Calibrated Risk Index®

Calibrated Risk Index® (CRI) is Assura’s methodology for calculating risk on both a quantitative and qualitative basis. CRI can be used to calculate any risk in a context that’s meaningful to your organization. This provides leaders with the information they need to make objective, informed risk decisions that translate into improved compliance and business results.

The CRI process begins with a series of calibrations to determine the scale and context of various risk inputs such as threats, impacts, and the assets (e.g., physical plant, monetary, cyber, intellectual property, etc.) that are important to your organization. We then gather data about vulnerabilities that can be exploited by each threat and currently in-place controls to mitigate those vulnerabilities. From there, we run a series of sophisticated calculations that provide a rating for each risk.


CRI scientifically measures risk in the context of your organization.


We are constantly improving CRI and the latest version uses a proven computational algorithm to determine the probability that a given risk will come to fruition. This answers the question, “how likely is it that this risk will occur?” and provides organizations with greater clarity to make informed risk decisions.

CRI measures risks by identifying threats, vulnerabilities, probabilities, and impacts and computing an Unmitigated Risk Rating using a sophisticated computational model. The effect of in-place controls is then computed and re-run through the computational model to derive a Residual Risk Rating.

This provides a framework where organizations can conduct “what-if” analyses to objectively determine how changes in the control environment affect a given risk.

The result is that organizations can determine whether their current control investments are paying off and make informed decisions about whether or not to invest in control enhancements.

While any set of risks can be measured with CRI, its real strength is in its ability to measure risk in the context of compliance with standards and regulations. In other words, for the first time, an organization can measure its risk profile in the context of its compliance posture.

CRI achieves this through the use of Controls Catalogs based on various laws, regulations, and international standards. We have controls catalogs for: Assura’s security professionals are experts in compliance with laws, regulations and standards such as:

  • CJIS
  • ISO 23001
  • ISO 27001/27002
  • ISO 31000
  • IRS 1075
  • NIST SP 800-53
  • NIST SP 800-37
  • SOX
  • SSAE-16/SOC 2
  • State-level security standards and data protection laws

Other Controls Catalogs are being developed every day.

CRI can be used to measure risks in all parts of an organization’s ecosystem including:

  • Business Strategy
  • Financial Strategy
  • Internal Financial Controls
  • Products and Services
  • Information Technology Strategy and Projects
  • Information Protection and Cybersecurity
  • Business Continuity and Continuity of Operations
  • Occupational Safety and Health
  • Political Environment
  • Regulatory Environment