Once you have added all the relevant threats, start adding the treatments needed to reduce the risk levels. Treatments are measures designed to mitigate a threat. We use the terminology from the ISO 31000 standard and call them “Treatments”; they are also known as “Mitigating Measures”, “Security Controls” or just “Controls”.
You have two ways of adding treatments to a risk assessment: select from the suggested treatments, or create your own. Follow the instructions below to do this.
Suggested treatments
Note: this functionality is only available if it has been set up by an administrator on the Organization page.
Click the “Suggested Treatments” button to see the pre-defined treatments from the treatment template.
Click the small arrow next to each treatment to read its description.
Deselect the ones you find irrelevant by unchecking their checkboxes.
Click Import to add the treatments to your risk assessment.
Afterward, click on each treatment to assess its implementation state and the effect it has on the active threats.
If you change an automated effect, a wand icon appears. Click it to revert to the automated effect.
Click on save.
Filling out the necessary information
Once you have imported the treatments into your risk assessment, you need to fill out the information regarding each treatment. The description may already be predefined, depending on how much your organization has filled out in the template.
Cost
The Cost field lets you enter a cost for the treatment. This can also be a negative number, to indicate a saving.
Responsible
Add the person who is responsible for this treatment. You can select from users who have access to this Risk Assessment.
Implementation
In the Implement section, define the current implementation state of the treatment. You can choose between:
Implemented
Implemented - Over Specified
In Progress
Not Implemented
Not Implemented - Accepted Risk
Not set
If the treatment is Not Implemented or In Progress, select a deadline. Select “Not Implemented – Accepted Risk” if a deliberate decision has been made not to implement this treatment; this option requires you to leave a comment.
Effects
The Effects tab lets you specify how effective the treatment is at mitigating each threat.
For each threat, choose one of four effect levels:
None
Low
Medium
High
Scoring
The effects of a treatment are assigned points based on their level of effectiveness.
None: 0 points
Low: 1 point
Medium: 2 points
High: 3 points
If multiple treatments are assigned to a threat, the average of their points is calculated. This average treatment effect determines the overall effectiveness of the treatments in mitigating the threat.
To reduce a High Threat Level to a Medium Risk Level, the average treatment effect must be at least 1.5. To reduce it from High to Low, the average treatment effect must be at least 2.5.
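The scoring rule above, worked through as an added example (not code from the product): effects are mapped to points, averaged per threat, and the average is compared against the 1.5 and 2.5 thresholds the page gives for a High threat level. How the implementation state of a treatment influences the score is not described on this page and is not modelled here (assumption: the effect levels are taken as given).

```python
# Added worked example of the treatment-effect scoring described above.
# Only the rule stated on the page is implemented: None=0, Low=1,
# Medium=2, High=3, averaged across the treatments assigned to a threat;
# a High threat level drops to Medium at an average of 1.5 and to Low at 2.5.
# Assumption: implementation state is not factored in (not described on the page).
from statistics import mean

EFFECT_POINTS = {"None": 0, "Low": 1, "Medium": 2, "High": 3}


def average_effect(effects):
    """Average points of the treatments assigned to one threat.

    effects: list of effect levels ("None", "Low", "Medium", "High"),
    one per treatment. A threat with no treatments has no mitigation,
    so its average is 0.0. Unknown levels are rejected rather than
    silently scored as 0.
    """
    if not effects:
        return 0.0
    try:
        points = [EFFECT_POINTS[e] for e in effects]
    except KeyError as exc:
        raise ValueError(f"unknown effect level: {exc.args[0]!r}") from None
    return mean(points)


def residual_level_for_high_threat(effects):
    """Risk level remaining for a threat whose threat level is High."""
    avg = average_effect(effects)
    if avg >= 2.5:
        return "Low"
    if avg >= 1.5:
        return "Medium"
    return "High"


if __name__ == "__main__":
    # Constructed sample: three treatments assigned to one High threat.
    sample = ["High", "Medium", "Low"]  # (3 + 2 + 1) / 3 = 2.0 -> Medium
    print(average_effect(sample), residual_level_for_high_threat(sample))
    # Note that a treatment rated "None" still counts in the average and
    # pulls it down: ["High", "None"] averages 1.5, which only reaches Medium.
    print(residual_level_for_high_threat(["High", "None"]))
```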
Files
The Files tab lets you attach any files that are relevant to the treatment.
Mandatory treatments
Clicking the Suggested Treatment button reveals the Treatment Suggestions list, where mandatory treatments are marked with an exclamation mark next to the checkbox. The checkbox for a mandatory treatment is also disabled, so it cannot be unchecked.
Create treatments
You can create your own treatments to supplement the suggested treatments, or if this is the primary way of adding treatments in your organization. To create your own treatment, follow the instructions below:
Click on the Create treatment button.
Fill out the information regarding the treatment manually.
Click on save.
🤔 Didn't find what you were looking for?
Don't worry! We are here to help. Feel free to write directly to us on support@humanrisks.com and we will be of assistance.