Calculating the overall risk
Several factors determine how Hyperproof calculates the overall risk.
Likelihood and impact are factored into the inherent risk.
Inherent risk, control impact, and control health are factored into the residual risk. If used, the mitigation percentage is also factored into the residual risk.
The overall risk is determined by comparing the tolerance to the residual risk.
Step one: Determine the inherent likelihood and the inherent impact
Both inherent likelihood and inherent impact are based on a five-point scale with qualitative and quantitative representations:
Very high (5)
High (4)
Moderate (3)
Low (2)
Very low (1)
Step two: Determine the inherent risk
The inherent risk is calculated as inherent likelihood x inherent impact.
For example, if the inherent likelihood of a risk is very high (5) and the inherent impact is very low (1), the inherent risk score is 5 x 1 = 5. That score is then mapped onto the risk scale (see Custom risk mapping below for how the score ranges for each level are set).
Step three: Set the mitigation
Mitigation is entered by the user on a control-by-control basis, as the percentage of the risk's likelihood and impact that the control addresses.
Step four: Determine the residual likelihood and the residual impact
The residual likelihood is calculated as inherent likelihood x (1 - likelihood mitigation percentage).
The residual impact is calculated as inherent impact x (1 - impact mitigation percentage).
Step five: Determine the residual risk
The residual risk is calculated as residual likelihood x residual impact. If a control isn’t healthy, it's not doing its job of mitigating the risk!
The control health discounts the mitigation factor according to the following schedule:
Healthy - 0%
At risk - 50%
Critical - 100%
For each control, the actual mitigation factor is calculated as (the mitigation factor the user entered) x (1 - the discount from the control's health).
For example, if a control is supposed to address 50% of a risk (user-entered) but its health is at risk, the actual mitigation factor is 25%: 0.50 x (1 - 0.50) = 0.25.
Step six: Determine the overall risk
The overall risk is determined by comparing the tolerance to the residual risk.
Tolerance is set on a risk-by-risk basis and is determined by the risk owner (or organization administrator). Hyperproof's default tolerance scale is:
Very high (5)
High (4)
Moderate (3)
Low (2)
Very low (1)
Not set (i.e. no tolerance level)
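The six steps above carried through end to end, as an added example that is not Hyperproof's own code. It applies the formulas exactly as the page states them (inherent risk, health discount, residual likelihood and impact, residual risk, comparison with tolerance). Two things the page does not specify are assumptions here and are marked as such in the code: the score ranges that map a likelihood x impact product back onto the five-point scale, and how the effective mitigation of several controls on one risk is combined (summed and capped at 100%). The control names and percentages are constructed sample data.

```python
from dataclasses import dataclass

# Discount applied to a control's mitigation factor according to its health
# (schedule from the page: healthy 0%, at risk 50%, critical 100%).
HEALTH_DISCOUNT = {"healthy": 0.0, "at_risk": 0.5, "critical": 1.0}

# ASSUMPTION: the page does not give the score ranges that map a
# likelihood x impact product (1..25 on the default scale) back onto the
# five levels, so these inclusive upper bounds are illustrative only.
DEFAULT_BANDS = [(2, 1, "Very low"), (5, 2, "Low"), (10, 3, "Moderate"),
                 (15, 4, "High"), (25, 5, "Very high")]

# The 3-level custom scale from the page (Low 1, Fair 5, Catastrophic 10)
# with its 0-30 / 31-50 / 51-100 score groupings.
CUSTOM_BANDS = [(30, 1, "Low"), (50, 2, "Fair"), (100, 3, "Catastrophic")]


@dataclass
class Control:
    name: str
    likelihood_mitigation: float  # user-entered share of likelihood addressed, 0..1
    impact_mitigation: float      # user-entered share of impact addressed, 0..1
    health: str                   # "healthy", "at_risk" or "critical"

    def effective_mitigation(self):
        """Actual mitigation factor = entered factor x (1 - health discount)."""
        keep = 1.0 - HEALTH_DISCOUNT[self.health]
        return (self.likelihood_mitigation * keep, self.impact_mitigation * keep)


def inherent_risk(likelihood, impact):
    """Step two: inherent likelihood x inherent impact."""
    return likelihood * impact


def combined_mitigation(controls):
    """ASSUMPTION: effective mitigations of separate controls add up, capped at 100%."""
    lk = min(1.0, sum(c.effective_mitigation()[0] for c in controls))
    im = min(1.0, sum(c.effective_mitigation()[1] for c in controls))
    return lk, im


def residual_risk(likelihood, impact, controls):
    """Steps four and five: residual likelihood, residual impact, residual risk."""
    lk_m, im_m = combined_mitigation(controls)
    res_likelihood = likelihood * (1.0 - lk_m)
    res_impact = impact * (1.0 - im_m)
    return res_likelihood, res_impact, res_likelihood * res_impact


def risk_level(score, bands=DEFAULT_BANDS):
    """Map a risk score onto the (default or custom) scale; returns (value, label)."""
    for upper, value, label in bands:
        if score <= upper:
            return value, label
    return bands[-1][1], bands[-1][2]


def overall_risk(residual_score, tolerance, bands=DEFAULT_BANDS):
    """Step six: compare the residual risk level with the tolerance level (None = not set)."""
    value, label = risk_level(residual_score, bands)
    if tolerance is None:
        return f"{label}: tolerance not set"
    if value <= tolerance:
        return f"{label}: within tolerance"
    return f"{label}: exceeds tolerance"


if __name__ == "__main__":
    # Constructed scenario: a credential-stuffing risk rated High (4) likelihood,
    # Very high (5) impact, with two controls. The backup control is "at risk",
    # so its 40% impact mitigation only counts for 20%.
    controls = [Control("MFA enforced on SSO", 0.5, 0.0, "healthy"),
                Control("Tested offline backups", 0.0, 0.4, "at_risk")]
    print("inherent risk:", inherent_risk(4, 5))
    rl, ri, rr = residual_risk(4, 5, controls)
    print("residual likelihood/impact/risk:", rl, ri, rr)
    print("overall risk (tolerance Moderate):", overall_risk(rr, tolerance=3))
    print("same risk with no controls:", overall_risk(residual_risk(4, 5, [])[2], 3))
```

Running it shows why control health matters operationally: the same risk that sits within a Moderate tolerance with both controls in place jumps to "exceeds tolerance" as soon as the controls are critical or missing, because a critical control contributes 0% mitigation regardless of what the owner entered.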
Custom risk mapping
Administrators have the option to customize the risk mapping, i.e., to change the point scale and the score ranges for each level to better suit the organization.
The risk scale can have 3 to 10 levels with custom point values. For example, an organization might choose a 3-point likelihood scale and a 3-point impact scale. They might decide on the following values:
Low (1)
Fair (5)
Catastrophic (10)
![custom-risk-scale.png](../../image/uuid-b1e2adc1-7fdf-8872-2843-b13c4c00018e.png)
Likelihood and impact custom risk mapping
The applicable values for each risk level can be adjusted, as shown below with 0 to 30, 31 to 50, and 51 to 100 groupings.
![custom-risk-scale2.png](../../image/uuid-5d865e17-8778-00a0-214f-5e04797cd22b.png)
Custom risk scale
Refer to Customizing the Risk Register for more information.