
Running Risk Assessments with GRC for Jira


Risk assessments are a crucial part of risk management, ensuring that potential threats to an organization’s entities are identified, evaluated, and addressed effectively.


GRC for Jira streamlines this process by providing structured workflows and automation. Here’s how you can run risk assessments using the application.



Identifying Risks


The first step is to identify risks related to an entity. This can be done by leveraging the Risk Reference Library, where users can search by entity type to find standard risks represented by Risk Statements. The outcome of this phase is the creation of a Risk issue (in Draft status) that is linked to both the Entity and the Risk Statement.



Risk Workflow and Assessments


Each Risk issue type in GRC for Jira follows a structured workflow tied to the risk assessment process. A single risk can have one or multiple associated Risk Assessments. Organizations may choose to create a new Risk Assessment for each evaluation or reopen an existing one for future assessments.


Risk lifecycle in GRC for Jira

When a new Risk Assessment is initiated, the system suggests selecting a Risk Assessment Template. By default, the system proposes the template linked to the risk’s Risk Statement, but users can search and select any available template. Once a template is chosen, a new Risk Assessment record is created, and the Risk issue transitions to the Assessment status.



Conducting a Risk Assessment


The Risk Assessment process is presented as a multi-step wizard. The number of steps depends on the configuration of the selected Risk Assessment Template.


The possible assessment steps include:

  • Inherent Risk Assessment

  • Residual Risk Assessment

  • Target Risk Assessment

  • Controls Effectiveness Assessment

  • Incidents Review


Additionally, two more steps involve:

  • Reviewing Assessment Results & Selecting a Risk Response

  • Final Review & Approval by the Risk Manager


Risk assessment wizard in GRC for Jira

Assessment Details


During the Inherent, Residual, and Target Risk Assessment steps, the assessor answers predefined questions in the risk assessment questionnaire.


In the Controls Effectiveness Assessment step, the assessor can view the existing mitigation controls already associated with the risk, along with their assessment results. Assessors can allocate a weight to each control to determine its impact on risk mitigation. If the assessment uses Quantitative scoring, this step influences the final risk calculation. For Qualitative scoring, control effectiveness serves as reference information only.


Control Effectiveness assessment in GRC for Jira
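As an added illustration, not GRC for Jira's own scoring logic (the page does not give its formula), the Python below models how assessor-allocated control weights feed the residual score under Quantitative scoring while remaining reference information under Qualitative scoring. The 1..5 rating scale, the score = likelihood x impact formula, the rating bands and the sample controls are all assumptions made for this example.

```python
from dataclasses import dataclass

# Assumed scoring model (not GRC for Jira's formula): ratings 1..5, score = likelihood x
# impact; under Quantitative scoring the residual score = inherent x (1 - control effectiveness).

@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # 0.0 .. 1.0, the control's own assessment result
    weight: float         # weight allocated by the assessor in the Controls Effectiveness step

def weighted_control_effectiveness(controls):
    """Weight-averaged effectiveness in [0, 1]; 0.0 if no control carries weight."""
    total_weight = sum(c.weight for c in controls)
    if total_weight <= 0:
        return 0.0
    return sum(c.weight * c.effectiveness for c in controls) / total_weight

def score(likelihood, impact):
    """Likelihood x impact on a 1..5 scale; rejects out-of-range questionnaire answers."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"rating {value} is outside 1..5")
    return likelihood * impact

def rating(value):
    """Rating bands assumed by this example for a 1..25 score."""
    return "High" if value >= 15 else "Medium" if value >= 8 else "Low"

def assess(inherent, residual, target, controls, scoring="Quantitative"):
    """One Risk Assessment summary from (likelihood, impact) answers plus weighted controls."""
    inherent_score, target_score = score(*inherent), score(*target)
    effectiveness = weighted_control_effectiveness(controls)
    if scoring == "Quantitative":
        residual_score = inherent_score * (1.0 - effectiveness)  # controls drive the result
    elif scoring == "Qualitative":
        residual_score = float(score(*residual))  # controls are reference information only
    else:
        raise ValueError(f"unknown scoring mode {scoring!r}")
    return {
        "inherent": inherent_score, "inherent_rating": rating(inherent_score),
        "control_effectiveness": round(effectiveness, 3),
        "residual": round(residual_score, 2), "residual_rating": rating(residual_score),
        "target": target_score, "target_rating": rating(target_score),
        "meets_target": residual_score <= target_score,
    }

# Constructed sample controls linked to the risk (names and values are made up).
CONTROLS = [Control("MFA on admin accounts", effectiveness=0.8, weight=3),
            Control("Quarterly access review", effectiveness=0.5, weight=1)]
```

Calling `assess((4, 5), (3, 3), (2, 3), CONTROLS)` shows a High inherent risk brought below its Low target by the weighted controls, whereas the same call with `scoring="Qualitative"` keeps the assessor's own residual answers and ignores the weights.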

Optionally, you can add an Incidents Review step, which provides historical data on past incidents linked to the risk, helping assessors evaluate risk likelihood based on actual events.



Reviewing Results and Selecting a Risk Response


Once all assessment steps are completed, the assessor reviews the calculated risk ratings for Inherent, Residual, and Target Risk, as well as Control Effectiveness. Based on these insights, they select a Risk Response and assign responsibility for its resolution.


Possible Risk Responses include:

  • Accept – Document and justify the risk acceptance.

  • Mitigate – Implement measures to reduce the risk.

  • Avoid – Eliminate activities causing the risk.

  • Transfer – Shift risk responsibility to another party (e.g., insurance).

  • Reject – Mark the risk as invalid or irrelevant.


Along with selecting a Risk Response, the assessor must provide a justification and an implementation plan.


Assessment Summary and Risk Response selection in GRC for Jira

Risk Response and Mitigation


The person assigned to the Risk Response task should implement it according to the type of response and its implementation plan.


To address a Mitigate response, the system allows linking existing Controls to the Risk when they are associated with the Risk's entity. These Controls mitigate and reduce the risk. This highlights the connection between the Risk and Compliance domains in GRC for Jira and allows efficient reuse of the work done during controls assessment.


Once the Risk Response task is completed, it undergoes a final review by the Risk Manager.



Final Review and Transition to Monitoring


If the Risk Response is approved, the parent Risk issue transitions to the Monitoring status.


This indicates that the risk has been identified, assessed, responded to, and is now under control.


Risks in Monitoring status should be periodically reassessed following the organization’s risk management procedures to ensure continued mitigation effectiveness.


By following this structured approach, organizations can efficiently identify, assess, respond to, and monitor risks while ensuring compliance with risk management frameworks and best practices.



Ready to explore how GRC for Jira can enhance your organization's risk management process?






