Not Applicable = 0 (when calculating per Compliance Area we take averages and exclude Not Applicable)
Compliance Risk (Probability / Likelihood)
This is the probability of the risk occurring. Compliance Risk is the inverse of the Compliance Score, scored out of 5: 1 = Low Risk, 5 = High Risk
Scoring explanation:
Not Started = 5
In Progress = 3
Complete = 1 (there is still possible risk but negligible)
Not Applicable = 0 (when calculating per Compliance Area we take averages and exclude Not Applicable)
Impact Score (Severity)
This is the impact component of the probability-and-impact score. It reflects the risk level (severity) assigned to the question: High Risk = 5, Medium Risk = 3, Low Risk = 1
Scoring explanation:
High = 5
Medium = 3
Low = 1
Unmitigated Risk (Inherent risk)
Low = 5, High = 25. Unmitigated (or inherent) risk is the risk present in any scenario where no attempts at mitigation have been made and no controls or other measures have been applied to reduce the risk from initial levels to levels more acceptable to the organization.
Scoring explanation:
Compliance Risk × Impact (maximum = 25)
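As an added worked example (not part of the original scoring guide), the following code applies the scoring tables above to a constructed compliance area and shows why Not Applicable questions must be excluded from the average rather than counted as 0. The status labels, field names and sample questions are assumptions made for the example.

```python
from statistics import mean

# Status -> Compliance Risk (probability), from the scoring table above.
COMPLIANCE_RISK = {"Not Started": 5, "In Progress": 3, "Complete": 1, "Not Applicable": 0}
# Severity -> Impact score, from the scoring table above.
IMPACT = {"High": 5, "Medium": 3, "Low": 1}


def unmitigated_risk(status, severity):
    """Compliance Risk x Impact; ranges up to 25 (Not Started, High)."""
    return COMPLIANCE_RISK[status] * IMPACT[severity]


def area_scores(questions):
    """Average Compliance Risk and Unmitigated Risk for one compliance area.

    Not Applicable questions are excluded before averaging. Returns None
    when every question in the area is Not Applicable (nothing to score).
    """
    applicable = [q for q in questions if q["status"] != "Not Applicable"]
    if not applicable:
        return None
    return {
        "compliance_risk": mean(COMPLIANCE_RISK[q["status"]] for q in applicable),
        "unmitigated_risk": mean(unmitigated_risk(q["status"], q["severity"]) for q in applicable),
    }


def naive_area_compliance_risk(questions):
    """Incorrect variant for comparison: counts Not Applicable as 0 in the average,
    which drags the area's risk down and understates it."""
    return mean(COMPLIANCE_RISK[q["status"]] for q in questions)


# Constructed sample area (assumed question set, not from the original page).
SAMPLE_AREA = [
    {"id": "AC-1", "status": "Not Started", "severity": "High"},      # 5 x 5 = 25
    {"id": "AC-2", "status": "In Progress", "severity": "Medium"},    # 3 x 3 = 9
    {"id": "AC-3", "status": "Complete", "severity": "Low"},          # 1 x 1 = 1
    {"id": "AC-4", "status": "Not Applicable", "severity": "High"},   # excluded
]

if __name__ == "__main__":
    scores = area_scores(SAMPLE_AREA)
    print("Area Compliance Risk (N/A excluded):", scores["compliance_risk"])   # 3
    print("Area Unmitigated Risk (N/A excluded):", round(scores["unmitigated_risk"], 2))
    print("Naive Compliance Risk (N/A counted as 0):", naive_area_compliance_risk(SAMPLE_AREA))
```

With the sample area, excluding the Not Applicable question gives an average Compliance Risk of 3, while counting it as 0 would report 2.25 and make the area look less risky than it is.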
Mitigated risk (Residual risk)
Low = 5 High = 25. Mitigated (or residual) risk is the risk “left over” after security controls and process improvements have been applied, meaning after efforts have been made to reduce the unmitigated risk. This means that residual risk is something organizations might need to live with based on choices they’ve made regarding risk mitigation.
Scoring explanation:
First determine Max Risk (which allows us to calculate what is “left over”)