How does the inherent and residual risk calculation work in Pirani?

In this tutorial we will show you how the tool performs the calculations for inherent and residual risk and controls. It is essential to know that the tool handles the same probability and impact structure as the heat map.

How is inherent risk calculated?

The tool handles two types of measurement to calculate the inherent risk: direct or variable. To choose the type of measurement to use, go to the top bar and enter the “gear”, select the management system to work with and then the “risk rating” section. There you will find a drop-down with the two types of rating to choose from.

✨This rating is transversal for all management systems.


⚠️ After choosing the type of rating, remember to click on the “save” option so that the change is reflected in the risk section.

Know the two types of measurement:


Direct measurement: the traditional measurement, carried out by expert judgment with the calculation RI = impact x probability, where RI is the inherent risk.
For the following example, an average impact (40%) and a possible probability (80%) are assigned. This places the risk in the fourth quadrant on the Y-axis and in the second quadrant on the X-axis.


Variable measurement: This measurement handles two types of calculation, by highest rating or by average. To choose between them, go back to the “risk rating” section and select the “by variables” rating type; the “calculation type” bar is then activated, where you can choose between highest rating and average.


When choosing the variable measurement option, you must assign a weight to each of the variables, which vary according to the organizational context, methodology, the way in which the impacts are defined and the history of the organization.

✨ Remember that the sum of the weights of the variables must always add up to 100%.

1. By highest rating: In this type of calculation, the tool uses the highest rating assigned to the impact. For example, in the following case the highest value assigned is moderate (60%), so the risk impact will be moderate. With this type of rating the tool always uses the highest rating assigned.


We then choose the probability directly and the tool will proceed to place the risk on the heat map.


2. By average: For this type of calculation it is essential that you assign a weight to each variable. The variables can have the same or different weights, but they must always add up to 100%. After assigning the weights, in the create risk section you must assign an impact rating to each variable; the tool then multiplies the weight of each variable by the impact rating assigned to it.


For example, if the legal variable has a weight of 20% and we assign a moderate impact of 40% it will have an inherent impact of 8%.  
Weight x Impact = Inherent impact
20% x 40% = 8%

✨ A rating must be assigned to each variable so that the tool can perform this operation with each of the variables and finally add up all the inherent risks as we can see in the following example:

[Image: overall weight x impact example]

✨ This is how calculations are represented within the tool.


Next, a rating must be assigned to the probability. This is given by direct calculation and ranges from improbable (20%) to very possible (100%).

Finally, to obtain the inherent risk per variable, the tool multiplies the impact (calculated by average) x the probability: 

RI = Inherent Risk

RI = Inherent Impact x Probability

Continuing with the example, we will take the probability rating of this risk materializing as improbable (20%).

RI = Inherent Impact x Probability

RI = 48% (II) x 20% (P)

RI = 10%.

Finally the software places our risk on the heat map.


How are the controls calculated?


The tool handles two control variables, design and execution. Their weights must add up to 100% so that they can have full coverage in the heat map. How the weight is split between design and execution depends on the user's work methodology, since the tool allows working with both variables or with only one of them as appropriate. To choose the percentage weight of each variable, go to the top bar and enter the “gear”, then select the “controls” option. There you will find a bar where you can adjust the weight of both variables.

✨ This rating is transversal for all management systems.


Although the “design” and “execution” variables already have a weight, each of them contains a group of reducers with individual weights.

The design variable: 

This variable already has a general weight (50% in the previous example), but it contains variables that have their own weight. To assign or check the weight of each of these reducers, go to the “design variables” option within the “controls” section. There you will find reducers with different weights according to the classification. For example, “control type” has three types of rating: 20 corrective, 50 detective and 100 preventive.


To get the value of the control design you must assign a rating to each of the variables when creating a control.
 
Finally, the tool obtains the design value by multiplying the weight assigned to each design variable by the rating you give that variable when creating the control. It then adds these percentages and multiplies the sum by the overall weight of the design variable, as shown in the example below.

Design value = design weight x sum(variable weight x variable rating)

[Image: overall weight of the design variable example]

The execution variable: 


The execution variable already has a general weight (50% in the initial example), but it contains variables that have their own weight. To assign or check the weight of each of these variables, go to the “execution variables” option in the “controls” section. There you will find variables with different weights according to the classification. For example, “have events associated with this control been reported?” has two types of rating: yes 10%, no 100%. The weights of these variables vary according to their nature.


When creating a control you must assign a rating to each of the execution variables.

Finally, the tool obtains the execution value by multiplying the weight assigned to each execution variable by the rating you give that variable when creating the control. It then adds these percentages and multiplies the sum by the overall weight of the execution variable, as shown in the example below.

Execution value = execution weight x sum(variable weight x variable rating)

[Image: overall weight of the execution variable example]

Robustness

Finally, to find the robustness, the following operation must be carried out:

Robustness = design value + execution value

In the case we are working on, it would be as follows:

Robustness = 35% + 34%

Robustness = 69%.

✨ All data and results are worked in percentages (%).

Once the control is created, it must be associated with the risk of interest. When it is associated, it must be assigned mitigation percentages by impact and by frequency, according to the mitigation intended on each axis of the heat map (probability or impact).

For this example we will use a 50% impact mitigation and a 20% frequency mitigation.


How is the residual risk calculated?


To find the residual risk, the tool first calculates the residual impact and the residual frequency, using the following formulas:

IR = Residual Impact
IR = Inherent Impact - (Inherent Impact x Control Design Coverage)
IR = II - (II x CDC(i))


FR = Residual Frequency
FR = Inherent Frequency - (Inherent Frequency x Control Design Coverage)
FR = FI - (FI x CDC(f))


CDC = Control Design Coverage
CDC(i) = Robustness x mitigation by impact, used to find IR
CDC(f) = Robustness x mitigation by frequency, used to find FR


If the CDC found is greater than the maximum coverage of the control (CMC = 80%), the system uses the CMC instead to perform the calculation.

For the following example we will take the data from the previous control example and the initial inherent risk:

Robustness = 69%
Mitigation by impact = 50%
Mitigation by frequency = 20%
Inherent impact of the risk = 48%
Inherent frequency of the risk = 20%

Residual Impact: 

First we find the Control Design Coverage for Impact.

CDC(i)=( Robustness x mitigation for Impact) 

CDC(i)= ( 69% x 50%)

CDC(i)= 35%.

We then substitute in the residual impact formula 

IR= II - (II x CDC(i))

IR= 48% - ( 48% x 35% )

IR= 31%.

Residual Frequency: 

First we find the Control Design Coverage for the frequency.

CDC(f)=( Robustness x mitigation by frequency)

CDC(f)=(69% x 20%)

CDC(f)= 14%.

Then we replace in the residual frequency formula 

FR= FI- (FI X CDC(f))

FR= 20% - (20% x 14%)

FR= 17% 

Finally, after the whole process of risk creation, control creation and association of the control with the risk, the tool shows the risk in the heat map with the inherent risk and residual risk.


What happens when I have several controls for the same risk?


To find the residual risk when several controls are applied, use the main formulas from the previous exercise. However, when finding the CDC (Control Design Coverage), average the CDC values of the controls associated with the risk, e.g.

Control 1: robustness 30%, impact 10%, frequency 60%.

Control 2: robustness 40%, impact 80%, frequency 20%.

CDC(i) = average [(Robustness1 x mitigation for Impact1), (Robustness2 x mitigation for Impact2)]

CDC(i) = average [(30% x 10%), (40% x 80%)]

CDC(i) = average [(3%), (32%)]

CDC(i) = 17.5% → this is the value to use as the CDC to find the residual impact.

To find the residual frequency you must perform the same averaging process to find the CDC(f) and continue with the process shown above.
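
The residual-risk procedure above, including the CMC cap and the averaging across several controls, written out as an added Python example (not Pirani's own code). The function names, dictionary keys, the choice to apply the cap after averaging, and the behaviour with no associated control are assumptions.

```python
# Added example: re-implements the formulas described on this page.
# Values are fractions (0.48 == 48%). All names here are hypothetical.
from statistics import mean

CMC = 0.80  # maximum control coverage stated on the page (CMC = 80)


def inherent_impact(ratings, weights=None, mode="average"):
    """Impact from per-variable ratings: highest rating or weighted sum."""
    if mode == "highest":
        return max(ratings.values())
    if set(weights) != set(ratings):
        raise ValueError("every weighted variable needs a rating")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("variable weights must add up to 100%")
    return sum(weights[v] * ratings[v] for v in weights)


def coverage(controls, axis, cmc=CMC):
    """CDC for one axis: mean of robustness x mitigation, capped at CMC.

    Assumption: the cap is applied after averaging; the page does not say.
    """
    cdc = mean(c["robustness"] * c[axis] for c in controls)
    return min(cdc, cmc)


def residual(impact, frequency, controls):
    """Return (residual impact, residual frequency) as fractions."""
    if not controls:  # assumption: without controls nothing is mitigated
        return impact, frequency
    cdc_i = coverage(controls, "impact_mitigation")
    cdc_f = coverage(controls, "frequency_mitigation")
    return impact - impact * cdc_i, frequency - frequency * cdc_f


# The page's single-control example: robustness 69%, mitigation 50% / 20%.
PAGE_CONTROL = {"robustness": 0.69, "impact_mitigation": 0.50,
                "frequency_mitigation": 0.20}
# The page's two-control example.
TWO_CONTROLS = [
    {"robustness": 0.30, "impact_mitigation": 0.10, "frequency_mitigation": 0.60},
    {"robustness": 0.40, "impact_mitigation": 0.80, "frequency_mitigation": 0.20},
]

if __name__ == "__main__":
    ir, fr = residual(0.48, 0.20, [PAGE_CONTROL])
    print(f"IR = {ir:.0%}, FR = {fr:.0%}")
    print(f"CDC(i), two controls = {coverage(TWO_CONTROLS, 'impact_mitigation'):.1%}")
```

The page rounds each intermediate step to a whole percent; the code keeps full precision and rounds only for display, which gives the same 31% and 17% for the page's example.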