Overview

Risk rating is a crucial aspect of risk assessment, allowing a business to assess and prioritise risks. In StartRisk, we differentiate between three types of risk ratings: Inherent, Residual and Forecast.

These ratings help in understanding the severity of risks before and after the application of controls, enabling risk owners to understand if controls are having the desired impact to reduce risks.

[Screenshot: Inherent, Residual and Forecast risk rating bars]

Above you can see that the Inherent, Residual and Forecast risk ratings are each shown by the circle on the horizontal bar. The circle changes from red to green when it is inside risk appetite. The risk appetite is shown by the thicker part of the bar.

If no controls are recorded against a risk, only the Inherent risk rating will be shown. Similarly, if all controls are implemented and there are no planned controls, a Forecast risk rating will not be shown.

StartRisk will automatically assess the rating with controls based on the controls recorded against the risk. It’s important that the key controls that help manage the risk are captured accurately.

Key Concepts

Inherent Risk Rating represents the level of risk a business faces before any controls or mitigating factors are applied. It reflects the 'natural' level of risk inherent in an activity or decision.

Residual Risk Rating is the level of risk remaining after considering controls that are implemented. It shows the effectiveness of the current risk management strategies.

Forecast Risk Rating is the level of risk remaining after considering controls that are planned or implemented, collectively. It shows the effectiveness of the current and planned risk management strategies.