
Setting Up Risk Frameworks


A well-defined Risk Framework is essential for effective risk management.

In GRC for Jira, the Risk Framework issue type serves as a top-level record that aggregates multiple Risk Statements, which act as templates for different kinds of risks.

Establishing these structures allows organizations to assess, track, and mitigate risks systematically across their various entities.



Understanding Risk Frameworks and Risk Statements


Each Risk Framework represents a broad risk category, while its associated Risk Statements define specific risk types within that category.

Example of Risk Framework: Cybersecurity Risks

  • Risk Statement: Data Breach Risk

  • Risk Statement: Malware Attack Risk

  • Risk Statement: Denial of Service (DoS) Attack

  • Risk Statement: Phishing Risk

These Risk Statements serve as templates when individual risks are created and linked to specific organizational Entities (e.g., databases, software applications, vendors).


Figure: Relations between risk work item types

Because every individual risk is linked to its parent Risk Statement, organizations can generate analytical reports showing risk levels across multiple entities, with breakdowns by Risk Framework or by Risk Statement.

For example, if a Data Breach Risk is assessed for three databases, a report can show that two of them sit at a low risk level while one is categorized as high risk, so mitigation effort can be directed to the high-risk database first.



Risk Assessment Templates: Standardizing the Process


A Risk Statement must have at least one Risk Assessment Template before risks based on it can be assessed; the template ensures that similar risk types are evaluated in a standardized way.

These templates configure:

  • Types of risk assessments (Inherent, Residual, Target)

  • Evaluation of Mitigation Controls Effectiveness

  • Review of risk-related incidents

  • Scoring model (Qualitative vs. Quantitative)

  • Assessment questionnaire



Risk Scoring Models


GRC for Jira supports two primary risk scoring methodologies:

  1. Qualitative Scoring – Risk levels are assigned based on a relative scale (e.g., Very Low to Very High).

  2. Quantitative Scoring – Risk is expressed as Annual Loss Expectancy (ALE), the expected monetary loss over one year (in the standard definition, single loss expectancy multiplied by the annual rate of occurrence).



Creating a Simple Risk Assessment Questionnaire


The Risk Assessment Template includes a questionnaire designer, enabling organizations to tailor assessments with multiple criteria contributing to the risk dimensions (Impact and Likelihood).

A basic and commonly used assessment questionnaire could consist of two criteria:

  1. Risk Likelihood – Response options range from Very Unlikely to Very Likely, assigned numerical values from 1 to 5.

  2. Risk Impact – Response options range from Very Low to Very High, assigned numerical values from 1 to 5.

When assessors respond to the criteria, the system multiplies the likelihood and impact values to determine the final risk score. For example:

  • If Likelihood = 4 (Likely) and Impact = 5 (Very High), then Risk Score = 4 × 5 = 20.

  • The system maps this score to predefined score ranges (e.g., Low, Medium, High, Critical) to classify risk severity.

This simple approach provides a structured and repeatable method for risk assessments, ensuring consistency across similar risk types.
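To make the scoring mechanics concrete, here is an added, self-contained Python model (example code written for this page, not GRC for Jira's own code or API) that implements the likelihood × impact scoring described above, maps scores to severity bands, rolls results up per Risk Statement in the way the reporting example earlier on this page describes (a Data Breach Risk assessed for three databases), and includes the quantitative ALE calculation from the scoring models section. The band thresholds, the middle scale labels, the entity names and the assessment answers are constructed assumptions for illustration; a real template defines its own.

```python
"""Likelihood x impact risk scoring with band mapping and per-Risk-Statement roll-up.

Added illustration only; this is not GRC for Jira code. Middle scale labels, band
thresholds, entity names and assessment answers are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# 1..5 scales as in the questionnaire example; the middle labels are assumed.
LIKELIHOOD = {"Very Unlikely": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Very Likely": 5}
IMPACT = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Assumed severity bands as (inclusive upper score, label); a real template defines its own.
BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical")]


def qualitative_score(likelihood: str, impact: str) -> int:
    """Multiply the numeric likelihood and impact answers (result in 1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def band_for(score: int) -> str:
    """Map a score to the first band whose upper bound it does not exceed."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} is outside the 1..25 range of a 5x5 matrix")
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise AssertionError("unreachable: BANDS must end at 25")


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """Quantitative scoring: standard ALE = SLE x ARO (expected loss over one year)."""
    if single_loss_expectancy < 0 or annual_rate_of_occurrence < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return single_loss_expectancy * annual_rate_of_occurrence


@dataclass(frozen=True)
class Assessment:
    """One risk assessed for one Entity under a Risk Statement of a Risk Framework."""
    framework: str
    statement: str
    entity: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return qualitative_score(self.likelihood, self.impact)

    @property
    def band(self) -> str:
        return band_for(self.score)


# Constructed sample: Data Breach Risk assessed for three databases, plus one
# Phishing Risk assessment, all under the Cybersecurity Risks framework.
ASSESSMENTS = [
    Assessment("Cybersecurity Risks", "Data Breach Risk", "customers-db", "Possible", "High"),
    Assessment("Cybersecurity Risks", "Data Breach Risk", "analytics-db", "Unlikely", "Low"),
    Assessment("Cybersecurity Risks", "Data Breach Risk", "staging-db", "Very Unlikely", "Medium"),
    Assessment("Cybersecurity Risks", "Phishing Risk", "helpdesk-portal", "Possible", "Medium"),
]


def breakdown_by_statement(assessments):
    """Count entities per severity band, grouped by (framework, statement)."""
    counts = defaultdict(lambda: defaultdict(int))
    for a in assessments:
        counts[(a.framework, a.statement)][a.band] += 1
    return {key: dict(bands) for key, bands in counts.items()}


def prioritize(assessments):
    """Highest score first, so mitigation effort goes to the riskiest entities."""
    return sorted(assessments, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in prioritize(ASSESSMENTS):
        print(f"{a.statement:18} {a.entity:16} score={a.score:2} {a.band}")
    print(breakdown_by_statement(ASSESSMENTS))
```

Run as a script it lists the four assessments highest score first and prints the per-statement band counts; with the constructed answers the Data Breach Risk statement comes out as two Low and one High, matching the reporting scenario above. The point of keeping the scales, bands and multiplication in one place is the same as the point of the Risk Assessment Template: every entity assessed under the same Risk Statement is scored by exactly the same rule, so the cross-entity comparison in the report is meaningful.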


Figure: Risk assessment questionnaire designer


Building the Risk Reference Library


Risk Frameworks, Risk Statements, and Risk Assessment Templates together form the organization's Risk Reference Library: a static yet fundamental dataset that defines the risk management landscape.

Establishing a well-structured Risk Reference Library provides:

  • Comprehensive risk assessment coverage

  • Standardized assessment methodologies

  • Better visibility into risk exposure across entities

By setting up a structured risk framework in GRC for Jira, organizations create a strong foundation for proactive risk management, ensuring risks are consistently identified, assessed, and mitigated effectively.



Ready to automate your risk management process? Explore GRC for Jira today!








