5.3.3.4 Rel. Risks


This field is initially populated by the system after the evaluation of risks and controls: it details all risks mitigated by the control concerned. This means that the following fields are not changeable: No., Risk, Asset, Impact, Probability and Score.

The column headed "Key" shows whether the system has determined the relevant control to be an important or key control in mitigating the risk; if you disagree with the system determination you can change it here by clicking on "Edit" in the toolbar at the top of the screen and either "ticking" or "un-ticking" the box.

 

The columns headed "Use Working" and "IA Use Working" act as "over-ride" buttons. When controls are tested using predefined Compliance Tests, the system captures the control's effectiveness and applies this data across all of the risks the control mitigates. Whilst leaving the original scores in the matrix intact, the system decrements their effectiveness: it removes 1 where a control is working "Mostly", removes 3 where it is "Sometimes" working, and negates the score entirely where a control never works. No score is allowed to fall below zero. This approach has a drawback: a control that is "Sometimes" working might have a portion that is still effective in mitigating a risk. To address this, we place a tick in the "Use Working" box. This over-rides the "Sometimes" score and leaves the original score in place.
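The decrement rule described above, written out as an added example (this is not the product's own code). The names `RiskLink`, `effective_score` and `apply_test_result` are hypothetical, the sample scores are constructed, and two points are assumptions: "Always" removes nothing, and "Use Working" affects only a "Sometimes" result, the one case the text describes.

```python
from dataclasses import dataclass

# Decrements stated in the text; "Always" = 0 is an assumption.
DECREMENT = {"Always": 0, "Mostly": 1, "Sometimes": 3}


@dataclass(frozen=True)
class RiskLink:
    """One risk mitigated by the control (hypothetical structure)."""
    risk: str
    original_score: int        # score held in the matrix, never modified
    use_working: bool = False  # the "Use Working" tick box for this risk


def effective_score(link: RiskLink, test_result: str) -> int:
    """Score the control contributes to one risk after a compliance test."""
    if test_result == "Never":
        return 0  # a control that never works has its score negated entirely
    if test_result not in DECREMENT:
        raise ValueError(f"no decrement defined for result {test_result!r}")
    if test_result == "Sometimes" and link.use_working:
        return link.original_score  # over-ride: keep the original score
    # No score is allowed to fall below zero.
    return max(0, link.original_score - DECREMENT[test_result])


def apply_test_result(links, test_result: str) -> dict:
    """Apply one test result across every risk the control mitigates."""
    return {link.risk: effective_score(link, test_result) for link in links}


# Constructed sample: one control mitigating three risks.
SAMPLE_LINKS = [
    RiskLink("R1", 5),
    RiskLink("R2", 2),                    # 2 - 3 would be negative: floored at 0
    RiskLink("R3", 4, use_working=True),  # over-ride ticked
]

if __name__ == "__main__":
    for result in ("Always", "Mostly", "Sometimes", "Never"):
        print(result, apply_test_result(SAMPLE_LINKS, result))
```
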

 

The Evaluation Column. The logic behind this column is as follows:

1) If you have a Control of type "Other Entity" and want to link its related risks with the Other Entity's Risks, do so from: Control Screen --> Rel. Entity Risks Tab --> Link. This will show the following screen:

[Screenshot: Version 6_img299]

In this screen, you select the Related Risk from the drop-down list, and then tick the boxes of the Other Entity Risks that can be linked to this Risk. After this is done, the Related Risk(s) and the related Other Entity Risks will show in the Control Screen under the "Rel. Entity Risks" tab.

2) The next step is to click on the "Rel. Risks" Tab and click on the button "Show Link". This will show a window that contains a list of the Related Risks and the Other Entity Risks linked to them. Here the user can evaluate each Related Risk (Untested, Always, Mostly, Sometimes, Never) and enter a Compliance Test result:

[Screenshot: Version 6_img300]

Note: Evaluating the Related Risks does not have any impact on the Actual environment or any other calculation. Its purpose is only to help the user in assessing the overall Test Result: the user can evaluate the Related Risk by looking at the status of the Other Entity Risks that are linked to this Risk (whether they are properly controlled).

3) The last step is entering the Test Result and clicking OK, which will enter a new test for the control, and will show the Related Risks Evaluation in the Related Risks Tab:

[Screenshot: Version 6_img301]

The final two columns, "Working" and "Actual", show the control environment (on a scale of A - very good - to D - very weak) over each of the related risks. The "Working" column reflects the situation if all of the controls relevant to the risk work as intended; the "Actual" column reflects the situation given the current state of control deployment.