The risk module is very configurable. A risk field consists of the following principal parts:
- The risk input defines all the factors which contribute to a risk. It can contain several text and numeric values.
- A risk assessment before risk controls lets the user assess a risk by assigning a number or text and a risk class.
- The risk controls can be items from some defined categories of the project.
- A risk assessment after risk controls lets the user assess a risk by assigning a number or text and a risk class.
The risk input defines all the factors which contribute to a risk. Each factor can have none, one or several weights assigned to it. The user selects each weight from a predefined list of weights.
```typescript
interface IRiskConfig {
    factors?:IRiskConfigFactor[], // a list of factors contributing to risk levels, see below
    // ...
}
interface IRiskConfigFactor {
    type:string, // a unique identification of the factor
    label:string, // the label displayed in the UI, where user can enter some text, e.g. "Cause" or "Effect"
    weights:IRiskConfigFactorWeight[], // an array of definitions describing how the factor contributes to the risk level, each weight is a drop down of values
    hideTextInput?:boolean, // default: false, set to true if there should not be a text input field to specify details
    readonly?:boolean, // default: false, can be set to true if user should not be able to change the field
    inputType?:IRiskConfigFactorInputType, // default: text (a single line text input), can be used to overwrite the input as a drop down selection or a text area
    options?:IRiskConfigFactorOption[], // if inputType is "select" this contains the values which can be selected
}
type IRiskConfigFactorInputType = "text"|"select"|"textarea";
interface IRiskConfigFactorOption {
    value:string, // a unique identifier
    label:string, // text to display
    changes:IRiskConfigSelectChanges[] // for input select only. Allows to automatically change other inputs / weights when the select changes
}
interface IRiskConfigSelectChanges {
    changesFactor?:string, // identifier (type) of the factor to be modified, OR
    changesWeight?:string, // identifier (type) of the weight to be modified
    value:number // the new value to set
}
interface IRiskConfigFactorWeight {
    type:string, // an identifier of the contributing factor
    help:boolean, // if set true a help popover will explain the values
    label:string, // the label displayed in the UI, where the user can select a value from the drop down, e.g. "Probability", "Severity" or "Detectability"
    readonly?:boolean, // default false, set to true if an input field should not be changeable by the user
    hidden?:boolean, // default false, set to true if field should be hidden
    values:IRiskConfigFactorWeightValue[] // an array of options of the drop down
}
interface IRiskConfigFactorWeightValue {
    shortname:string, // name displayed in the UI, can be omitted to only show the factor
    help:string, // name displayed in tool tip help
    factor:number // factor which goes into calculation of risk
}
```
The method is defined by setting the property method to either '*', '+' or 'lookup'. The property rbm can be set to hide or modify the text displayed in the UI or reports.
```typescript
interface IRiskConfig {
    method:IRiskConfigMethod, // "+" or "*" whether to add or multiply the risk factors, "lookup" to get values from lookup table
    // ...
    rbm?:IRiskConfigRT, // allows to overwrite the default text used for Risk Before Mitigation fields.
}
type IRiskConfigMethod = "+"|"*"|"lookup";
interface IRiskConfigRT {
    short:string, // text used in UI just before the field
    long:string, // text used in tooltip in UI
    report:string, // text used in report
    hidden?:boolean // default: false, set to true if this should not be displayed/reported
}
```
Method one is selected by setting method to '*' or '+'. In that case the following properties must be defined as well, in order to define the classification based on the sum / product.
```typescript
interface IRiskConfig {
    // ...
    maxGreen?:number, // the maximum risk level value which will be shown in green (low risk)
    maxYellow?:number, // the maximum risk level value which will be shown in yellow (moderate risk), all above will be red (high risk)
    // ...
}
```
Method two is selected by setting method to 'lookup'. In that case the following properties must be defined as well, in order to define the classification based on the sum / product.
```typescript
interface IRiskConfig {
    // ...
    charts?:IRiskConfigZone[], // colors and text per risk class
    rpns?:IRiskConfigRPN[], // lookup table to determine risk priority numbers based on weights
    // ...
}
interface IRiskConfigZone {
    zone?:string, // unique ID
    foreground?:string, // foreground color in the user interface
    background?:string, // background color in the user interface
    textColor?:string, // text color in reports
    label?:string // text to be displayed
}
interface IRiskConfigRPN {
    // e.g. { "probability":5, "severity":4, "zone":"LOW", "text":"5 x 4 = 20" }
    zone:string, // ID of zone
    text:string, // for below combination of numbers: the resulting zone(char) and text
    [key:string]:string|number // properties for each weight defining the lookup value for this lookup entry
}
```
Risk controls are defined by selecting or creating items from one or more categories (usually these are considered as design input).
```typescript
interface IRiskConfig {
    // ...
    mitigationTypes?:IRiskConfigMitgationType[], // a list of categories which can be used as risk controls, see below. If there are no mitigations the RBM section will not be shown.
    reductions?:IRiskConfigReduction[], // a list describing how risk levels can be reduced by risk controls, see below.
    postReduction?:IRiskPostReduction, // option for user selection after risk controls
    // ...
}
```
For this method, the reductions property must be configured. It is an array of IRiskConfigReduction options.
```typescript
interface IRiskConfigReduction {
    name:string, // a unique id of the reduction factor
    options:IRiskConfigReductionOptions[] // an array of reduction factors describing how the risk level can be reduced. These show up as a drop down of values.
}
interface IRiskConfigReductionOptions {
    shortname:string, // the string shown in drop down
    by:number, // the amount by which a factor of the risk is changed (so negative values reduce the risk level)
    changes:string, // defines which weight is reduced.
}
```
Note: this is only available from release 1.11.
If the user has selected at least one risk control, this option allows the user to modify one or more of the weights defined as risk input. The weights which can be changed must be defined with all options which can be selected.
```typescript
interface IRiskPostReduction {
    weights:IRiskConfigFactorWeight[]
}
```
The method used is the same as for the risk assessment before risk controls. The property ram can be set to hide or modify the text displayed in the UI or reports.
```typescript
interface IRiskConfig {
    // ...
    ram?:IRiskConfigRT, // allows to overwrite the default text used for Risk After Mitigation fields.
}
interface IRiskConfigRT {
    short:string, // text used in UI just before the field
    long:string, // text used in tooltip in UI
    report:string, // text used in report
    hidden?:boolean // default: false, set to true if this should not be displayed/reported
}
```
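The following added example (not the product's own code) shows how the classification settings (method, maxGreen, maxYellow, rpns) and the reduction options (by, changes) described above fit together, and where a configuration can fail: an rpns table that does not cover a weight combination reached after a reduction. The type names are narrowed local copies; the zone names "green", "yellow", "red", the exact-match lookup rule and the sample numbers are assumptions, while the rpns entry is the one quoted in the page's comment.

```typescript
// Added example: local, narrowed copies of the page's config shapes (hypothetical names).
type RiskMethod = "+" | "*" | "lookup";
interface RpnEntry { zone: string; text: string; [key: string]: string | number; }
interface ReductionOption { by: number; changes: string; }
interface RiskCfg { method: RiskMethod; maxGreen?: number; maxYellow?: number; rpns?: RpnEntry[]; }
type WeightValues = { [weightType: string]: number };

// Apply the selected reduction options: "by" is added to the weight named in "changes".
function applyReductions(weights: WeightValues, selected: ReductionOption[]): WeightValues {
  const out: WeightValues = {};
  for (const k of Object.keys(weights)) out[k] = weights[k];
  for (const r of selected) {
    if (!(r.changes in out)) throw new Error("reduction targets unknown weight: " + r.changes);
    out[r.changes] += r.by;
  }
  return out;
}

// Return the risk class (zone) for the selected weight factors.
function classify(cfg: RiskCfg, weights: WeightValues): string {
  const types = Object.keys(weights);
  if (cfg.method === "lookup") {
    for (const rpn of cfg.rpns || []) {
      let match = true;
      for (const t of types) if (rpn[t] !== weights[t]) match = false;
      if (match) return rpn.zone;
    }
    // Incomplete lookup table: fail loudly instead of defaulting to a low class.
    throw new Error("no rpns entry for " + JSON.stringify(weights));
  }
  if (cfg.maxGreen === undefined || cfg.maxYellow === undefined)
    throw new Error("maxGreen and maxYellow are required for '+' and '*'");
  let level = cfg.method === "*" ? 1 : 0;
  for (const t of types) level = cfg.method === "*" ? level * weights[t] : level + weights[t];
  return level <= cfg.maxGreen ? "green" : level <= cfg.maxYellow ? "yellow" : "red";
}

// Constructed sample configurations (thresholds are made up for illustration).
const MULT_CFG: RiskCfg = { method: "*", maxGreen: 6, maxYellow: 12 };
const LOOKUP_CFG: RiskCfg = {
  method: "lookup",
  rpns: [{ probability: 5, severity: 4, zone: "LOW", text: "5 x 4 = 20" }],
};
```

When reviewing a 'lookup' configuration, check that rpns holds an entry for every combination of weight values that can be selected or reached through a reduction.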