1 - Overall Risk Assessment

1 - Overall Risk Assessment

What is the Overall Risk Assessment?

The Overall risk assessment (ORA) provides the easiest way to get started with risk assessments in Diri. The Diri ORA asks you to briefly describe the parts of your organization that impact cybersecurity, such as Industrial Classification, number of employees, internal and external requirements, and key business products and deliveries. In short, it is a strategic risk assessment of your business.
The ORA is a tool for staking out the direction of the risk management program together with the key stakeholders and decision-makers in your organization.

Why the ORA?

The ORA allows you to conduct a risk assessment of overarching and strategic risks that are not bound to one system. The ORA in Diri har two strategic purposes: to quickly identify the business-critical ICT systems and register them in the Diri portfolio. The best way to achieve this goal is to discuss the business value chain and how ICT systems support the core business processes. This discussion will flush out several critical ICT systems, but not all: Some of the domain knowledge resides with the IT experts, so be sure to include them in the discussion.
Like quickly establishing ICT systems, the ORA also allows you to rapidly list all your existing global security controls. A global security control is a treatment that affects risks on more than one system. Examples of such controls are security guidelines, firewalls, and single sign-on solutions.

The second purpose of the ORA is to stake out the direction of the risk management program. The ORA asks for the most significant cybersecurity concerns of the organization; these will be added to the ORA and can be used for direction in future risk assessments in the organization. For example, if ransomware is the key concern, this risk should be inherited into all risk assessments. The same goes for information assets, where business-critical assets can be identified and added in the ORA and re-used throughout the organization.

(Re-use of risks and assets in Diri currently requires that the ORA is shared with other users)

When and how to use the ORA

If you are ready to do your first risk assessment in your organisation, the ORA should be your go-to choice. It would be best to use the ORA to define critical risks for the organisation and quickly populate the ICT systems portfolio and existing treatment list. 

The ORA is also the best choice if you need to do an overarching cybersecurity audit in your organisation. 

Choose the ORA using the Diri helper on the Dashboard. Fill out the requested information and spend time on:

  1. Mapping out internal and external requirements to security. 
  2. Most important deliveries

The fields for adding IT systems, risks, assets, and controls, illustrated below, are currently only available through the ORA form. Both of which are essential for the relevance of the risk assessment results. Make sure to make good use of them.

The ORA option can also be reached through the organisational overview, accessed via the four quadrant icon next to edit, illustrated in the picture below.

You can have mulitple ORAs per organisational level, the amount is illustrated with the number to the right of the four quadrant icon. For Gautes Private Enterprise there exists one ORA in the picture above. If you wish to delete an existing ORA, you must click on the four quadrant icon.

    • Related Articles

    • Published Risk Assessments

      Diri AS have made risk assessment templates for copying to ease your way into cyber risk management. The templates are available through the "Published Assessments"-feature on the risk assessment overview. The library will contain templates for ...
    • Copy and re-use risk assessments

      Copying whole risk assessments The copy button is available on all risk assessment objects Are you delighted with one or more of your assessments? Or is the same IT system in use multiple places? Existing risk assessments can be copied and re-used in ...
    • 3 - The Problem Risk Assessment

      What is the Problem Risk Assessment? Put plainly, the Problem Risk Assessment (PRA) is a simplified risk assessment with lower documentation requirements when compared to IT system assessments. The PRA is an option for risk assessing problems that ...
    • Add risks from template

      Create a set of baseline risks for all assessments Currently, the beta version of this functionality in production only allows for copying the template to one risk assessment at a time. The functionality does not copy risk treatments to prevent the ...
    • 2 - The ICT System Risk Assessment

      What is an ICT system? ICT (information, communication, and technology) systems are the most basic type of risk assessments in Diri: An ICT system is a set-up consisting of hardware, software, data and the people who use them. It commonly includes ...