This message was posted by a user wishing to remain anonymous
This is greatly appreciated.
Original Message:
Sent: 11-03-2023 04:01 PM
From: Stephen Meyer
Subject: Risk Categories
The short answer may be over simplified, however, the general thought process would be, that you have given more "weight" to the aspects or risk factors that would pose the greatest potential risk to your organization. You could then support that logic with a explanation that specifically identifies the the monetary risk, reputational risk, strategic risk, etc. posed to your organization. In today's data centric environment, many organizations would consider confidential information or a data breach as their greatest risk and score the assessment accordingly. I am not sure if that helps, but hopefully that makes sense! Asking the question of "how bad would it be if "x" happened to us?", might also help support the rationale for the weightings.
Original Message:
Sent: 11-03-2023 02:27 PM
From: Anonymous Member
Subject: Risk Categories
This message was posted by a user wishing to remain anonymous
Hello all,
Background: I work in a financial institution. We started to use the venminder software platform earlier this year.
We setup our assessment based on 8 risk categories with each category given a risk weight, and questions within those risk categories also given a risk weight. This was done based on our experience and our bank's size and complexity, nothing sophisticated.
Recently we were asked to explain how we came up with these weights for each category and the weights for the questions within the categories, (logic behind our decisions) and to document that logic.
So, my question is: how everybody else decide on a weight to give for a risk category. Why does one category receive a larger share than any other risk category and why? How do you decide?
I would appreciate any input from the community.