Configuring the enterprise risk matrix in Assurance
Who is this article for? Administrators who want guidance on setting up the enterprise risk matrix in Assurance.
Administration access is required.
Assurance supports three types of risk matrices.
By default, your Assurance site is set up with the One Risk Matrix type. You can customise the risk matrix setup to suit your organisation's risk framework. Your chosen risk matrix setup will be used across all register templates with the risk assessment field.
This article goes over each of the configurable fields available when setting up the matrix.
1. Configuring the matrix
1.1. Risk Matrix Type
Allows you to select the Risk Matrix Type your organisation's risk framework uses from the following options:
- One Risk Matrix
  - Risk Rating = Likelihood x Consequence
- Two Risk Matrix (Control Ratings based)
  - Inherent Risk = Likelihood x Consequence
  - Residual Risk = Inherent Risk x Control Rating
- Two Risk Matrix (Likelihood and Consequence based)
  - Inherent Risk = Likelihood x Consequence
  - Residual Risk = Likelihood x Consequence
1.2. Control Rating
Also known as control effectiveness. Allows you to rate controls on a particular risk.
Enable it by setting Control Rating to Yes.
1.3. Target Risk
Also known as risk tolerance, risk appetite, or acceptable risk level. Allows you to determine the maximum amount of risk that is acceptable to the organisation.
Enable it by setting Target Risk to Yes.
When a user is assessing a risk, they will see the Target Risk slider, which allows them to set the target risk level.
This functionality enables you to generate reports, such as the Risk Gap Report, and view snapshots, such as the Risk Gap.
1.4. Risk Rating
Once you have selected the risk matrix type, you can configure the matrix itself to reflect your organisation's risk framework.
Customise it by selecting the cells of the matrix to adjust the risk rating associated with that particular level of likelihood and consequence.