Create or Edit a Risk
Create a Risk to define and manage issues and potential problems.
To create or edit a Risk, you must log in to Neurons for ITSM as a GRC Manager.
To create a Risk:
1. Open the Risk workspace.
2. Click New Risk to open a blank Risk form.
3. Enter the following information into the Overview section as required:
| Field | Description |
|---|---|
| Title | Enter a title for the new record. |
| Team | From the dropdown, select the team for which the risk record is being created. |
| Owner | From the dropdown, select the owner name. |
| Date Identified | Click the calendar icon and select the date on which the risk was identified. |
| Last Review Date | Click the calendar icon and select the date by which the risk is expected to be reviewed. |
| Review Cadence | From the dropdown, select the frequency with which the risk needs to be reviewed. |
| Create Review Tasks | Select the checkbox to create review Tasks. |
| Status | From the dropdown, select the relevant status of the Risk record: •Draft: Initial pre‑risk state. The item is not yet confirmed as a risk. •New: The risk is identified but not yet assessed. A risk owner (operator) is not yet assigned. •Under Review: A risk owner (operator) is assigned. The risk is being analyzed for likelihood, impact, and response options. •Assessed: Risk analysis is complete. The risk is scored and categorized. •Response Planned: A treatment strategy is planned (Mitigate, Accept, Transfer, or Avoid). When the status is Response Planned, the Risk Response field should be selected. •Treatment In Progress: Mitigation actions are in progress. The Risk Response field might indicate Mitigate or Avoid at this stage. •Monitored: The risk is under observation after treatment. The treatment can be Mitigate, Accept, Transfer, or Avoid. If mitigation is implemented through controls or a mitigation plan, you should select a Mitigation Strength value. •Retired: The risk is no longer relevant. •Elevated: The risk remains on the register and is submitted for emergency response. |
| Risk Response | Refers to the action or strategy chosen to address the identified risk. From the dropdown, select the appropriate option: •Mitigate: Reduce the impact of the risk with controls or a Mitigation Plan. •Accept: Accept the risk without additional action. •Transfer: Transfer the case to an IT Incident. •Avoid: Take steps to eliminate the risk or its impact entirely. |
| Source | From the dropdown, select the relevant source: Audit, Manual, Risk Assessment, or Vulnerability Scan. |
| Risk Type | From the dropdown, select the type of risk that might impact the project. |
| Risk Category | From the dropdown, select the category of risk based on the Risk Type. |
| Risk Sub-Category | From the dropdown, select the sub-category of the Risk Category. |
| Inherent Impact | From the dropdown, select the severity of impact that the risk has on the project. |
| Inherent Likelihood | From the dropdown, select the likelihood that the risk may have an impact on the project. |
| Inherent Risk | This field auto-populates and it indicates the risk score based on Inherent Likelihood and Inherent Impact. |
| Mitigation Strength | Indicates the effectiveness of controls or a mitigation plan in reducing the impact of the risk. Select an appropriate option from the dropdown. •Unknown: Select when mitigation measures are not identified. •None: Select when no mitigation measures / controls are currently in place. •Weak (10% Reduction): Select when controls exist but are minimal or largely ineffective in reducing the risk. •Moderate (50% Reduction): Select when controls are implemented but provide only partial risk reduction. •Strong (70% Reduction): Select when controls are effectively implemented and significantly reduce the risk. •Very Strong (90% Reduction): Select when controls are highly effective and provide near‑maximum risk reduction. |
| Residual Impact | Indicates the level of impact a risk still has after all mitigation actions or controls are applied. Select an appropriate option from the dropdown. |
| Residual Likelihood | Indicates the probability of a risk event occurring after mitigation actions or controls are implemented. Select an appropriate option from the dropdown. |
| Residual Risk | Indicates the current risk score after controls and mitigations. This field auto-populates based on the scores of Residual Likelihood and Residual Impact. |
| Grade change | Graphically represents the risk level. •Displays •Displays •Displays •No icon, if the Residual Risk or Inherent Risk fields are blank. |
Mandatory fields are marked with an asterisk.
4. Enter the following information into the Details section as required:
| Field | Description |
|---|---|
| Description | Enter a detailed explanation of the identified risk. You can include the nature of the risk, context, and potential impact. |
| Triggers | Enter the events or conditions that can cause the risk to occur, such as system failures, human error, external attacks, or regulatory changes. |
| Root Cause Analysis | Describe the fundamental reasons behind the risk’s existence, such as process gaps or lack of control. |
| Threat Category | Classify the risk according to the type of threat it poses. Select the appropriate category from the dropdown. |
| Confidential | Select the checkbox to restrict access to the risk record if it contains sensitive or confidential information. |
| Data Privacy Risk | Specify if the risk is related to data privacy. Select the appropriate option from the dropdown. •Confidentiality: Select when there is a risk of unauthorized data disclosure. •Integrity: Select when there is a risk of unauthorized data alteration. •Availability: Select when there is a risk of data or system unavailability. |
| Attachments | Click Attach to upload supporting documents related to the risk, such as assessments, evidence, or mitigation plans. |
5. Use the Controls, Mitigation Plans, Assets, Risk Assessments, Audits, Policies, Tasks, Changes, Incidents, Problems, and Security Incidents tabs to link supporting records to the Risk.
Use the Controls and Mitigation Plans tabs to create new Controls and Mitigation Plans.
You can restore hidden tabs using the plus sign (to the right of the tabs).
6. Click Save.
Click Refresh if changes you made or relevant tabs are not shown in the record after you have saved it.
Edit a Risk
To edit a Risk:
1. Double-click the Risk to open the details.
2. Edit the information as required.
3. Click Save.