Risk Assessment
Understand how Dictiva calculates inherent and residual risk for processes using the likelihood-impact matrix, control effectiveness, and risk trend indicators.
What Is Process Risk Assessment?
Risk assessment is the systematic evaluation of threats to your business processes. Dictiva uses a V2 risk model inspired by ISO 31000 and COSO ERM, built around three core concepts: inherent risk, control effectiveness, and residual risk.
Every process in your organization carries risk. The goal isn't to eliminate all risk -- it's to understand it, manage it, and make informed decisions about what level of risk is acceptable.
The Risk Model
Dictiva's risk assessment follows a clear flow:
Likelihood x Impact = Inherent Risk; Inherent Risk reduced by Control Effectiveness = Residual Risk
Each component is assessed independently, and the results are computed automatically.
Likelihood
Likelihood measures how probable it is that a risk event will occur within this process. Dictiva uses five levels aligned with ISO 31000 guidance:
| Level | Label | Description |
|---|---|---|
| 1 | Rare | Could occur only in exceptional circumstances. No history of occurrence. |
| 2 | Unlikely | Could occur at some time, but not expected. Has occurred elsewhere. |
| 3 | Possible | Might occur at some time. Has occurred before in similar contexts. |
| 4 | Likely | Will probably occur in most circumstances. Regular occurrence in the industry. |
| 5 | Almost Certain | Expected to occur frequently. Is happening now or has occurred recently. |
How to Determine Likelihood
Ask yourself:
- Has this type of event occurred in your organization before?
- How often does it occur in your industry?
- Are there known vulnerabilities or gaps in this process?
- Have external conditions (regulatory, market, technology) changed recently?
Impact
Impact measures the severity of consequences if a risk event does occur. Consider financial, operational, reputational, regulatory, and safety dimensions:
| Level | Label | Description |
|---|---|---|
| 1 | Negligible | Minimal effect. Easily absorbed within normal operations. |
| 2 | Minor | Some disruption, but manageable within existing resources. No external visibility. |
| 3 | Moderate | Noticeable disruption. May require management attention and additional resources. |
| 4 | Major | Significant disruption to operations. May affect customers, revenue, or compliance. |
| 5 | Severe | Critical impact. Could threaten business continuity, trigger regulatory action, or cause lasting damage. |
How to Determine Impact
Consider the worst realistic scenario across these dimensions:
- Financial: What is the potential cost (direct loss, fines, remediation)?
- Operational: How long would the process be disrupted?
- Reputational: Would customers, partners, or the public notice?
- Regulatory: Could this trigger compliance violations or investigations?
- Safety: Could people be harmed?
Use the highest dimension as your impact rating.
The 5x5 Risk Matrix
The risk matrix is a visual tool that maps likelihood against impact. Each cell contains a risk score calculated as:
Risk Score = Likelihood Level x Impact Level
Scores range from 1 (Rare x Negligible) to 25 (Almost Certain x Severe) and fall into four risk bands:
| Band | Score Range | Color | Meaning |
|---|---|---|---|
| Low | 1 -- 4 | Green | Acceptable risk. Monitor during routine reviews. |
| Medium | 5 -- 9 | Amber | Moderate risk. Ensure controls are adequate. Review periodically. |
| High | 10 -- 15 | Orange | Significant risk. Active management and enhanced controls required. |
| Extreme | 16 -- 25 | Red | Unacceptable risk. Immediate action needed. Escalate to leadership. |
Click any cell in the matrix to set both likelihood and impact simultaneously.
Inherent Risk
Inherent risk is the risk level of a process before any controls, policies, or procedures are applied. It represents "What would happen if we did nothing to manage this process?"
This is your raw exposure -- the starting point for understanding where controls are needed.
Inherent risk is computed automatically from your likelihood and impact selections. You cannot edit it directly; adjust the sliders or click the matrix instead.
Control Effectiveness
Controls are the policies, standards, procedures, and governance mechanisms that mitigate risk. In Dictiva, the statements adopted by a process are literally its controls.
Control effectiveness is assessed on four levels:
| Level | Reduction | Description |
|---|---|---|
| None | 0% | No controls are in place, or controls exist but are not implemented. |
| Weak | 25% | Basic controls exist but are informal, inconsistent, or untested. |
| Adequate | 50% | Controls are documented, implemented, and reasonably effective. Some gaps may exist. |
| Strong | 75% | Controls are mature, tested, monitored, and continuously improved. |
How to Determine Control Effectiveness
- How many governance statements has this process adopted?
- Are those statements actively enforced or just documented?
- When were the controls last reviewed or tested?
- Have any control failures been reported?
- Do you have evidence of control performance (metrics, audits, reviews)?
Residual Risk
Residual risk is the risk that remains after controls have been applied. It represents your actual, real-world exposure.
Residual Risk = Inherent Risk Score x (1 - Control Reduction)
For example:
- Inherent Risk = 20 (Extreme)
- Control Effectiveness = Adequate (50% reduction)
- Residual Risk = 20 x 0.50 = 10 (High)
If residual risk exceeds your organization's risk appetite, you need to either strengthen controls or accept the risk with documented justification.
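The whole chain described above (inherent score, risk band, residual score after control reduction, and the risk-appetite check) worked through as an added Python example; this is not Dictiva's own code. The inclusive upper-bound banding of fractional residual scores and the `appetite` field are assumptions of the example.

```python
from dataclasses import dataclass

# Scales from the page: 1..5 likelihood and impact, four control-effectiveness levels.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}
CONTROL_REDUCTION = {"None": 0.00, "Weak": 0.25, "Adequate": 0.50, "Strong": 0.75}
# Inclusive upper bound of each band on the 1..25 score scale.
BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Extreme")]
BAND_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}


def band(score: float) -> str:
    """Map a score to its band. Residual scores can be fractional (9 x 0.75 = 6.75);
    the page gives integer ranges only, so treating each range's upper bound as an
    inclusive threshold for fractional scores is an assumption of this example."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} is outside the 1..25 scale")


def inherent_risk(likelihood: int, impact: int) -> int:
    """Inherent Risk = Likelihood x Impact, before any controls are considered."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must both be integers 1..5")
    return likelihood * impact


def residual_risk(inherent: int, control: str) -> float:
    """Residual Risk = Inherent Risk x (1 - Control Reduction)."""
    return inherent * (1 - CONTROL_REDUCTION[control])


@dataclass
class Assessment:
    likelihood: int
    impact: int
    control: str
    appetite: str = "Medium"  # highest residual band accepted (assumed default)

    def evaluate(self) -> dict:
        inh = inherent_risk(self.likelihood, self.impact)
        res = residual_risk(inh, self.control)
        return {
            "inherent": inh, "inherent_band": band(inh),
            "residual": res, "residual_band": band(res),
            "control_value": inh - res,  # the inherent-to-residual gap
            "within_appetite": BAND_ORDER[band(res)] <= BAND_ORDER[self.appetite],
        }
```

Running `Assessment(4, 5, "Adequate").evaluate()` reproduces the page's example: inherent 20 (Extreme), residual 10.0 (High), which exceeds a Medium appetite.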
Risk Trend
Risk trend captures the direction of risk over time:
| Trend | Meaning |
|---|---|
| Increasing | Risk is growing due to changing conditions, new threats, or degrading controls. Requires attention. |
| Stable | Risk level is unchanged. Current controls are maintaining the position. |
| Decreasing | Risk is reducing due to improved controls, resolved issues, or favorable conditions. |
Update the trend whenever conditions change -- after control improvements, incident responses, regulatory changes, or periodic reviews.
Best Practices
- Assess regularly -- Risk assessments should be reviewed at least quarterly, or whenever significant changes occur.
- Be honest -- Overestimating control effectiveness creates a false sense of security. When in doubt, rate conservatively.
- Use the matrix -- The visual matrix helps you compare processes side by side and prioritize where to invest in controls.
- Connect to statements -- The gap between inherent and residual risk represents the value of your governance statements. If the gap is small, your statements may need strengthening.
- Document rationale -- When you set a rating, note why. Future reviewers will thank you.
Framework References
Dictiva's risk model draws from established governance frameworks:
- ISO 31000:2018 -- Risk Management Guidelines. Defines risk as "the effect of uncertainty on objectives" and provides a universal framework for risk assessment.
- COSO ERM -- Enterprise Risk Management framework. Integrates risk with strategy and performance across 20 principles.
- ISO 27005 -- Information Security Risk Management. Provides detailed guidance on likelihood/impact assessment for information assets.
- NIST RMF -- Risk Management Framework. US government standard for categorizing and managing information system risk.