based on the value range defined for each rating. For example, for the High rating, the score is 3.

Weighting
  This column displays the weighting score for the control. The module displays this value based on the weighting that is defined in the MS_RSK_CONTROL_OVERRIDE data table. You can edit this value only when the Modify Weighting field is set to Yes in the Risk Assessment Plan form. The weighting is treated as a number or as a percentage based on the settings of the MS_RSK_CONTROL_OVERRIDE data table.

Control Score%
  The control effectiveness score appears.


Comments To enter comments regarding the controls use this column. To
enter comments, perform the following steps:

1. Click the Comments icon next to this column. The Com-


ments/Justification window appears.

2. Type the comments and click the Save button to insert the com-
ments and exit the window.
The entered comments appear in the Comments column in the
tabular format.
3. Click the Cancel button to cancel the entered comments.
To edit the comments, follow steps from 1 to 3.
Overall Score and Rating
The overall score and rating is displayed at the bottom of the grid in the following columns.
Mitigates (available only for assessments that use the Based On Controls Mitigating Standard Factors scoring algorithm)
The module populates this value from the mitigated values entered in the Mitigates column. For example, if the mitigated value entered for the Financial factor is 30, this column displays Financial:30. If mitigated values are entered for more than one factor, the module displays the mitigated percentage of each factor as comma-separated values.
Rating (available only for assessments that use the Based On Controls Mitigating Standard Factors scoring algorithm)
The overall control rating appears. It is calculated from the control ratings that you select. The values in this field are populated from the MS_RSK_CONTROL_OVERRIDE data table based on the value range defined for each rating. For example, for a High rating, the score is 3.
Control Score% The overall control score appears. The control score is calculated
based on the Control formula defined in the Risk Scoring Algorithm
interface. For example, with Control Score formula = Average (All
Controls):
Control 1 = 35
Control 2 = 50
Control 3 = 13
Overall Control score = (35 + 50 + 13) / 3 = 32.67, displayed rounded as 33
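The two control-scoring formulas this table describes, worked through as an added Python example (this is not MetricStream's code). The High/Medium/Low to 3/2/1 score mapping (the page only states High = 3), the handling of percentage versus numeric weightings, and the summing of mitigation values when several controls mitigate the same factor are assumptions made for the illustration; the three control scores and the Financial factor figures are the page's own examples.

```python
"""Control scoring under the two algorithms on this page (added example, not MetricStream code)."""

# Assumed rating-to-score mapping; the page only states that High scores 3.
CONTROL_RATING_SCORE = {"High": 3, "Medium": 2, "Low": 1}


def rating_to_score(rating: str) -> int:
    """Score for a selected control rating, as the Score column would show it."""
    try:
        return CONTROL_RATING_SCORE[rating]
    except KeyError:
        raise ValueError(f"unknown control rating: {rating!r}") from None


def overall_control_score(scores, weights=None, weights_are_percent=False) -> float:
    """'Based On Overall Control Score Reducing Inherent Risk': Average (All Controls).

    With weights the result is a weighted average. Assumed handling of the
    "number or percentage" setting: percentage weights must total 100 and give
    sum(score * w / 100); numeric weights give sum(score * w) / sum(w).
    """
    scores = [float(s) for s in scores]
    if not scores:
        raise ValueError("no controls to score")
    if weights is None:
        return sum(scores) / len(scores)
    weights = [float(w) for w in weights]
    if len(weights) != len(scores):
        raise ValueError("one weight per control is required")
    if weights_are_percent:
        if abs(sum(weights) - 100.0) > 1e-9:
            raise ValueError("percentage weights must total 100")
        return sum(s * w / 100.0 for s, w in zip(scores, weights))
    if sum(weights) <= 0:
        raise ValueError("numeric weights must be positive")
    return sum(s * w for s, w in zip(scores, weights)) / sum(weights)


def pre_residual_scores(inherent_factor_scores: dict, controls: list) -> dict:
    """'Based On Controls Mitigating Standard Factors':
    Pre-Residual = Standard Factors - Standard Factors Mitigated By Controls.

    `controls` is one {factor: mitigation} dict per control, each value in 0..100
    as the Mitigates Factor window accepts. Assumed: mitigation from several
    controls on one factor is summed and the result is floored at 0.
    """
    result = {}
    for factor, inherent in inherent_factor_scores.items():
        mitigated = 0.0
        for control in controls:
            value = control.get(factor, 0)
            if not 0 <= value <= 100:
                raise ValueError(f"mitigation for {factor} must be 0..100, got {value}")
            mitigated += value
        result[factor] = max(0.0, float(inherent) - mitigated)
    return result


if __name__ == "__main__":
    # The page's own example: three controls scored 35, 50 and 13.
    print(round(overall_control_score([35, 50, 13]), 2))            # 32.67, shown rounded as 33
    # Same controls with percentage weightings 50/30/20 (constructed input).
    print(overall_control_score([35, 50, 13], [50, 30, 20], True))  # 35.1
    # The page's mitigation example: Financial 30 mitigated by 10.
    print(pre_residual_scores({"Financial": 30}, [{"Financial": 10}]))  # {'Financial': 20.0}
```

The unweighted average reproduces the 33 shown above only after rounding; keep the unrounded value for roll-ups so that rounding happens once, at display time.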

Assessments Tab > Residual Risk For Tabular Format


This tab is made available when you click the Risk name in the Assessment main tabular format at the
third hierarchical level. After you click the particular risk name for assessment, the Residual Risk For
<Risk Name> tabular format appears, displaying all the factors that you need to assess for the selected
risk. The standard factors are populated from the Risk Matrix Configuration setup form.

For more information on how this tabular format is organized, refer to the Assessments Tab > Residual
Risk For Tabular Format section.

Based on the assessment values that you provide in this tabular format, the residual risk score is
calculated. The overall residual risk score is calculated based on the residual formula defined in the
Risk Scoring Algorithm interface. The rating is populated by comparing the scores of the two factors that
are part of the Risk Matrix Configuration setup form. The input values that you can provide in this
tabular format for the different factors vary based on the response type that is defined during factor
creation.

If the algorithm is Based On Controls Mitigating Standard Factors, the mitigated score and the overall
risk score are calculated from the pre-residual calculation. The risk rating is applicable only if the
factors are rated.

Figure 61: Risk Assessment Form > Assessments Tab > Residual Risk For Tabular Format (screenshot not reproduced). Callouts in the figure: Standard Factors from Risk Matrix Configuration; Factor scores based on the assessment values; Overall Inherent Risk Score (Impact * Likelihood) based on the Algorithm logic and the rating based on the intersection of two factor responses from the Risk Matrix Configuration; Rating defined in the Risk Matrix configuration.

Column Name Description


Factor Name Displays the factor names. To view the factor details, click the
hyperlinked factor name in this column. The respective factor form
appears in read-only mode in a new window.
(Risk Rating Guidance icon) Click this icon to view the Risk Rating Guidance report. This report
displays the list of values and the respective scores defined for the
Standard or Quantitative factors. Click the Close button to close the report.
Note: This icon is available only for those Quantitative and Standard
factors that have LOV values as the assessment response.

Prior Assessment The prior assessment rating appears. This field displays the prior
assessment values only if the value Yes is selected in the Display
Prior Assessment field of the Risk Assessment Plan form.
Note: If you are assessing the Risk for the first time, this column does not
display any assessment rating.

Assessment Select the current Risk Assessment. You can provide assessment
values for the Quantitative and Standard factors.
For Quantitative and Standard Factors, the values that are available in
this field are based on the values entered in the List Of Values tab or
on the Scoring Rules defined in the Quantitative Assessment Factor form:
If the assessment is scoring rules based, you can enter only a number
in this field as your response. To enter the assessment value, click
the Enter Score column and type the value.
If the assessment response is set as List Of Values, you can enter
the values defined in the Response field of the Quantitative
Assessment Factor form as the current assessment for the factor.
This field displays the default rating or the previous assessment
rating based on the Risk Assessment Plan settings. For more
information on the Risk Assessment plan, refer to the Creating Risk
Assessment Plans section.

Score This field displays the assessed score for the standard factor. The
module calculates this score based on the value that you enter in
the Assessment field.
Note: The score is calculated and displayed based on the score defined for
a particular response in the Quantitative Factor form.

Weighted Score This field displays the weighted score. The module displays the
score of the factor as the weighted score in this column.

Rating The module displays the rating for the factors.
This is not applicable for factor type List Of Values. The module
displays the rating for Rules Based type of Standard/Quantitative
factors based on the value specified in the Rating field of the
Quantitative Assessment Factor form.
Comments Use this column to enter comments regarding the factor
assessment.
1. Click the Comments icon next to this column. The Comments/Justification window appears.
2. Type the comments and click the Save button to insert the comments and exit the window.
The entered comments appear in the Comments/Justification
column in the tabular format.
3. Click the Cancel button to discard the entered comments.
To edit the comments, repeat steps 1 through 3.
Overall Score and Rating
The overall score and rating are displayed at the bottom of the tabular format in the following columns.
Weighted Score The overall weighted score appears.
Example:
Impact = 5
Likelihood = 5
Residual score formula = Impact * Likelihood
Weighted score = 5 * 5 = 25
Note: The score is displayed based on the assessment value provided for
each standard factor and the scoring algorithm defined in the Risk Scoring
Algorithm interface.

Rating The overall rating for the residual risk score appears.
The rating is populated based on responses for the two standard
factors that are part of the Risk Matrix Configuration set up.
For example,
Impact = Catastrophic
Likelihood = Likely
Rating = Very High (from the Risk Matrix Configuration set up).

Findings and Observations Tab


While conducting the Risk Assessment, the assessor may notice serious issues or findings that affect
the organization. Using the Findings and Observations tab, you can add one or more findings and
trigger an issue to the Issue Management module to resolve it. For more information on adding
issues, refer to the Findings and Observations Tab section.

Additional Details Tab


Use the Additional Details tab to provide additional details and attach documents that the user can
refer to. For more information on the Additional Details tab, refer to the Additional Details Tab section.

Modify/Review/Approve Section
Use the Modify/Review/Approve section to take action on the Risk Assessment form. For more
information on this section, refer to the Modify/Review/Approve Section section.

Form Submission
For more information on the Form Tool Bar icons, refer to the Form Tool Bar section.

Task Assignments and E-mail Notifications


After you submit the current form, no task assignments and e-mails are generated.

Score Roll Up Scenario


The following table provides an example of how the Risk score and rating are rolled up to the assessable entity and the organization for the Algorithm and Rating method.

The scores are populated based on the algorithm, and the ratings from the Risk Configuration Matrix; both are rolled up to the assessable entity and the organization as shown below.

Assessable Entity A1 (Algorithm = Impact * Likelihood)
Risk | Impact Response and Score | Likelihood Response and Score | Residual Score | Rating (from the Risk Configuration Matrix)
R1 | Catastrophic = 5 | Likely = 4 | 5*4 = 20 | High
R2 | Catastrophic = 5 | Possible = 3 | 5*3 = 15 | Medium
R3 | Catastrophic = 5 | Unlikely = 2 | 5*2 = 10 | Low
Overall Score | 5 (the average impact score of R1, R2, and R3) | 3 (the average likelihood score of R1, R2, and R3) | (20+15+10)/3 = 15 (based on the Algorithm) | 5*3 is compared in the Risk Matrix Configuration to arrive at the rating = Very High
The following figure (not reproduced) describes the tabular format view of the Risk Configuration Matrix defined for Impact and Likelihood.

Assessable Entity A2 (Algorithm = Impact * Likelihood)
Risk | Impact Response and Score | Likelihood Response and Score | Residual Score | Rating (from the Risk Configuration Matrix)
R1 | Moderate = 3 | Unlikely = 2 | 3*2 = 6 | Low
Overall Score | 3 | 2 | 6 | 3*2 is compared in the Risk Matrix Configuration to arrive at the rating = Low
The following figure (not reproduced) describes the tabular format view of the Risk Configuration Matrix defined for Impact and Likelihood.

Overall Roll up for Organization 1
Assessable Entity | Impact Response and Score | Likelihood Response and Score | Residual Score | Rating (from the Risk Configuration Matrix)
A1 + A2 | (5+3)/2 = 4 | (3+2)/2 = 2.5, rounded to 3 | (15+6)/2 = 10.5, rounded to 11 | 4*3 is compared in the Risk Matrix Configuration to arrive at the rating = High
The following figure (not reproduced) describes the tabular format view of the Risk Configuration Matrix defined for Impact and Likelihood.
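The per-risk residual score, the matrix-cell rating, and the averaging roll-up from risks to assessable entity to organization, as an added Python example (not MetricStream's code). The response-to-score mappings and the 5x5 Risk Matrix Configuration are constructed for the illustration and chosen so that the per-risk cells agree with the rows above (5x4 High, 5x3 Medium, 5x2 Low, 3x2 Low, 4x3 High); a shipped configuration will differ. Averages are rounded half up before the matrix lookup, an assumption that matches the 2.5 shown as 3 for the organization.

```python
"""Residual score, Risk Matrix rating and roll-up (added example, not MetricStream code)."""
import math

# Constructed response-to-score mappings for the two standard factors (assumption).
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}

# Constructed 5x5 Risk Matrix Configuration: RISK_MATRIX[impact][likelihood - 1].
# Not the product's shipped matrix; its cells only agree with the per-risk rows above.
RISK_MATRIX = {
    1: ["Low", "Low", "Low", "Low", "Medium"],
    2: ["Low", "Low", "Low", "Medium", "Medium"],
    3: ["Low", "Low", "Medium", "Medium", "High"],
    4: ["Low", "Medium", "High", "High", "Very High"],
    5: ["Low", "Low", "Medium", "High", "Very High"],
}


def round_half_up(value: float) -> int:
    """Rounding assumed for rolled-up averages, so that 2.5 becomes 3 as in the scenario."""
    return int(math.floor(value + 0.5))


def matrix_rating(impact_score: float, likelihood_score: float) -> str:
    """The rating is the intersection of the two factor scores in the matrix,
    not a band on the product, so 5x3 and 3x5 may rate differently."""
    i, l = round_half_up(impact_score), round_half_up(likelihood_score)
    if i not in RISK_MATRIX or not 1 <= l <= len(RISK_MATRIX[i]):
        raise ValueError(f"scores outside the matrix: impact={impact_score}, likelihood={likelihood_score}")
    return RISK_MATRIX[i][l - 1]


def assess_risk(impact_response: str, likelihood_response: str) -> dict:
    """Per-risk row: Residual score formula = Impact * Likelihood, rating from the matrix cell."""
    impact, likelihood = IMPACT[impact_response], LIKELIHOOD[likelihood_response]
    return {"impact": impact, "likelihood": likelihood,
            "residual": impact * likelihood,
            "rating": matrix_rating(impact, likelihood)}


def roll_up(children: list) -> dict:
    """Roll up one level (risks -> assessable entity -> organization) by averaging each column."""
    if not children:
        raise ValueError("nothing to roll up")
    n = len(children)
    impact = sum(c["impact"] for c in children) / n
    likelihood = sum(c["likelihood"] for c in children) / n
    residual = sum(c["residual"] for c in children) / n
    return {"impact": impact, "likelihood": likelihood, "residual": residual,
            "rating": matrix_rating(impact, likelihood)}


def scenario() -> tuple:
    """The A1 / A2 / Organization 1 scenario from the table above."""
    a1 = roll_up([assess_risk("Catastrophic", "Likely"),
                  assess_risk("Catastrophic", "Possible"),
                  assess_risk("Catastrophic", "Unlikely")])
    a2 = roll_up([assess_risk("Moderate", "Unlikely")])
    org = roll_up([a1, a2])
    return a1, a2, org


if __name__ == "__main__":
    for name, row in zip(("A1", "A2", "Organization 1"), scenario()):
        print(name, row)
```

Because the rating is read from the cell of the rounded average scores rather than from the averaged residual, the organization's 10.5 is not itself rated; 4x3 is, which is why the same residual value can carry different ratings at different levels.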

Heat Maps
Based on the Risk Matrix configuration, the heat map displays the Risks in different zones of the matrix
based on the assessment values. You can view the Risk trend based on the inherent and residual scores.

You can view the Risk direction by tracing its movement from Inherent to Residual. The heat map zones
are displayed based on the Risk Matrix Configuration settings. For more information on heat map
reports functions, refer to the Heat Maps section.

Figure 62: Heat Map (screenshot not reproduced; the plot shows Inherent Risks and Residual Risks)

10 Risk Scoring Algorithm Method
This chapter provides information on the scoring algorithm method, how to assess Risks
associated with this method, and the related heat map.

Sections:
1. What Is Risk Algorithm Method?
2. How can I perform Risk Algorithm Method Assessment?
3. Assessing Risks - Algorithm Method
4. Heat Maps

What Is Risk Algorithm Method?


The Risk Algorithm method allows you to perform a Risk assessment based on the defined algorithm
and arrive at a score and rating for standard as well as non-standard factors. The scores and ratings are
rolled up to the assessable entity and then to organization by averaging the scores. The rating is
populated from the score range table.
For more information on data table, refer to the MetricStream Risk Assessments System Administrator
Guide Release 6.1 SP2.
For

How can I perform Risk Algorithm Method Assessment?


You can create a scoring algorithm by defining the logic for calculating the following scores:

 Inherent
 Control
 Pre-residual
 Residual

The following figure depicts the Risk Scoring Algorithm defined using the Risk Scoring Algorithm
interface.

Figure 63: Risk Scoring Algorithm Snapshot

For more information on defining the algorithm, refer to the Risk Scoring Algorithm section.

Assessing Risks - Algorithm Method


By using the Risk Assessment form, you can assess the Risks that are part of the assessment. The score
is populated based on the Risk scoring algorithm and the rating based on the score range stored in the
data table. The score is rolled up to the assessable entity and then to organization while performing the
assessment. The heat maps are displayed based on the rolled up scores and rating.

Risk Assessment Form


Use the Risk Assessment form to perform the Risk assessment and record the details. For more
information, refer to Risk Assessment Form.

Header
Use the header section to view the assessment details. For more information on field descriptions,
refer to Header.

Details Tab
Use the Details tab to view the general details of the Risk Assessment. For more information on field
description, refer to the Details Tab section.

Assessments Tab
The Assessments tab displays the related Entities and Risks that are selected while creating the Risk
assessment plan. This tab is organized in a tree tabular format. For more information on tabular format
and tree structure organization, refer to the Viewing Assessable Entity and Risk Details section.

Note: Based on the Risk Algorithm settings, the Inherent Risk, Control, and Residual Risk tabular formats are
made available in this tab.

Risk Assessments Form > Assessments Tab > Organization to be Assessed


Note: Organizations to be assessed are applicable for assessment types Org-Assessable Entity-Risk and Org-Risk.

This hierarchical level displays the organization details. The organization details are populated based
on the organizations that are selected during the Risk Assessment plan creation stage. If two
organizations are selected during the plan creation stage, the module displays their details in
separate rows. Using this tabular format row, you can perform the following:

 View the prior inherent risk rating
 View the overall inherent risk rating
 Override the residual and inherent risk ratings
 View the previous control effectiveness rating
 Provide comments for overriding the ratings
 View the trend of the risk
 View the number of open issues
 View the number of loss events
 View the number of metrics that are breached
 View the risk owners
Column Name Description
Organization Name The business unit that is being assessed. The business unit name
selected in the Organization(s) field in the Assessments tab of the
Risk Assessment Plan form appears. For example, if the plan
initiator has added two organizations, both organizations are
displayed in the first two rows. When you move the mouse pointer
over the tabular format, the organization name is displayed as a
tooltip.

Assessable Entity The entity that is being assessed. The assessable entity name selected
in the Assessable Entity(ies) field in the Assessments tab of the
Risk Assessment Plan form appears. For example, if the plan
initiator has added two assessable entities, both assessable
entities are displayed in the first two rows. When you move the
mouse pointer over the tabular format, the assessable entity name
is displayed as a tooltip.
Prior Inherent Risk (appears only if you select Yes in the Display Previous Rating? field of the Risk Assessment Plan form)
The previous inherent risk rating for the organization being
assessed appears. The module populates the roll-up score (by Org)
in this field based on the previous risk rating scored by the current
organization.
This field does not display any value if you are assessing the risk
for the first time.
The possible values in this field are:
 High
 Medium
 Low

Inherent Risk This field displays the inherent Risk Assessment score based on the
assessment values that you provide for factors in the Inherent Risk
For tabular format. When you access the form for the first time,
based on the plan setup this column displays the previous rating or
the rating based on the default values defined for each factor.
The score that you see in this tabular format column is the
combination of the overall roll-up rating, the roll-up score (by Org) and the
current Risk Assessment.
The overall inherent score is populated based on the responses
and scores from each of the factors as well as the scoring
algorithm. The rating is populated based on the score and the
corresponding rating in the MS_RSK_HEATMAP_RANGE table.
The overall factor score is calculated based on the risk scoring
algorithm defined during Risk Assessment planning. For more
information on defining the scoring algorithm, refer to the Risk Scoring
Algorithm section.
The following values are available in this field:
 High
 Medium
 Low
The values that appear in this field can be configured using the
MS_RSK_HEATMAP_RANGE data table. Each rating carries a
particular score and color coding. The module populates the color
code and rating based on the rating range configured in this data
table.
For example, for a High risk rating, the color coding of the column is
red.
For more information on configuring the data table values,
refer to the MetricStream Risk Assessments System Administrator
Guide Release 6.1 SP2.

Override (the Override column next to the Inherent Risk column is for overriding the inherent risk rating)
Using this column you can override the inherent risk rating
populated by the module. By default, the value Select one
appears. You can select the appropriate rating from the drop-down
list by clicking the drop-down arrow corresponding to the
organization name or assessable entity in the tabular format.
You must provide a justification for overriding the inherent risk
rating.
The possible values in this field are:
 High
 Medium
 Low
The values that appear in this field can be configured using the
MS_RSK_OVERRIDE_SCORE data table. Based on the value that
you select in this field, the module populates the overridden
inherent score based on the value range defined in the data table.
For more information on configuring the data table values,
refer to the MetricStream Risk Assessments System Administrator
Guide Release 6.1 SP2.

Prior Control Effectiveness (appears only if you select Yes in the Display Previous Rating? field of the Risk Assessment Plan form)
This field displays the effectiveness of the controls that were used
for mitigating the risks in the previous assessment. Each rating
displays the score corresponding to it.
The values that appear in this field are populated based on the
values defined in the MS_RSK_CONTROL_EFFECTIVENESS
data table. The display of this column is based on the Risk
Assessment Plan setting.
For more information on configuring the data table values,
refer to the MetricStream Risk Assessments System Administrator
Guide Release 6.1 SP2.

Overall Control Score This field displays the overall control score based on the
assessment value that you provide for controls in the Control
tabular format.
When you access the form for the first time, this column does not
display any rating. The score that you see in this tabular format
column is a combination of overall roll up score from all the
controls related to a particular risk. This is based on the scoring
logic defined for calculating scores.
The overall control score is populated based on the value range
that is defined in the MS_RSK_CONTROL_EFFECTIVENESS data
table.
For more information on configuring the data table values,
refer to the MetricStream Risk Assessments System Administrator
Guide Release 6.1 SP2.

Control Effectiveness This field displays the effectiveness of the controls that are used
for mitigating the Risks. Each rating displays the score
corresponding to it.
The values that appear in this field are populated based on the
value that is defined in the MS_RSK_CONTROL_EFFECTIVENESS
data table. The display of this column is based on the Risk
Assessment Plan setting.
For more information on configuring the data table values,
refer to the MetricStream Risk Assessments System Administrator
Guide Release 6.1 SP2.

Note: The control effectiveness rating is displayed only at the last child
hierarchical level, that is, the Risk hierarchical level as the controls are
related to Risks and not to organization and assessable entities.

Override Control Score Using this column you can override the control score populated by
the module. By default, the Risk Assessments module displays the
text Enter Score in this column.
To override the control score, click the column and type the
overridden control score. You can enter any numeric value as score
in this column.
Note: You can enter the overridden Control score only at the last child
hierarchical level, that is, Risk hierarchical level as the Controls are related
to Risks and not to organization and assessable entities.

Override The module populates the overridden control rating. The
overridden rating is populated based on the control score that you
enter in the Override Control Score field. The overridden control
score is populated based on the value range that is defined in the
MS_RSK_CONTROL_OVERRIDE data table.
For more information on configuring the data table values,
refer to the MetricStream Risk Assessments System Administrator
Guide Release 6.1 SP2.

Prior Residual Rating This field displays the previous residual assessment. Each rating
displays the score corresponding to it.
The values that appear in this field are populated based on the
value that is defined in the MS_RSK_HEATMAP_RANGE data table.
The display of this column is based on the Risk Assessment Plan
setting.

Residual Risk This field displays the residual Risk Assessment score based on the
assessment values that you provide for factors in the Residual Risk
For tabular format. When you access the form for the first time,
based on the plan setup, this column displays the previous rating
or the rating based on the default values defined for each factor.
This number is auto-populated. The score that you see in this
tabular format column is the combination of the overall roll-up rating,
the roll-up score (by Org) and the current Risk Assessment.
The overall residual score is populated based on the responses and
scores from each of the factors as well as the scoring algorithm.
The rating is populated based on the score and the corresponding
rating in the MS_RSK_HEATMAP_RANGE table.
The overall factor score is calculated based on the risk scoring
algorithm defined during Risk Assessment planning. For more
information on defining the scoring algorithm, refer to the Risk Scoring
Algorithm section.
The following values are available in this field:
 High
 Medium
 Low
The values that appear in this field can be configured using the
MS_RSK_HEATMAP_RANGE data table. Each rating carries a
particular score and color coding. The module populates the color
code and rating based on the rating range configured in this data
table.
For example, for High risk rating, the color coding of the column is
red.
For more information on configuring the data table values,
refer to the MetricStream Risk Assessments System Administrator
Guide Release 6.1 SP2.

Override (the Override column next to the Residual Risk column is for overriding the residual risk rating)
Using this column you can override the residual risk rating
populated by the module. By default, the module populates the value
Select one. You can select the appropriate rating from the drop-
down list by clicking the drop-down arrow corresponding to the
organization name or assessable entity in the tabular format.
You must provide a justification for overriding the residual risk
rating.
The possible values in this field are:
 High
 Medium
 Low
The values that appear in this field can be configured using the
MS_RSK_OVERRIDE_SCORE data table. Based on the value that
you select in this field, the module populates the overridden
residual score based on the value range defined in the data table.
For more information on configuring the data table values,
refer to the MetricStream Risk Assessments System Administrator
Guide Release 6.1 SP2.

Comments/Justification If you override the inherent/residual score populated by the
module, you must provide a justification for overriding the inherent/
residual risk score in this column. To enter comments, perform the
following steps:
1. Click the Comments icon next to this column. The Comments/Justification window appears.
2. Type the comments and click the Save button to insert the comments and exit the window.
The entered comments appear in the Comments/Justification
column in the tabular format.
3. Click the Cancel button to discard the entered comments.
To edit the comments, repeat steps 1 through 3.
Trend, Threat/Opportunity, Threat/Opportunity Level, Risk Response/Treatment Strategy, #Open Issues, #Metric Breaches, #Loss Events, and Risk Owner(s)
For more information on descriptions for these columns, refer to
the Assessments Tab > Organization to be Assessed section.

Assessments Tab > Controls For Tabular Format


This tabular format displays all the controls that are related to the risk that you are assessing. The
association of Risks with Controls is performed during the Risk creation stage in the GRC Foundation
module. If a risk is associated with three controls, all three controls are populated in this tabular
format. For the Controls that are populated from the GRC Foundation module, you can provide a control
assessment rating, modify the weighting value, enter comments and attach evidence. While performing
the risk-control assessment, you can add related controls that mitigate the risk that you are assessing
in this tabular format. The number of columns that are available in this tabular format varies based on
the scoring algorithm that is defined for calculating the control scores.

If the scoring algorithm is Based On Controls Mitigating Standard Factors, you can provide the
mitigated percentage value for each control by selecting the factors that are mitigated using the
control.

If the scoring algorithm is Based On Overall Control Score Reducing Inherent Risk, this tabular format
displays the rating and other score related columns.

Figure 64: Risk Assessment Form > Assessments Tab > Controls For Tabular Format (Mitigates screen)


Figure 65: Risk Assessment Form > Assessments Tab > Controls For Tabular Format (Reducing Inherent Risk Screen) (screenshot not reproduced). Callouts in the figure: Mapped Controls for a Risk; Overall Control Score based on the Algorithm (Average of all Controls); Overall Control Rating.

Column Name Description


Add Control and Delete Control buttons You can add additional controls while assessing the Risks. For more
information on adding and deleting Controls, refer to the Adding
New Controls section.
Control The control name appears. Click the hyperlinked Control name to
view the control details. The details of the Control appear in read-
only mode. Click the Close button to close the Control form.

Note: The hyperlink is not available for newly added GRC Library Controls
and newly created Controls.

Control Type The type of Control appears. The following are the possible values
in this column:
 Related To Risk: The module populates this value if the Control
is associated with the selected Risk during the Risk creation
stage.
 Library Control: The module populates this value for newly
added GRC Library Controls while assessing the Risks.
 New Control: The module populates this value for newly
created ad hoc Controls while assessing the Risks.
View Tests link Click this link to view the test execution results of the controls that
are assessed. The View Test Results report appears with details such
as the test execution ID, test plan name and so on. The details in this
report are populated from the Compliance Management module.
Note: This link is available only for those Controls that are pre-populated
based on the Risk -Control association.
For more information on View Test Results report, refer to the
MetricStream Compliance Management User Guide Release 6.1 SP1.

Key Control Select Yes/No to specify whether this control is a key control or
not.
This column is editable only for newly added GRC Library Controls
and newly created Controls.
Control Category Select the control category. The following options are available in
this field:
 Compliance
 Financial
 Operational
 Preventive
 Detective

Note: Control category is pre-populated for New controls/related controls
of the risk that is assessed and you cannot edit the details.

Mitigates (available only for assessments that use the Based On Controls Mitigating Standard Factors scoring algorithm)
Select the Standard factors that this control mitigates and provide the mitigation value for each. To
select the standard factors and provide the mitigation value, perform the following steps:
1. Click the Comments icon next to this column.
The Mitigates Factor window appears.
2. Enter the value by which you are mitigating the risk associated
with the standard factor corresponding to the Factor name in the
Enter Value field.
Note:
- You can enter a value between 0 and 100. The value that you enter is
used for calculating the residual risk score based on the Pre-Residual
Score Formula defined in the Risk Scoring Algorithm interface.
- The Mitigates Factor window displays all the Standard Factors and
Quantitative non-Standard Factors that reduce inherent risk.
3. After entering the mitigated value, select the check boxes of the factors for
which you have entered a value.
4. Click the Save button to save the entered mitigated values.
The selected Factor names and corresponding values appear as
comma-separated values in the grid column.
5. Click the Cancel button to cancel the selection.
To edit the values or select another Factor, repeat steps 1 to 5.
For example:
Pre-Residual Score Formula = Standard Factors - Standard Factors Mitigated By Controls
Financial Factor Inherent Score = 30
Mitigated Factor Value = 10
Residual Score for Financial Factor = 30 - 10 = 20

The following columns are available for those assessments which are Based On Overall Control
Score Reducing Inherent Risk scoring algorithm:
• Rating
• Score
• Weighting
• Control Score%
Rating Select the control rating.
The following options are available in this field:
 High
 Medium
 Low
The values in this field are populated from the
MS_RSK_CONTROL_OVERRIDE data table. The display of this
column is based on the Risk Assessment Plan setting.
For more information on configuring the data table values,
refer to the MetricStream Risk Assessments System Administrator
Guide Release 6.1 SP2.

Score The assessed factor score based on the control effectiveness rating
appears.
The values in this field are populated from the
MS_RSK_CONTROL_OVERRIDE data table based on the value
range defined for each rating. For example, for High rating, score is
3.
Weighting This column displays the weighting score for the control. The module displays this value based on the weighting that is defined in the MS_RSK_CONTROL_OVERRIDE data table. You can edit this value only when the Modify Weighting field is set to Yes in the Risk Assessment Plan form. The weighting is treated as a number or a percentage based on the settings of the MS_RSK_CONTROL_OVERRIDE data table.
Control Score% The control effectiveness score appears.

Risk Scoring Algorithm Method



Comments Use this column to enter comments regarding the controls. To enter comments, perform the following steps:

1. Click the Comments icon next to this column. The Comments/Justification window appears.
2. Type the comments and click the Save button to insert the comments and exit the window. The entered comments appear in the Comments column in the grid.
3. Click the Cancel button to cancel the entered comments.

To edit the comments, follow steps 1 to 3.
Overall Score and Rating
The overall score and rating are displayed at the bottom of the grid in the following columns.

Mitigates (available only for those assessments which are Based On Controls Mitigating Standard Factors scoring algorithm) The module populates the value based on the mitigated value that is entered in the Mitigation column. For example, if the mitigated value entered for the Financial factor is 30, this column displays the value Financial:30. If the mitigated value is entered for more than one factor, the module displays the mitigated percentages of the factors as comma separated values.

Rating (available only for those assessments which are Based On Controls Mitigating Standard Factors scoring algorithm) The overall control rating appears. The overall control rating is calculated based on the rating that you select. The values in this field are populated from the MS_RSK_CONTROL_OVERRIDE data table based on the value range defined for each rating. For example, for High rating, the score is 3.

Control Score% The overall control score appears. The Control score is calculated based on the Control formula defined in the Risk Scoring Algorithm interface. For example, Control Score formula = Average (All Controls).
Example:
Control 1 = 35
Control 2 = 50
Control 3 = 13
Overall Control score = (35 + 50 + 13) / 3 = 98 / 3 ≈ 33


Assessments Tab > Inherent Risk For Tabular Format


This tab is made available when you click the Risk name in the Assessment main grid at the third
hierarchical level. After you click the particular risk name for assessment, the Residual Risk For <Risk
Name> grid appears displaying all the factors that you need to assess for the selected risk name.

This grid displays all the standard factors and quantitative non-standard factors.

The factors appear in this field based on the sort order that you defined during the factor creation. If no sort order is defined during the factor creation, the factors are listed in alphabetical order. The grid displays the factors in the following order:

 All standard factors are displayed first
 All the quantitative factors that reduce residual risk are displayed next

Based on the assessment value that you provide in this grid, the residual risk score is calculated based on the Perspective selected and the risk scoring algorithm mapped to the Perspective. The input values that you can provide in this grid for different factors vary based on the response type that is defined during the factor creation stage.

Figure 66: Risk Assessment Form > Assessments Tab > Residual Risk For Grid

Column Name Description


Factor Name Displays the factor names. To view the factor details, click the hyperlinked factor name in this column. The respective factor form appears in read-only mode in a new window.

Risk Rating Guidance icon (icon image not reproduced) Click this icon to view the Risk Rating Guidance report. This report displays the list of values and the respective scores defined for the Standard or Quantitative factors. Click the Close button to close the factor form.
Note: This icon is available only for those Quantitative and Standard factors that have LOV values as the assessment response.

Exclude icon (icon image not reproduced; this icon interchanges with the include icon) Use this icon to indicate whether to include the factor score in the residual risk score calculation or not. If you do not want to include the factor score in the risk calculation, click this icon corresponding to the factor name. The message “The Factor “Financial” in Inherent & Residual will not be part of calculations” appears. Click OK. After you click the OK button, the include icon appears.
Note: This icon appears only if the Display ‘Not Applicable’ as a choice to Assessor field check box is selected during the factor creation stage.



Include icon (icon image not reproduced; this icon interchanges with the exclude icon) Use this icon to include the factor score in the residual risk score calculation. To include the factor score in the risk calculation, click this icon corresponding to the factor name. The message “The Factor “Financial” in Residual & Inherent will be part of calculations” appears. Click OK. After you click the OK button, the exclude icon appears.

Always-included icon (icon image not reproduced) This icon appears for all Quantitative and Standard factors. This icon indicates that you cannot choose whether to include the factor score in the residual risk score calculation or not. By default, the module considers the score of this factor for the risk score calculation.
Note: This icon appears if the Display ‘Not Applicable’ as a choice to Assessor field check box is not selected during the factor creation stage.

Prior Assessment The prior assessment details appear. This field displays the prior assessment values only if the value Yes is selected in the Display Prior Assessment field of the Risk Assessment Plan form.

Mitigated Score (available only for those assessments which are Based On Controls Mitigating Standard Factors scoring algorithm) The mitigated score appears for the respective factors based on the mitigated value that is entered in the Mitigation column and on the Pre-Residual Control Formula defined in the Risk Scoring Algorithm interface.

Assessment Select the current Risk Assessment. You can provide assessment values for the Quantitative and Standard factors. For Quantitative and Standard Factors, you can provide any one of the options mentioned below as your assessment value:

The values that are available in this field are based on the values entered in the List Of Values tab or the Scoring Rules defined in the Quantitative Assessment Factor form.
If the assessment is scoring rules based, you can enter only a number in this field as your response. To enter the assessment value, click the Enter Score column and type the value.
If the assessment response is set as List Of Values, you can enter the values defined in the Response field of the Quantitative Assessment Factor form as the current assessment for the factor.
This field displays the default rating or the previous assessment rating based on the Risk Assessment Plan settings.
For more information on the Risk Assessment plan, refer to the Creating Risk Assessment Plans section.



Score This field displays the assessed score for the quantitative/standard factor. The module calculates this score based on the value that you enter in the Assessment field.

Weighting This field displays the weighting score for the current quantitative/standard factor. The module displays this value based on the value that you enter in the Default Weighting Factor field of the Quantitative Assessment Factor form during the factor creation. You can edit this value only when the Modify Weighting field is set to Yes in the Risk Assessment Plan form. The weighting is treated as a number or a percentage based on the Input Type selected during the factor creation stage.

Weighted Score This field displays the current score for the current quantitative/standard factor. The module calculates this score as Score * Weighting.
For example, if the Score is 3 and the Weighting Score is 100, the current score = 3 * 100 = 300. This can be a percentage or a number based on the Input Type selected during the factor creation stage.

Rating The module displays the rating for the Standard/Quantitative factors. This is not applicable for factor type List Of Values. The module displays the rating for Rules Based type of Standard/Quantitative factors based on the value specified in the Rating field of the Quantitative Assessment Factor form.

Comments Enter comments regarding the factor assessment.
1. Click the Comments icon next to this column. The Comments/Justification window appears.
2. Type the comments and click the Save button to insert the comments and exit the window. The entered comments appear in the Comments/Justification column in the grid.
3. Click the Cancel button to cancel the entered comments.
To edit the comments, follow steps 1 to 3.

Evidence (made available only if you select Yes in the Attach Evidence(s) field of the Risk Assessment Plan form) This functionality is not available for the current release.



Overall Score and Rating
The overall score and rating are displayed at the bottom of the grid in the following columns.

Weighted Score The overall weighted score appears.
Note: The score is displayed based on the assessment value provided for each standard and quantitative factor.

Rating The overall rating for the residual risk score appears. The rating is populated based on the value range that is defined in the MS_RSK_HEATMAP_RANGE data table. Each rating carries a particular score and color coding. For example, for High risk rating, the color coding of the column is Yellow. The module populates the color code and rating based on the rating range configured in this data table.
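The scoring arithmetic this grid describes (the Pre-Residual Score Formula from the Mitigates column, Weighted Score = Score * Weighting, Control Score = Average (All Controls), and the rating lookup against the heat map range table), carried through in an added Python example that is not part of the guide or of the product. The range bands, factor names, the 0-100 mitigation check and the percentage handling (weighting / 100) are constructed assumptions.

```python
"""Worked example of the scoring arithmetic described in this section
(constructed illustration, not MetricStream code). It covers:
  - Pre-Residual Score Formula = Standard Factors - Standard Factors Mitigated By Controls
  - Weighted Score = Score * Weighting (number or percentage Input Type)
  - overall Control Score = Average (All Controls)
  - rating lookup against a range table in the style of MS_RSK_HEATMAP_RANGE
The range bands and factor names are constructed; treating a percentage
weighting as weighting / 100 is an assumption."""
from dataclasses import dataclass


@dataclass
class Factor:
    name: str
    inherent_score: float               # assessed factor score (Score column)
    weighting: float                    # Weighting column value
    weighting_is_percent: bool = False  # Input Type: percentage vs number
    mitigated_value: float = 0.0        # value entered in the Mitigates window
    included: bool = True               # False when the assessor marks it Not Applicable


# Constructed stand-in for MS_RSK_HEATMAP_RANGE: (lower bound, upper bound, rating).
# The real table is configured by the administrator; these bands are illustrative.
HEATMAP_RANGE = [
    (0, 100, "Low"),
    (100, 250, "Medium"),
    (250, 400, "High"),
    (400, float("inf"), "Very High"),
]


def validate_mitigation(value):
    """The Mitigates window accepts a value between 0 and 100 only."""
    if not 0 <= value <= 100:
        raise ValueError(f"mitigation value {value} must be between 0 and 100")
    return value


def pre_residual_score(factor):
    """Pre-Residual Score Formula: Standard Factors - Standard Factors Mitigated By Controls."""
    return factor.inherent_score - validate_mitigation(factor.mitigated_value)


def weighted_score(score, weighting, is_percent=False):
    """Weighted Score = Score * Weighting. A percentage weighting of 100 means 100%
    (score unchanged); a numeric weighting of 100 multiplies the score by 100."""
    multiplier = weighting / 100.0 if is_percent else weighting
    return score * multiplier


def overall_weighted_score(factors, residual=True):
    """Sum of the weighted scores of the factors that are part of the calculation.
    Factors excluded via the 'Not Applicable' icon are skipped."""
    total = 0.0
    for f in factors:
        if not f.included:
            continue
        score = pre_residual_score(f) if residual else f.inherent_score
        total += weighted_score(score, f.weighting, f.weighting_is_percent)
    return total


def rating_for(score, ranges=HEATMAP_RANGE):
    """Map a score to a rating using the first band whose [lower, upper) range contains it."""
    for lower, upper, rating in ranges:
        if lower <= score < upper:
            return rating
    raise ValueError(f"score {score} is not covered by the range table")


def overall_control_score(control_scores):
    """Control Score formula = Average (All Controls)."""
    if not control_scores:
        raise ValueError("at least one control score is required")
    return sum(control_scores) / len(control_scores)


def format_mitigates(factors):
    """Render the Mitigates summary column, e.g. 'Financial:30,Operational:10'."""
    return ",".join(f"{f.name}:{f.mitigated_value:g}" for f in factors if f.mitigated_value > 0)


if __name__ == "__main__":
    financial = Factor("Financial", inherent_score=30, weighting=1, mitigated_value=10)
    print(pre_residual_score(financial))        # 20, as in the guide's example
    print(weighted_score(3, 100))                # 300, as in the guide's example
    print(overall_control_score([35, 50, 13]))   # 32.67, which the guide rounds to 33
```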


Findings and Observations Tab


While conducting the Risk Assessment, the assessor may notice some serious issues/findings that affect the organization. Using the Findings and Observations tab, you can add one or more findings and you can trigger an issue to the Issue Management module to resolve it. For more information on adding issues, refer to the Findings and Observations Tab section.

Additional Details Tab


Use the Additional Details tab to provide additional details and attach documents that the user can refer to. For more information on the Additional Details tab, refer to the Additional Details Tab section.

Modify/Review/Approve Section
Use the Modify/Review/Approve section to take action on the Risk Assessment form. For more information on this section, refer to the Modify/Review/Approve Section section.

Form Submission
For more information on the Form Tool Bar icons, refer to the Form Tool Bar section.

Task Assignments and E-mail Notifications


After you submit the current form, no task assignments and e-mails are generated.


Heat Maps
Heat Maps are plotted based on the configuration in the Heat Map Range Table,
MS_RSK_HEATMAP_RANGE, for assessments using Risk Scoring Algorithm method.

Based on the Risk Matrix configuration, the heat map displays the Risks in different zones of the matrix
based on the assessment values. You can view the Risk trend based on the inherent and residual scores.

You can view the Risk direction by tracing its movement from Inherent to Residual. The heat map zones
are displayed based on the data table configuration. For more information on heat map reports
functions, refer to the Heat Maps section.

Figure 67: Heat Map (Inherent Risks)



11 Heat Maps
This chapter provides information on the heat map charts and reports that are available in the Risk
Assessments module.

Sections:
1. What Is a Heat Map?
2. Risk Score and Rating Roll Up
3. Heat Map By Name
4. Heat Map Filters


What Is a Heat Map?


A Heat Map is a graphical representation of data where the individual values contained in a Matrix are
represented as Colors. Heat Maps are plotted based on the configuration in the Heat Map Range Table
(for assessments using Risk Scoring Algorithm method) or Risk Matrix Configuration (for assessments
using Rating, Scoring Algorithm and Rating, Scoring and Rating, Ranking and Rating methodologies).

A heat map report displays the residual/inherent risk scores in different zones based on the specified
filter values. Based on the zone where the risk score is displayed in the heat map, you can arrive at the
risk trend. You can view the heat map based on the following criteria:

 Organizations
 Assessed Entities (process, assets, asset class, auditable entity, Product, Objective, and so on)
 Risks by rolled up score
 Risks directly assessed

The Risk Assessments module has the following Heat maps:

 Heat Map By Name: You can view Inherent/Residual (combined as well as separate) Heat Maps with Risks / Assessable Items / Organizations plotted on them, for the Perspective selected. This Heat Map helps you to easily identify the Risks by name, as well as get a sense of their latest Inherent and / or Residual Rating.
 Heat Map By Count (Inherent): You can view the count of Risks / Assessable Items / Organizations on different zones of the Heat Map based on the latest Inherent Assessment for the selected Perspective.
 Heat Map By Count (Residual): You can view the count of Risks / Assessable Items / Organizations on different zones of the Heat Map based on the latest Residual Assessment for the selected Perspective.

Note:
- In case the Risk Matrix Configuration settings change, the historical assessment details displayed on the form may be inconsistent with the Heat Map report. While the assessment form displays the rating based on the historical matrix settings, the Heat Map picks the current settings and displays the ratings accordingly.
- The Heat Maps are accompanied by corresponding reports that show exactly the same data as displayed on the Heat Map, but in a tabular format.
- You must use Internet Explorer version 10 or later to view the heat maps.


Heat Map By Name


The following figure depicts Heat Map By Name.

Note: The heat map chart is displayed on the left side of the screen and the related report on the right of the screen.

Figure 68: Heat Map By Name Chart and corresponding report (callouts: Chart Options, Overall Filters, Report Filters, Print Option, Report, Heat Map Chart)


Heat Map By Name (Filtered by Organization) Report


The Heat Map By Name (Filtered by Organization) report displays the rolled-up information at
organization level on heat map, where the scores and ratings are rolled up from underlying risks that
were directly assessed.

Key Columns:

 Organization Name: Displays the full name of the organization.
 Current Inherent Score: Displays the inherent score based on the latest risk assessment performed on the organization.
 Inherent Rating: Displays the Inherent Rating corresponding to the inherent score.
 Current Residual Score: Displays the residual score based on the latest risk assessment performed on the organization.
 Residual Rating: Displays the residual rating corresponding to the residual score.

Heat Map By Name (Filtered by Assessed Entities) Report


The Heat Map By Name (Filtered by Assessed Entity) report displays the rolled-up information at
assessed entities level on heat map, where the scores and ratings are rolled from underlying risks that
were directly assessed.

Key Columns:

 Assessed Entity (ies) Name: Displays the full name of the Assessed Item.
 Drill Down: Assessable Entity form.
For more information on Risk form, refer to the MetricStream GRC Foundation User Guide Release 6.1
SP1.

 Current Inherent Score: Displays the inherent score based on the latest risk assessment performed
on the organization.
 Inherent Rating: Displays the inherent rating corresponding to the inherent score.
 Current Residual Score: Displays the residual score based on the latest risk assessment performed
on the organization.
 Residual Rating: Displays the residual rating corresponding to the residual score.

Heat Map By Name (Risks by rolled up score) Report


The Heat Map By Name (Filtered by Risks by rolled up score) report displays the rolled-up information
on heat map, where the scores and ratings are rolled from underlying risks that were directly assessed.

Key Columns:

 Risk Name: Displays the full name of the Risk.


 Drill Down: Risk form.
For more information on Risk form, refer to the MetricStream GRC Foundation User Guide Release 6.1 SP1.

 Current Inherent Score: Displays the inherent score based on the latest risk assessment performed
on the organization.
 Inherent Rating: Displays the Inherent Rating corresponding to the inherent score.
 Current Residual Score: Displays the residual score based on the latest risk assessment performed
on the organization.
 Residual Rating: Displays the residual rating corresponding to the residual score.

Heat Map By Name (Risks directly assessed) Report


The Heat Map By Name (Filtered by Risks directly assessed) report displays the scores and ratings of
the risks that were individually assessed using factors, based on the Perspective chosen.

Key Columns:

 Risk Name: Displays the full name of the Risk.
 Drill Down: Risk form.
For more information on Risk form, refer to the MetricStream GRC Foundation User Guide Release 6.1 SP1.

 Current Inherent Score: Displays the inherent score based on the latest risk assessment performed
on the organization.
 Inherent Rating: Displays the Inherent Rating corresponding to the inherent score.
 Current Residual Score: Displays the residual score based on the latest risk assessment performed
on the organization.
 Residual Rating: Displays the residual rating corresponding to the residual score.


Heat Map By Count (Inherent)


The following figure depicts Heat Map By Count (Inherent).

Note: The heat map chart is displayed on the left side of the screen and the related report on the right of the screen

Figure 69: Heat Map By Count (Inherent) Chart


Heat Map By Count Inherent (Filtered by Organization) Report


The Heat Map By count Inherent (Filtered by Organization) report displays the rolled-up information
at organization level on heat map, where the scores and ratings are rolled from underlying risks that
were directly assessed.

Key Columns:

 Organization Name: Displays the names of organizations corresponding to the count.
 Current Impact: Displays the impact based on the latest risk assessment performed on the organization.
 Current Likelihood: Displays the impact based on the latest risk assessment performed on the organization.
 Rating: Displays the risk rating based on the latest assessment within the Perspective.

Heat Map By Count Inherent (Filtered by Assessed Entities) Report


The Heat Map By count Inherent (Filtered by Assessed Entities) report displays the rolled-up
information at assessed entities level on heat map, where the scores and ratings are rolled from
underlying risks that were directly assessed.

Key Columns:

 Assessed Entity (ies) Name: Displays the names of organizations corresponding to the count.
 Current Impact: Displays the impact based on the latest risk assessment performed on the organization.
 Current Likelihood: Displays the impact based on the latest risk assessment performed on the organization.
 Rating: Displays the risk rating based on the latest assessment within the Perspective.

Heat Map By Count Inherent (Filtered by Risks by rolled up score) Report


The Heat Map By count Inherent (Risks by rolled up score) report displays the rolled-up information
on heat map where the scores and ratings are rolled from underlying risks that were directly assessed.

Key Columns:

 Risk Name: Displays the names of Risks corresponding to the count.
 Current Impact: Displays the impact based on the latest risk assessment performed on the organization.
 Current Likelihood: Displays the impact based on the latest risk assessment performed on the organization.
 Rating: Displays the risk rating based on the latest assessment within the Perspective.


Heat Map By Count Inherent (Filtered by Risks directly assessed) Report


The Heat Map By count Inherent (Filtered by Risks directly assessed) report displays the scores and
ratings of the risks that were individually assessed using factors, based on the Perspective chosen.

Key Columns:

 Assessed Entity (ies) Name: Displays the names of organizations corresponding to the count.
 Current Impact: Displays the impact based on the latest risk assessment performed on the organization.
 Current Likelihood: Displays the impact based on the latest risk assessment performed on the organization.
 Rating: Displays the risk rating based on the latest assessment within the Perspective.


Heat Map By Count (Residual) chart


The following figure depicts Heat Map By Count (Residual).

Note: The heat map chart is displayed on the left side of the screen and the related report on the right of the screen.

Figure 70: Heat Map By Count (Residual) Chart


Heat Map By Count Residual (Filtered by Organization) Report


The Heat Map By count Residual (Filtered by Organization) report displays the rolled-up information
at organization level on heat map, where the scores and ratings are rolled from underlying risks that
were directly assessed.

Key Columns:

 Organization Name: Displays the names of organizations corresponding to the count.
 Current Impact: Displays the impact based on the latest risk assessment performed on the organization.
 Current Likelihood: Displays the impact based on the latest risk assessment performed on the organization.
 Rating: Displays the risk rating based on the latest assessment within the Perspective.

Heat Map By Count Residual (Filtered by Assessed Entities) Report


The Heat Map By count Residual (Filtered by Assessed Entities) report displays the rolled-up
information at assessed entities level on heat map, where the scores and ratings are rolled from
underlying risks that were directly assessed.

Key Columns:

 Assessed Entity (ies) Name: Displays the names of organizations corresponding to the count.
 Current Impact: Displays the impact based on the latest risk assessment performed on the organization.
 Current Likelihood: Displays the impact based on the latest risk assessment performed on the organization.
 Rating: Displays the risk rating based on the latest assessment within the Perspective.

Heat Map By Count Residual (Filtered by Risks by rolled up score) Report


The Heat Map By count Residual (Risks by rolled up score) report displays the rolled-up information
on heat map, where the scores and ratings are rolled from underlying risks that were directly assessed.

Key Columns:

 Risk Name: Displays the names of Risks corresponding to the count.
 Current Impact: Displays the impact based on the latest risk assessment performed on the organization.
 Current Likelihood: Displays the impact based on the latest risk assessment performed on the organization.
 Rating: Displays the risk rating based on the latest assessment within the Perspective.


Heat Map By Count Residual (Filtered by Risks directly assessed) Report


The Heat Map By count Residual (Filtered by Risks directly assessed) report displays the scores and
ratings of the risks that were individually assessed using factors, based on the Perspective chosen.

Key Columns:

 Assessed Entity (ies) Name: Displays the names of organizations corresponding to the count.
 Current Impact: Displays the impact based on the latest risk assessment performed on the organization.
 Current Likelihood: Displays the impact based on the latest risk assessment performed on the organization.
 Rating: Displays the risk rating based on the latest assessment within the Perspective.


Risk Score and Rating Roll Up


The following section describes how the risk score and rating is rolled up to the assessable entity and
then to organization.

The roll up logic is applicable only for Risk Configuration Matrix methods and they are as follows:

 Scoring and Rating Method
 Ranking and Rating Method
 Scoring Algorithm and Rating Method

The roll up of scores and rating is not applicable for Risk Rating (no roll ups) and Risk Scoring Algorithm
method (roll up is done based on the existing roll up logic).

Rules for Roll up Logic


The following are the rules based on which the roll up of rating and score is populated:

 Check the unique combination based on Org-Assessable Entity-Risk, Org-Assessable Entity, and Assessable Entity-Risk
 Roll up risk rating and scores by Perspective
 Arrive at the assessed scores and roll them up to their parents by averaging at each level
 If the child object rolls up to multiple parents, then the score is rolled up to each of those parents.

For more information on Roll up examples, refer to the “Roll up Logic V3.xlxs” file that is embedded in
this document.

Note:
- Scoring and rating method /Ranking and Rating method only rolls up the scores. The scores are rounded off to
the nearest value based on the Risk Matrix Configuration and plots it based on the score's uniqueness in the
Heat Map.
- Scoring Algorithm and Rating method rolls up the coordinates that are specified as part of Risk Matrix
Configuration and plots the same on the heat map. The scores that roll up for this method are used in
Organizations at Risk (By Rolled Up Score) report for applying the weightages.
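The roll-up rules above, implemented as an added Python example that is not part of the guide or of the product. The sample assessments, organization, entity and perspective names and the matrix levels are constructed, and averaging per unique Assessable Entity-Risk pair before rolling up to each parent organization is an assumed reading of the rules.

```python
"""Worked example of the roll-up rules listed above (constructed illustration,
not MetricStream code). Directly assessed scores are de-duplicated on the
Org-Assessable Entity-Risk combination, grouped by Perspective, averaged up to
the assessable entity and then to the organization, and an entity that belongs
to several organizations contributes its rolled-up score to each of them.
The sample data and matrix levels are constructed; averaging per unique
Assessable Entity-Risk pair is an assumption about the rule wording."""
from collections import defaultdict
from statistics import mean

# Constructed sample of directly assessed risks:
# (perspective, organization, assessable entity, risk, residual score)
ASSESSMENTS = [
    ("Operational", "Finance", "Payroll", "Fraud", 40),
    ("Operational", "Finance", "Payroll", "Fraud", 40),      # duplicate combination
    ("Operational", "Finance", "Payroll", "Data Loss", 20),
    ("Operational", "Finance", "Treasury", "Fraud", 60),
    ("Operational", "HR", "Payroll", "Fraud", 40),           # Payroll also sits under HR
    ("Strategic", "Finance", "Payroll", "Fraud", 90),        # other perspective, kept apart
]


def unique_assessments(rows):
    """Rule 1: keep one score per unique Org-Assessable Entity-Risk combination
    within a perspective (the first occurrence wins)."""
    unique = {}
    for perspective, org, entity, risk, score in rows:
        unique.setdefault((perspective, org, entity, risk), score)
    return unique


def roll_up(rows, perspective):
    """Rules 2-4: roll scores up by Perspective, averaging at each level.
    Returns (entity_level, org_level) dicts of rolled-up scores."""
    direct = {key: s for key, s in unique_assessments(rows).items() if key[0] == perspective}

    # Scores per Assessable Entity-Risk pair, plus the Org-Assessable Entity membership
    # that decides which parents the entity rolls up to.
    pair_scores = defaultdict(list)
    parents = defaultdict(set)
    for (_, org, entity, risk), score in direct.items():
        pair_scores[(entity, risk)].append(score)
        parents[entity].add(org)

    # Entity level: average of that entity's directly assessed risks. A pair assessed
    # under several organizations is averaged first (assumption).
    per_entity = defaultdict(list)
    for (entity, _), scores in pair_scores.items():
        per_entity[entity].append(mean(scores))
    entity_level = {entity: mean(scores) for entity, scores in per_entity.items()}

    # Organization level: average of the rolled-up entity scores; an entity with
    # several parents contributes the same score to each of them.
    per_org = defaultdict(list)
    for entity, score in entity_level.items():
        for org in parents[entity]:
            per_org[org].append(score)
    org_level = {org: mean(scores) for org, scores in per_org.items()}
    return entity_level, org_level


def nearest_matrix_value(score, matrix_levels):
    """Scoring and Rating / Ranking and Rating methods round a rolled-up score to the
    nearest value configured in the Risk Matrix before plotting it on the heat map."""
    return min(matrix_levels, key=lambda level: abs(level - score))


if __name__ == "__main__":
    entities, orgs = roll_up(ASSESSMENTS, "Operational")
    print(entities)   # {'Payroll': 30, 'Treasury': 60}
    print(orgs)       # {'Finance': 45, 'HR': 30}
    print(nearest_matrix_value(45, [20, 40, 60, 80, 100]))   # 40
```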


Heat Map Filters


You can use the heat map filters to narrow down the Risk rating details that you want to plot in the heat map chart. There are two types of filters available for Heat Maps:

 Overall filters: These filters are available on top of the Heat Map infocenter.
 Report filters: These filters are available above the reports on the right of the Heat Map infocenter.

Heat Map Overall Filters


The filter options that appear in this section are based on the RSK_HM_Configuration parameter setting.
For more information on configuration, refer to the MetricStream Risk Assessments System Administrator Guide Release 6.1 SP2.

Note: These filters are available for all the three heat map reports.

Figure 71: Overall Heat Map Filters

Field Name Description


Perspective Name Select the name of the perspective for which you want to view the
heat map and related reports. The perspectives are filtered in this
field based on the logged in user profile.
By default, the Heat Map report displays the Risk Assessment
details of perspective tagged as default.
Heat Map By Select the option by which you want to view the heat map. The following options are available:
 Organizations: If you want to view the heat map based on organization, select this option.
 Assessed Entities: If you want to view the heat map based on the assessable entities that are assessed, select this option.
 Risks by rolled up score: If you want to view the heat map for Risks based on rolled up score, select this option.
 Standard Factors: If you want to view the heat map for risks that are directly assessed, select this option.
The options available in this field vary based on the Perspective name that you select in the Perspective field. The options are displayed based on the Assessment type that is tagged for the selected perspective. For example, if the assessment type is Assessable Entity-Risk, the Organizations option is made unavailable in this field.
Hierarchy Select the hierarchical level for which you want to view the heat
map. Four levels are available in this field. Based on the level that
you select the heat map data is generated.



Profile Select the name of the profile based on which you want to view
the heat map report for the standard factors. This field displays all
the profile values defined for the selected perspective.
Note: This is applicable only for the Risk Algorithm method. For other methods this field does not display profile names.

Report Filters
Use the report filters to narrow down your search and plot only the required details in the heat map as
well as the report. The search parameters perform the function of second set of filters to refine the
heat map view output of reports. The filter options vary based on the type of assessment to which the
Perspective is tagged.

Figure 72: Report Filters

Filters Description
Based on the option that you select in these filter parameters, the module reloads the heat map
chart and report.
Organization - Filters

Organization Select one or more organizations for which you want to view the heat map chart and report.

Assessed Entity - Filters

Assessed Entity Select one or more assessed entities for which you want to view the heat map chart and report.
Risks - Filters

Risks Select one or more Risks for which you want to view the heat map chart and report.
Search Child Risks for - Filters

Parents Risks Select one or more parent Risks for which you want to view the heat map chart and report.


Heat Map Charts


The heat map charts contain X-axis and Y-axis. The heat map displays the zone that is tagged to the
selected Perspective for the following methods:

 Risk Rating

Note: You can view the heat maps for Risk Rating method only based on standard factors as there is no roll up of scores to the assessable entity and organization.

 Scoring and Rating Method
 Ranking and Rating Method
 Risk Algorithm and Rating Method

The following figure displays the 5X5 matrix configured for Scoring and Rating Method:

Figure 73: Heat Map Charts - Scoring and Rating Method

For more information on how to configure the matrix, refer to the Configuring Risk Matrices section.


The X-axis displays the likelihood/speed of onset and the Y-axis displays severity/velocity of the Risk as
shown below for the Risk Scoring Algorithm method.

Figure 74: Heat Map Chart - Risk Scoring Algorithm Method

Heat Map Zones - Risk Scoring Algorithm Method


The following table describes the zones, based on the risk severity-likelihood combination configured
for the Risk Scoring Algorithm method.

Very Low: Very-low severity-likelihood combination. Risks in this region have no significant impact
on the organization and can normally be accepted without treatment.
Low: Low severity-likelihood combination. Risks in this region have little impact on the organization
and can normally be accepted.
Medium: Moderate severity-likelihood combination. Risks in this region do have an impact on the
organization and need to be addressed.
High: High severity-likelihood combination. Risks in this region have a significant impact on the
organization and need to be addressed promptly.
Very High: Very-high severity-likelihood combination. Risks in this region have the greatest impact on
the organization and must be addressed immediately, ahead of all others.
You can assign a color code to each of these zones and configure the colors as required.
For more information on configuring the color codes for the Risk Algorithm Method, refer to the
MetricStream Risk Assessments System Administrator Guide Release 6.1 SP2.

Heat Map Plots and Chart Options


Each zone of the heat map shows inherent and residual plots. A plot is placed in a zone according to
its score and rating, and which plots appear in the cells depends on the heat map filters that you
specify. Hover over a plot to view its details. For example, if you select Risk levels and Risk names in
the filters, the plot is labelled with the acronym of the Risk name.

For Heat Maps By Name charts, you can view combined inherent and residual plots and view the Risk
trend by tracing its movement from Inherent to Residual.

Note: For more information on how to trace the movement, refer to the Chart options table provided below.

Note: If you view the heat map by count, all the items are combined and displayed in the zone within the cell.
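The zoning and direction-tracing rules described above, as an added worked example (illustrative code, not MetricStream's implementation): a 5x5 matrix is encoded as a grid of zone names, each inherent and residual plot is resolved to a zone, plots are grouped per cell as the By Count view does, and the movement from inherent to residual is expressed as a signed number of zones. The zone layout in ZONE_GRID, the Plot type and the sample risk are assumptions made for this example; in the product the layout of each cell comes from the Risk Matrix Configuration profile tagged to the Perspective.

```python
"""Heat map zoning and risk-direction tracing for a 5x5 severity/likelihood matrix.

Added example, not MetricStream code. ZONE_GRID is an ASSUMED zone layout; in the
product the zone of each cell comes from the Risk Matrix Configuration profile
tagged to the Perspective, so a real deployment's layout may differ.
"""
from dataclasses import dataclass

# Zone order from least to most severe, as listed in the guide.
ZONES = ("Very Low", "Low", "Medium", "High", "Very High")

# Assumed layout: ZONE_GRID[severity - 1][likelihood - 1], both scales 1..5.
# X-axis = likelihood (speed of onset), Y-axis = severity (velocity).
ZONE_GRID = (
    ("Very Low", "Very Low", "Low",    "Low",       "Medium"),     # severity 1
    ("Very Low", "Low",      "Low",    "Medium",    "Medium"),     # severity 2
    ("Low",      "Low",      "Medium", "Medium",    "High"),       # severity 3
    ("Low",      "Medium",   "Medium", "High",      "Very High"),  # severity 4
    ("Medium",   "Medium",   "High",   "Very High", "Very High"),  # severity 5
)


@dataclass(frozen=True)
class Plot:
    """One inherent or residual point on the heat map."""
    risk: str
    likelihood: int  # X-axis, 1..5
    severity: int    # Y-axis, 1..5


def zone_of(likelihood: int, severity: int) -> str:
    """Return the configured zone for a cell; reject coordinates outside the matrix."""
    if not (1 <= likelihood <= 5 and 1 <= severity <= 5):
        raise ValueError(f"coordinates ({likelihood}, {severity}) are outside the 5x5 matrix")
    return ZONE_GRID[severity - 1][likelihood - 1]


def acronym(risk_name: str) -> str:
    """Label shown on the plot when Risk names are selected in the filters (initials)."""
    return "".join(word[0].upper() for word in risk_name.split() if word[:1].isalnum())


def risk_direction(inherent: Plot, residual: Plot) -> int:
    """Zones moved from inherent to residual: negative = controls reduced the risk,
    zero = same zone, positive = residual is WORSE than inherent. A positive value is
    worth a check, since controls should not make a risk worse; it usually means a
    data-entry error in the residual assessment."""
    if inherent.risk != residual.risk:
        raise ValueError("inherent and residual plots belong to different risks")
    start = ZONES.index(zone_of(inherent.likelihood, inherent.severity))
    end = ZONES.index(zone_of(residual.likelihood, residual.severity))
    return end - start


def plots_by_cell(plots):
    """Group plot labels per cell, as the 'By Count' view combines all items in a cell."""
    cells = {}
    for p in plots:
        cells.setdefault((p.likelihood, p.severity), []).append(acronym(p.risk))
    return cells


if __name__ == "__main__":
    # Constructed sample data, not taken from any real assessment.
    inherent = Plot("Unpatched Internet Facing Server", likelihood=4, severity=5)
    residual = Plot("Unpatched Internet Facing Server", likelihood=2, severity=3)
    print(acronym(inherent.risk), zone_of(4, 5), "->", zone_of(2, 3),
          "moved", risk_direction(inherent, residual), "zone(s)")
```

The sign convention in risk_direction is the practical point: a direction line that points towards a higher zone is the heat map equivalent of a residual rating higher than the inherent one, and is the first thing to look for when reviewing a By Name chart.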

Figure 75: Heat Map Plots

The following icons are used for plotting the inherent and residual plots in the cells of the heat
maps (see Figure 75):

 Inherent plot icon: all inherent plots are represented with this icon.
 Residual plot icon: all residual plots are represented with this icon.


Chart Options

The following options are available for the Heat Maps By Name heat map reports.

Risk Direction Lines: Use this button to draw a line from each inherent plot to its residual plot. This
lets you view the Risk direction by tracing its movement from Inherent to Residual. After you click the
icon, colored arrows (black, green, blue, and purple) appear showing the movement from inherent to
residual plots for all the Risks plotted on the heat map.

Note: This button is unavailable while you are viewing the inherent and residual heat maps separately.

Highlighted Risk Direction Line: To view a particular Risk direction highlighted, click the required
direction arrow. The module draws the selected Risk direction as a thick black arrow and highlights
its inherent and residual plots.

Note: You can highlight only one Risk direction at a time.

Separate Heat Map: Click this button to view the inherent and residual heat map reports separately.
The Inherent Heat Map Report by Name appears, hiding the residual details in both the chart and the
report. You can switch to the residual view by clicking the Show Residual button. This button
interchanges with the combined-view button.

Combined view: Click this button to view the combined inherent and residual heat map reports. The
Heat Map Report by Name appears, showing both inherent and residual details in the chart and the
report. This button interchanges with the Separate Heat Map button.

Show Residual (appears only after you click the Separate Heat Map button): Click this button to view
the Residual heat map chart and report. It interchanges with the inherent-view button.

Inherent view: Click this button to view the Inherent heat map chart and report. It interchanges with
the Show Residual button.


Printing Heat Maps


Using the Print option, you can print the heat maps and share them with the required stakeholders. To
print the heat maps, perform the following steps:
Step 1 Navigate to the heat map report that you want to print.
Step 2 Click the Print button available in the header section of the report filter.
The print preview appears in a new Internet Explorer window.
The print preview has the following sections:
 Header: Displays details such as the Perspective, heat map type, and Risks.
 Chart Area: The heat map chart.
 Report: Details of the respective report.

Figure 76: Print Preview


Step 3 On the File menu, select Print.

The Print dialog box appears.

Figure 77: Print Dialog Box


Step 4 Choose the appropriate printer, and click Print.

12 Reports
This chapter provides information on the reports that are available for the Risk Assessments module.
For more information on the features available in reports, see the MetricStream Portal User Guide
Release 6.1 SP5.

Sections:
1. Risk Assessments Reports
2. Reports from Other MetricStream Modules
3. Creating Dynamic Dashboards Using Reports


Risk Assessments Reports


The following table lists all the reports available in the Risk Assessments module.

Using filters, you can search for specific contents and view the report based on the search results. For
more information on filters, see Filters.

Note: If the report has any mandatory filter parameters, the filter window appears first. Otherwise, the
report appears first and the filters are collapsed within the report.

The following table captures common questions about report usage, each answered with a link to the
respective report.

To answer this question... use this report...

1. How can I view all the approved quantitative factors in the Risk Assessments module?
   Quantitative Assessment Factors Report
2. How can I view all the published qualitative assessment factors in the Risk Assessments module?
   Qualitative Assessment Factors Report
3. How do I view all the perspectives in the Risk Assessments module?
   Perspectives Report
4. Where is the list of Risk Scoring Algorithms created in the Risk Assessments module to support the
   various risk assessment methodologies?
   Risk Scoring Algorithms Report
5. How do I view the Risk Matrix Configuration profiles for the different methods?
   Risk Matrix Configurations Report
6. How do I view the rolled-up information of top organizations at Risk?
   Organizations at Risk (By Rolled Up Score) Report
7. How do I view all the organizations that are at risk based on assessments performed individually on
   them?
   Organizations at Risk (By Individual Assessment)
8. Where is the total number of inherent Risks grouped by Risk Category?
   Inherent Risk Breakdown by Category Report
9. Where is the total number of residual Risks grouped by Risk Category?
   Residual Risk Breakdown by Category Report
10. How do I view the statuses of the risk assessments triggered in the last X days?
   Risk Assessment Status Details Report
11. How do I view the details of the control assessments done as part of the risk assessments performed
   within a chosen perspective?
   Risk Control Assessment Report
12. How do I view the details of all the risks identified and newly added by assessors while performing
   risk assessments?
   Risks Identified During Assessments
13. How do I view the details of all the Risks assessed in the Risk Assessments module?
   Risk Register Report
14. How do I view a detailed view of all the Risks assessed in the Risk Assessments module?
   Risk Register - Detailed Report
15. How do I view the risk assessment details of specific Perspectives?
   View Assessments Report
16. What is the purpose of the Cross Perspective report?
   Cross Perspective Report
17. How do I view the latest inherent and residual roll-up results for a selected combination of
   Org-Risk, Org-Assessable Entity-Risk or Assessable Entity-Risk and Perspective?
   Risk Rating Report
18. How do I view the residual and inherent risk scores of the Perspectives in the Risk Assessments
   module?
   Risk Rating Chart
19. How do I view risk ratings and trends rolled up to the top-level (Level 1) organization?
   Top Organizations at Risk (By Rolled Up Score)
20. How do I view all the organizations that are at risk based on assessments performed individually on
   them?
   Organizations at Risk (Based on Risk Assessment)
21. How do I view the statuses of the risk assessments triggered in the last X days, where X is a
   configurable filter in the report?
   Risk Assessment Assignments Report
22. Where are the details of all the Controls assessed directly by the organizations?
   Control Assessments (From Risk Assessments) Report
23. How do I view and work on the ongoing Risk Assessment assignments?
   Ongoing Risk Assessments Report
24. How do I view the details of all the controls newly added by assessors while performing a risk
   assessment?
   View New Controls Report
25. How do I view the details of all the risks identified and newly added by assessors while performing
   risk assessments?
   New Risks Added During Risk Assessments
26. What is the purpose of the Comments History report?
   Comments History Report
27. How do I view the details of the changes made to a form by various users?
   Change History Report


Quantitative Assessment Factors Report


The Quantitative Assessment Factors Report displays all the approved quantitative factors in the Risk
Assessments module.

Key Columns:
 Factor Name: Name of the factor.
 Drill-Down: Quantitative Assessment Factor Form.
 Standard Factor: Indicates whether the factor is a standard factor. The possible values are Yes and
No.
 List of Values/Rules Based: Indicates whether the factor's values come from a list of values or are
derived from rules.
 Factor Segmentation: Indicates whether the factor is a hierarchical factor, a main factor, or a sub
factor.
 Input Type: Displays the type of response defined for the factor.

Qualitative Assessment Factors Report


The Qualitative Assessment Factors Report displays all the published qualitative assessment factors in
the Risk Assessments module.

Key Columns:
 Factor Name: Name of the factor.
 Drill-Down: Qualitative Assessment Factor Form.
 Risk Categories: Displays the related risk categories.
 Response Type: Displays the type of response. The response types can be number, amount, date,
text, and list of values.


Perspectives Report
The Perspectives Report displays all the perspectives in the Risk Assessments module.

Key Columns:

 Perspective Name: Name of the Perspective


 Drill-Down: Perspectives.
 Assessment Type: Type of assessment selected while creating the Perspective.
 Risk Categories: Risk categories (comma-separated values) with which the Perspective is
associated.
 Risk Matrix Configuration Profile: Name of the Risk Matrix configuration profile to which the
Perspective is tagged.
 Drill-Down: Risk Matrix Configuration.
 Risk Scoring Algorithm: Name of the risk scoring algorithm interface to which the Perspective is
tagged.
 Drill-Down: Risk Scoring Algorithm
 Risk Assessment Methodology: Risk assessment method for which the Perspective is tagged.

Risk Scoring Algorithms Report


The Risk Scoring Algorithms Report displays all the risk scoring algorithms defined in the Risk
Assessments module.

Key Columns:
 Algorithm Name: Displays the name of the risk scoring algorithm.
 Drill-Down: Risk Scoring Algorithm
 Inherent Formula: Displays the inherent formula defined for the risk assessment.
 Control Formula: Displays the control formula defined for the risk assessment.
 Pre-Residual Formula: Displays the pre-residual formula defined for the risk assessment.
 Residual Formula: Displays the residual formula defined for the risk assessment.

Risk Matrix Configurations Report


The Risk Matrix Configurations Report displays all the risk matrix configurations defined in the Risk
Assessments module.

Key Columns:
 Profile Name: Name of the risk matrix configuration.

 Drill-Down: Risk Matrix Configuration.


 Method Type: Method type for which the profile is configured.
 X-Coordinate: Name of the standard factor selected for X coordinate for configuration.
 Y- Coordinate: Name of the standard factor selected for Y coordinate for configuration.

Organizations at Risk (By Rolled Up Score) Report


Use the Organizations at Risk (By Rolled Up Score) report to view the rolled-up inherent and residual
risk scores and ratings for an organization, based on the assessments performed on its lower-level
organizations. Aggregation (roll-up) is done per perspective. By default, the report includes all
available perspectives whose assessment type is Org-Risk or Org-Assessable Entity-Risk. Scores and
ratings are rolled up to the organization using the organization weightage (percentage) defined for
each organization and the roll-up logic defined for each assessment method. The report is refreshed
on a periodic basis, normally once a day, so it can lag behind assessments completed since the last
refresh.

Note: Expired Risk ratings are not considered when rolling up the scores.

For more information on how the roll-up is done at the Risk level, see the Risk Score and Rating Roll Up
section.
For more information on how to set up the weightages, see the Configuring Organization Weightage
section.

Key Columns:
 Organization: Name of the organization for which the Risk is assessed.
By default, this column displays the enterprise-level organization.

Drill-down:
 Organizations at Risk (By Rolled Up Score) Report - Child Hierarchical Levels

Note:
- You can drill down to the rolled-up scores of child organization levels up to two levels deep.
- The Child Hierarchical Levels report has the same columns as the Organizations at Risk (By Rolled Up Score)
Report.
 Weightage: Weightage (in percentage) defined for the organization.

Note: If no weightage is defined for the organization, this column is blank.

 Inherent Score: Displays the rolled up inherent Risk score.


 Weighted Inherent Score: Overall rolled-up inherent score of the organization.

Note:
- The overall score is displayed after applying the weightage (percentage) defined for the organization at each
level.
- The weighted inherent score is not available for Risk Algorithm Method.

 Inherent Rating: Rolled-up inherent Risk rating.


 Residual Score: Displays the rolled-up residual score
 Weighted Residual Score: Overall rolled-up residual score of the organization.

Note:
- The overall score is displayed after applying the weightage (percentage) defined for the organization at each
level.
- The weighted residual score is not available for Risk Algorithm Method.
 Residual Rating: Displays the rolled-up residual rating

The trend icon beside the rating indicates one of the following:
- Equivalent trend (no change).
- Downward trend.
- Upward trend.
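The weighted roll-up described above, as an added worked example (illustrative code, not MetricStream's implementation). It assumes that the roll-up is a weighted average of the children's scores using each child's weightage percentage, that children with an expired rating or with no weightage defined are excluded and the remaining weights renormalised, and it uses a constructed three-level hierarchy; the product's actual formula is defined per assessment method in the Risk Score and Rating Roll Up section.

```python
"""Weighted roll-up of organization risk scores (Organizations at Risk, By Rolled Up Score).

Added example, not MetricStream code. ASSUMPTIONS: the roll-up is a weighted average
of the children's scores using the organization weightage (percent) defined for each
child; children with an expired rating or with no weightage defined are skipped and
the remaining weights are renormalised. The product's exact formula is defined per
assessment method (see the Risk Score and Rating Roll Up section) and may differ.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Org:
    name: str
    weightage: Optional[float] = None        # percent share within the parent; None = not defined
    inherent: Optional[float] = None         # own assessed score (leaf organizations only)
    residual: Optional[float] = None
    rating_expires: Optional[date] = None    # expiry of the rating; None = does not expire
    children: List["Org"] = field(default_factory=list)


Scores = Tuple[Optional[float], Optional[float]]


def roll_up(org: Org, today: date) -> Scores:
    """Return (inherent, residual) for org, rolled up from its descendants.

    A leaf contributes its own scores unless its rating has expired. A parent takes the
    weighted average of the contributing children; if none contribute it has no score."""
    if not org.children:
        expired = org.rating_expires is not None and org.rating_expires < today
        if expired or org.inherent is None or org.residual is None:
            return (None, None)
        return (org.inherent, org.residual)

    contributions = []
    for child in org.children:
        inh, res = roll_up(child, today)
        if inh is None or child.weightage is None or child.weightage <= 0:
            continue  # expired, unassessed or unweighted child: excluded from the roll-up
        contributions.append((child.weightage, inh, res))
    if not contributions:
        return (None, None)

    total_weight = sum(w for w, _, _ in contributions)   # renormalise over included children
    inherent = sum(w * i for w, i, _ in contributions) / total_weight
    residual = sum(w * r for w, _, r in contributions) / total_weight
    return (round(inherent, 2), round(residual, 2))


def trend(current: Optional[float], previous: Optional[float]) -> str:
    """Trend indicator shown beside the rolled-up rating (equivalent / upward / downward)."""
    if current is None or previous is None:
        return "n/a"
    if current > previous:
        return "upward"
    if current < previous:
        return "downward"
    return "equivalent"


def sample_enterprise(region_b_expiry: date) -> Org:
    """Constructed hierarchy (not real data): Enterprise -> regions -> business units."""
    bu1 = Org("BU-1", weightage=50, inherent=80, residual=40)
    bu2 = Org("BU-2", weightage=50, inherent=60, residual=30)
    region_a = Org("Region A", weightage=60, children=[bu1, bu2])
    region_b = Org("Region B", weightage=40, inherent=40, residual=20,
                   rating_expires=region_b_expiry)
    return Org("Enterprise", children=[region_a, region_b])


def demo(region_b_expired: bool) -> Scores:
    """Roll up the sample hierarchy as of 2016-08-01 with Region B's rating expired or current."""
    today = date(2016, 8, 1)
    expiry = date(2016, 7, 1) if region_b_expired else date(2017, 7, 1)
    return roll_up(sample_enterprise(expiry), today)


if __name__ == "__main__":
    print("Region B expired: ", demo(True))    # only Region A counts
    print("Region B current: ", demo(False))   # both regions count
```

The two runs differ only in Region B's expiry date. Comparing them shows how much an expired rating silently moves the enterprise-level figure, which is worth keeping in mind when a daily refresh coincides with a rating expiring: the drop in the rolled-up score is not an improvement in the risk position.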

Organizations at Risk (By Individual Assessment)


Use the Organizations at Risk (By Individual Assessment) report to view all the organizations that
are at risk, based on the assessments performed individually on them.

Key Columns:

 Organization: Name of the organization for which the Risk is assessed. By default, this column
displays the enterprise-level organization.
 Inherent Score: Inherent score of the organization, based on the assessment performed on the
organization for the Perspective. If the organization's inherent rating was overridden, the score is
displayed with a * at the end. For example, if the calculated score was 20 and the user changed the
rating such that the score became 25, it is displayed as 25*.
 Inherent Rating: Inherent rating corresponding to the displayed score. If the organization's inherent
rating was overridden, the rating is displayed with a * at the end. For example, if the calculated
rating was High and the user changed the rating to Medium, it is displayed as Medium*.
 Residual Score: Current residual score. If the organization's residual rating was overridden, the
score is displayed with a * at the end. For example, if the calculated score was 20 and the user
changed the rating such that the score became 25, it is displayed as 25*.
 Residual Rating: Residual rating corresponding to the displayed score. If the organization's residual
rating was overridden directly, or recalculated as a result of overriding the residual rating, the
rating is displayed with a * at the end. For example, if the calculated rating was High and the user
changed the rating to Medium, it is displayed as Medium*.

Treat any value marked with * as a manual override rather than a computed result.

Key Filter

 Perspective: Select the Perspective based on which the report details are narrowed down.

Inherent Risk Breakdown by Category Report


Use the Inherent Risk Breakdown by Category report to view the count of risks split by risk category.
This report helps to identify the risk categories that are most at risk, based on the inherent
assessments performed on the risks mapped to those categories.

Key Columns:
 Risk Category: Displays the category of risk.
 Ratings: A set of columns whose headers are the distinct Inherent Rating values carried by at least
one risk. If a rating value is configured but no risk is rated with it, that column does not appear on
the report. For example, if the configured rating values are High, Medium, and Low, and risks carry
only the inherent ratings High and Medium, the visible columns are High and Medium; the Low column
does not appear because no risk is rated Low. Under each rating, against each category, is the count
of assessed risks with that rating.

Note: The column header is not "Rating"; the headers are the rating values themselves.

Key Filter

 Perspective: Select the Perspective based on which the report details are narrowed down.

Residual Risk Breakdown by Category Report


Use the Residual Risk Breakdown by Category report to view the count of risks split by risk category,
that is, how many risks in each category carry each residual rating (for example High, Medium, and
Low). This report helps to identify the risk categories that are most at risk, based on the residual
assessments performed on the risks mapped to those categories.

Key Columns:
 Risk Category: Displays the category of risk.
 Ratings: A set of columns whose headers are the distinct Residual Rating values carried by at least
one risk. If a rating value is configured but no risk is rated with it, that column does not appear on
the report. For example, if the configured rating values are High, Medium, and Low, and risks carry
only the residual ratings High and Medium, the visible columns are High and Medium; the Low column
does not appear because no risk is rated Low. Under each rating, against each category, is the count
of assessed risks with that rating.

Note: The column header is not "Rating"; the headers are the rating values themselves.

Key Filter

 Perspective: Select the Perspective based on which the report details are narrowed down.
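The column rule described for both breakdown reports (a rating column appears only if at least one risk carries that rating), as an added worked example covering both the inherent and the residual basis. This is illustrative code, not MetricStream's implementation; the configured rating values and the sample risks are constructed assumptions.

```python
"""Inherent / Residual Risk Breakdown by Category: count of assessed risks per category and rating.

Added example, not MetricStream code. It reproduces the column rule from the guide: a
rating column appears only if at least one risk carries that rating. CONFIGURED_RATINGS
and SAMPLE_RISKS are constructed assumptions, not product configuration or real data.
"""
from collections import Counter

# Assumed configured rating values, in display order.
CONFIGURED_RATINGS = ("High", "Medium", "Low")

# Constructed sample of assessed risks (not real data).
SAMPLE_RISKS = [
    {"risk": "Phishing of finance staff", "category": "Cyber", "inherent": "High", "residual": "Medium"},
    {"risk": "Ransomware on file servers", "category": "Cyber", "inherent": "High", "residual": "High"},
    {"risk": "Critical vendor outage", "category": "Third Party", "inherent": "Medium", "residual": "Medium"},
    {"risk": "Single admin for payroll", "category": "Operational", "inherent": "Medium", "residual": "Low"},
]


def breakdown_by_category(risks, basis):
    """Return (rating_columns, rows) for basis 'inherent' or 'residual'.

    rating_columns lists only the configured ratings that at least one risk carries;
    rows maps each category to its count under each of those columns (0 where none)."""
    if basis not in ("inherent", "residual"):
        raise ValueError("basis must be 'inherent' or 'residual'")
    counts = {}
    for r in risks:
        rating = r[basis]
        if rating not in CONFIGURED_RATINGS:
            # An unconfigured value would otherwise silently create a column: fail loudly.
            raise ValueError(f"{r['risk']!r} has unconfigured {basis} rating {rating!r}")
        counts.setdefault(r["category"], Counter())[rating] += 1
    rating_columns = [rt for rt in CONFIGURED_RATINGS if any(c[rt] for c in counts.values())]
    rows = {cat: {rt: counts[cat][rt] for rt in rating_columns} for cat in sorted(counts)}
    return rating_columns, rows


def render(rating_columns, rows):
    """Plain-text rendering of the report, one line per risk category."""
    header = "Risk Category".ljust(14) + "".join(rt.rjust(8) for rt in rating_columns)
    lines = [header]
    for cat, cells in rows.items():
        lines.append(cat.ljust(14) + "".join(str(cells[rt]).rjust(8) for rt in rating_columns))
    return "\n".join(lines)


if __name__ == "__main__":
    for basis in ("inherent", "residual"):
        cols, rows = breakdown_by_category(SAMPLE_RISKS, basis)
        print(f"{basis.title()} Risk Breakdown by Category\n{render(cols, rows)}\n")
```

With the sample data the inherent report has no Low column at all, while the residual report does, which is exactly the situation the note above warns about: the absence of a column is information (no risk carries that rating), not a layout defect.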

Risk Assessment Status Details Report


Use the Risk Assessment Status Details report to view the statuses of different risk assessments that
have been triggered in the last X number of days, where X is a configurable filter in the report. By
default, the value for number of days is set as 30.

Key Columns:
 Plan Name: Name of the Risk assessment plan.
 Drill-Down: Risk Assessment Plan Form
 Assessment Name: Name of the Risk assessment.
 Drill Down: Risk Assessment Form
 Assessor: Name of the Risk assessor.
 Approver: Name of the Risk Assessment approver.
 Final Approver: Name of the final risk assessment approver.
 Due Date: Due date of the risk assessment plan.
 Overdue By: Number of days by which the assessment is overdue.

Risk Control Assessment Report


Use the Risk Control Assessment Report to view the details of control rating done as part of the risk
assessments performed within a chosen perspective.

Key Columns:

 Risk Name: Name of the Risk


 Drill-down: Risk form
For more information on Risk form, refer to the MetricStream GRC Foundation User Guide Release 6.1
SP1.

 Control Name: Name of the Control


 Drill-down: Control form
For more information on the Control form, refer to the MetricStream GRC Foundation User Guide Release
6.1 SP1.

 Key Control: Displays the value Yes or No.


 Rating: Displays the rating of the risk. The possible values are high, medium, and low.

 Control Score: Displays the computed control score


 Mitigation: Individual scores for each of the mitigant factors associated with the Risk that is
assessed.

Risks Identified During Assessments


Use the Risks Identified During Assessments report to view the details of all the risks that were
identified and newly added by assessors while performing risk assessments. Only risks keyed in by the
assessor appear in this report; risks added from the GRC library are not displayed. This report can be
used to identify critical and commonly recurring risks, if any, and define them in the GRC Library for
future use.

Key Columns:

 Assessment: All the assessment names available in the system.


 Drill Down: Risk Assessment Form
 Risk: The name of the newly added Risk.
 Inherent Rating: The rating value provided as part of inherent assessments for the Risk.
 Residual Rating: The rating value provided as part of residual assessments for the Risk.

Risk Register Report


Use the Risk Register Report to provide assessment details as well as details of Organizations,
Assessable Entities and Risks on which assessments have been performed. This report is typically
viewed by the risk program managers and risk managers. This report can be used on demand when
there is a need to view granular and all associated details of the assessments.

Key Columns:
 Perspective: Name of the Perspective (scope) on which the assessment is performed.
 Risk Name: Name of the Risk.
 Drill-down: Risk form.
For more information on Risk form, refer to the MetricStream GRC Foundation User Guide Release 6.1
SP1.

 Risk Category(ies): One or more categories to which the Risk belongs.


 Child Risk(s): View link.
 Drill-down: Risk Register report. When you click this link, the report contents are narrowed-
down to child level risk details.
 Assessed Entity: Assessable entities, that is, the core objects selected for Risk Assessment. The
assessable entities can be Process, Asset, Asset Class, Supplier, Product, Objective, and Auditable
Entity.


Risk Level: Level of the Risk. The possible values are:

 Level 1
 Level 2
 Level 3
 Level 4

<Factor Name> Rating: Rating of the standard factor.

Note:
- The factor name appears in the column header.
- By default, details of two factors are displayed in the report, and at most five factors can be
displayed. The factor details are derived from the data table MS_RSK_LAND_CONFIG_SF. However, the
report derives only the column values from the data table, not the column headers; the column
headers (factor names) must be typed in manually.

For more information on data tables and editing report column headers, refer to the MetricStream Risk
Assessments System Administrator Guide Release 6.1 SP2.

 Inherent Score: Inherent score of the risk being assessed.


 Inherent Rating: Inherent rating of the Risk being assessed.
 Inherent Rank: Inherent rank of the Risk being assessed.
 Overall Control Effectiveness: Overall Control score based on assessment and the scoring algo-
rithm defined for the Controls.
 Residual Score: Residual score of the risk being assessed.
 Residual Rating: Residual rating of the Risk being assessed.
 Residual Rank: Residual rank of the Risk being assessed.
 Residual Trend: Residual trend of the Risk being assessed.
The trend icon indicates one of the following:
- Equivalent trend (no change).
- Downward trend.
- Upward trend.

 # of Issues Raised: Number of issues raised during Risk Assessment.


 Drill-down: Issue List report

For more information on the Issue List report, refer to the MetricStream Issues User Guide Release 6.1 SP2.

 # of Open Issues: Number of open issues.


 Drill-down: Issue List report

For more information on the Issue List report, refer to the MetricStream Issues User Guide Release 6.1 SP2.


 # of Overdue Issues: Number of issues that are overdue.


 Drill-down: Issue List report

For more information on the Issue List report, refer to the MetricStream Issues User Guide Release 6.1 SP2.

 # of Open Risk Issues: Number of issues that are raised in the MetricStream GRC module.
 Drill-down: Issue List report

For more information on the Issue List report, refer to the MetricStream Issues User Guide Release 6.1 SP2.

 Assessment Details: Details of the Risk Assessment.


 Drill-down: Risk Assessment Form

Key Filter

Perspective: Select the Perspective based on which the report details are narrowed down.


Risk Register - Detailed Report


The Risk Register - Detailed report is an extension of the Risk Register Report, and provides additional
information such as Control Assessment results, Metrics and Losses related to Risk, and so on.
For more information on scheduling, see the MetricStream Risk Management System Administrator
Guide Release 6.1 SP3.

Key Columns:
 Perspective: Name of the Perspective (scope) on which the assessment is performed.
 Risk Name: Name of the Risk.
 Drill-down: Risk form.
For more information on Risk form, refer to the MetricStream GRC Foundation User Guide Release 6.1
SP1.

 Risk Category(ies): One or more categories to which the Risk belongs.


 Child Risk(s): View link.
 Drill-down: Risk Register report. When you click this link, the report contents are narrowed-
down to child level risk details.
 Assessed Entity: Assessable entities, that is, the core objects selected for Risk Assessment. The
assessable entities can be Process, Asset, Asset Class, Supplier, Product, Objective, and Auditable
Entity.

Risk Level: Level of the Risk. The possible values are:

 Level 1
 Level 2
 Level 3
 Level 4

<Factor Name> Rating: Rating of the standard factor.

Note:
- The factor name appears in the column header.
- By default, details of two factors are displayed in the report, and at most five factors can be
displayed. The factor details are derived from the data table MS_RSK_LAND_CONFIG_SF. However, the
report derives only the column values from the data table, not the column headers; the column
headers (factor names) must be typed in manually.

For more information on data tables and editing report column headers, refer to the MetricStream Risk
Assessments System Administrator Guide Release 6.1 SP2.

 Inherent Score: Inherent score of the risk being assessed.


 Inherent Rating: Inherent rating of the Risk being assessed.


 Inherent Rank: Inherent rank of the Risk being assessed.


 Overall Control Effectiveness: Overall Control score based on assessment and the scoring algo-
rithm defined for the Controls.
 Residual Score: Residual score of the risk being assessed.
 Residual Rating: Residual rating of the Risk being assessed.
 Residual Rank: Residual rank of the Risk being assessed.
 Residual Trend: Residual trend of the Risk being assessed.
The trend icon indicates one of the following:
- Equivalent trend (no change).
- Downward trend.
- Upward trend.

 # of Issues Raised: Number of issues raised during Risk Assessment.


 Drill-down: Issue List report

For more information on the Issue List report, refer to the MetricStream Issues User Guide Release 6.1 SP2.

 # of Open Issues: Number of open issues.


 Drill-down: Issue List report

For more information on the Issue List report, refer to the MetricStream Issues User Guide Release 6.1 SP2.

 # of Overdue Issues: Number of issues that are overdue.


 Drill-down: Issue List report

For more information on the Issue List report, refer to the MetricStream Issues User Guide Release 6.1 SP2.

 # of Open Risk Issues: Number of issues that are raised in the MetricStream GRC module.
 Drill-down: Issue List report

For more information on the Issue List report, refer to the MetricStream Issues User Guide Release 6.1 SP2.

 Assessment Details: Details of the Risk Assessment.


 Drill-down: Risk Assessment Form
 Issue Title: Title of the issue raised to mitigate the Risk.
 Issue Due Date: Due date before which the issues has to be resolved.
 Action Title: Title of the action associated with the issue.
 Action Due Date: Date by when the action needs to be completed
 Metric Title: Name of the metric.
 Metric Type: Type of the metric.


 Change in % ((Previous - Current) x 100): Difference between the previous and current metric data
entry values, expressed as a percentage.
 Loss Event Name: Name of the loss event.
 Financial Status: Financial status of the internal loss event.
 Gross Loss Amount: Total amount lost due to the internal loss event.
 Net Recoveries Amount: Amount which is recovered for the internal loss event.
 Net Loss Amount: Net amount lost because of the internal loss event.

View Assessments Report

Use the View Assessments report to view the risk assessment details of specific Perspectives. This is a drill-down report, which displays the assessment details for the respective perspective.

Key Columns:
• Plan Name: Name of the Risk Assessment Plan.
    • Drill-down: Risk Assessment Plan Form
• Assessed On: Date on which the risk is assessed.
• Completed On: Date on which the Risk Assessment is completed.
• # of Total Issues: Count of the total number of issues.
    • Drill-down: Issue List report

For more information on Risk form, refer to the MetricStream Issues User Guide Release 6.1 SP2.

• # of Open Issues: Count of the total number of open issues.
    • Drill-down: Issue List report

For more information on Risk form, refer to the MetricStream Issues User Guide Release 6.1 SP2.

• # of Overdue Issues: Count of the issues that are overdue.
    • Drill-down: Issue List report

For more information on Risk form, refer to the MetricStream Issues User Guide Release 6.1 SP2.

• # of Closed Issues: Count of the closed issues.
    • Drill-down: Issue List report

For more information on Risk form, refer to the MetricStream Issues User Guide Release 6.1 SP2.

Other Reports
The following reports fall under the Other Reports section:

• Cross Perspective Report
• Risk Rating Report
• Risk Rating Chart

Cross Perspective Report


Use the Cross Perspective Report to compare the roll-up residual ratings of assessable entities or organizations across the different perspectives under which they have been assessed. For the Assessable Entity-Risk type, the roll-up rating is shown for assessed entities. For the Org-Risk / Org-Assessable Entity-Risk types, the roll-up rating is shown for assessed organizations.

Key Columns:

Note: To expand a row and view additional details, click the Expand icon next to the row that you want to expand. For more information, refer to List Reports.

• Organization Name/Object Name: Name of the organization/object.
    • Drilled-down reports/forms: Child level contents - residual rating for the organization or process based on the assessment type filter.
• <Perspective Name>: The residual rating against each perspective appears. The following are the available ratings and the corresponding color codes:
    • High - Red
    • Medium - Yellow
    • Low - Green

Note: The color coding is configurable.

Key Filters:
• Assessment Type: Select the assessment type of the perspective.

Note:
- If you select the assessment type as Assessable Entity – Risk, the Assessed Entity (ies) field appears.
- If you select the assessment type as Org – Assessable Entity – Risk or Org – Risk, the Organization(s) field appears.

• Perspectives: Select one or more perspectives.

Note: Once you select the assessment type, all the perspectives related to the selected assessment type are available for selection.

• Organization(s): Select one or more organizations related to the perspective.
• Assessed Entity (ies): Select one or more assessed entities related to the perspective.

Risk Rating Report


Use the Risk Rating Report to view the latest inherent and residual assessment roll-up results for the selected combination of Org-Risk/Org-Assessable Entity-Risk/Assessable Entity-Risk and Perspective.

Key Columns:

Note: To expand a row and view additional details, click the Expand icon next to the row that you want to expand. For more information, refer to List Reports.

• Organization Name: Name of the organization.
    • Drill-down: Risk Rating Report - contents narrowed down to the specific assessable entity name.
• Inherent Rating: Inherent risk rating of the risk being assessed.
• Residual Rating: Residual risk rating of the risk being assessed.
• View Risk Assessment: Clickable link to view the assessment details. The View Assessments Report opens.
    • Drill-down of View Assessments Report: Risk Assessment Form and Risk Assessment Plan Form.

Key Filters:
• Assessment Type: Select the assessment type of the perspective.

Note:
- If you select the assessment type as Assessable Entity – Risk, the Assessed Entity (ies) field appears.
- If you select the assessment type as Org – Assessable Entity – Risk or Org – Risk, the Organization(s) field appears.

• Perspectives: Select one or more perspectives.

Note: Once you select the assessment type, all the perspectives related to the selected assessment type are available for selection.

• Organization(s): Select one or more organizations related to the perspective.
• Assessed Entity (ies): Select one or more assessed entities related to the perspective.

Risk Rating Chart


Use the Risk Rating Chart report to view the residual and inherent risk scores of the Perspectives in the Risk Assessments module.

Figure 78: Risk Rating Chart

Description: The Risk Rating Chart is a pie chart. It displays the residual and inherent risk scores of the Perspective based on the search criteria.
Drill-down: Risk Rating Report
Note: To view the Risk Rating Report, click the required region in the pie chart.

Top Organizations at Risk (By Rolled Up Score)


Use the Top Organizations at Risk (By Rolled Up Score) report to view risk ratings and trends rolled up to the top-level (Level 1) organization. The report considers scores from the Org-Risk / Org-Assessable Entity-Risk types for assessments performed within the chosen perspectives.
For more information on report columns, refer to the Organizations at Risk (By Rolled Up Score) Report section.

Organizations at Risk (Based on Risk Assessment)


Use the Organizations at Risk (Based on Risk Assessment) report to view all the different organizations
that are at risk based on assessments individually performed on them.
For more information on report columns, refer to the Organizations at Risk (By Individual Assessment)
section.

Inherent Risks Breakdown by Category


For more information on report columns, refer to the Inherent Risk Breakdown by Category Report.

Residual Risks Breakdown by Category


For more information on report columns, refer to the Residual Risk Breakdown by Category Report.

Perspectives Report
For more information on report columns, refer to the Perspectives Report.

Risk Register Report


For more information on report columns, refer to the Risk Register Report.

Risk Assessment Assignments Report


Use the Risk Assessment Assignments report to view the statuses of different risk assessments that
have been triggered in the last X number of days, where X is a configurable filter in the report. By
default, the value for number of days is set as 30. You can view the report contents based on the load
preferences.

For more information on report columns, refer to the Risk Assessment Status Details Report section.

Control Assessments (From Risk Assessments) Report


Use the Control Assessments (From Risk Assessments) report to view details of all the Controls that are assessed directly by the organizations. You can view the report contents based on the load preferences.

For more information on report columns, refer to the Risk Control Assessment Report section.

Assessment Status (Details) Report


Use the Assessment Status (Details) report to view the statuses of different risk assessments that have
been triggered in the last X number of days, where X is a configurable filter in the report. By default,
the value for number of days is set as 30.

For more information on report columns, refer to the Risk Assessment Status Details Report section.

Ongoing Risk Assessments Report


Use the Ongoing Risk Assessments report to view and work on the ongoing Risk Assessment
assignments.

Key Columns:
• Assessment Identifier: Ongoing assignment text as specified in the Risk Assessment Plan form.
    • Drill-down: Risk Assessment Form
• Assess: Link to assess the Risk Assessment form.
    • Drill-down: Risk Assessment Form
• Organization(s): Name of the organization that is assessed.
• Assessed Entity (ies): Name of the entity that is assessed.
    • Drill-down: Process/Risk form

For more information on Risk form, refer to the MetricStream Issues User Guide Release 6.1 SP2.

• Risk(s): Name of the risk that is assessed.
    • Drill-down: Process/Risk form

For more information on Risk form, refer to the MetricStream Issues User Guide Release 6.1 SP2.

• Inherent Rating: Inherent rating of the risk being assessed. The possible values are High, Medium, and Low.

Note: The color coding that is used for each of these values is configurable.

• Overall Control Effectiveness: Overall effectiveness of the Control. The possible values are High, Medium, and Low.

Note: The color coding that is used for each of these values is configurable.

• Residual Rating: Residual rating of the risk being assessed. The possible values are High, Medium, and Low.

Note: The color coding that is used for each of these values is configurable.

• Risk Assessment Plan Name: Name of the Risk Assessment plan.
    • Drill-down: Risk Assessment Plan Form
• Assessor: Name of the Assessor.
    • Drill-down: Risk Assessment Form

View New Controls Report


Use the View New Controls report to view the details of all the controls that are newly added by the
assessors while performing the Risk assessment.

Key Columns:
• Assessment ID: ID of the Assessment.
• Control ID: Unique ID of the Control.
• Organization Name: Name of the organization that is assessed.
• Core Object Name: Name of the core object.
• Risk Name: Name of the risk for which the Control is created.
• Control Name: Name of the new control added during Risk Assessment.
• Control Category: Category of the newly created Control.
• Key Control: Displays the value Yes or No. The displayed value indicates the following:
    • Yes: The Control is a key Control.
    • No: The Control is not a key Control.
• Control Type: Type of Control.

New Risks Added During Risk Assessments


Use the New Risks Added During Risk Assessments report to view the details of all the risks that are identified and newly added by the assessors while performing the different Risk assessments. Only the risks that are typed in by the assessor are displayed here; the risks added from the GRC library are not displayed in this report. This report can be used to identify the critical and common risks, if any, and define them in GRC Foundation for future use.

Key Columns:
• Assessment Type: Type of Assessment.
• Risk: Name of the risk that is assessed.
• Inherent Rating: Inherent risk rating of the risk being assessed.
• Residual Rating: Residual risk rating of the risk being assessed.
• Assessed Organization: Name of the organization that is assessed.
• Assessed Entity: Name of the assessable entity.

Comments History Report


Almost all the MetricStream modules forms enable a user to provide comments and view the
comments entered by previous users. You can view the comments history by clicking the Comments
History link available at the bottom of the forms.

Key Columns:
• User Name: Displays the name of the user who has entered the comments.
• Date: Displays the date on which the comments are entered.
• Comments: Displays the comments entered by the users.

Change History Report


The Change History report displays the details of the changes that are made to the form by various
users. You can view the change history report by clicking the Change History link in the View Reports
icon.

Key Columns:
• Section/Group Name: Name of the section that is updated by the previous user.
• Old Value: Previous value entered by the user.
• New Value: New value entered by the user.

Reports from Other MetricStream Modules


Certain reports that are listed in the Risk Assessments module are derived from the other
MetricStream modules. The following table provides a list of such reports with the corresponding
module name.

Report Name | Module Name
All GRC Library reports | GRC Foundation. For more information on these reports, see the MetricStream Governance, Risk, Compliance, and Foundation User Guide Release 6.1 SP2.
Issue List Report | Issue Management. For more information on these reports, see the MetricStream Issue Management User Guide Release 6.1 SP1.
View Tests | Compliance Management. For more information on these reports, see the MetricStream Compliance Management User Guide Release 6.1 SP4.

Creating Dynamic Dashboards Using Reports


You can create dashboards based on the data provided in a tabular format report. A tabular format report comprises many columns. Using the data available in one or more columns, you can create new dashboards, as required. Such dashboards are known as dynamic dashboards. You can create these dynamic dashboards instantly and share them with the stakeholders.

You can create the following types of dynamic dashboards:

• Pie charts
• Line charts
• Bar charts

Dynamic Dashboards
The following dynamic dashboards are available in the Risk Assessments module:

• Enterprise Risk Dashboard
• Risk Register Dashboard

Enterprise Risk Dashboard


Use the Enterprise Risk Dashboard to view the Risk assessment details. The following table provides the list of dynamic dashboards and the key report from which each dynamic view is created.

Note: The Enterprise Risk Dashboard is displayed in three parts: part 1, part 2, and part 3 to provide clarity.

Dynamic Dashboard Name | Type of Chart | Key Report Name
Inherent Risk Breakdown (By Organizations) | Pie | Organizations at Risk (By Rolled Up Score) Report
Residual Risk Breakdown (By Organizations) | Pie | Organizations at Risk (By Rolled Up Score) Report
Assessment Status Report | Bar | Assessment Status (Details) Report
Top 20 Risks (By Residual Score) | Bar | Risk Register Report
Top 20 Risks (By Percentage Change in Residual Score) | Bar | Risk Register Report
Controls by Rating (From Risk Assessments) | Pie | Risk Control Assessment Report
Top Risks By Risk Owners (Based on Residual Score) | Bar | Risk Register Report
Top 20 Risks By Inherent Impact Score | Bar | Risk Register Report
Top 20 Risks By Inherent Likelihood Score | Bar | Risk Register Report

Figure 79: Enterprise Risk Dashboard > Part 1

Figure 80: Enterprise Risk Dashboard > Part 2

Figure 81: Enterprise Risk Dashboard > Part 3

Risk Register Dashboard


Use the Risk Register Dashboard to view the details of all the Risks that are assessed in the Risk Assessments module. The following table provides the list of dynamic dashboards and the key report from which each dynamic view is created.

Note: The Risk Register Dashboard is displayed in four parts: part 1, part 2, part 3, and part 4 to provide clarity.

Dynamic Dashboard Name | Type of Chart | Key Report Name
Top 20 Organizations (By Residual Scores Based On Rolled Up Score) | Bar | Risk Register Report
Top 20 Entities (By Residual Scores Based On Rolled Up Scores) | Bar | Risk Register Report
Inherent Risk Breakdown (by Risks) | Pie | Risk Register Report
Top 20 Risk Owners (Based on # of Risks Owned) | Bar | Risk Register Report
# of Assessed Risks by Level of Hierarchy | Bar | Risk Register Report
Top 20 Assessors (Based on # of Risks Assessed) | Bar | Risk Register Report
Residual Risk Breakdown (By Risks) | Pie | Risk Register Report
Top 20 Risks by Residual Trend | Pie | Risk Register Report
Top 20 Delayed Risk Assessments | Bar | Risk Register Report

Figure 82: Risk Register Dashboard > Part 1

Figure 83: Risk Register Dashboard > Part 2

Figure 84: Risk Register Dashboard > Part 3

Figure 85: Risk Register Dashboard > Part 4

Charts and Dashboards
13
This chapter provides information on the charts and dashboards that are available for the Risk Assessments module.
To use the report section effectively, familiarize yourself with the MetricStream Portal User Guide Release 6.1 SP5.

Sections:
1. Dashboards and Charts

Dashboards and Charts


The following table provides the list of dashboards and charts available in the Risk Assessments
module.

Sl. No. | Dashboard/Chart Name
1. Risk Assessment Status Chart
2. Issues by Status Chart
3. Inherent Risk Breakdown by Category Chart
4. Residual Risk Breakdown by Category Chart
5. Assessment Status (Overview) Chart

Risk Assessment Status Chart


The Risk Assessment Status chart is a bar chart.

Figure 86: Risk Assessment Status Chart

Description: This chart displays the count of assessments by status. Each data bar represents the number of risk assessment tasks in a particular status. Click the data bar to view the Risk Assessment Status Details Report. The report displays details of all the assessments based on the status.
Drill-down: Risk Assessment Status Details Report

Issues by Status Chart


The Issues by Status chart is a bar chart.

Figure 87: Issues by Status Chart

Description: This chart displays the count of Issues by status. Each data bar represents the number of issues in a particular status. By looking at the dashboard, you can ascertain the number of issues that are open, canceled, and closed.
Drill-down: Issue List Report
For more information on Issue List form, refer to the MetricStream Issues User Guide Release 6.1 SP2.

Inherent Risk Breakdown by Category Chart


The Inherent Risk Breakdown by Category chart is a bar chart.

Figure 88: Inherent Risks Breakdown by Category Chart

Description: Each data bar represents the number of risks that fall into a particular inherent risk rating based on the risk category. The chart has information based on assessments performed using default perspectives. By looking at the dashboard, you can ascertain the number of Risks that fall into the low, medium, and high residual ratings.

The ratings are color-coded. Red represents high-priority inherent risk rating, yellow represents medium inherent risk rating, and green represents low inherent risk rating. However, the color coding is configurable.

The axes represent the following:
X-axis: Risk categories
Y-axis: Number of Risks

Drill-down: Not applicable

Residual Risk Breakdown by Category Chart


The Residual Risk Breakdown by Category chart is a bar chart.

Figure 89: Residual Risk Breakdown by Category Chart

Description: Each data bar represents the number of risks that fall into a particular residual risk rating based on the risk category. The chart has information based on assessments performed using default perspectives. By looking at the dashboard, you can ascertain the number of risks that fall into the low, medium, and high residual ratings.

The ratings are color-coded. Red represents high-priority inherent risk rating, yellow represents medium residual risk rating, and green represents low residual risk rating. However, the color coding is configurable.

The axes represent the following:
X-axis: Risk categories
Y-axis: Number of Risks

Drill-down: Not applicable

Assessment Status (Overview) Chart


For more details, refer to the Risk Assessment Status Chart section.

Appendix

The common functions and features of the module are covered in this section.

Sections:
1. About My Tasks Menu
2. Form Tool Bar
3. Risk Assessments Forms - Additional Details Tab
4. Data Browsers
5. Calendars
6. Lock Functionality
7. Clarification Assignments
8. Load Preferences
9. About Reports
10. About Charts and Dashboards
11. E-Mail Notifications

About My Tasks Menu


The My Tasks menu is located at the top of the module home page. You can access the required task
assignment for review or approval from the My Tasks menu.

Accessing Assignments from My Tasks Menu


To access an assignment, perform the following steps:
Step 1 Move the mouse pointer over the My Tasks menu.
A list of assignments appears.

Note: In most of the MetricStream applications, in addition to accessing event assignments through the My Tasks menu, you can also access them from the assigned infoports.

Figure 90: My Tasks Menu

An event assignment may have one of the following states:

• New assignments (links appear in green)
• Assignments that are older than five days (links appear in black)
• Assignments that are Past Due (links appear in red)

Step 2 Click the required assignment link.
The relevant form appears. You can review/approve the content, as applicable, and submit the form.

My Task Menu Features


The following table lists the options available in the My Tasks menu.

Click the icon to:
• Navigate to the next page.
• Navigate to the last page.
• Navigate to the previous page.
• Navigate to the first page.
• Refresh the page and see the latest assignments.

Form Tool Bar


The forms available in the Risk Assessments module include a common tool bar, which comprises a set
of icons to perform certain actions. The below table provides a list of form tool bar icons and their
descriptions.

Note: These are the standard form tool bar icons available across all the MetricStream modules. However, all the
icons may not be available in all the forms. The display of these icons is customized based on the function and
usage of the form.

Figure 91: Form Tool Bar

Icon | Click the icon to...

Submit | Submit the contents of the form and route it to the next workflow step based on the action selected.

Save Draft | Save the contents of the form as a working draft for the user without processing it to the next workflow step, and keep the form open.

Save as Draft & Close | Save the contents of the form as a working draft for the user without processing it to the next workflow step, and close the form.
Note: You can access the form from My Tasks at a later time and continue working.

View Reports | View reports related to the current form.
Note: After you click this icon, a list of reports appears. Click the required report name to view the details.

Print | Print the contents of the form. After you click this icon, the contents of the form open in PDF format. To print the contents, perform the following steps:
1. Click the Print icon.
OR
1. Save the contents and close the file.
2. Re-open the file from the saved location.
3. On the File menu, click the Print button.

Cancel | Discard changes made to the form and close it.

Risk Assessments Forms - Additional Details Tab


Use the Additional Details tab to attach additional documents and view the creation history. This is a common tab across the following forms:

• Quantitative Assessment Factor
• Qualitative Assessment Factor
• Risk Assessment Plan

After the Risk content is published, when it is accessed for editing, this tab also displays the modification history along with the creation history.

Additional Details Tab - Editing Stage

Use the Additional Details tab to view the history and attach relevant documents.

Figure 92: Additional Details Tab > Editing Stage

Field/List Name | Description
Created By (read-only) | The name of the user who created the Risk content appears.
Created On (read-only) | The date on which the current Risk content was created appears.
Modification Requested By (read-only) | The name of the user who requested the modification appears.
Modification Requested On (read-only) | The date on which the modification was requested appears.

Data Browsers
A data browser displays contents in a hierarchical order. It enables you to navigate easily from one content to the other related contents and perform the actions assigned to these contents. Using the data browser, you can perform the following:

• Search for the required contents
• View and edit the related contents
• View related reports and dashboards
• Create contents
• View all the content relationships

Accessing Data Browsers


When you log in to the application, the Interactive Data Browser panel is available on the left side of the application as a collapsed side bar widget. By default, the Interactive Data Browser panel is always visible on the left side of all the navigated pages in the application.

Figure 93: Data Browser > Interactive Data Browser Panel

Data Browser Icons and Names


The following table lists the data browser icons and the corresponding content names.

Data Browser Icons | Risk Assessments Content Names

Each of the following content names has its own data browser icon:
• Quantitative Assessment Factor
• Qualitative Assessment Factor
• Risk Assessment
• Controls
• Organizations
• Processes
• Risks
• Organization Weightage

Searching and Editing Risk Assessment Forms


You can search for the published forms in the Risk Assessments module using the respective data
browser filters. Based on the search criteria that you enter in the parameter/filter fields, the respective
contents are listed in the data browser as shown in the following sample figure.

Note: You can edit the forms by accessing the required Risk Assessments forms from the reports available in the
Risk Assessments module.

Figure 94: Searching and Accessing Content for Editing

To edit the details of a Risk Assessment form, click on the required title in the data browser.

For example, if you click Accounting, the respective form appears in non-editable mode. To edit the details, click the pencil icon on the upper-right corner of the form tool bar. The form becomes editable.

Note: However, the users can edit the contents based on their privileges. For more information on the privileges,
see Activities.

You can view the risk assessments available in the module by clicking the data browser icon for Risks.

Figure 95: Risk Assessments available in the module

To expand a content in the browse pane, click the Expand icon to the left of the related content as
shown in the following figure.

Figure 96: Browse Pane > Expanded View

After you click the Expand icon, the contents are expanded and the Collapse icon appears. To collapse the contents, click the Collapse icon.

Calendars
The calendar displays all the scheduled events in a grid.

For more details on Calendar functionality, see the MetricStream Portal User Guide Release 6.1 SP5.

Lock Functionality
When a Risk assessment is rolled out to multiple users such as Risk Owners, Risk Stakeholders, Roles, or Users, the Risk Assessment form is made available to the person who first accesses it. The user who has access to the form is able to submit the risk assessment, and the same assessment is made unavailable to other users for assessment by locking the assessment assignment.

Consider the following scenario:

1. User A (authorized person) creates a Risk assessment plan using the Risk Assessment Plan form and submits it. The form is now assigned to user B and user C (who are Risk owners). The lock functionality is enabled only if the user selects any one of the following options in the Available To field of the Risk Assessment Plan form:
    • Risk Owners
    • Risk Stakeholders
    • Role(s)
    • User(s)
2. User B accesses the Risk Assessment form for assessing. The form opens in edit mode and the user acquires the lock automatically.

The lock is released in the following case:
    • The system administrator releases the lock.

3. While user B is still working on the <Form Name> form, if user C accesses the same form for editing, the form opens in read-only mode. To change the mode to editable, the user needs to click the pencil icon on the upper-right corner of the screen. When user C clicks the pencil icon, since the lock is already acquired by user B, the message “Form has been locked by another user” appears.
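The first-access lock in the scenario above, modelled as an added example (this is not MetricStream code): a small in-memory registry in which the first user to open an assignment acquires the edit lock, any later user gets read-only mode together with the "Form has been locked by another user" message, and only a system administrator can free a held lock. The class and method names, the assignment id, and treating a submission as closing the assignment for everyone are assumptions.

```python
"""Model of the first-access assignment lock described in the scenario above.
Added example, not MetricStream code; class names, method names, the
assignment id and the in-memory store are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Union

LOCKED_MESSAGE = "Form has been locked by another user"


@dataclass
class AssessmentLockRegistry:
    # assignment id -> user currently holding the edit lock
    locks: Dict[str, str] = field(default_factory=dict)
    # assignments already submitted by their lock holder
    submitted: Set[str] = field(default_factory=set)
    # users allowed to release another user's lock (system administrators)
    admins: Set[str] = field(default_factory=set)

    def open_form(self, assignment_id: str, user: str) -> Dict[str, str]:
        """Open the assessment form for `user` and report the resulting mode.

        The first user to open the form acquires the lock and gets edit mode;
        any other user gets read-only mode plus the lock message. A submitted
        assignment is no longer available to anyone.
        """
        if assignment_id in self.submitted:
            return {"mode": "unavailable", "locked_by": "",
                    "message": "Assessment already submitted"}
        # setdefault is the "first access wins" step: it stores `user` only if
        # nobody holds the lock yet, and otherwise returns the current holder.
        holder = self.locks.setdefault(assignment_id, user)
        if holder == user:
            return {"mode": "edit", "locked_by": user, "message": ""}
        return {"mode": "read-only", "locked_by": holder, "message": LOCKED_MESSAGE}

    def submit(self, assignment_id: str, user: str) -> bool:
        """Only the lock holder may submit; this closes the assignment for all users."""
        if self.locks.get(assignment_id) != user:
            return False
        del self.locks[assignment_id]
        self.submitted.add(assignment_id)
        return True

    def release(self, assignment_id: str, requester: str) -> bool:
        """Administrative release: the only way a held lock is freed without a submission."""
        if requester not in self.admins or assignment_id not in self.locks:
            return False
        del self.locks[assignment_id]
        return True


def walkthrough() -> List[Union[str, bool]]:
    """Replay the scenario: B opens first, C is read-only, the administrator
    releases the lock, C takes it over and submits, B can no longer open it."""
    registry = AssessmentLockRegistry(admins={"sysadmin"})
    assignment = "RA-PLAN-1"  # constructed assignment id
    return [
        registry.open_form(assignment, "userB")["mode"],   # "edit"
        registry.open_form(assignment, "userC")["mode"],   # "read-only"
        registry.release(assignment, "userC"),             # False: not an administrator
        registry.release(assignment, "sysadmin"),          # True
        registry.open_form(assignment, "userC")["mode"],   # "edit"
        registry.submit(assignment, "userB"),              # False: B no longer holds the lock
        registry.submit(assignment, "userC"),              # True
        registry.open_form(assignment, "userB")["mode"],   # "unavailable"
    ]


if __name__ == "__main__":
    print(walkthrough())
```

The point the walkthrough makes is that the lock is checked on every open and on submit, not only when the form is rendered: a user who saw the form in edit mode earlier (userB) cannot submit after an administrator has released the lock and another user has taken it.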

Icon Representations

The assignments for which the lock is enabled are represented by icons. The following table describes the lock-related icons.

Icon | Description

Green Lock | This icon represents the following:
    • The user who has first accessed the form acquired the lock.
    • The same assignment can be accessed and submitted after editing.

Red Lock | This icon represents the following:
    • A user who has first accessed the form has already acquired the lock.
    • The assignment can be accessed, but the details cannot be edited.

Clarification Assignments
While working on the module, at most of the stages in the workflow, a user may send the form back for clarification/rework. The assignment is usually assigned to the previous user for rework. However, the user to whom the assignment is sent is based on the workflow defined in the module.

Sample assignment syntaxes:

The assignment syntax may vary according to the context and stage in which the form is sent for clarification.

Clarification Assignment Text | Clarified Assignment Text
Clarify <Assessment-Name> [<PID>] | Approve <Assessment-Name> [<PID>]

Load Preferences
The Load Preference feature allows you to view the reports based on certain default preferences that
are pre-packaged with the Risk Assessments module. By using the load preferences option, you can
avoid reentering the data in the filter fields.

The saved preference is report-specific. By default, the Risk Assessments module provides various load preference options based on which you can view the reports. For example, in the Top Organizations at Risk (By Rolled Up Score) report, you can view the report based on inherent risk score, residual trend, and so on.

Accessing Load Preferences


To access load preferences, perform the following steps:
Step 1 Navigate to the specific report.
Step 2 Click the Drop-down icon next to the report label.

Figure 97: Accessing Load Preference

The load preference window appears with one or more available load preferences.
Step 3 Select the required load preference criteria as required.
Note: Based on the load preference that you select, the module reloads the report data.

Report-Data Display Matrix


The following table provides information on the security criteria based on which the data is displayed in a few of the module reports. The matrix marks each report against each criterion with the view/no-view icons described in the Legends.

Criteria (columns of the matrix):

Fields in Risk Form (GRC Foundation):
• Owners
• Restrict Access To

Risk Assessment module:
• Risk Assessment Plan form - Applicable To Organizations
• Risk Assessment Plan form - Owner
• Risk Assessment Plan form - Restrict Access To Organization field
• Assessed Organization
• Activities Required to view the report: RSK - View Risk Assessment or RSK - View All Risk Assessments
• Flow down view of the data in the reports
• Data view of the parent organization users of Plan Owner Organization and Assessed Organization

Reports (rows of the matrix):
• Risk Register Report
• Control Assessment Report
• Assignment Status Report
• Organizations at Risk (by individual Assessment) Report
• Heat Map by Risks Directly Assessed Report
• Heat Map by Organization Report


Legends:

Check mark: You can view the report details/flow-down data.
Cross mark: You cannot view the report details/flow-down data.

What is Flow down?


Organizations at the top of the hierarchy can view the details of their subordinate organizations. Subordinate organizations, however, cannot view the details of the organizations above them.


Scenarios
This section describes the scenarios and security details of the following reports:

- Assignment Status Report
- Organizations at Risk Report

Consider the following organization hierarchy:

Line of Business - A
    HR - A1
        Staffing - A1.1
    Benefits - A2
Line of Business - B
    Retail Banking - B1
    Retail Finance - B2


Scenario 1:

If the Plan is owned by Line of Business - A, its users can view the assessment data pertaining to HR - A1 and Benefits - A2.

Since the assessment pertains to HR - A1, users with view access to assessments in HR - A1 can view the data related to HR - A1.

Since the assessment pertains to Benefits - A2, users with view access to assessments in Benefits - A2 can view the data related to Benefits - A2.

Scenario 2:

If the assessment is performed on Staffing - A1.1:

The plan owners of Staffing - A1.1, HR - A1 and Line of Business - A can view the assessment information.

The assessed organization users of Staffing - A1.1, HR - A1 and Line of Business - A can view the assessment information.

Scenario - 3:

If the assessment is performed on Staffing - A1.1, but the Plan is owned by Retail Banking - B1:

The Plan owners in Retail Banking - B1 can view the details of Risk Assessments performed at Staffing - A1.1.

Since the Risk Assessment is performed for Staffing - A1.1, users with the view assessment privilege in Staffing - A1.1 can view the details pertaining to Staffing - A1.1.

Since HR - A1 and Line of Business - A are above Staffing - A1.1 in the hierarchy, users with view access to assessments in those organizations can view them as well.

Users with view access to assessments in Line of Business - B can also access the Risk Assessments of Staffing - A1.1, since the Plan is created and managed by an organization (Retail Banking - B1) within Line of Business - B.

This section describes the scenarios and security details of the following reports:

- Risk Register Report
- Control Assessment Report
- Heat Map by Standard Factors Report
- Risk Register Detailed Report

For these reports, the Plan Owner and assessed organization security is applied as explained in the scenarios above. In addition, Risk Owner security is applied: the risk owners can also view the reports. The following section describes how report data is displayed to the Risk Owners.

While creating the Risk library content, the initiator selects the following users as Risk Owners for risks R1 and R2. The Risk is set up in the GRC library of the GRC Foundation module.

Risks   Users
R1      U1, U2, U3, U4
R2      U5, U6

Scenarios:

- If risk R1 is assessed, users U1, U2, U3, and U4 can view the assessment details of the R1 Risk assessment.
- If risk R2 is assessed, users U5 and U6 can view the assessment details of the R2 Risk assessment.

Note:
- If no Risk Owners are selected while creating the Risk library content, no users can view the Risk assessment details except the Plan owner and the assessed organization, as specified in the scenarios above.
- The Risk Owners are the users who are assigned to the Edit - GRC Object activity.
- For the Heat Map by Organization Report, users of the assessed organization and its parents who are assigned the View Risk Assessment privilege can view the assessment details.
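The visibility rules in the scenarios above (the plan-owning organization and its parents, the assessed organization and its parents by flow-down, and Risk Owners for the Risk Register, Control Assessment, Heat Map by Standard Factors and Risk Register Detailed reports) reduce to a small hierarchy check. The following Python is an added example, not MetricStream code: the organization tree, users, the `lineage` and `can_view` helpers are constructed for illustration, and the assumption that a Risk Owner needs no additional RSK view activity is ours, not the guide's.

```python
"""Hypothetical model of the report-visibility rules described in the scenarios above.

Added example, not MetricStream code: the organization tree, users and helper
functions are constructed to illustrate the rules (plan-owner organization,
assessed organization, flow-down, risk owners).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Constructed organization hierarchy from the scenario (child -> parent; None = top level).
ORG_PARENT: Dict[str, Optional[str]] = {
    "Line of Business - A": None,
    "HR - A1": "Line of Business - A",
    "Benefits - A2": "Line of Business - A",
    "Staffing - A1.1": "HR - A1",
    "Line of Business - B": None,
    "Retail Banking - B1": "Line of Business - B",
    "Retail Finance - B2": "Line of Business - B",
}

# Activity name as listed in the report-data display matrix above.
VIEW_RISK_ASSESSMENT = "RSK - View Risk Assessment"

# Reports to which Risk Owner security is additionally applied (listed above).
RISK_OWNER_REPORTS: FrozenSet[str] = frozenset({
    "Risk Register Report",
    "Control Assessment Report",
    "Heat Map by Standard Factors Report",
    "Risk Register Detailed Report",
})

# Risk Owners from the R1/R2 table above (constructed user names).
RISK_OWNERS: Dict[str, Set[str]] = {
    "R1": {"U1", "U2", "U3", "U4"},
    "R2": {"U5", "U6"},
}


@dataclass(frozen=True)
class User:
    name: str
    org: str
    activities: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Assessment:
    risk: str
    assessed_org: str
    plan_owner_org: str


def lineage(org: str, parents: Dict[str, Optional[str]] = ORG_PARENT) -> Set[str]:
    """Return the organization itself plus every ancestor up to the top level.

    Flow-down means a user in any of these organizations may see data about `org`.
    Nothing below `org` is included, so subordinates never see upward.
    """
    seen: Set[str] = set()
    cur: Optional[str] = org
    while cur is not None and cur not in seen:  # guard against a malformed cyclic tree
        seen.add(cur)
        cur = parents.get(cur)
    return seen


def can_view(user: User, a: Assessment, report: str,
             risk_owners: Dict[str, Set[str]] = RISK_OWNERS) -> bool:
    """Decide whether `user` may see assessment `a` in `report`, per the rules on this page."""
    # Risk Owner security (Edit - GRC Object assignees) applies only to the listed reports.
    # Assumption: a Risk Owner does not additionally need the RSK view activity.
    if report in RISK_OWNER_REPORTS and user.name in risk_owners.get(a.risk, set()):
        return True
    # Every other path requires the view activity.
    if VIEW_RISK_ASSESSMENT not in user.activities:
        return False
    # Assessed organization and its parents (flow-down), or the plan-owning
    # organization and its parents.
    visible_from = lineage(a.assessed_org) | lineage(a.plan_owner_org)
    return user.org in visible_from


if __name__ == "__main__":
    # Scenario 3: assessed at Staffing - A1.1, plan owned by Retail Banking - B1.
    scenario3 = Assessment("R2", "Staffing - A1.1", "Retail Banking - B1")
    viewer = frozenset({VIEW_RISK_ASSESSMENT})
    for org in ORG_PARENT:
        u = User(f"viewer@{org}", org, viewer)
        print(f"{org:22s} -> {can_view(u, scenario3, 'Assignment Status Report')}")
```

Running the block prints, for each organization in the constructed tree, whether a user there holding the view activity sees the Scenario 3 assessment in the Assignment Status Report: the assessed branch (Staffing - A1.1, HR - A1, Line of Business - A) and the plan-owner branch (Retail Banking - B1, Line of Business - B) see it; Benefits - A2 and Retail Finance - B2 do not.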

About Reports
A report is a tabular representation of meaningful data, which you can use to make informed decisions.
It normally consists of multiple columns. Most of the reports provide filters. Using the filters, you can
search for specific contents and view the report based on the search results.

Filters
You can narrow down your search by filtering the report data. The search parameters act as filters that refine the output of reports. You can access the report filters by clicking the arrow shown in the following figure.

Figure 98: Accessing Report Filters

Note: To hide the filters, click the arrow again.

After you click the arrow, the related filter window appears.

Note: If the report consists of any mandatory filter parameters, the filter window appears first. Otherwise, the
report appears first and the filters are collapsed within the report.

Figure 99: Report Filters

Perform the following steps to display the report data based on the filters:

Step 1 Enter the required data in one or more filter parameters.


The following types of parameters are available in the filters:

- Mandatory filter parameters: You must provide data in the parameter field.
- Optional filter parameters: You can provide data in the parameter fields or leave them blank.

Note:
- You can enter search criteria in all the filter parameters or just a few of them, as required. The application applies an "AND" condition to all the filter criteria that you enter.
- If there are no mandatory filter fields and you click the Submit button without entering any data, the report returns all existing records from the application.
- To clear the entered data, click the Clear All button.
- To save the entered details, click the Save button. The next time you open the filters, the saved details are available for selection in the drop-down list beside the Save button.

Step 2 Click the Submit button to submit the details.


Note: The report retrieves the records based on the entered data.

Drill Downs
A few reports can have associated drill-down reports and/or forms. To access drill-down reports and
forms, click the text that appears as a hyperlink in the relevant column. Not all reports have a drill-
down report or form.

List Reports
List reports are those reports that can be accessed by clicking the links within an infoport.

Figure 100: Accessing List Reports

Link Reports
Link reports are those reports which are available within a form in the Form Tool Bar.

Accessing Link Reports


To access the link reports, perform the following steps:
Step 1 Click the View Reports icon in the form tool bar.

One or more relevant Link reports appear as a list.


Step 2 Click the required report name.
The relevant Link report appears.

The following table provides the list of Link reports, corresponding form names, and the related
reference links.

Link Report Name        Form Name                                                       Click This Link to View the Report
Comments History        All the Risk Management forms                                   Comments History Report
Change History Report   Qualitative Assessment Factor, Quantitative Assessment Factor,  Change History Report
                        Risk Assessment Plan, Risk Assessment Form

About Charts and Dashboards


A dashboard is a page that displays one or more charts. A chart is a graphical representation of data in
which the data is represented by symbols such as bars in a bar chart, lines in a line chart, or slices in a
pie chart.

Dashboards enable you to make informed decisions.

You can access dashboards through specific infoports. A chart is either accessible through an infoport link or displayed directly in an infoport.

Figure 101: Charts directly displayed in infoport

Drill Downs
The drill-down option enables you to view associated dashboard charts and reports from the current
chart. Move the pointer over the data in the chart. If the pointer changes to a hand symbol, it is an
indication that there is a drill down available. When you click, the drill down chart or report appears.

Interactive Legends
The interactive legends allow you to click the icon (legend) of a particular data series to hide it so that
you can focus on the other data series available in the chart. The interactive legend feature allows a
section of the chart to slide-out and slide-in or hide and display.

Hide/Display Feature
The hide/display feature is available in Bar/Run charts, where you can hide or display a particular data bar of the chart.

Figure 102: Bar Chart (callouts: Data Bar, Interactive Legends)

To hide a particular data bar, click the legend icon that represents that bar. For example, in the figure below, click the legend for closed issues to hide the portion of the bar graph that represents closed issues. Click the legend again to display the hidden bar graph.

Figure 103: Bar Chart > Hidden View



E-Mail Notifications
Refer to the following table for information on e-mail notifications that are triggered in the module.

Qualitative and Quantitative Factor Forms

Task: Notify Owner(s) to work on the Assessment Factor
To: Owner(s)
Content:
Dear <Recipient User Name>,
<User Name> has added a new <Quantitative> Factor: <Factor Name> for which you are the Owner. Please review the Assessment Factor and Approve or Reject.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Initiator to provide clarifications requested by Owner
To: Initiator
Content:
Dear <Recipient User Name>:
<User Name> has requested clarifications for new <Quantitative> Factor: <Factor Name>.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Level 1 or Level 2 Approver to approve the Assessment Factor
To: Level 1 Approver [CC: Initiator, Owner(s)], or Level 2 Approver [CC: Initiator, Owner(s), Level 1 Approver]
Content:
Dear <Recipient User Name>:
<User Name> has added a new <Quantitative> Factor: <Factor Name> for which you are the Approver. Please review the Assessment Factor and Approve.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Owners to provide clarification requested by Level 1 or Level 2 Approver
To: Owner [CC: Initiator, Owner(s)]
Content:
Dear <Recipient User Name>:
<User Name> has requested clarifications for <Quantitative> Factor: <Factor Name>.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Level 1 or Level 2 Approver about the clarification provided by Owner
To: Level 1 Approver or Level 2 Approver [CC: Initiator, Owner(s)], or Owners
Content:
Dear <Recipient User Name>:
This is to notify you that <User Name> has provided clarifications for <Quantitative> Factor: <Factor Name>. Please review the Assessment Factor and take appropriate action.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify users of rejected Assessment Factor
To: Initiator [CC: Owner(s)]
Content:
Dear <Recipient User Name>:
The <Quantitative> Factor: <Factor Name> has not been approved by <User Full Name>.
<<Additional Details>>

Task: Notify users of active Assessment Factor in the system
To: Initiator [CC: Owner(s)]
Content:
Dear <Recipient User Name>:
This message is to notify you that a new <Quantitative> Factor: <Factor Name> is active in the Risk Assessment Library.
<<Additional Details>>
To view or modify the content, please click on the below link.
View Details
Copyright Information

Task: Notify users that an updated Assessment Factor is active in the system
To: Initiator [CC: Owner(s)]
Content:
Dear <Recipient User Name>:
This message is to notify you that an updated version of <Quantitative> Factor: <Factor Name> is available now in the Risk Assessment Library.
<<Additional Details>>
To view or modify the content, please click on the below link.
View Details
Copyright Information

Task: Notify users of expired Assessment Factor
To: Initiator [CC: Owner(s), Level 1 Approver, Level 2 Approver]
Content:
Dear <Recipient User Name>:
This message is to notify you that <Quantitative> Factor: <Factor Name> is inactive since its validity period is over.
<<Additional Details>>
To view or modify the content, please click on the below link.
View Details
Copyright Information

Risk Plan Form

Task: Notify Owner(s) to work on the Assessment Plan
To: Owner(s)
Content:
Dear <Recipient User Name>:
<User Name> has added a new <Risk Assessment Plan> for which you are the Owner. Please review the Assessment Plan and approve or reject.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Initiator to provide clarifications requested by Owner
To: Initiator
Content:
Dear <Recipient User Name>:
<User Name> has requested clarifications for new <Risk Assessment Plan>.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Level 1 or Level 2 Approver to approve the Assessment Plan
To: Level 1 Approver [CC: Initiator, Owner(s)], or Level 2 Approver [CC: Initiator, Owner(s), Level 1 Approver]
Content:
Dear <Recipient User Name>:
<User Name> has added a new <Risk Assessment Plan> for which you are the Approver. Please review the Assessment Plan and approve.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Owners to provide clarification requested by Level 1 or Level 2 Approver
To: Owner [CC: Initiator, Owner(s)]
Content:
Dear <Recipient User Name>:
<User Name> has requested clarifications for <Risk Assessment Plan>.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Level 1 or Level 2 Approver about the clarification provided by Owner
To: Level 1 Approver or Level 2 Approver [CC: Initiator, Owner(s)], or Owners
Content:
Dear <Recipient User Name>:
This is to notify you that <User Name> has provided clarifications for <Risk Assessment Plan>. Please review the Assessment Plan and take appropriate action.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify users of rejected Assessment Plan
To: Initiator [CC: Owner(s)]
Content:
Dear <Recipient User Name>:
The <Risk Assessment Plan> has not been approved by <User Full Name>.
<<Additional Details>>

Task: Notify users of active Assessment Plan in the system
To: Initiator [CC: Owner(s)]
Content:
Dear <Recipient User Name>:
This message is to notify you that a new <Risk Assessment Plan> is active in the Risk Assessment Library.
<<Additional Details>>
To view or modify the content, please click on the below link.
View Details
Copyright Information

Task: Notify users that an updated Assessment Plan is active in the system
To: Initiator [CC: Owner(s)]
Content:
Dear <Recipient User Name>:
This message is to notify you that an updated version of <Risk Assessment Plan> is available now in the Risk Assessment Library.
<<Additional Details>>
To view or modify the content, please click on the below link.
View Details
Copyright Information

Task: Notify users of expired Risk Assessment Plan
To: Initiator [CC: Owner(s), Level 1 Approver, Level 2 Approver]
Content:
Dear <Recipient User Name>:
This message is to notify you that <Risk Assessment Plan> is inactive since its validity period is over.
<<Additional Details>>
To view or modify the content, please click on the below link.
View Details
Copyright Information

Task: Notify Owner(s) to work on the Assessment Plan
To: Owner(s)
Content:
Dear <Recipient User Name>:
<User Name> has added a new Assessment Plan: <Plan Name> for which you are the Owner. Please review the Assessment Plan and approve or reject.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Risk Assessor to assess Risks within the assessment's scope
To: Risk Assessor(s) (all users specified, or derived based on the Plan, for the Ongoing Assessment) [CC: Initiator, Owners]
Content:
Dear <Recipient User Name>:
A Risk Assessment (Ongoing): <Tag/Identifier> has been assigned to you for assessing risks within the assessment scope.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Risk Assessor and Approvers regarding withdrawal of Ongoing Risk Assessment
To: Risk Assessor(s) (all users specified, or derived based on the Plan, for the Ongoing Assessment) and Approver(s) [CC: Initiator, Owners]
Content:
Dear <Recipient User Name>:
A Risk Assessment (Ongoing): <Tag/Identifier> has been withdrawn and hence will not be available for Risk Assessment.
<<Additional Details>>
Copyright Information

Task: Notify Approver to approve Risk Assessments done by Risk Assessor
To: Assessment Approver [CC: Initiator, Owners]
Content:
Dear <Recipient User Name>:
A Risk Assessment (Ongoing): <Tag/Identifier> has been submitted by <User Full Name> for your approval. Please review and take appropriate action.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Risk Assessments

Task: Notify Risk Assessor to assess Risks within the assessment's scope
To: Risk Assessor [CC: Plan Owners]
Content:
Dear <Recipient User Name>:
A Risk Assessment: <Assessment Name> has been assigned to you for assessing risks within the assessment scope. Please review the content and Approve or Reject.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Approver to approve Risk Assessments done by Risk Assessor
To: Assessment Approver [CC: Plan Owners]
Content:
Dear <Recipient User Name>:
The Risk Assessment: <Name> of (<Frequency> Frequency) has been submitted by <User Full Name> for your approval. Please review and take appropriate action.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Risk Assessor to provide clarification as requested by Risk Approver
To: Risk Assessor [CC: Plan Owners]
Content:
Dear <Recipient User Name>:
<User Full Name> has requested clarifications for Risk Assessment: <Name>. Use the following link to view the assignment and provide your clarifications:
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Risk Assessor to provide clarification as requested by Assessment Approver
To: Risk Assessor [CC: Plan Owners]
Content:
Dear <Recipient User Name>:
<User Full Name> has requested clarifications for Risk Assessment: <Name>. Use the following link to view the assignment and provide your clarifications:
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Assessment Approver about clarification provided by Risk Assessor, or notify Plan Owner about clarification provided by Risk Assessor if 'Final Approver for Assessments' is set to 'Plan Owners'
To: Assessment Approver [CC: Plan Owners], or Plan Owner
Content:
Dear <Recipient User Name>:
This is to notify you that <User Name> has provided clarifications for Risk Assessment: <Assessment Name>. Please review and take appropriate action.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify reassigned user to assess Risks within assessment scope
To: Reassigned Risk Assessor [CC: Plan Owners]
Content:
Dear <Recipient User Name>:
<Sender User Name> has reassigned the task of assessing risks for Risk Assessment: <Name>.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Reviewer to review Risk Assessments
To: Reviewer [CC: Plan Owners]
Content:
Dear <Recipient User Name>:
<User Full Name> has requested to review Risk Assessment: <Name>. Use the following link to view the assignment and provide your clarifications:
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Risk Assessor to verify review comments provided by Reviewer
To: Risk Assessor [CC: Plan Owners]
Content:
Dear <Recipient User Name>:
<User Full Name> has reviewed Risk Assessment: <Name>. Use the following link to view the assignment and provide your clarifications:
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Remind Risk Assessor that Risk Assessment is due in 24 hours
To: Risk Assessor [CC: Plan Owners]
Content:
Dear <Recipient User Name>:
This email is to remind you that Risk Assessment: <Name> is due in 24 hours.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Escalate to Risk Assessor that Risk Assessment is overdue
To: Risk Assessor [CC: Plan Owners]
Content:
Dear <Recipient_User_Name>:
This email is to notify you that Risk Assessment: <Name> is overdue.
<<Additional Details>>
To access and complete this assignment, click on the below link.
View Details
Copyright Information

Task: Notify Plan Owners that Risk Assessor or Assessment Approver has rejected Risk Assessment
To: Plan Owners
Content:
Dear <Recipient_User_Name>:
The Risk Assessment: <Name> (<Frequency> Frequency) has not been approved by <Risk Assessor OR Assessment Approver>.
Copyright Information

Task: Notify Risk Assessor about approved Risk Assessment
To: Risk Assessor, Plan Owners
Content:
Dear <Recipient_User_Name>:
The Risk Assessment: <Name> has been approved by <User Name>.
<<Additional Details>>
To view and modify the content, please click on the below link.
View Details
Copyright Information

Glossary

GRC
Governance, Risk, and Compliance

Infocenter
An Infocenter is a portal interface comprising a collection of artifacts (Infoports) such as Input Forms, Event Assignments, Report Links, Actions, Bookmarks, Chart Output, Dashboards, Report Output, and free text. Through this collection of artifacts you can analyze and understand the data.

Infoport
Infoport is a collection of various type of artifacts that are configured in an infocenter.

Inherent Risks
The probabilities of loss arising from circumstances, or existing in an environment, in the absence of any action to control or modify those circumstances.

Perspectives
Perspectives allow the same risks to be assessed with different scoring algorithms, and by different sets of users, with each perspective's scores maintained in its own bucket.

PID
Process instance identification number (which is an internal system identifier).

Quantitative Factor
Quantitative factors are scored on a defined scale (for example 1-10 or 50-100). A factor can carry factor choices from which the user selects the appropriate score, which enforces a standard approach to scoring. Quantitative factor scores are rolled up to the risk according to the algorithm applied (Default).

Qualitative Factor
Qualitative factors are questions with specific response types such as text, number, or date. The qualitative factors defined for a risk are displayed during the Risk Assessment. They are not scored; even a numeric response is not considered in the roll-up score.

Residual Risks
Exposure to loss remaining after other known risks have been countered, factored in, or eliminated.

Reports
A tabular representation of data.

Risk
Risks are the internal and external factors that introduce uncertainty into an organization’s ability to
achieve its objectives.

Standard Factors
Standard factors are specific questions used for conducting the traditional Risk Assessment methodology, with specific responses that each correspond to a score. The scores are added and rolled up to arrive at an overall score for the Risk Assessment. Commonly used Standard Factors for Risk Assessments are Impact, Likelihood, Consequence, Velocity, Dollar Exposure, Control Effectiveness, and so on.

Index

A
Accessing Assignments through My Tasks Menu 28
Accessing the Data Browsers 30
Ad hoc Tasks - Creation 213
Approval Work-Flow 8
Approve Risk Assessment 210
Approving Assessment Factors 130
Assessment Factors - Qualitative 117
Assessment Factors - Quantitative 97

C
Calendars 38

D
Dashboard Charts 286
Dashboard Drill-Downs 284
Dashboards 281
Dashboards - Access 282
Dashboards - Introduction 282
Data Browser 30

H
Heat Map Reports 225
Heat Maps 218

I
Infoport Reports 263
Inline Reports, Access 278

M
Multi-Window Interface 36

Q
Qualitative Assessment Factors 117

R
Report Drill-Downs 241

Reports 239
Reports - Introduction 240
Reports - Access 243
Reports - RSK 242
Review Risk Assessment 208
Risk Assessment Contents Accessing 26
Risk Assessment Plan - Creation 138
Risks - Assessments 164
Roles and Related Activities 15
RSK Actions and Statuses 44
RSK E-mail Notifications 50

S
Search Parameters 283, 286

U
User Story 60

W
Workflow Approval 8
Working on Assessment Factors -Owner 127

Documentation Feedback

MetricStream welcomes customers' comments and suggestions on the quality and usefulness of this document. Your feedback is important to us and helps us identify opportunities to improve the quality of the documentation for the benefit of our users. If the answer to any of the following questions is not satisfactory, please write to TechPubs.

Did you understand the context of the procedures?

Did you find any errors in the information?

Does the structure of the information help you to complete your tasks?

Do you need different information or graphics? If so, where, and in what format?

Are the examples correct? Do you need more examples?

If you need training or App support, contact MetricStream Support Services at support@metricstream
or 800-858-5658.

A list of MetricStream offices is available on our Web site: http://www.metricstream.com/
