Viewing Risks

HOPEX IT Risk Management : HOPEX IT Risk Management : Managing inventories : Inventory of Risks and Controls : Viewing Risks

Viewing Risks

Accessing risks

To access risks:

1. See "Accessing the IT Inventory".

2. Click Risks > All Risks.

You can also access:

• key risks

Key risks are the risks for which the Key Risk check box was selected in the risk properties page.

• risks not connected to a control.

Assessed characteristics

Impact

The impact characterizes the impact of the risk when it occurs.

Likelihood

The likelihood characterizes probability that the risk will occur.

Inherent risk

The inherent (or gross) risk indicates the risk to which the organization is exposed in the absence of measures taken to modify the occurrence likelihood or impact of this risk. This is the result of multiplying impact value and likelihood value before taking account of risk prevention or reduction measures.

In summary, an inherent risk = impact x likelihood

Velocity

Velocity represents the rapidity of propogation of the risk of an asset to other assets if an incident occurs. Velocity represent a way to characterize the risk (other than by impact and frequency).

Weighted inherent risk

Inherent risk x velocity

Risk scope

In the risk properties window, you can identify:

• the IT assets at risk

• applications

A business application is a set of software tools that make up a consistent whole from a software development viewpoint and with respect to functionalities supplied to users.

• software technologies

A software technology is a basic component necessary for operation of business applications.

• deployed assets at risk

• software installations

A software installation is the deployment of an application with a view to using it on a given site.

• deployed technologies

A software technology is a basic component necessary for operation of business applications.

To specify the risk scope:

1. In the risk properties page, expand the following section as needed:

• Scope (IT assets), or

• Scope (Deployed IT assets)

The choice of scope definition has a direct impact on the direct assessments.

2. Connect the objects as you see appropriate.

For more details on the risk scope, see “Risk scope", page 472

Risk Analysis

For more details, see “Risk analysis", page 472.

Risk assessment

You can assess risks by:

• application

• deployed application (or installation)

The tab available in the risk properties page depends on the choice made concerning risk assessment.

For more details, see "Direct Risk Assessment".

Risk treatment

For more details, see "Specifying Controls to be Implemented".