Technology Blogs by Members
plaban_sahoo6
Contributor

This article provides a conceptual overview of the Risk Analysis measurement through 'Analysis' and 'Response' calculations. A pre-requisite to this article is to have a basic understanding on the building blocks of Risk Management, such as Probability, Speed of Onset, Impact, etc.

We will begin with determining the 'Analysis'. And then will proceed to 'Response'.

Calculation of 'Analysis'

Risk Management in GRC is based on a hierarchical model in which Risks are associated with Activities. An Activity can be thought of as an assignment that an organization undertakes, e.g. data processing for EU countries. Activities are grouped into Activity Categories, say 'EU projects'.

Each Activity Category is assigned a Risk Category. A Risk Category is created under the work-center Master Data > Risk and Responses > Risk Catalog. A Risk Category requires an 'Analysis Profile' to be assigned to it.

So let us begin the calculation with its basic unit, the Analysis Profile.

An Analysis Profile is defined in SPRO > Governance Risk and Compliance > Risk Management > Risk and Opportunity Analysis. The important governing factors of an Analysis Profile are Probability and Impact.

These two factors can be of the type Qualitative, Quantitative, Scoring, Three-point analysis, etc. Here we will consider Quantitative and Three-point analysis for determining the risk level.

Three-point Analysis

This approach considers a customizable percentage for each of 3 scenarios: Minimum, Average and Maximum.

For example, in the case of a financial loss, a percentage definition of 25, 50 and 25 for the three scenarios respectively determines the Total Loss, each scenario's loss being weighted by its percentage.

Calculation of 'Response'

A Response is an action taken against a Risk and is of one of the types Mitigate, Accept, Transfer, etc. The amount of loss mitigated through this Response is subtracted from the Total Loss (calculated through 'Analysis'), resulting in the Residual Loss.

The amount (in currency) mitigated is defined under 'Mitigation' in the Response tab of the Risk. 'Completeness' and 'Effectiveness' are two further factors that determine the Residual Loss. There are therefore two types of Residual Loss: the present Residual Loss, and the Residual Loss once the Response is fully completed, which is termed the Planned Residual Loss.

Example: a Response defined with a Completeness of 50% counts half of the monetary amount mentioned under Response/Mitigation towards the present Residual Loss, while the Planned Residual Loss assumes completion at 100% and therefore counts the entire amount defined under Mitigation.

'Effectiveness' also determines the Residual Loss: 'Very Effective' counts the entire monetary amount defined in Mitigation, while 'Effective' counts 50% of the amount.

The figure below shows the calculation of Analysis and Mitigation, resulting in the net Residual Loss and Residual Loss (Planned).

[Figure: Completeness 50, Effectiveness Very Effective]

There can be other scenarios, such as a probability reduction of 10% when the Mitigation is applied.

[Figure: Completeness 50, Effectiveness Very Effective, Probability reduction 10]
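To make the arithmetic of the two calculations concrete, here is a worked example that I have added to this article; it is not SAP GRC code and does not reproduce the exact formulas of the Risk Management module. It implements the Three-point weighting (25/50/25), the Completeness and Effectiveness reductions, and a probability reduction as described above. The values for 'Partially Effective' and 'Not Effective', the clamping of the loss at zero, the full application of the probability reduction in both the present and the planned case, and the `expected_loss` helper are my assumptions for illustration; the sample amounts are constructed, not taken from the screenshots.

```python
from dataclasses import dataclass

# Effectiveness ratings as the fraction of the Mitigation amount that counts
# against the Total Loss. 'Very Effective' = 100% and 'Effective' = 50% are
# the values the article gives; the remaining two are assumptions added here.
EFFECTIVENESS_FACTOR = {
    "Very Effective": 1.0,
    "Effective": 0.5,
    "Partially Effective": 0.25,  # assumption, not from the article
    "Not Effective": 0.0,         # assumption, not from the article
}


def three_point_loss(minimum, average, maximum, weights=(25, 50, 25)):
    """Total Loss from a Three-point analysis: each scenario loss weighted by
    its percentage (Min, Average, Max). The default 25/50/25 split is the one
    used in the article; the weights must add up to 100."""
    if len(weights) != 3 or sum(weights) != 100:
        raise ValueError("three-point weights must be three values summing to 100")
    w_min, w_avg, w_max = weights
    return (minimum * w_min + average * w_avg + maximum * w_max) / 100.0


@dataclass
class Response:
    """A Mitigate-type Response as maintained on the Risk's Response tab."""
    mitigation_amount: float                # currency amount under 'Mitigation'
    completeness_pct: float                 # 0..100
    effectiveness: str                      # key of EFFECTIVENESS_FACTOR
    probability_reduction_pct: float = 0.0  # percentage points taken off the probability


def residual_loss(total_loss, probability_pct, response, planned=False):
    """Residual Loss and residual probability after applying a Response.

    planned=False gives the present Residual Loss (current Completeness);
    planned=True gives the Planned Residual Loss (Completeness taken as 100%).
    Assumptions added here: the loss cannot go below zero, and the probability
    reduction is applied in full in both the present and the planned case.
    """
    completeness = 100.0 if planned else response.completeness_pct
    if not 0.0 <= completeness <= 100.0:
        raise ValueError("completeness must be between 0 and 100")
    factor = EFFECTIVENESS_FACTOR[response.effectiveness]
    mitigated = response.mitigation_amount * (completeness / 100.0) * factor
    loss = max(total_loss - mitigated, 0.0)
    probability = max(probability_pct - response.probability_reduction_pct, 0.0)
    return loss, probability


def expected_loss(loss, probability_pct):
    """Assumption added here: expected loss = loss x probability, used only to
    show how a probability reduction feeds through to the result."""
    return loss * probability_pct / 100.0


if __name__ == "__main__":
    # Constructed sample values, not figures from the article's screenshots.
    total = three_point_loss(100_000, 200_000, 400_000)   # 225,000.0
    probability = 40.0
    response = Response(mitigation_amount=100_000, completeness_pct=50,
                        effectiveness="Very Effective",
                        probability_reduction_pct=10)
    present_loss, present_prob = residual_loss(total, probability, response)
    planned_loss, planned_prob = residual_loss(total, probability, response, planned=True)
    print(f"Total Loss (three-point):      {total:,.2f}")
    print(f"Residual Loss (present):       {present_loss:,.2f} at {present_prob:.0f}%")
    print(f"Residual Loss (planned):       {planned_loss:,.2f} at {planned_prob:.0f}%")
    print(f"Expected loss before response: {expected_loss(total, probability):,.2f}")
    print(f"Expected loss after (planned): {expected_loss(planned_loss, planned_prob):,.2f}")
```

With the constructed inputs the Three-point Total Loss is 225,000; at 50% Completeness and 'Very Effective' the present Residual Loss is 175,000, and the Planned Residual Loss (100% Completeness) is 125,000, each at a residual probability of 30% after the 10-point reduction. Switching the same Response to 'Effective' halves the mitigated amount again, giving a present Residual Loss of 200,000.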

 

The above provides a basic understanding of Risk Measurement. The other elements of Risk Management will be covered in separate articles.

Please share your comments and suggestions.

 
