Evaluating proposed risks
Roles and permissions
The following roles can evaluate proposed risks:
Anyone with manager permissions for the assessment
Anyone with manager permissions on the evaluation
You’ll do the majority of your assessment work in the Evaluations tab. From here, you can assess risks and proposed risks and record your findings. You also have the option to assign evaluation work to different team members. As always, you can communicate with team members about a particular evaluation via the Activity Feed.
When evaluating a proposed risk, setting the risk to Approved promotes it to the selected risk register as an actual risk. If the proposed risk is not approved and shouldn't be promoted, set the status to Closed, then return to the risk intake register and archive the proposed risk. See Rejecting a proposed risk.
This article explains how to assess evaluations linked to proposed risks in a risk assessment. For information on evaluating controls or requirements, see Evaluating controls, requirements, and risks. For information on evaluating risks, see Evaluating risks.
Tip
Active evaluations can also be accessed via Work items. From the left menu, select Work items, then select the Evaluations tab.
A note about the risk evaluation user interface
The risk evaluation user interface differs from the control and requirement evaluation user interface. These differences are intentional and reflect ongoing efforts to improve usability, accessibility, and overall user experience. The updated interface is designed to make your time spent evaluating a risk smoother and more efficient.
Risk evaluations feature a split-pane view. The left pane contains information about the target object, i.e., the risk being evaluated, while the right pane contains information about the evaluation itself, such as linked objects, proof, and other relevant details.
Note
The fields displayed in the left pane are the risk fields selected during the assessment creation process. For example, if you only selected 'inherent risk', 'inherent impact', and 'mitigation', only those three fields would appear in the left pane.
Proposed risk evaluations include two additional fields:
Risk Register - The risk register determines which fields are included in the evaluation and where approved proposed risks will be stored when promoted.
ID - Proposed risks are assigned an ID when they are created, but you can change that ID during the evaluation process.
Evaluating proposed risks
Note
When the risk evaluation status for a proposed risk is set to Approved, Hyperproof updates the original risk record with any changes made to the risk fields being evaluated.
Hyperproof also promotes the proposed risk to an actual risk and moves it to the selected risk register.
From the left menu, select Assessments.
Select your assessment.
Select the Evaluations tab.
A list of evaluations is displayed.
Select the evaluation you want to assess.
From the left pane, do any or all of the following:
Change the status of the evaluation.
Note
When an evaluation is marked as 'Approved', a confirmation window displays, alerting the user that the associated risk will be automatically updated using the values from the evaluation. Once an evaluation is approved, the status can't be changed.
The fields that appear in the left pane are determined by the evaluation fields selected during the creation of the risk assessment, as well as whether the risk being evaluated is a proposed risk. You can:
Select or change the risk register where the proposed risk will be placed if approved. This option also determines the set of subsequent fields that display.
Change the ID of the proposed risk.
Change the name of the evaluation.
Set the inherent risk, inherent likelihood, inherent impact, rationale, and/or tolerance.
Inherent risk - The level of risk if no mitigation is performed. This value is determined by the risk being evaluated.
Inherent likelihood with rationale - The measure of how likely a risk is to occur without any preventative measures (controls) in place. This value is determined by the risk being evaluated.
Inherent impact with rationale - The measure of impact an event has on an organization when there are no preventative measures (controls) in place. This value is determined by the risk being evaluated.
Tolerance - The level of risk that an organization is willing to bear. This value is determined by the risk being evaluated.
Set or change the risk category - The category is the classification to which the risk belongs, e.g., Breach. This value is determined by the risk being evaluated.
Set or change the response action.
Set or change the owner - The owner is the individual in your organization responsible for the risk. This value is determined by the risk being evaluated.
Enter or edit the description - The description is an overview of the risk. This value is determined by the risk being evaluated.
Set or edit any custom fields associated with the risk.
View or link controls - Displays controls that are linked to the risk. This value is determined by the risk being evaluated.
Set or edit mitigation and rationale values for linked controls.
From the right pane, do any or all of the following:
Click the facepile to manage user permissions for the evaluation.
Hover over the current description to change it.
Expand the Research section to add tasks or assessment surveys. For proposed risks, you can also view the risk intake survey response by clicking the title.
Assessment surveys must be configured first from the Assessments > Risk Surveys tab.
Expand the Details section and do any or all of the following:
Set the evaluation priority.
View the evaluation source.
Edit the due date.
View the Created on and Updated on dates.
Enter your observations.
Expand the Assignee section and do any or all of the following:
Change the current assignee or group.
Expand the Past evaluations section to link to a previous evaluation (these are previously approved evaluations related to the risk being assessed).
Expand the Linked objects section to link a related object to the evaluation.
Expand the Related issues section to link related issues to the evaluation.
Expand the Proof section to link proof to the evaluation.
Tip
Proof that is indirectly linked to the evaluation is shown with an Indirect link icon.

Communicate with team members via the Activity Feed.
Tip
Looking to score controls (either numerically or categorically)? Create a custom field on your evaluations.