The world’s first software-as-a-service (SaaS) IT Risk Assessment Tool

The Information Technology Assessment Tool makes it easy to identify, assess, mitigate and manage IT risks

Completing a New IT Risk Assessment

 

FRAT-Getting-Started1

Getting started

To start a risk assessment select New Assessment from the main menu, which will direct you to the Assessment Information screen which is used for:

  • Naming the assessment
  • Selecting the assessment type
    • Full (includes all of the following dimensions collectively)
    • Internal Risk Management Only
    • Internal Systems Development Lifecycle Only
    • Internal Threat Assessment Only
    • External Risk Management Only
    • External Threat Assessment Only
  • Select industry sector from the 30+ available

The 650+ risk factors have been configured against each of the 30+ industry sectors which creates default out-of-the-box settings which can be adjusted.

ABCRAT-Completed-By

Completed By

Next provide the following details outlining who is completing the risk assessment:

  • Full name
  • Company name
  • Position/Title
  • Telephone
  • Email address
  • Assessment period
MLRAT-Context-Framed.PNG.png

Provide context behind the risk assessment

The context fields are mandatory for full assessments only – below is a summary of the key fields:

  • General comments
  • Nature, size and complexity of the business
  • Number of employees
  • Key lines of business subject to IT risk management
  • Products/services offered
  • Channels for delivery of regulated business to end customers:
  • Ownership structure of the business
  • Types of customers and countries the organisation deals with
  • Description of how the IT risk assessment will be kept current
  • Process for updating/refreshing the IT risk assessment
  • Name of the person responsible for IT risk oversight and contact info.
MLRAT-Qs-Detail-Framed.PNG.png

Risk Factors

There are over 650 different risk factors that are organised into a hierarchy – Group, Category and Sub-Category with risk factors rolling up to these levels.The risk factor is in the form of a question with an associated assumption / risk context description that explains the rationale as to why the risk factor should be considered.

The weight field is carried over from the configuration settings and is used in the calculation of a risk score at the risk factor level.

The scoring scale goes from 0 to 5 (low to high) and appears in the model rating summary report.  The end user should answer Yes or No to the question and provide any relevant comments that assist in explaining the assessment.

ABCRAT-Inherent-Rating

Inherent Risk Rating

The end user must then assess the inherent risk, meaning the likelihood of a risk event occurring, multiplied by the impact of a risk event if it were to occur to provide an overall inherent risk rating.The likelihood rating is a six point scale and includes the following values – not applicable, rare, unlikely, likely, very likely and guaranteed.

The impact rating is also a six point scale and includes the following values – not applicable, insignificant, low, moderate, high and extreme.

The risk assessment tool has in-built logic to calculate the overall inherent risk rating based on the likelihood x impact and a field to capture any relevant comments.  The inherent risk score for every risk factor is plotted into the inherent risk matrix on the final PDF report to display the inherent risk concentration across all active risk factors present in the model.

ABCRAT-Residual

Residual Risk Rating

Next consider the existence and effectiveness of mitigating controls that can serve to reduce the overall inherent risk rating (or conversely, if non-existent or poor/ineffective then the overall inherent risk rating will be higher), which results in an overall residual risk rating with a rating scale from Low to High.   The end user should also document the nature of control measures designed to reduce risks.

The effectiveness of control rating comprises a six point scale and includes the following values – not applicable, none, poor/ineffective, fair/moderately effective, good/effective and excellent/highly effective.

The residual risk score for every risk factor is plotted into the residual risk matrix on the final PDF report to display the residual risk concentration across all active risk factors present in the model.

Why not sign up for an obligation free trial today?

Contact us and we will provide you with access to a limited functionality no obligation free trial today!