
Create a risk and control plan

This content was translated by artificial intelligence. To request a review, send an e-mail to documentacao_se@softexpert.com.

Prerequisites

 

Presentation

In SoftExpert Risk, it is possible to plan and assemble the structure of risk and control plans. It is through this menu that the analyses of the plan's risks and controls are performed, as well as their evaluations. 

This article will show you how to create a plan.

 

Create a risk and control plan

It is possible to create a plan using different methods: from another existing plan, from a plan template, or by importing. To do this, click the arrow next to the Create button, select the desired option, and then enter the plan or template, or import the file as needed.

If the "From plan" or "From template" option is selected, some fields on the data screen will be automatically filled with information from the chosen template or plan.

 

1. Access the Plan menu (RI430).

2. Click Create and select the context type.

3. Fill in the required fields: in Identifier, click the arrow next to the field to generate an automatic identifier and enter a name for the plan. The Context field is automatically filled with the previously selected information, but it can be changed.

4. Select the scope to be covered by the plan: Risk, Performance, Process, Project, or Asset.

Information about scope types

Risk

It allows you to assemble the plan's structure with elements, risks, and controls.

Performance

Allows you to structure the plan using a scorecard. In this case, an additional field will be enabled to specify the desired scorecard. 

For this feature to function correctly, the SoftExpert Performance component must be part of the solutions acquired by the organization.

Process

It allows you to structure the plan based on a specific process. In this case, an additional field will be enabled to indicate which process should be used as a reference. 

For this feature to function correctly, the SoftExpert Process component must be part of the solutions acquired by the organization.

Project

Allows you to structure the plan based on a project or a program. To do this, select in the Object field whether the scope will be a project or a program, and then, in the field that will be enabled, select the desired project/program.

For this feature to function correctly, the SoftExpert Project component must be part of the solutions acquired by the organization. 

Asset

It allows you to assemble the plan structure with an asset, as well as elements, risks, and controls.

For this feature to function correctly, the SoftExpert Asset component must be part of the solutions acquired by the organization.

 
 

5. Inform the person responsible for the plan.

6. If the selected scope is risk or process, it will be necessary to inform the business unit to which the plan being created belongs.

7. In the Advanced Options tab, the settings for risk, opportunity, and control analyses are established, based on the plan being registered:

Advanced options settings

Include potential assessment.

Select this option so that, during the risk assessment, it is possible to perform a potential risk assessment. This assessment only considers the risks in the risk plan. 

The name of the evaluation will vary according to the settings configured in the Default View Profile Configuration tab.

Include residual assessment.

Select this option so that, during the risk assessment, a residual risk assessment can be performed. This assessment takes into account the controls and treatments of the risk plan. 

The name of the evaluation will vary according to the settings configured in the Default View Profile Configuration tab.

When you select the Include residual assessment option, the Residual calculation field will be enabled. Select one of the following options to define how the residual risk will be calculated:

  • Manual: the calculation will be performed manually, that is, during the risk assessment, fields will be presented for filling in the assessment score.
  • Percentage of control effectiveness: This option will only be displayed if the context is configured with a risk assessment method of the Matrix, Quantitative, or Matrix with Quantitative type. In this type of calculation, the result of the residual risk assessment will be obtained by multiplying the actual risk by the percentage of effectiveness of the risk controls. When the risk has only one control, the percentage of control effectiveness will be the control assessment value itself; however, when the risk has two or more controls, the effectiveness will be obtained through a calculation of the intersection of the values (percentages) of the control assessments, which is given by:

Control effectiveness = 100 - {[(100 - control_01)/100] * [(100 - control_02)/100] * ... * [(100 - control_N)/100] * 100}

The result of the residual risk assessment, for each method, is obtained as follows:

  • Quantitative: the result of the residual risk assessment will be obtained by multiplying the result of the real risk assessment by the effectiveness of the controls, which is obtained through a percentage calculation that takes into account the results of all controls for that risk.

Residual risk = Actual risk * (Control effectiveness %)

  • Matrix and Matrix with Quantitative Data: The result of the residual risk assessment will be obtained by multiplying the result of the real risk assessment by the effectiveness of the control groups defined for each axis of the matrix (detective controls and preventive controls). Therefore, it is necessary to define which controls will be used on each axis of the matrix, selecting one of the options: Detective controls minimize the X-axis and preventive controls minimize the Y-axis, or Detective controls minimize the Y-axis and preventive controls minimize the X-axis. For each axis of the matrix, the result of the real risk assessment will be multiplied by the percentage of effectiveness of the controls.

Residual risk = [Actual risk * (Control effectiveness %)] x [Actual risk * (Control effectiveness %)]

Risk classification determines whether the effectiveness of the control is used to minimize or maximize the value of the residual risk. For example, when the risk is classified as an opportunity, the controls act to increase the exposure to the original risk. In this way, the effectiveness increases the value of the residual risk, as it is desired that the risk materializes.

 
  • Subtraction of control effectiveness: This option will only be displayed if the context is configured with a risk assessment method of the Matrix, Quantitative, or Matrix with Quantitative type. In this type of calculation, the result of the residual risk assessment will be obtained by subtracting the effectiveness of the controls from the actual risk. The effectiveness of the controls is obtained through the arithmetic sum of the values of the control assessments. The result of the calculation for each method is obtained as follows:
  • Quantitative: the result of the residual risk assessment will be obtained by subtracting the effectiveness of the risk controls from the result of the real risk assessment.

Residual risk = Actual risk - (Control effectiveness)

  • Matrix and Matrix with Quantitative Data: the result of the residual risk assessment will be obtained by subtracting the sum of the results of the assessments of the control groups defined for each axis of the matrix (detective controls and preventive controls) from the result of the real risk assessment. Therefore, it is necessary to define which controls will be used on each axis of the matrix, selecting one of the options: Detective controls minimize the X-axis and preventive controls minimize the Y-axis, or Detective controls minimize the Y-axis and preventive controls minimize the X-axis. For each axis of the matrix, the sum of the results of the control assessments will be subtracted from the result of the real risk assessment.

Residual risk = [Actual risk - (Control effectiveness)] x [Actual risk - (Control effectiveness)]

  • Customize: This option will only be displayed if a custom formula has been configured. In this type of calculation, the evaluation result will be obtained through these custom formulas registered in the general parameters. Therefore, it is necessary to define which formulas will be used in the X-axis and Y-axis of the matrix.
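The control effectiveness formula and the subtraction method described above, worked through in Python. This is an added example, not SoftExpert code: the function names and the sample assessment values are constructed for illustration, and it covers only the combined effectiveness calculation and the subtraction formulas as written on this page.

```python
from math import prod

def combined_effectiveness(controls):
    """Percentage method: 100 - {[(100-c1)/100] * ... * [(100-cN)/100] * 100}."""
    if not controls:
        raise ValueError("at least one control assessment is required")
    if any(not 0 <= c <= 100 for c in controls):
        raise ValueError("control assessments must be percentages (0-100)")
    return 100 - prod((100 - c) / 100 for c in controls) * 100

def summed_effectiveness(controls):
    """Subtraction method: arithmetic sum of the control assessment values."""
    return sum(controls)

def residual_subtraction(actual_risk, controls):
    """Quantitative: Residual risk = Actual risk - (Control effectiveness)."""
    return actual_risk - summed_effectiveness(controls)

def residual_subtraction_matrix(actual_x, actual_y, detective, preventive,
                                detective_on_x=True):
    """Matrix: [Actual - effectiveness] on one axis times the same on the other.

    detective_on_x selects which control group minimizes which axis.
    """
    if detective_on_x:
        x_controls, y_controls = detective, preventive
    else:
        x_controls, y_controls = preventive, detective
    return ((actual_x - summed_effectiveness(x_controls))
            * (actual_y - summed_effectiveness(y_controls)))

if __name__ == "__main__":
    sample = [60, 50, 20]  # constructed control assessments, in percent
    # A single control is its own effectiveness; several controls combine
    # so that the result never exceeds 100.
    print("single control :", combined_effectiveness([40]))
    print("combined       :", combined_effectiveness(sample))
    # The arithmetic sum has no such ceiling, so the subtraction formula
    # as written on the page can produce a negative residual value.
    print("summed         :", summed_effectiveness(sample))
    print("residual (sub) :", residual_subtraction(80, [30, 20]))
    print("residual (sub) :", residual_subtraction(80, sample))
    # Axis assignment changes the matrix result for the same controls.
    print("matrix D->X    :", residual_subtraction_matrix(5, 4, [1], [2, 1]))
    print("matrix D->Y    :", residual_subtraction_matrix(5, 4, [1], [2, 1], False))
```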

Use identification mask for risk/opportunity analysis.

This option allows risk analysis identifiers for plans to be obtained using an identification mask. Selecting this option will enable the fields Identification Mask (only identification masks whose object is risk analysis will be available for selection) and Allow changing the identifier.

Use identification mask for control analysis. 

This option allows risk analysis identifiers for plans to be obtained using an identification mask. Selecting this option will enable the fields Identification Mask (only identification masks whose object is control analysis will be available for selection) and Allow changing the identifier.

Risk/Opportunity Assessment Approval Roadmap

This option will only be displayed if the "Allow risk and control assessment only in the design phase" option is not selected in the context, or if the assessment method associated with the type is not Matrix.

Select this option to have the risk and opportunity analyses of the plans go through approval. To do this, in the Responsible Roadmap field, select the desired responsible roadmap.

Approval guidelines for control analysis assessment

This option will only be displayed if the "Allow risk and control assessment only in the design phase" option is not selected in the context, or if the assessment method associated with the type is not Matrix.

Select this option to have the plan control analyses go through approval. To do this, in the Responsible Routing field, select the desired responsible routing.

Revalidation 

This field will only be available if the context has been configured with the revalidation option. The fields Validity, Revalidation, and Expiry Date will be displayed.

 
 

8. After finishing, click to save.

9. The registered risk plan will be displayed in the menu's list of records. If desired, you can click on:

This button allows you to view and edit plan details.
This button allows you to open the structure, to view and edit the plan data.
This button allows you to activate or deactivate the plan.
This button allows you to delete the plan.

During plan registration, you can use Copilot, SoftExpert's artificial intelligence, to assist in creating the description. For more details, see the article Using AI in text creation and editing.

 

 

Conclusion

With the risk plan properly created, the next step is to assemble the plan's structure.

