Prevalent Platform Risk Scoring and Status Overview
The Prevalent Platform broadly aligns to ISO 31000 methodologies for risk management good practice. Risks may be generated from a variety of sources, including automated monitoring, assessments, the API, or manual entry. The key metric for tracking risks within the Prevalent Platform is a risk score. This score is derived from two scores, each between 0 and 5, multiplied together to provide an overall score between 0 and 25. The two contributing scores are Likelihood and Impact.
Based on the contributing Likelihood and Impact scores, the overall score can be classified as either Low, Medium, High, or Critical. Amendments to classifications can be applied within the Prevalent Platform.
In conjunction with the overall score classification, any individual risk has a status. This status provides insight into where the risk is in the remediation lifecycle. For example, it may be awaiting review, accepted, mitigated, or transferred. The Platform also supports custom statuses based on customer workflows.
The Platform provides 3 status ‘types’. These define how the Platform considers the risk in risk score calculations and reporting. Any risk status will be associated with one of the following types, regardless of whether it is predefined or custom:
Open
An open risk is considered active and any overall score will be included within all reporting metrics of the Platform.
Closed & Accepted
A risk with this status will be considered active, but not expected to have any proactive iterative adjustments to the risk score. The overall risk score will be included within all reporting metrics of the Platform.
Closed & Mitigated
A risk with this status will be considered addressed, and the overall risk score nullified. While the Platform maintains the existing overall risk score for visibility, the score does not contribute to any reporting metrics.
Risks can also be archived. When a risk is archived, it is no longer displayed by default in risk registers or in reporting metrics. A risk should be archived when it is considered fully resolved and no further amendments or tracking are necessary.
Risk Registers & Reporting
There are multiple locations within the Platform where risks can be reviewed and reported against. This includes within an Entity, within distinct Risk Registers, and in live summary reporting.
The entity overview contains the total number of risks, a total risk score, and the average risk score. The entity overview does not adjust based on filters of adjacent entity pages.
Number of Risks
This includes all risks of any status except for archived risks.
Total Risk Score
This includes all risks with a status of ‘Open’ or ‘Open and Accepted’. Archived risks are excluded.
Average Risk Score
This considers all risks with a status of ‘Open’ or ‘Open and Accepted’. Archived risks are excluded. The average is the mean of all risks within scope.
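The three entity overview figures can be reproduced from a risk list as follows. This is an added example, not Prevalent's code: the class and function names and the sample risks are constructed, it assumes ‘Open and Accepted’ in the metric definitions refers to the accepted status type, and it assumes an empty scope averages to 0.

```python
from dataclasses import dataclass
from enum import Enum
from statistics import mean


class StatusType(Enum):
    OPEN = "Open"
    CLOSED_ACCEPTED = "Closed & Accepted"
    CLOSED_MITIGATED = "Closed & Mitigated"


# Status types whose scores contribute to reporting metrics, per the type
# definitions above (a mitigated risk keeps its score, but it is nullified).
SCORED_TYPES = {StatusType.OPEN, StatusType.CLOSED_ACCEPTED}


@dataclass
class Risk:
    name: str
    likelihood: int  # 0-5
    impact: int      # 0-5
    status_type: StatusType
    archived: bool = False

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 0 <= value <= 5:
                raise ValueError("Likelihood and Impact must be between 0 and 5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # overall score, 0-25


def entity_overview(risks):
    """Return (number of risks, total risk score, average risk score)."""
    visible = [r for r in risks if not r.archived]  # archived never counted
    scored = [r.score for r in visible if r.status_type in SCORED_TYPES]
    average = mean(scored) if scored else 0.0  # assumption: empty scope -> 0
    return len(visible), sum(scored), average


# Constructed sample register (not real data).
SAMPLE = [
    Risk("Unpatched VPN appliance", 4, 5, StatusType.OPEN),
    Risk("No SSO on vendor portal", 3, 3, StatusType.CLOSED_ACCEPTED),
    Risk("Expired pen-test report", 2, 4, StatusType.CLOSED_MITIGATED),
    Risk("Legacy FTP endpoint", 5, 5, StatusType.OPEN, archived=True),
]
```

For the sample, the mitigated risk still counts toward Number of Risks but adds nothing to the total or the average, and the archived risk is excluded from all three figures.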
The Entity Profile details risks which are in a status of ‘Open’ and ‘Open & Accepted’. Archived risks are excluded from this section.
Entity Risk Register
By default, filters are applied to show only risks which have not been archived. This can be changed by expanding the filter and adjusting it accordingly.
By default, each individual risk register displays all risk statuses. Archived risks are maintained in a separate tab for review.
The summary risk classification counts cover all risks with a status of ‘Open’ or ‘Open and Accepted’. Archived and ‘Closed and Mitigated’ risks are not included.
By default, this is filtered to include all risks with a status of ‘Open’ or ‘Open and Accepted’. Archived and ‘Closed and Mitigated’ risks are not included. Where necessary, additional statuses can be added or removed using the status dropdown.