Hey Tim... good to see ya!
I've tried to convince CROs to have one Risk Framework for the entire Org. That way everyone is on the same page when we're talking about Risk. Plus, your examiners will appreciate the enterprise-wide alignment. I would also add, if you have 5 risk tiers, you should consider 5 Control Effectiveness measures. It makes it easier from a math perspective. I have "Effective; Mostly Effective; Fair/Partially Effective; Needs Improvement; and Ineffective / No Control".
Don't forget to define Impact; Likelihood; Rate of Occurrence; Complexity of Risk...
and if you use a Linear approach, you should add a note for Management... Mine says:
Note: This is a linear-based 5x5 scale. It establishes 25 potential Residual Risks. One should carefully consider the Control Effectiveness, as many controls can likely see improvements in both design and execution. Therefore, an Effective control score should be significantly rare, and when one rates as such, Management is encouraged to challenge the rating.
And one last thing... by definition, the Residual Risk cannot exceed the Inherent Risk. I've seen programs that make the mistake in their calculation as they want to take a conservative approach and want to use a weighted risk rating, as opposed to a linear rating. But if you go that route, you need to explain more... :-) I'm trying to keep it simple...
Good Luck!
------------------------------
Bradley Martin
------------------------------
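The 5x5 linear model and the "residual cannot exceed inherent" rule from the reply above, as an added Python illustration. This is not code from the thread; the tier cut-offs for the 25 cells, the number of tiers each Control Effectiveness level lowers the rating by, and the multipliers in the flawed "weighted" variant are all assumed for the example, not taken from anyone's program.

```python
"""Illustrative 5x5 linear risk rating with a 5-level Control Effectiveness scale.

Added example, not the poster's model. Assumed for illustration: the tier
cut-offs for the 25-cell Impact x Likelihood grid, the tier reduction each
control rating earns, and the multipliers in the flawed weighted variant.
"""

TIER_NAMES = {1: "Low", 2: "Moderate-Low", 3: "Moderate",
              4: "Moderate-High", 5: "High"}

# Five control ratings to match five risk tiers. Value = number of tiers the
# inherent rating is lowered by (assumed mapping).
CONTROL_EFFECTIVENESS = {
    "Effective": 4,
    "Mostly Effective": 3,
    "Fair/Partially Effective": 2,
    "Needs Improvement": 1,
    "Ineffective / No Control": 0,
}


def inherent_score(impact: int, likelihood: int) -> int:
    """Linear 5x5: Impact x Likelihood, one of 25 cells (1..25)."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return impact * likelihood


def score_to_tier(score: int) -> int:
    """Bucket a 1..25 cell score into five tiers (assumed cut-offs)."""
    if score <= 4:
        return 1
    if score <= 8:
        return 2
    if score <= 12:
        return 3
    if score <= 16:
        return 4
    return 5


def residual_tier(impact: int, likelihood: int, control: str) -> tuple:
    """Return (inherent_tier, residual_tier) under the linear model.

    The residual is the inherent tier lowered by the control's reduction,
    floored at Low. By construction it can never exceed the inherent tier,
    which is the invariant the reply insists on.
    """
    inherent = score_to_tier(inherent_score(impact, likelihood))
    residual = max(1, inherent - CONTROL_EFFECTIVENESS[control])
    assert residual <= inherent, "residual must not exceed inherent"
    return inherent, residual


# The mistake described in the thread: a "conservative" weighted variant that
# inflates the score when controls are weak. Any multiplier above 1.0 lets the
# residual exceed the inherent risk. Multipliers are assumed for illustration.
WEIGHTED_MULTIPLIER = {
    "Effective": 0.2,
    "Mostly Effective": 0.5,
    "Fair/Partially Effective": 0.8,
    "Needs Improvement": 1.0,
    "Ineffective / No Control": 1.25,
}


def weighted_residual_score(impact: int, likelihood: int, control: str) -> float:
    """Residual score under the flawed weighted approach."""
    return inherent_score(impact, likelihood) * WEIGHTED_MULTIPLIER[control]


def residual_exceeds_inherent(impact: int, likelihood: int, control: str) -> bool:
    """True when the weighted variant breaks the residual <= inherent rule."""
    return weighted_residual_score(impact, likelihood, control) > inherent_score(impact, likelihood)


def linear_model_holds_invariant() -> bool:
    """Check every one of the 25 cells x 5 control ratings under the linear model."""
    return all(
        residual_tier(i, l, c)[1] <= residual_tier(i, l, c)[0]
        for i in range(1, 6) for l in range(1, 6) for c in CONTROL_EFFECTIVENESS
    )


if __name__ == "__main__":
    inh, res = residual_tier(4, 4, "Needs Improvement")
    print(f"linear: inherent {TIER_NAMES[inh]}, residual {TIER_NAMES[res]}")
    print("weighted, no control, 4x4 exceeds inherent:",
          residual_exceeds_inherent(4, 4, "Ineffective / No Control"))
```

Running the script shows the linear model keeping the residual at or below the inherent tier for every combination, while the weighted variant pushes a 4x4 cell (score 16) to 20 when the control is rated Ineffective / No Control, which is exactly the calculation error the reply warns about.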
Original Message:
Sent: 08-23-2022 03:31 PM
From: Tim Barthold
Subject: Risk Rating Scale
Hi Everyone,
I'm curious how many risk levels are used in your TPRM programs (e.g., 3 levels - L/M/H, 5 levels - L/ML/M/MH/H) and whether you purposely aligned the TPRM risk levels with your company's ERM risk levels. Also, do you have any lessons learned now that you've gone in that direction?
My company doesn't have an ERM program yet, and we are building out the TPRM program first. My instinct tells me to establish a 5-tier rating system and set it as the enterprise taxonomy.
Thanks!
Tim