Calculating the overall risk

Several factors determine how Hyperproof calculates the overall risk.

  • Likelihood and impact are factored into the inherent risk.

  • Inherent risk, control impact, and control health are factored into the residual risk. If used, the mitigation percentage is also factored into the residual risk.

  • The overall risk is determined by comparing the tolerance to the residual risk.

Step one: Determine the inherent likelihood and the inherent impact

Both inherent likelihood and inherent impact are based on a five-point scale with qualitative and quantitative representations:

  • Very high (5)

  • High (4)

  • Moderate (3)

  • Low (2)

  • Very low (1)

Step two: Determine the inherent risk

The inherent risk is calculated as inherent likelihood x inherent impact.

For example, if the inherent likelihood of a risk is very high (5) and the inherent impact is very low (1), the inherent risk is very high (5).

Step three: Set the mitigation

Mitigation is determined by the user on a control-by-control basis.

Step four: Determine the residual likelihood and the residual impact

The residual likelihood is calculated as inherent likelihood x (1 - likelihood mitigation percentage).

The residual impact is calculated as inherent impact x (1 - impact mitigation percentage).

Step five: Determine the residual risk

The residual risk is calculated as residual likelihood x residual impact. If a control isn't healthy, it's not doing its job of mitigating the risk!

Step six: Determine the overall risk

The overall risk is determined by comparing the tolerance to the residual risk.

Tolerance is set on a risk-by-risk basis and is determined by the risk owner (or organization administrator). Hyperproof's default tolerance scale is:

  • Very high (5)

  • High (4)

  • Moderate (3)

  • Low (2)

  • Very low (1)

  • Not set (i.e., no tolerance level)
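The six steps above, carried through in code as an added worked example. This is illustrative code written for this page, not Hyperproof's own implementation; how several controls' mitigation percentages combine, that an unhealthy control contributes no mitigation, and that tolerance is compared numerically on the same scale as the residual risk are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Control:
    """One control with the mitigation a user set for it (step three)."""
    name: str
    likelihood_mitigation: float  # fraction 0.0-1.0 of likelihood removed
    impact_mitigation: float      # fraction 0.0-1.0 of impact removed
    healthy: bool                 # control health: unhealthy = assumed no mitigation


def inherent_risk(likelihood: int, impact: int) -> int:
    """Step two: inherent likelihood x inherent impact (five-point scales)."""
    return likelihood * impact


def effective_mitigation(controls: List[Control], attr: str) -> float:
    """Assumption: only healthy controls mitigate, and their percentages
    combine so the remaining exposure is the product of (1 - m) per control."""
    remaining = 1.0
    for c in controls:
        if c.healthy:
            remaining *= 1.0 - getattr(c, attr)
    return 1.0 - remaining


def residual_risk(likelihood: int, impact: int,
                  controls: List[Control]) -> Tuple[float, float, float]:
    """Steps four and five: residual likelihood, residual impact, residual risk."""
    lm = effective_mitigation(controls, "likelihood_mitigation")
    im = effective_mitigation(controls, "impact_mitigation")
    res_l = likelihood * (1 - lm)   # inherent likelihood x (1 - likelihood mitigation)
    res_i = impact * (1 - im)       # inherent impact x (1 - impact mitigation)
    return res_l, res_i, res_l * res_i


def overall_risk(residual: float, tolerance: Optional[float]) -> str:
    """Step six: compare tolerance to residual risk; None means 'Not set'."""
    if tolerance is None:
        return "not set"
    return "exceeds tolerance" if residual > tolerance else "within tolerance"


if __name__ == "__main__":
    # Constructed sample: likelihood High (4), impact Moderate (3), two controls,
    # one of which is unhealthy and therefore (by assumption) mitigates nothing.
    controls = [Control("MFA enforced", 0.5, 0.0, healthy=True),
                Control("Quarterly access review", 0.5, 0.5, healthy=False)]
    print("inherent:", inherent_risk(4, 3))
    res_l, res_i, res = residual_risk(4, 3, controls)
    print("residual:", res_l, res_i, res, "->", overall_risk(res, 5))
```

Marking the second control healthy drops the residual risk from 6.0 to 1.5, which shows why control health is part of the residual-risk calculation.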

Custom risk mapping

Administrators can customize risk mapping by adjusting the point scale to better suit the organization.

The risk scale can have 3 to 10 levels with custom point values. Note that Hyperproof only accepts integer values; it does not accept a range of values. For example, an organization might choose a 3-point likelihood scale and a 3-point impact scale. They might decide on the following values:

  • Low (1)

  • Fair (5)

  • Catastrophic (10)

[Image: Likelihood and impact of custom risk mapping]

The applicable values for each risk level can be adjusted, as shown below, into 0-30, 31-50, and 51-100 groupings.

[Image: Custom risk scale]

Refer to Customizing the Risk Register for more information.