5.4.3 Control Impact Scoring
Another method of entering data into the matrix, particularly useful when data is being entered for the first time, is the Control Impact Scoring Screen.
From the Entity screen, click on the "Scoring" button in the toolbar at the top of the screen to bring up the Control Impact Scoring Screen.
This form may only be used to enter scores; it cannot be used to add risks or controls. If a new Entity has been created and therefore there are no risks or controls already identified, the scoring button will not appear.
Use the navigation arrows in the top left-hand corner of the toolbar at the top of the screen to select the control and risk that you want to score, and enter the value into the “SCORE” field in the top left corner. Once a score has been entered, click on the (update) button to save the record.
The form is designed so that one section, say risks, can remain static whilst the other, controls, can be cycled round using the arrows. The advantage this screen has over scoring directly into the matrix is that the long descriptions of both risks and controls can be seen and this often helps in the evaluation of how effective a control is in mitigating a risk.
Use the button in the toolbar at the top of the screen to go up one level to the individual Entity Screen.
The button on the toolbar at the top of the screen deletes the Entity currently displayed; this is a fairly drastic action, since all of the risks, controls, remedial action detail and Compliance Tests will also be deleted.
Tip: After deleting an entity you cannot retrieve it. Thus, it is advisable to always create backups before deleting entities.
Once scoring is complete, either via the Matrix or the Control Impact Scoring screen, some basic risk modelling could be done; for example, the following questions could be addressed:
• What if certain controls could be improved?
• If we restructured and some controls were lost, what would the impact be?
• What impact does our current insurance programme have on the Risk Profile?
• How could a change in the insurance programme help?
• What is the organisation’s “appetite for risk”?
• How many of the identified possible exposures have the potential to breach this appetite?
• What are our “top 10” potential risks?
• What are the major areas where a particular type of asset or element of corporate strategy is under threat?
• What is the effect of some or all of the key controls not working?
• How many risks do we have that could affect Financial Reporting and are therefore important from a Sarbanes-Oxley perspective, and how well controlled are they?
• And so on…