Calculating assurance for risk

When you enable assurance, you aggregate testing results and issues for an active project or framework associated with multiple projects. This allows you to report on assurance for a single project, or across all projects associated with a framework.

This topic provides examples of assurance so that you can become familiar with the calculations associated with assurance.

Demonstrating assurance for a single project

Demonstrate assurance for a single project to show confidence that organizational risk is being effectively mitigated.

Example

Scenario

You are conducting an IT General Controls Review and need to quantitatively assess risk. You have one objective in your project (Physical Security) and two risks associated with that objective. You enable assurance in the project and begin conducting project work.

Scoring risks

You assess risk on two risk scoring factors, Impact and Likelihood, and use a 5-point scale to score risks:

| Objective | Risk | Description | Scoring |
|---|---|---|---|
| Physical Security | Risk 1 | Unauthorized entry into secure server room. | Impact = 5, Likelihood = 3 |
| Physical Security | Risk 2 | Facilities storing sensitive data or company information are not adequately secured. | Impact = 2, Likelihood = 2 |

Inherent Risk Score calculation

Based on your risk scoring, Projects automatically calculates the Inherent Risk Score of each risk, as well as the Total Inherent Risk Score:

  • Risk 1 (5 x 3) = 15.0
  • Risk 2 (2 x 2) = 4.0

Total Inherent Risk Score (15 + 4) = 19.0.

Defining controls, associated risks, and control weights

You define four controls that help to mitigate the two identified risks, including their associated risks, and the percentage of the risk that the control mitigates (Control Weight):

| Control | Description | Associated Risk | Control Weight |
|---|---|---|---|
| Control 1 | A lock is in place at the facility entrance. | Risk 1 | 100% |
| Control 2 | A security camera is in place to record suspicious activity. | Risk 1 | 20% |
| Control 3 | All server facility entrances are protected by a key card access system. | Risk 1 | 80% |
| Control 3 | (as above) | Risk 2 | 50% |
| Control 4 | All office facility entrances are monitored by administrative personnel. | Risk 1 | 50% |
| Control 4 | (as above) | Risk 2 | 50% |

Testing controls

In your project, you do not have any testing rounds - instead, you have one walkthrough per control. You test each control and document the results:

| Control | Testing Result | Pass or Fail? |
|---|---|---|
| Control 1 | Operating Effectively | Pass |
| Control 2 | Exception(s) Noted | Fail |
| Control 3 | Operating Effectively | Pass |
| Control 4 | Operating Effectively | Pass |

Residual Risk Score

Based on your defined risk-control associations, specified control weights, and testing results, Projects automatically calculates the Residual Risk Score for each risk, as well as the Total Residual Risk Score.

Residual Risk Score is calculated by multiplying the Inherent Risk Score by the Control Weight for the associated controls that have failed:

  • Risk 1: only Control 2 (20%) failed, so 15.0 x 0.2 = Residual Risk Score 3.0. The passing controls (100%, 80%, and 50%) cover the risk in full, so no unmitigated portion is added.
  • Risk 2: Controls 3 and 4 are both passing and collectively mitigate Risk 2 by 100%, so the Residual Risk Score for Risk 2 is 0.0.

The Total Residual Risk Score is calculated by adding all Residual Risk Scores:

Risk 1 Residual Risk Score (3.0) + Risk 2 Residual Risk Score (0.0) = Total Residual Risk Score (3.0).

Overall Assurance

Overall Assurance, displayed within the project, is calculated as follows:

(Total Inherent Risk Score (19.0) - Total Residual Risk Score (3.0)) / Total Inherent Risk Score (19.0) = Overall Assurance (84%).

Demonstrating assurance across multiple projects

Demonstrate assurance across multiple projects associated with a framework to show confidence that organizational risk is being effectively mitigated.

Example

Scenario

You need to centrally manage five different projects and quantitatively assess risk across all five projects. In your framework, there is one objective that contains two risks.

| Framework | Objective | Risk |
|---|---|---|
| Framework 1 | Objective 1 | Risk 1 |
| Framework 1 | Objective 1 | Risk 2 |

Process

You import the risks into the relevant projects, enable assurance in both the framework and the projects, and test controls. You note any issues, where applicable.

Result

Testing results and issues are automatically aggregated from each project to the framework. Assurance calculations aggregate to the framework as follows:

Project level risk scores

| Project | Inherent Risk Score | Residual Risk Score | Associated framework risk |
|---|---|---|---|
| Project 1 | 9.0 | 2.0 | Risk 1 |
| Project 2 | 6.0 | 2.0 | Risk 1 |
| Project 3 | 3.0 | 1.0 | Risk 1 |
| Project 3 | 0.0 | 0.0 | Risk 2 |
| Project 4 | 5.0 | 1.0 | Risk 2 |
| Project 5 | 5.0 | 1.0 | Risk 2 |

Framework level risk scores

| Framework risk | Inherent Risk Score | Residual Risk Score | Associated projects |
|---|---|---|---|
| Risk 1 | 18.0 | 5.0 | 1, 2, 3 |
| Risk 2 | 10.0 | 2.0 | 3, 4, 5 |

Assurance of Objective 1: 75%

(Total Inherent Risk Score (28.0) - Total Residual Risk Score (7.0)) / Total Inherent Risk Score (28.0) = 75%

More examples

View additional scenarios that illustrate how assurance for risk is calculated within a single project.

A risk covered by a single control

In each case, a single risk (Risk A) is covered by a single control (Control A). Custom Risk Scoring Factor 1 is Velocity (weight 80%) and Custom Risk Scoring Factor 2 is Vulnerability (weight 50%); "--" means the factor is not scored for that case.

| Case | Impact | Likelihood | Velocity (weight 80%) | Vulnerability (weight 50%) | Inherent Risk Score | Control Weight | Operating Effectively? | Residual Risk Score calculation | Explanation |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 2 | 5 | -- | -- | 10 | 85% | Yes | 10 x (1 - 0.85) | No controls failed; combined control weight of all controls is < 1 |
| 2 | 3 | 3 | -- | -- | 9 | 100% | Yes | 0 | No controls failed and combined control weight of all controls is >= 1; control mitigates risk below risk tolerance level |
| 3 | 2 | 5 | 5 | -- | 40 | 85% | Yes | 40 x (1 - 0.85) | No controls failed; combined control weight of all controls is < 1 |
| 4 | 3 | 3 | 5 | 5 | 90 | 100% | Yes | 0 | No controls failed and combined control weight of all controls is >= 1; control mitigates risk below risk tolerance level |
| 5 | 3 | 3 | -- | -- | 9 | 55% | No | (9 x 0.55) + (9 x (1 - 0.55)) | Control failed; combined control weight of all controls is < 1 |

A risk covered by two controls

In both cases, Risk A is covered by Controls A and B, and no custom risk scoring factors are scored.

| Case | Impact | Likelihood | Inherent Risk Score | Control A (weight, operating effectively?) | Control B (weight, operating effectively?) | Residual Risk Score calculation | Explanation |
|---|---|---|---|---|---|---|---|
| 1 | 3 | 3 | 9 | 100%, Yes | 75%, No | 9 x 0.75 | Control failed; combined control weight of all controls is >= 1 |
| 2 | 4 | 3 | 12 | 25%, No | 100%, No | 12 x 1 | Controls failed; combined control weight is > 1 |

In case 2 the failed controls' combined weight (125%) exceeds 100%, so the Residual Risk Score is capped at the Inherent Risk Score (12 x 1, not 12 x 1.25).

A risk covered by three controls

In both cases, Risk A is covered by Controls A, B, and C, and no custom risk scoring factors are scored.

| Case | Impact | Likelihood | Inherent Risk Score | Control A (weight, operating effectively?) | Control B (weight, operating effectively?) | Control C (weight, operating effectively?) | Residual Risk Score calculation | Explanation |
|---|---|---|---|---|---|---|---|---|
| 1 | 5 | 3 | 15 | 40%, Yes | 45%, No | 15%, No | 15 x (0.45 + 0.15) | Controls failed; residual risk is calculated from the failed control walkthroughs/tests only |
| 2 | 5 | 3 | 15 | 25%, Yes | 45%, No | 15%, No | 15 x (0.45 + 0.15) + 15 x (1 - 0.85) | Controls failed and combined control weight of all controls is < 1 |

Calculations

Learn about the calculations associated with assurance.

| Term | Calculation | Remarks |
|---|---|---|
| Risk Scoring Factor Weight | | Values (1-1000%) input by the user to express the importance of the risk scoring factor. The higher the weight, the more important the factor is to your organization and the more it contributes to the Total Inherent Risk Score. The range allows full customization of your scoring; for example, you can weight one risk scoring factor five times more than another (Vulnerability = 100%, Velocity = 500%). The sum of risk scoring factor weights can add up to any number. Note: you cannot modify the weight of the default risk scoring factors (Likelihood and Impact), which is fixed at 100%. |
| Inherent Risk Score (Risk) | (Impact x Likelihood) x (Custom Risk Scoring Factor x Weight) | |
| Inherent Risk Score (Objective) | SUM (Inherent Risk Scores for all risks in the objective) | |
| Total Inherent Risk Score (Project) | SUM (Inherent Risk Scores per objective) | |
| Total Inherent Risk Score (Framework) | SUM (Inherent Risk Scores in all projects containing the risk) | |
| Control Weight | | Values (0-100%) input by the user to express the percentage of the risk that the control mitigates. The sum of control weights can add up to any number. |
| Residual Risk Score (Risk) | SUM (Inherent Risk Score x Control Weight, for each associated control that is not operating effectively) + (Inherent Risk Score x (1 - Sum of Control Weights), only if the Total Control Weight is less than 100%) | A control is marked as failed and used in the Residual Risk Score calculation when any one walkthrough is not designed appropriately, or any one testing round is not operating effectively. Assurance decreases in either case. Projects calculates one Residual Risk Score per risk, not one per testing round. |
| Residual Risk Score (Objective) | SUM (Residual Risk Scores for all risks in the objective) | |
| Total Residual Risk Score (Project) | SUM (Residual Risk Scores per objective) | |
| Total Residual Risk Score (Framework) | SUM (Residual Risk Scores in all projects containing the risk) | |
| Overall Assurance (Project) | (Total Inherent Risk Score - Total Residual Risk Score) / Total Inherent Risk Score | |
| Overall Assurance (Framework) | (Total Inherent Risk Scores in all projects containing the risk - Total Residual Risk Scores in all projects containing the risk) / Total Inherent Risk Scores in all projects containing the risk | |
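The calculations above, implemented as an added Python example (not the product's own code) and replayed on the single-project scenario and the cases under More examples. The names (`Risk`, `Control`, `residual_score`, `assurance`) are mine; the one rule not stated outright, that the failed controls' combined weight is capped at 100%, is inferred from the two-control case that gives 12 x 1 rather than 12 x 1.25.

```python
# Added example, not the product's own code: the assurance arithmetic this page
# describes, replayed below on the page's single-project scenario. One assumption
# is inferred from the two-control example (12 x 1, not 12 x 1.25): the summed
# weight of failed controls is capped at 100% of the inherent score.
from dataclasses import dataclass, field

@dataclass
class Control:
    weight: float      # share of the risk the control mitigates, 0.0-1.0
    effective: bool    # False once any walkthrough or testing round fails

@dataclass
class Risk:
    impact: int
    likelihood: int
    custom: list = field(default_factory=list)    # [(factor score, factor weight)]
    controls: list = field(default_factory=list)

def inherent_score(risk):
    """(Impact x Likelihood) x (score x weight) for each custom risk scoring factor."""
    score = float(risk.impact * risk.likelihood)
    for value, weight in risk.custom:
        score *= value * weight
    return score

def residual_score(risk):
    """Failed controls leave their share of the risk; any share no control covers
    at all (total control weight below 100%) also remains."""
    inherent = inherent_score(risk)
    failed = sum(c.weight for c in risk.controls if not c.effective)
    total = sum(c.weight for c in risk.controls)
    residual = inherent * min(failed, 1.0)   # cap inferred from the page, see above
    if total < 1.0:
        residual += inherent * (1.0 - total)
    return residual

def assurance(inherent_total, residual_total):
    """(Total Inherent - Total Residual) / Total Inherent; None when nothing is scored.
    Serves a project (sum over its risks) and a framework (sum over its projects)."""
    return (inherent_total - residual_total) / inherent_total if inherent_total else None

def project_assurance(risks):
    return assurance(sum(map(inherent_score, risks)), sum(map(residual_score, risks)))

# The page's single-project scenario: objective Physical Security, Risks 1 and 2.
RISK_1 = Risk(5, 3, controls=[Control(1.0, True), Control(0.2, False),
                              Control(0.8, True), Control(0.5, True)])
RISK_2 = Risk(2, 2, controls=[Control(0.5, True), Control(0.5, True)])
print(residual_score(RISK_1), project_assurance([RISK_1, RISK_2]))   # 3.0, 0.8421...
```

The framework roll-up is the same `assurance()` call on the summed project scores, e.g. `assurance(28.0, 7.0)` for Objective 1 above.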