
Calculating the overall risk

Several factors determine how Hyperproof calculates the overall risk.

  • Likelihood and impact are factored into the inherent risk.

  • Inherent risk, control impact, and control health are factored into the residual risk. If used, the mitigation percentage is also factored into the residual risk.

  • The overall risk is determined by comparing the tolerance to the residual risk.

Step one: Determine the inherent likelihood and the inherent impact

Both inherent likelihood and inherent impact are based on a five-point scale with qualitative and quantitative representations:

  • Very high (5)

  • High (4)

  • Moderate (3)

  • Low (2)

  • Very low (1)

Step two: Determine the inherent risk

The inherent risk is calculated as inherent likelihood x inherent impact.

For example, if the inherent likelihood of a risk is very high (5) and the inherent impact is very low (1), the inherent risk is very high (5).

Step three: Set the mitigation

Mitigation is determined by the user on a control by control basis.

Step four: Determine the residual likelihood and the residual impact

The residual likelihood is calculated as inherent likelihood x (1 - likelihood mitigation percentage).

The residual impact is calculated as inherent impact x (1 - impact mitigation percentage).

Step five: Determine the residual risk

The residual risk is calculated as residual likelihood x residual impact. If a control isn’t healthy, it's not doing its job of mitigating the risk!

The control health discounts the mitigation factor according to the following schedule:

  • Healthy - 0%

  • At risk - 50%

  • Critical - 100%

For each control, the actual mitigation factor is calculated as (the mitigation factor the user entered) x (1 - the discount from the health).

For example, if a control is supposed to address 50% of a risk (user-entered) but is at risk, the actual mitigation factor is 25 percent. This is expressed as .50 x (1 - .50) = .25.

Step six: Determine the overall risk

The overall risk is determined by comparing the tolerance to the residual risk.

Tolerance is set on a risk by risk basis and is determined by the risk owner (or organization administrator). Hyperproof's default tolerance scale is:

  • Very high (5)

  • High (4)

  • Moderate (3)

  • Low (2)

  • Very low (1)

  • Not set (i.e. no tolerance level)

Custom risk mapping

Administrators have the option to customize risk mapping, i.e. changing the point scale to better suit the organization.

The risk scale can have 3 to 10 levels with custom point values. For example, an organization might choose a 3-point likelihood scale and a 3-point impact scale. They might decide on the following values:

  • Low (1)

  • Fair (5)

  • Catastrophic (10)

[Image: Likelihood and impact custom risk mapping]

The applicable values for each risk level can be adjusted, as shown below with 0 to 30, 31 to 50, and 51 to 100 groupings.

[Image: Custom risk scale]
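The following is an added example, not Hyperproof's own code: a small Python model of the six-step calculation described above (inherent risk, health-discounted mitigation, residual likelihood and impact, residual risk, and the tolerance comparison), written so that the same function also works with a custom scale and the 0 to 30 / 31 to 50 / 51 to 100 groupings from the custom risk mapping section. Two points the page leaves open are filled in as labelled assumptions: how several controls' mitigation percentages combine, and how "comparing the tolerance to the residual risk" yields the overall verdict. The control name and its percentages are constructed sample input.

```python
"""Added example, not Hyperproof's code: a minimal model of the risk
calculation steps this page describes, parameterised by a level scale
(name -> points) and by score bands (upper bound -> level name)."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Health discount schedule from the page (step five).
HEALTH_DISCOUNT = {"Healthy": 0.0, "At risk": 0.5, "Critical": 1.0}


@dataclass
class Control:
    name: str
    likelihood_mitigation: float = 0.0  # user-entered share of likelihood addressed, 0..1
    impact_mitigation: float = 0.0      # user-entered share of impact addressed, 0..1
    health: str = "Healthy"             # one of HEALTH_DISCOUNT's keys


def actual_mitigation(entered: float, health: str) -> float:
    """Step five: discount the entered mitigation factor by the control's health."""
    return entered * (1 - HEALTH_DISCOUNT[health])


def combine(mitigations: Iterable[float]) -> float:
    """ASSUMPTION (not stated on the page): several controls' mitigations are
    applied one after another, i.e. combined = 1 - prod(1 - m_i)."""
    remaining = 1.0
    for m in mitigations:
        remaining *= 1 - m
    return 1 - remaining


def to_level(score: float, bands: list) -> str:
    """Map a numeric score onto a level using ascending (upper_bound, name) bands,
    e.g. the page's 0-30 / 31-50 / 51-100 grouping for a custom scale."""
    for upper, name in bands:
        if score <= upper:
            return name
    return bands[-1][1]  # anything beyond the last band gets the top level


def assess(likelihood: float, impact: float, controls: list,
           tolerance: Optional[str], scale: dict, bands: list) -> dict:
    # Step two: inherent risk = inherent likelihood x inherent impact.
    inherent = likelihood * impact
    # Steps three to five: health-discounted mitigation, then the residual values.
    lik_mit = combine(actual_mitigation(c.likelihood_mitigation, c.health) for c in controls)
    imp_mit = combine(actual_mitigation(c.impact_mitigation, c.health) for c in controls)
    residual_likelihood = likelihood * (1 - lik_mit)
    residual_impact = impact * (1 - imp_mit)
    residual = residual_likelihood * residual_impact
    residual_level = to_level(residual, bands)
    # Step six: ASSUMPTION about how the comparison works: the residual risk's
    # level is compared with the tolerance level's points; "Not set" gives no verdict.
    if tolerance is None:
        overall = "Not set"
    elif scale[residual_level] > scale[tolerance]:
        overall = "Above tolerance"
    else:
        overall = "Within tolerance"
    return {
        "inherent": inherent,
        "residual_likelihood": residual_likelihood,
        "residual_impact": residual_impact,
        "residual": residual,
        "residual_level": residual_level,
        "overall": overall,
    }


if __name__ == "__main__":
    # Custom three-level scale and score groupings taken from the page.
    scale = {"Low": 1, "Fair": 5, "Catastrophic": 10}
    bands = [(30, "Low"), (50, "Fair"), (100, "Catastrophic")]
    # Constructed sample control: entered as addressing 50% of the likelihood,
    # but currently "At risk", so it only counts for 25% (the page's example).
    controls = [Control("Quarterly access review", likelihood_mitigation=0.5, health="At risk")]
    result = assess(scale["Catastrophic"], scale["Fair"], controls, "Low", scale, bands)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as a script, the constructed case gives an inherent risk of 50, a residual likelihood of 7.5 (10 x (1 - 0.25)), a residual risk of 37.5 that lands in the 31 to 50 "Fair" band, and an overall verdict of "Above tolerance" because the tolerance was set to Low. Swapping the control's health to "Critical" zeroes its mitigation and the residual risk climbs back to the inherent 50, which is what the page means by a control that "is not doing its job".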

Refer to Customizing the Risk Register for more information.