Abstract: Conventional methods address security aspects, but once sign-off is given there is only a minimal way to check whether a risk can reoccur in future. Some risks which were previously accepted due to technology limitations can probably be mitigated today, owing to advances in technology. However, this remains a challenge because enterprises do not have a central framework to manage overall privacy and security for eliminating or reducing the risk of data loss and data breach. Embodiments of the present disclosure provide systems and methods for risk assessment and management by mapping responses to queries to data attributes for risk identification, and by computing a risk score for each identified risk based on its probability, severity, detection, etc. Mitigation plans with an estimated timeline and a reducible risk score candidate are generated based on the risk score. Periodic tracking and prioritizing of each risk makes it possible to reduce impact and identify high focused projects.
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See Section 10 and Rule 13)
Title of invention:
METHOD AND SYSTEM PROVIDING RISK ASSESSMENT FOR AN ENTERPRISE
Applicant
Tata Consultancy Services Limited
A company incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman Point, Mumbai 400021,
Maharashtra, India
The following specification particularly describes the invention and the manner in which it is to be performed.
CROSS-REFERENCE TO RELATED APPLICATIONS AND PRIORITY
[001] The present application claims priority from Indian patent application no. 201721036377, filed on October 12, 2017, the complete disclosure of which, in its entirety is herein incorporated by reference.
TECHNICAL FIELD
[002] The disclosure herein generally relates to risk assessment and the generation of mitigation plans therefrom, and, more particularly, to the prediction and elimination of risks associated with an enterprise group using risk assessment systems.
BACKGROUND
[003] Risk assessment is crucial for enterprises (or organizations) to avoid any impact. Enterprises adopt security, privacy, confidentiality and contract compliance as an integral part of the Software Development Life Cycle (SDLC) to predict and eliminate risks. Generally, enterprises adopt risk policies and procedures to identify, analyse, assess, treat and monitor risks for an entity. The entity may be a supplier, vendor, partner or the like, providing services to the enterprises. To manage the risks, an enterprise creates one or more groups or structures to conduct security assessments and project sign-offs. Currently, the privacy and security aspects associated with project sign-offs provide only a marginal way to predict and eliminate the risks associated with an enterprise.
[004] In conventional methods, risk assessment mainly focuses on scoring or grading the risks associated with the current model based on several constraints to generate mitigation plans. The conventional method is limited to analysis of current risks and cannot predict the risks associated with an entity. In an existing method, a risk assessment framework uses capability maturity model integration (CMMI) to develop a risk assessment model. The model analyses existing risks, identifies a risk taxonomy, adopts best practices, and derives and deploys new risk identification rules to assess risks in current projects. However, the existing method is unable to track and manage the status of the risks for one or more projects. In another existing method, an IT project risk assessment enterprise framework generates a risk factor profile based on predefined attributes and represents it graphically using spider nets. However, this existing method may fail to identify the status of the risks for one or more projects. Thus, most of the methods used by enterprises today require a solution to track, manage, predict, eliminate and assess the risks associated with an entity.
SUMMARY
[005] Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one aspect, there is provided a method for identifying risks, generating mitigation plans and periodically tracking the risks so as to minimize them. The processor implemented method comprises: receiving, via one or more hardware processors, input data pertaining to an entity, wherein the input data corresponds to one or more domains; querying, via the one or more hardware processors, one or more databases to identify and select a set of unique context sensitive based queries specific to the input data; obtaining a set of responses for the set of unique queries specific to the input data; mapping the set of responses to a set of predefined data attributes to identify a plurality of entity risks; calculating a risk score for each of the plurality of identified entity risks, based on one or more criteria comprising (i) a probability of the plurality of identified entity risks, (ii) a severity associated with each of the plurality of identified entity risks, and (iii) detection of the plurality of identified entity risks; and dynamically generating one or more mitigation plans based on the calculated risk score for each of the plurality of identified entity risks, wherein each of the one or more dynamically generated mitigation plans comprises an estimated timeline and a reducible risk score candidate based on one or more parameters specific to the entity.
[006] In an embodiment, the method may further comprise: upon dynamically generating the one or more mitigation plans, generating a risk profile based on the set of responses being mapped to the set of predefined data attributes; periodically tracking attributes associated with the generated risk profile to update the risk score associated with each of the plurality of identified entity risks; and analyzing the updated risk score associated with each of the plurality of identified entity risks to determine a risk state of the entity.
[007] In an embodiment, the method may further comprise performing an analysis of an impact of each of the plurality of identified entity risks based on the one or more criteria; and prioritizing at least a subset of the plurality of identified entity risks for attaining a status of the plurality of identified entity risks, wherein the status of the plurality of identified entity risks comprises one of a hibernation mode, an open mode and a close mode.
[008] In an embodiment, the step of querying, via the one or more hardware processors, one or more databases to identify and select a set of unique context sensitive based queries may comprise: dynamically generating one or more queries based on the input data; and identifying at least a subset of the one or more queries as part of the set of unique context sensitive based queries.
[009] In an embodiment, the method may further comprise identifying, using the input data, one or more focused projects based on at least one of (i) the set of responses to the set of context sensitive based queries, (ii) the calculated risk score associated with each of the plurality of identified risks, and (iii) an exposure level of each of the plurality of identified risks pertaining to the entity.
[010] In another aspect, there is provided a system for identifying risks, generating mitigation plans and periodically tracking the risks so as to minimize them. The system comprises a memory storing instructions; one or more communication interfaces; and one or more hardware processors coupled to the memory via the one or more communication interfaces, wherein the one or more hardware processors (104) are configured by the instructions to: receive input data pertaining to an entity, wherein the input data corresponds to one or more domains; query one or more databases comprised in the memory to identify and select a set of unique context sensitive based queries specific to the input data; obtain a set of responses for the set of unique queries specific to the input data; map the set of responses to a set of predefined data attributes to identify a plurality of entity risks; calculate a risk score for each of the plurality of identified entity risks, based on one or more criteria comprising (i) a probability of the plurality of identified entity risks, (ii) a severity associated with each of the plurality of identified entity risks, and (iii) detection of the plurality of identified entity risks; and dynamically generate one or more mitigation plans based on the calculated risk score for each of the plurality of identified entity risks, wherein each of the one or more dynamically generated mitigation plans comprises an estimated timeline and a reducible risk score candidate based on one or more parameters specific to the entity.
[011] In an embodiment, the one or more hardware processors are further configured by the instructions to generate a risk profile based on the set of responses being mapped to the set of predefined data attributes; periodically track attributes associated with the generated risk profile to update the risk score associated with each of the plurality of identified entity risks; and analyze the updated risk score associated with each of the plurality of identified entity risks to determine a risk state of the entity.
[012] In an embodiment, the one or more hardware processors are further configured by the instructions to: perform an analysis of an impact of each of the plurality of identified entity risks based on the one or more criteria; and prioritize at least a subset of the plurality of identified entity risks for attaining a status of the plurality of identified entity risks, wherein the status of the plurality of identified entity risks comprises one of a hibernation mode, an open mode and a close mode.
[013] In an embodiment, the set of unique context sensitive based queries are identified and selected by: dynamically generating one or more queries based on the input data; and identifying at least a subset of the one or more queries as part of the set of unique context sensitive based queries.
[014] In an embodiment, the one or more hardware processors are further configured by the instructions to identify, using the input data, one or more focused projects based on at least one of (i) the set of responses to the set of context sensitive based queries, (ii) the calculated risk score associated with each of the plurality of identified risks, and (iii) an exposure level of each of the plurality of identified risks pertaining to the entity.
[015] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[016] The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
[017] FIG. 1 illustrates a risk assessment enterprise framework for risk assessment, in accordance with an embodiment of the present disclosure.
[018] FIG. 2 illustrates a block diagram of an enterprise risk building block of the risk assessment enterprise framework, in accordance with an embodiment of the present disclosure.
[019] FIG. 3 illustrates a high level architecture of the enterprise risk building block, in accordance with an embodiment of the present disclosure.
[020] FIG. 4 illustrates an exemplary flow diagram of a method for risk assessment, in accordance with an embodiment of the present disclosure.
[021] FIG. 5, with reference to FIGS. 1 through 4, depicts a graphical representation of top ‘n’ risks associated with an entity as identified by the system of FIG. 1 in accordance with an example embodiment of the present disclosure.
[022] FIG. 6 depicts a graphical representation of high focused projects in an enterprise along with associated risk score and risk surface area as identified by the system of FIG. 1 in accordance with an example embodiment of the present disclosure.
[023] FIG. 7 depicts a graphical representation illustrating top ‘n’ high risk score computed for each project associated with an enterprise, in accordance with an example embodiment.
[024] FIG. 8 depicts a graphical representation illustrating top ‘n’ non-mitigated risks beyond planned closure date associated with an enterprise, in accordance with an example embodiment.
[025] FIG. 9 depicts a graphical representation illustrating number of projects that need to adhere to defined compliance in the enterprise, in accordance with an example embodiment.
[026] FIG. 10 depicts a table illustrating risk score computed for each identified risk by the system of FIG. 1 in accordance with an example embodiment of the present disclosure.
DETAILED DESCRIPTION OF EMBODIMENTS
[027] Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the spirit and scope of the disclosed embodiments. It is intended that the following detailed description be considered as exemplary only, with the true scope and spirit being indicated by the following claims.
[028] Embodiments herein provide a method and a system for risk assessment for an enterprise. The enterprise may refer to an organization, an operational unit, or one or more projects. The system, alternatively referred to as a risk assessment enterprise framework, enables identifying, predicting, tracking, managing and eliminating a plurality of risks so as to identify a risk state of one or more projects associated with the enterprise. This risk assessment enterprise framework has built-in statistics based computational techniques to detect a plurality of risks from the questionnaire filled by the enterprise, identify the severity of the detected risks, calculate a risk score for each of the detected risks, determine the probability of assessment accuracy of the computed risk score, formulate the risk surface area, and so on. Further, the risk assessment enterprise framework generates a risk profile for the enterprise, wherein the risk profile includes the filled questionnaire, the identified risks, the calculated risk score, the assessment accuracy, the selected mitigation plan and the like.
[029] The risk profile is provided to one or more groups or entities associated with the enterprise such as providers, vendors, suppliers, partners, any stakeholder(s), or the like. Further, based on the risk score in the risk profile, the entities can then select one or more mitigation plans with one or more actions or steps (or the mitigation plans could be auto-populated by the system of the present disclosure). In an embodiment of the present disclosure, the mitigation plans could be dynamically generated using one or more mitigation plans already stored in the system. The mitigation plan(s) generated for the entity under consideration may be unique and not similar or identical to one or more existing mitigation plans comprised in the system 100, in one example embodiment of the present disclosure. Alternatively, the mitigation plan(s) generated for the entity under consideration may be a combination of the one or more existing mitigation plans comprised in the system 100, in another example embodiment of the present disclosure. In scenarios where the mitigation plans are a combination of the one or more existing mitigation plans, the identified risks for the current entity under consideration may be similar to, identical to or different from the risks for which the one or more existing mitigation plans were previously generated for other entities (or for the same entity, which may have been considered previously). This risk assessment enterprise framework analyses the mitigation plan to identify a risk state, wherein the risk state includes one of an open state, a closed state, a hibernate (or hibernation) state, etc. The risk profile may be reviewed on a timely basis by one or more entities, based on which current mitigation plans may be revised. Further, with the mitigation plans being revised, the risk assessment enterprise framework re-computes the risk score and updates the risk profile accordingly. The risk profile may also be represented graphically, for example as tabulated metrics, spider nets, charts, and the like. A detailed description of the above described system for the risk assessment enterprise framework is shown with respect to the illustrations represented with reference to FIGS. 1 through 4.
[030] The method(s) and system(s) for the enterprise risk assessment framework are further described in conjunction with the following figures. It should be noted that the description and figures merely illustrate the principles of the present subject matter. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described or shown herein, embody the principles of the present subject matter and are included within its spirit and scope. Furthermore, all examples recited herein are principally intended expressly to be only for pedagogical purposes to aid the reader in understanding the principles of the present subject matter and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the present subject matter, as well as specific examples thereof, are intended to encompass equivalents thereof.
[031] Referring now to the drawings, and more particularly to FIGS. 1 through 10, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.
[032] FIG. 1 illustrates a network environment 100 implementing a system 102 for assessing the enterprise risks according to an embodiment of the present subject matter. The system 102 is configured with an enterprise risk building block. The system 102 may be embodied in a computing device, for instance a computing device 104. Although the present disclosure is explained considering that the system 102 is implemented on a server, it may be understood that the system 102 may also be implemented in a variety of computing systems, such as a laptop computer, a desktop computer, a notebook, a workstation, a cloud-based computing environment and the like. In one implementation, the system 102 may be implemented in a cloud-based environment. It will be understood that the system 102 may be accessed by multiple users through one or more user devices 106-1, 106-2... 106-N, collectively referred to as user devices 106 hereinafter, or applications residing on the user devices 106. Examples of the user devices 106 may include, but are not limited to, a portable computer, a personal digital assistant, a handheld device, a smartphone, a tablet computer, a workstation and the like. The user devices 106 are communicatively coupled to the system 102 through a network 108.
[033] In an embodiment, the network 108 may be a wireless or a wired network, or a combination thereof. In an example, the network 108 can be implemented as a computer network, as one of the different types of networks, such as a virtual private network (VPN), intranet, local area network (LAN), wide area network (WAN), the internet, and such. The network 108 may either be a dedicated network or a shared network, which represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), and Wireless Application Protocol (WAP), to communicate with each other. Further, the network 108 may include a variety of network devices, including routers, bridges, servers, computing devices and storage devices. The network devices within the network 108 may interact with the system 102 through communication links.
[034] As discussed above, the system 102 may be implemented in a computing device 104, such as a hand-held device, a laptop or other portable computer, a tablet computer, a mobile phone, a PDA, a smartphone, and a desktop computer. The system 102 may also be implemented in a workstation, a mainframe computer, a server, and a network server. In an embodiment, the system 102 may be coupled to a data repository, for example, a repository 214. The repository 214 may store data processed, received, and generated by the system 102. In an alternate embodiment, the system 102 may include the data repository 214. The components and functionalities of the system 102 are described further in detail with reference to FIG. 2.
[035] FIG. 2 illustrates a block diagram of a system for a risk assessment enterprise framework 200, in accordance with an example embodiment. The system for assessing the enterprise risk 200 (hereinafter referred to as system 200) may be an example of the system 102 (FIG. 1). In an example embodiment, the system 200 may be embodied in, or is in direct communication with, the system, for example the system 102 (FIG. 1). The system 200 includes or is otherwise in communication with one or more hardware processors such as a processor 202, at least one memory such as a memory 204, at least one I/O interface 206, modules 210, a repository 214 and an enterprise risk building block 212. In an embodiment, the enterprise risk building block 212 can be implemented as a standalone unit in the system 200. In another embodiment, the enterprise risk building block 212 can be implemented as a module in the memory 204. The processor 202, memory 204, and the I/O interface 206 may be coupled by a system bus such as a system bus 208 or a similar mechanism.
[036] The hardware processor 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the hardware processor 202 is configured to fetch and execute computer-readable instructions stored in the memory 204.
[037] The memory 204 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, the memory 204 includes a plurality of modules 210 and a repository 214.
[038] The I/O interface 206 may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like. The interfaces 206 may include a variety of software and hardware interfaces, for example, interfaces for peripheral device(s), such as a keyboard, a mouse, an external memory, a camera device, and a printer. Further, the interfaces 206 may enable the system 102 to communicate with other devices, such as web servers and external databases. The interfaces 206 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, local area network (LAN), cable, etc., and wireless networks, such as Wireless LAN (WLAN), cellular, or satellite. For this purpose, the interfaces 206 may include one or more ports for connecting a number of computing systems with one another or to another server computer. The I/O interface 206 may include one or more ports for connecting a number of devices to one another or to another server.
[039] The repository 214 may include a system database and other data. The other data may include data generated as a result of the execution of one or more modules in the modules 210. The repository 214 is further configured to maintain a plurality of risk profiles.
[040] The modules 210 may include an enterprise risk building block 212 (also referred to as ‘an entity risk building block/module 212’). The modules 210 may also include routines, programs, objects, components, data structures, and so on, which perform particular tasks or implement particular abstract data types. The components and functionalities of the enterprise risk building block 212 are described further in detail with reference to FIG. 3.
[041] FIG. 3 illustrates a high level architecture of the enterprise risk building block 212, in accordance with an example embodiment. The enterprise risk building block 212 may include a questionnaire building block (also referred to as a questionnaire generating module), a meta data building block (also referred to as a meta data generating module), a reports building block (also referred to as a reports generating module) and an assessment building block (also referred to as an assessment generating module). The questionnaire building block of the enterprise risk building block 212 may include a plurality of enterprise operational unit questionnaires and a plurality of project or application questionnaires. The meta data building block of the enterprise risk building block 212 may include the plurality of data attributes, the classified data attributes, the risk catalogue, and the risk mitigation steps catalogue. The catalogues may include standard risks, reference risks, potential mitigation plans, and the like. The reports building block of the enterprise risk building block 212 may include a plurality of metrics and a plurality of dashboards. The assessment building block of the enterprise risk building block 212 may include a plurality of risk levels, a plurality of risks, the plurality of computed risk scores, the plurality of risk surface areas, the plurality of risk mitigation plans, and a plurality of defined time frames for the risk states. The plurality of risk states may include open, close, hibernate and the like. The plurality of risk levels may include baseline, target and actual.
[042] The enterprise risk building block 212 of the risk assessment enterprise framework system 200 can be configured to receive the plurality of filled questionnaires from an enterprise (or from a stakeholder associated with the enterprise/entity). For example, the plurality of questionnaires are collected and pre-stored in the questionnaire building block. This plurality of questionnaires may include the plurality of predefined enterprise operational unit questionnaires and the plurality of project application questionnaires. Based on the one or more projects of the enterprise, the plurality of questionnaires are framed into a template. The framed template may include questions related to the data attributes.
[043] The enterprise risk building block 212 of the risk assessment enterprise framework system 200 can be configured to map data (e.g., the set of responses) from the questionnaire (a set comprising context sensitive based queries and associated responses) with predefined data attributes to identify enterprise/entity risks. For example, the plurality of filled questionnaires received from, or pertaining to, one or more projects of an enterprise are mapped with the predefined data attributes. These predefined data attributes are associated with the meta data building block. This meta data building block comprises data attributes and classifications. The plurality of data attributes may include a plurality of severity levels such as (high, medium and low), (severity1, severity2, severity3, and so on) and (highly significant, moderately significant, less significant, and the like). For example, the data attributes may include a first name, a last name, a contact number, a government identifier that uniquely identifies a person, user or organization, user subscription data, finance data, and any data associated therewith.
[044] The enterprise risk building block 212 of the risk assessment enterprise framework system 200 can be configured to calculate the risk score for the identified risks. For example, the risks are detected and identified using the filled questionnaire template. Here, the risk is graded to calculate the score using the probability of the risk, the severity of the detected risk, the identified risk surface area in compliance with security, privacy and confidentiality principles, and the like.
[045] The enterprise risk building block 212 of the risk assessment enterprise framework system 200 can be configured to estimate a mitigation plan maintained in the risk catalogue based on the calculated risk score for each identified risk. For example, the graded risk score is obtained from the questionnaire data template filled by one or more groups. In other words, a stakeholder can specify the type of risk (probability, severity, detection, and risk surface area), in one example embodiment. Here, based on the obtained risk score, the relevant one or more mitigation plans may be selected from the risk catalogue. The risk catalogue may include a plurality of standard risks, a plurality of reference risks, a plurality of potential mitigation plans, and the like. The selected mitigation plan has a plurality of actions or steps for goals defined by the entity. This goal may provide an optimal solution to meet the entity's needs. The plurality of actions from the mitigation plan may be tagged as short term, mid term, long term, and the like.
[046] The enterprise risk building block 212 of the risk assessment enterprise framework system 200 can be configured to generate a risk profile for one or more groups and to represent the risk profile graphically based on the mapped data attributes. For example, the risk assessment enterprise framework generates a risk profile that includes the filled questionnaire, identified risks, calculated risk score, assessment accuracy, selected mitigation plan, and the like for the entity (or enterprise under consideration). The generated risk profile may be represented graphically using a multi-dimensional view. This multi-dimensional view may represent the risk profile as spider nets, charts, and the like. The graphical representation of the risk profile of an enterprise may be based on the data attributes. The greater the area inside the boundary, the higher the risk profile. This multi-dimensional graphical representation shows a spider chart comparison of the ideal versus the actual profile.
[047] The enterprise risk building block 212 of the risk assessment enterprise framework system 200 can be configured to track the mapped data attributes to update the risk score. For example, the risk scores available in the risk profile are tracked on a timely basis to retain some of the privacy and security risks in an alive status. This alive status has to be maintained after applying the mitigation plans, based on the entity's needs, to address and eliminate the detected risks, the severity of the detected risks and the probability of the risks. The (live) risk score provides an indication of one or more groups' current status and new projects, and helps in understanding the current maturity or risk level.
[048] The enterprise risk building block 212 of the risk assessment enterprise framework system 200 can be configured to review the risk profile based on the updated risk score to identify the risk state of an enterprise. The key aspect of the risk assessment enterprise framework is to keep the risk alive. The risk state for one or more groups of an enterprise may be one of open, closed, hibernate, and the like.
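The pipeline of paragraphs [043] through [048] carried through end to end, as an added example that is not part of the specification or its system: responses are mapped to data attributes to identify risks, each risk is scored on probability, severity and detection, a mitigation plan with an estimated timeline and a reducible risk score candidate is drawn from a catalogue, and periodic tracking updates the score and derives the open, hibernate or close state. The catalogues, the 1..5 rating scales, the product scoring formula, the acceptance threshold and the reading of the three states are all assumptions made for the example; the specification names the criteria but not the arithmetic.

```python
"""Added example (not the specification's code): responses -> data attributes -> risks,
risk score from probability x severity x detection, mitigation plan with estimated
timeline and reducible score, and periodic tracking of the open/hibernate/close state.
All catalogues, ratings, thresholds and the scoring formula are constructed assumptions."""
from datetime import date, timedelta

# Assumed severity scale attached to the data-attribute classifications (1..5).
SEVERITY = {"highly significant": 5, "moderately significant": 3, "less significant": 1}

# Constructed meta data block: data attribute -> classification.
DATA_ATTRIBUTES = {
    "government_identifier": "highly significant",
    "finance_data": "highly significant",
    "contact_number": "moderately significant",
    "first_name": "less significant",
}

# Constructed risk catalogue. An entry is triggered when the questionnaire
# response to `question` equals `answer`; severity comes from the mapped data
# attribute, probability and detection are 1..5 (detection 5 = hardest to detect).
RISK_CATALOGUE = [
    {"risk": "PII stored unencrypted at rest", "question": "encryption_at_rest",
     "answer": "no", "attribute": "government_identifier", "probability": 4, "detection": 3},
    {"risk": "Finance data shared with vendor without contract clause",
     "question": "vendor_dpa", "answer": "no", "attribute": "finance_data",
     "probability": 3, "detection": 2},
    {"risk": "Contact numbers retained beyond purpose", "question": "retention_policy",
     "answer": "none", "attribute": "contact_number", "probability": 3, "detection": 2},
]

# Constructed mitigation catalogue: the plan with the highest min_score not above
# the risk score is chosen; `days` is the estimated timeline and `reduce_to` the
# reducible risk score candidate (expected score once the plan is applied).
MITIGATION_CATALOGUE = [
    {"min_score": 40, "steps": ["encrypt at rest", "rotate keys", "enable access logging"],
     "days": 30, "reduce_to": 8},
    {"min_score": 15, "steps": ["add data-protection clause", "review quarterly"],
     "days": 60, "reduce_to": 12},
    {"min_score": 0, "steps": ["document and accept"], "days": 90, "reduce_to": None},
]


def identify_risks(responses):
    """Map the set of responses to data attributes and return the identified risks."""
    risks = []
    for entry in RISK_CATALOGUE:
        if responses.get(entry["question"]) == entry["answer"]:
            severity = SEVERITY[DATA_ATTRIBUTES[entry["attribute"]]]
            risks.append({"risk": entry["risk"], "attribute": entry["attribute"],
                          "probability": entry["probability"], "severity": severity,
                          "detection": entry["detection"]})
    return risks


def risk_score(risk):
    """Assumed formula: probability x severity x detection (range 1..125)."""
    return risk["probability"] * risk["severity"] * risk["detection"]


def mitigation_plan(score, start_iso):
    """Select the catalogue plan for this score and attach a planned closure date."""
    plan = max((p for p in MITIGATION_CATALOGUE if p["min_score"] <= score),
               key=lambda p: p["min_score"])
    closure = date.fromisoformat(start_iso) + timedelta(days=plan["days"])
    return {"steps": plan["steps"], "estimated_closure": closure.isoformat(),
            "reducible_score": plan["reduce_to"]}


def risk_state(score, planned_closure_iso, today_iso, accept_threshold=10):
    """Assumed reading of the three modes: close once the updated score is acceptable,
    hibernate while the plan is still inside its timeline, open when the risk is
    non-mitigated beyond the planned closure date (the FIG. 8 situation)."""
    if score <= accept_threshold:
        return "close"
    if date.fromisoformat(today_iso) < date.fromisoformat(planned_closure_iso):
        return "hibernate"
    return "open"


def build_risk_profile(entity, responses, today_iso):
    """Generate the risk profile: responses, identified risks, scores, plans and states."""
    risks = []
    for r in identify_risks(responses):
        score = risk_score(r)
        risks.append({**r, "score": score, "plan": mitigation_plan(score, today_iso),
                      "state": "open"})
    risks.sort(key=lambda r: r["score"], reverse=True)  # top-n ordering for reports
    return {"entity": entity, "responses": responses, "risks": risks,
            "risk_surface_area": sum(r["score"] for r in risks)}  # assumed: sum of scores


def track(profile, updated_scores, today_iso, accept_threshold=10):
    """Periodic tracking: apply re-assessed scores and re-derive each risk's state."""
    for r in profile["risks"]:
        r["score"] = updated_scores.get(r["risk"], r["score"])
        r["state"] = risk_state(r["score"], r["plan"]["estimated_closure"],
                                today_iso, accept_threshold)
    profile["risk_surface_area"] = sum(r["score"] for r in profile["risks"])
    return profile


if __name__ == "__main__":
    # Constructed questionnaire responses for one entity.
    answers = {"encryption_at_rest": "no", "vendor_dpa": "no", "retention_policy": "defined"}
    prof = build_risk_profile("entity-A", answers, "2018-01-01")
    for r in prof["risks"]:
        print(r["risk"], r["score"], r["plan"]["estimated_closure"], r["state"])
    track(prof, {"PII stored unencrypted at rest": 8}, "2018-01-15")
    print([r["state"] for r in prof["risks"]], prof["risk_surface_area"])
```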
[049] FIG. 4 illustrates a flow diagram of a method 400 for the enterprise risk building block according to some embodiments of the present disclosure. The method 400 may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform particular functions or implement particular abstract data types. The method 400 may also be practiced in a distributed computing environment where functions are performed by remote processing devices that are linked through a communication network. The order in which the method 400 is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the method 400, or an alternative method. Furthermore, the method 400 can be implemented in any suitable hardware, software, firmware, or combination thereof. At 402, the system 200 receives, by the one or more hardware processors, the one or more filled questionnaires from enterprise(s), for example, an entity. In an embodiment, the filled questionnaire may also be referred to as ‘a set of context sensitive based queries and associated set of responses’. The responses to the set of context sensitive based queries may be provided by one or more users (or stakeholders who have a direct or indirect relationship (or even no relationship) with the enterprise (or entity)). In an embodiment, the expressions ‘enterprise’, ‘entity’, ‘supplier’, ‘vendor’, ‘client partner’, ‘partner’, ‘customer’ may be used interchangeably herein. For instance, the stakeholders comprise, but are not limited to, Enterprise Risk Officer(s), Chief Compliance Officer(s), Compliance Officer(s), Risk Manager(s), Data Privacy Professional(s), Enterprise Internal Auditor(s), and the like.
[050] In an embodiment, the one or more databases may be queried by the system 100 to identify and select a set of unique context sensitive based queries specific to the input data received from the entity. In the present disclosure, the step of querying, via one or more hardware processors, one or more databases to identify and select a set of unique context sensitive based queries comprises: dynamically generating one or more queries based on the input data; and identifying at least a subset of the one or more queries as part of the set of unique context sensitive based queries. For example, the input data may comprise, but is not limited to, the number of projects, application(s) being executed, number of resources being utilized, information associated with the infrastructure of the entity, domain(s) in which one or more projects and applications are being handled and executed respectively, technology type(s) being utilized, and the like. In an embodiment, the domains may comprise, but are not limited to, Finance and Banking solutions, Healthcare, Pharma, Mechanical, Civil, Life science, Automotive, Aviation, Administration, and the like. In an embodiment, these databases may comprise one or more queries pertaining to the domain associated with each project, application, (or based on the input data) and the like. Further, the databases may be comprised in the memory 204 or in the repository 214 or in a cloud like environment.
[051] In the case of cloud like environment, the system 100 may be externally connected to the cloud like environment, wherein the system 100 may dynamically query for generating (or identifying) context sensitive based queries. The system 100 in such scenarios may invoke artificial intelligence based technique(s) and/or machine learning model(s) comprised in the memory 102, which when executed by the system 100 may enable automatic querying of the databases or the cloud like environment for generating (or identifying) context sensitive based queries to provide to the stakeholders. Alternatively, the input data may only include one or more hyperlink(s) to one or more internet source(s), wherein the system 100 can perform web crawling and gather appropriate required information to be used for generating (or identifying) context sensitive based queries. Information gathered from the web crawling operation may vary or be identical or similar in some or all scenarios as compared to input data received from the stakeholder(s).
[052] In certain scenarios, information gathered through web crawling may be transmitted via communication channel(s) (e.g., through email, SMS, MMS, dashboard(s), and the like) to various stakeholders so that they can validate the information gathered and provide their feedback/comments or observations (which can be achieved through internal quality systems/module(s), not shown in the FIGS). The internal quality systems/module(s) can act as an interface for submitting observation(s) or feedback/comments, and the like. If there are no feedback/comments or observations from the stakeholder(s), the system 100 can use the information pertaining to the enterprise(s)/entity that is gathered from the one or more internet sources as is for generating (or identifying) context sensitive based queries. In scenarios where various stakeholders provide their inputs or feedback on the information gathered, the system 100 incorporates them and performs appropriate modifications so as to facilitate generation (or identification) of context sensitive based queries. Upon receiving the input data or information gathered, the system 100 creates an entity profile, in one example embodiment. Using the entity profile, the system 100 can generate (or identify) context sensitive based queries. Examples of context sensitive based questions are provided below and shall not be construed as limiting the scope of the present disclosure:
1. Finance domain: SOX compliance,
2. Healthcare domain: HIPAA compliance,
3. Questions related to data classification for highly critical (High), Medium Critical (Medium) and less critical projects.
[053] Other exemplary set of context sensitive based queries based on domain, project, and the like, may comprise, but are not limited to:
Sarbanes-Oxley Act (SOX):
1) Does the entity need to comply to SOX requirements?
2) Are SOX Compliance Audit reports available?
Environments:
1) Is the Production data without masking available in non-prod environments (User Acceptance Testing (UAT)/Pre-Prod/Staging)?
Data:
1) Does the team have access to critical production data/data elements?
Production:
1) Does the project have Production Access?
2) What is the type of production access?
3) Is there a mechanism to monitor usage and access to critical data by individual?
4) Does the project have list of associates who have access to production data?
[054] Few examples of response for the above queries may comprise as below:
1) Does the project need to comply to SOX requirements? The answer from the stakeholder can be either in the form of Yes or No, or in the form of Boolean values (e.g., 1 for Yes, 0 for No).
2) Are SOX Compliance Audit reports (internal as well as external audit) available? The answer from the stakeholder can be either in the form of Yes or No, or in the form of Boolean values (e.g., 1 for Yes, 0 for No).
[055] Upon receiving responses to the context sensitive based queries (examples as above), at 404, the system 200 maps the one or more filled questionnaires (or the set of queries and associated responses) with predefined data attributes to identify one or more enterprise risks (also referred to as entity risks). In an embodiment, the mapping of the set of queries and associated responses with the predefined data attributes may be provided by an end user (e.g., a stakeholder), wherein the system 100 may either use the mapped data as is or make appropriate changes in the mapped data (obtained from the end user) as per the requirement (e.g., based on the entity type or on the historical data pattern and training data set). In an embodiment, the predefined data attributes can be (or are) dynamically identified based on a set of parameters. The set of parameters may comprise, but are not limited to, the created profile of the entity, project type(s), industry domain(s)/industry type(s), risks chosen by similar projects in the entity/enterprise, dynamic population of data element type based on parameters such as meta model, project type, and industry domain, and the like. Examples of data element types could be end user, consumer, employee, enterprise, company of the end user, and the like. For example, for the data element type ‘end user’, the data attribute(s) can be name, phone number, email address, communication address, and the like.
[056] At step 406, the system 200 calculates a risk score for each of the one or more identified enterprise risks. In an embodiment, the risk score is computed (or calculated) for each of the one or more identified entity risks based on one or more criteria comprising (i) a probability of the identified entity risks, (ii) a severity associated with each of the one or more identified entity risks, (iii) detection of the identified entity risks, (iv) an exposure level of each of the identified risks (also referred to as the risk surface area), or (v) combinations thereof. The entity/enterprise Risk Score consists of one or more attributes, for instance, average Risk Score, Median Risk Score, Range of Risk Score, number of High Focus projects, and the like. Below are exemplary risk score computations, which shall not be construed as limiting the scope of the present disclosure:
[057] Enterprise Average Risk score = Average of (Project 1 Risk score, Project 2 Risk score, …, Project ‘n’ Risk score)
[058] Enterprise Median Risk score = Median of (Project 1 Risk score, Project 2 Risk score, …, Project ‘n’ Risk score)
[059] Enterprise Risk Score Range = Minimum of (Project 1 Risk score, Project 2 Risk score, …, Project ‘n’ Risk score) to Maximum of (Project 1 Risk score, Project 2 Risk score, …, Project ‘n’ Risk score)
[060] Project 1 Risk score = Sum of each and every individual Risk score = Sum (R1 + R2 + … + Rn)
[061] Risk score for each risk (R1 … Rn) = Probability (value of 1 to 5) * Severity (value of 1 to 5) * Detection (value of 1 to 5)
[062] Individual Risk score minimum value = 1 and maximum value = 125, in one example embodiment.
[063] Project Risk score >= 100 indicates a High-risk project and needs thorough/periodic reviews.
[064] Risk surface area for each risk determines: Number of associates who have highly critical/critical data access, number of Highly critical/critical data access elements, and the like.
[065] Probability of the identified entity risks (also referred to as ‘Risk Probability Ranking (P)’) may be categorized as follows, and shall not be construed as limiting the scope of the present disclosure:
1) 5 – Frequent
2) 4 – Reasonably Possible
3) 3 – Occasional
4) 2 – Relatively few chances
5) 1 – Extremely Unlikely
[066] Severity associated with each of the one or more identified entity risks (also referred to as ‘Risk Severity (S)’) may be categorized as follows, and shall not be construed as limiting the scope of the present disclosure:
1) 5 – Catastrophic
2) 4 – Critical
3) 3 – Minor, low damage
4) 2 – Very minor
5) 1 – No relevant effect
[067] Detection of the identified entity risks (also referred to as ‘Risk Detection (D)’) may be categorized as follows, and shall not be construed as limiting the scope of the present disclosure:
1) 5 – Absolute Uncertainty
2) 4 – Remote
3) 3 – Moderate
4) 2 – High
5) 1 – Almost Certain
[068] Attributes associated with one or more identified risks may comprise but are not limited to:
1) Risk Description
2) Risk Probability (P)
3) Risk Severity (S) (liability or future operational loss will have high severity)
4) Risk Detection (D)
5) Risk Score (P*S*D)
6) Risk Surface Area (indicates data exposure)
7) Risk State (Open, Close, Hibernate)
8) Risk Mitigation Steps
9) Projected Risk score reduction after implementing mitigation steps
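The scoring model in paragraphs [056] to [068], worked through in code. This is an added example written for this page, not code from the patent or the applicant: only the rules come from the text (P, S and D each on a 1 to 5 scale, risk score = P*S*D in the range 1 to 125, project score = sum of its risk scores, project score >= 100 marks a high-focus project, enterprise average, median and range of project scores, and the projected score reduction of attribute 9). The questionnaire keys, the P/S/D values tied to each question, and the sample Yes/No and 1/0 responses are constructed assumptions for illustration; the questions themselves mirror the Environments and Production examples in [053].

```python
"""Risk score computation following the P*S*D model set out above.

Added worked example, not code from the patent or the applicant.  Only the
scoring rules come from the text: P, S and D each on a 1..5 scale, risk
score = P*S*D (1..125), project score = sum of its risk scores, project
score >= 100 marks a high-focus project, and the enterprise score card is
the average, median and min..max range of project scores.  Questionnaire
keys, the P/S/D values tied to each question and the sample responses are
constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, median
from typing import Dict, List, Tuple

SCALE = range(1, 6)          # P, S and D each take a value of 1 to 5
HIGH_FOCUS_THRESHOLD = 100   # project risk score >= 100 -> high-risk project


@dataclass
class Risk:
    description: str
    probability: int
    severity: int
    detection: int
    surface_area: int = 0   # e.g. number of associates with critical data access

    def __post_init__(self) -> None:
        # Reject rankings outside the 1..5 scale instead of silently scoring them.
        for name in ("probability", "severity", "detection"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be 1..5, got {getattr(self, name)}")

    @property
    def score(self) -> int:
        """Individual risk score = P * S * D, so 1 <= score <= 125."""
        return self.probability * self.severity * self.detection


# Constructed mapping: questionnaire key -> (risk description, P, S, D) that a
# "Yes" answer indicates.  Questions mirror the Environments/Production examples
# in the text; the P, S, D values are assumptions made for this example.
RESPONSE_TO_RISK: Dict[str, Tuple[str, int, int, int]] = {
    "unmasked_prod_data": ("Production data without masking in UAT/Pre-Prod/Staging", 4, 5, 3),
    "critical_data_access": ("Team has access to critical production data", 3, 4, 2),
    "no_access_monitoring": ("No mechanism to monitor access to critical data by individual", 3, 3, 5),
    "no_access_list": ("No list of associates who have production data access", 2, 3, 4),
}


def identify_risks(responses: Dict[str, object], surface_area: int = 0) -> List[Risk]:
    """Map Yes/No or 1/0 responses onto the risks they indicate."""
    risks: List[Risk] = []
    for key, answer in responses.items():
        if key in RESPONSE_TO_RISK and str(answer).strip().lower() in ("yes", "1", "true"):
            desc, p, s, d = RESPONSE_TO_RISK[key]
            risks.append(Risk(desc, p, s, d, surface_area))
    return risks


def project_score(risks: List[Risk]) -> int:
    """Project risk score = sum of each individual risk score."""
    return sum(r.score for r in risks)


def is_high_focus(score: int) -> bool:
    return score >= HIGH_FOCUS_THRESHOLD


def projected_reduction(risk: Risk, p: int, s: int, d: int) -> int:
    """Reducible risk score candidate: the score drop once mitigation steps
    bring the risk down to new P, S and D values (attribute 9 above)."""
    return risk.score - Risk(risk.description, p, s, d, risk.surface_area).score


def enterprise_score_card(projects: Dict[str, List[Risk]]) -> dict:
    """Average, median, range and high-focus projects across the enterprise."""
    scores = {name: project_score(r) for name, r in projects.items()}
    values = list(scores.values())
    return {
        "average": mean(values),
        "median": median(values),
        "range": (min(values), max(values)),
        "high_focus_projects": sorted(n for n, s in scores.items() if is_high_focus(s)),
        "project_scores": scores,
    }


# Constructed sample responses for three projects; Yes/No and 1/0 both accepted.
SAMPLE_RESPONSES = {
    "Project 1": {"unmasked_prod_data": "Yes", "critical_data_access": "Yes",
                  "no_access_monitoring": "No", "no_access_list": "No"},
    "Project 2": {"unmasked_prod_data": 1, "critical_data_access": 1,
                  "no_access_monitoring": 1, "no_access_list": 1},
    "Project 3": {"unmasked_prod_data": "No", "critical_data_access": "Yes",
                  "no_access_monitoring": "No", "no_access_list": "Yes"},
}


def sample_score_card() -> dict:
    """Score card for the constructed sample; Project 2 comes out high focus."""
    return enterprise_score_card(
        {name: identify_risks(resp) for name, resp in SAMPLE_RESPONSES.items()})
```

With the assumed P/S/D values, the four risks score 60, 24, 45 and 24, so the three sample projects total 84, 153 and 48; only Project 2 crosses the 100 threshold and would be listed among the high focus projects, and the enterprise card reports an average of 95, a median of 84 and a range of 48 to 153. Detection is the lever that mitigation most often moves: lowering a risk's D from 3 to 1 while P and S stay fixed turns a score of 60 into 20, a reducible score candidate of 40.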
[069] At step 408, the system 200 estimates, by the one or more hardware processors, one or more mitigation plans based on the calculated risk score maintained in the risk catalogue. In an embodiment, at step 408, the system 100 may dynamically generate one or more mitigation plans based on the calculated risk score for each of the plurality of identified entity risks. In some cases, stakeholder(s) can provide mitigation plan(s) and the corresponding measures to take action(s). Each of the one or more dynamically generated mitigation plans may comprise an estimated timeline and a reducible risk score candidate (e.g., anticipated risk score reduction) based on one or more parameters specific to the entity. For instance, the estimated timeline may be, but is not limited to, a Short Term mitigation plan, a Mid Term mitigation plan, a Long Term mitigation plan, and the like.
[070] The one or more parameters may comprise, but are not limited to, the created profile, project type, industry domain, risks chosen by other projects in the enterprise, risk mitigation steps chosen for the risks by the same project in the enterprise, risk mitigation steps chosen for the risks by similar projects in the enterprise, and the like.
[071] Alternatively, the mitigation plans may be generated based on existing mitigation plans, wherein the generated mitigation plans for the entity under consideration may be unique and/or a combination of existing mitigation plans stored in the memory 204, in one example embodiment. The mitigation plan(s) that is/are being generated for the entity under consideration may be unique and not similar (or not identical) to one or more existing mitigation plans comprised in the system 100, in one example embodiment of the present disclosure. Alternatively, the mitigation plan(s) that is/are being generated for the entity under consideration may be a combination of the one or more existing mitigation plans comprised in the system 100, in another example embodiment of the present disclosure.
[072] In scenarios where the mitigation plans may be a combination of the one or more existing mitigation plans, the identified risks for the current entity under consideration may be similar, identical or different from the risks for which the one or more existing mitigation plans were previously generated for other entities (or for the same entity, when it was considered previously). Thus the generation of mitigation plan(s) by the system 100 involves intelligence, wherein the system 100 queries database(s) for similar risk(s) previously identified. Based on the database(s) being queried and the output(s) retrieved from these database(s) (e.g., the output could be that risk(s) of the current entity may or may not overlap with risk(s) stored in the memory 204), the system 100 intelligently and dynamically generates mitigation plan(s). In scenarios where the system 100 selects one or more mitigation plans from the memory 204, the expression ‘generates’ herein could be interpreted as generation of mitigation plans based on the selected mitigation plans.
[073] The system 100 may also query historical data and patterns of identified risks (which are comprised in the memory 204) for selection and generation of mitigation plans for the current entity, wherein the system 100 may be trained with the historical data and patterns of identified risks being detected. Once the system 100 is trained, the system 100 may automatically learn and suggest a set of mitigation plans based on the identified risks (e.g., the identified risks could be entirely new, or some of them (or all of them) may have been identified in the past for the same entity or for different entity/entities). In such scenarios wherein the system 100 is trained, the system 100 utilizes this training and may automatically analyse the severity, probability, and detection of the identified risks for dynamically generating mitigation plans. For implementation of the above learning and training using the historical data/pattern for automatic suggestions and dynamic generation of mitigation plans, the system 100 may be implemented with automation technique(s), artificial intelligence (AI) based technique(s), and/or machine learning models (known in the art), in one example embodiment. In one embodiment, the automation technique(s), artificial intelligence (AI) based technique(s), and/or machine learning models are comprised in the memory 104 of the system 100 and are executed and invoked to perform the methodology (or each step) of the present disclosure as mentioned above. By implementation of the system 100 with the automation technique(s), artificial intelligence (AI) based technique(s), and/or machine learning models, the present disclosure enables the system and method herein to perform the steps of the method of FIG. 4 on the fly and take appropriate intelligent decision(s) for identifying risk(s), computing a risk score for each identified risk based on the one or more criteria as mentioned above, suggesting (or recommending) the dynamically generated mitigation plan(s) for resolution of the risk(s), and the like. The generated (or selected) mitigation plans may be provided to one or more stakeholder(s), wherein the stakeholder(s) may modify them according to requirement(s). There may be scenarios wherein the mitigation plans generated (or selected) by the system may be used as is by stakeholders for resolution of the identified risk(s).
[074] At step 410, the system 200 generates one or more risk profiles based on the mapped data attributes, the calculated score and a plurality of estimated mitigation plan(s). In other words, upon (dynamically) generating the one or more mitigation plans, a risk profile is generated based on the set of responses being mapped to the set of predefined data attributes. Here, a graphical representation of the risk profile may also be mapped to a current state of the risk profile, in one example embodiment. At step 412, the system 200 reviews the one or more risk profile(s) and updates them with the current risk score to identify a risk state from the risk action index within a predefined time duration. In other words, attributes associated with the generated risk profile may be periodically tracked to update the risk score associated with each of the plurality of identified entity risks. Further, the updated risk score associated with each of the plurality of identified entity risks may be analysed to determine a risk state of the entity. Furthermore, an analysis of the impact of each of the plurality of identified entity risks may be carried out based on the one or more criteria, and the plurality of identified risks, or at least a subset of them, may be prioritized for attaining a status of the plurality of identified entity risks. The status of the plurality of identified entity risks comprises one of a hibernation mode, an open mode and a close mode. For example, depending upon the severity, probability and determined future occurrence of a certain risk, the risk may either be set to open, or appropriate action(s) may be taken to attain a close status, or the risk may be set to hibernation for a pre-determined time interval (to refrain from further impact on the entity or associated components) and the hibernated risk revisited at a later stage when the pre-determined time interval expires or is nearing expiration, in one example embodiment.
[075] In the present disclosure, the risk assessment enterprise framework provides an enterprise risk score with grading and maturity. The risk score is estimated after applying mitigation plans with actions and steps, so as to keep some of the one or more groups in an alive state. The method has built-in statistics based computational techniques to normalize the risk score. Based on the risk score and risk surface area, the risk assessment enterprise framework draws attention to projects that require high focus, which brings awareness and accountability of individual entities to enhance data privacy/security policies. The risk score helps to mark high focus operational units/projects and to perform a close review of the implementation of risk mitigation plans.
[076] In a nutshell, the risk profile for a given entity acts as a dashboard, thereby giving a holistic view on different characteristics, for example:
1) Risk Analytics
2) Enterprise Risk score card
3) Top N Risks (e.g., refer FIG. 5)
4) Top N High Focused Projects (e.g., refer FIG. 6)
5) Top N High Risk score projects (e.g., refer FIG. 7)
6) Top N non-mitigated risks (e.g., risk(s) that may be identified and set to hibernate mode status) beyond planned closure date (e.g., refer FIG. 8)
7) Projects that need to adhere to defined compliance in the enterprise (e.g., refer FIG. 9)
8) Risk granular level details based on states: Open, Close and Hibernate.
[077] Moreover, the risk profile provides several insights on various parameters, for instance: revisiting hibernated risks after a defined duration using Artificial Intelligence/Automation; generating alerts for non-mitigated risks beyond the planned closure date; generating alerts for projects where the project risk score >= 100 (wherein 100 may be a pre-defined threshold (and also re-configurable) set by the system 100 itself (based on historical data/pattern and training) or by a user who has configured the system); generating alerts when there is an increasing trend in the risk score; and providing live updates on (i) risk score, (ii) mitigation plans, (iii) resolution technique(s), (iv) state(s) of identified risk(s), and the like.
[078] FIG. 5, with reference to FIGS. 1 through 4, depicts a graphical representation of top ‘n’ risks associated with an entity as identified by the system 100 of FIG. 1 in accordance with an example embodiment of the present disclosure. Along x-axis are depicted risk(s) that are identified as top ‘n’ risk(s), and along y-axis are depicted the range of risk scores (e.g., from 0 to 100). More specifically, FIG. 5 depicts top 5 risks across projects in an enterprise.
[079] FIG. 6, with reference to FIGS. 1 through 5, depicts a graphical representation of high focused projects in an enterprise along with the associated risk score and risk surface area as identified by the system 100 of FIG. 1 in accordance with an example embodiment of the present disclosure. Along the x-axis are depicted the high focused projects with their corresponding risk score and risk surface area. Along the y-axis is depicted the range of risk scores (e.g., from 0 to 300). More specifically, FIG. 6 depicts high focused projects in an enterprise along with their risk score and risk surface area (e.g., an exposure level of each identified risk) for the corresponding project. For instance, in FIG. 6, Project 2 of the enterprise has a high risk score. Additionally, FIG. 6 depicts that project 5 has a risk surface area higher than any of the other projects.
[080] FIG. 7, with reference to FIGS. 1 through 6, depicts a graphical representation illustrating the top ‘n’ high risk scores computed for each project associated with an enterprise, in accordance with an example embodiment. As can be seen in FIG. 7, the x-axis represents the risk score and the y-axis represents the projects. More specifically, it is observed that among the 5 projects that have a high risk score, project 2 has a risk score higher than any other project (e.g., project 1, project 3, project 4, and project 5).
[081] FIG. 8, with reference to FIGS. 1 through 7, depicts a graphical representation illustrating top ‘n’ non-mitigated risks beyond planned closure date associated with an enterprise, in accordance with an example embodiment.
[082] FIG. 9, with reference to FIGS. 1 through 8, depicts a graphical representation illustrating the number of projects that need to adhere to defined compliance in the enterprise, in accordance with an example embodiment. For instance, there are 2 projects that need to adhere to General Data Protection Regulation (GDPR) compliance. Likewise, there are 3 projects that need to adhere to Health Insurance Portability and Accountability Act (HIPAA) compliance. There could be an instance where a certain project needs to adhere to more than one compliance guideline; in other words, project ‘x’ may need to adhere not only to GDPR compliance but also to HIPAA compliance.
[083] FIG. 10, with reference to FIGS. 1 through 9, depicts a table representation illustrating risk score computed for each identified risk by the system 100 of FIG. 1 in accordance with an example embodiment of the present disclosure. For instance, as depicted in FIG. 10, given one or more project(s) of an entity under consideration, an exemplary enterprise risk score card may be as follows: average risk score = 22, median risk score = 64, risk score range: low = 1, risk score range: high = 240, and number of high focused (also referred as focus) projects = 22.
[084] The present disclosure provides systems and methods wherein the system 100 is enabled with automatic intelligence (through one or more rule configurations) to automatically update one or more queries in one or more respective databases (e.g., databases could be formed based on domain(s), technology/(ies), industry type, operational unit(s) type, entity type(s), project(s) undertaken, type of application(s) executed, resource utilization, and the like). One or more rules can be re-configurable, in one example embodiment. For instance, the rules may be as provided below by way of example and shall not be construed as limiting the scope of the present disclosure:
1) Rule 1: For a given entity, gather input data (from web crawling or through user/stakeholder) after a specific time interval (e.g., say 30 days).
2) Rule 2: If there is any change in the information gathered (for current mitigation plans) in real time when compared with the information gathered for the same entity in the past, modify the mapping of the set of responses with the pre-defined attributes so as to attain the current (or latest) mapped data.
3) Rule 3: If anomalies are observed in the mapping, raise a flag and identify the risk and its nature (e.g., probability, severity, detection, risk exposure level, impact on information/data being made accessible, and the like).
4) Rule 4: Depending upon risk type and its nature, automatically initiate corresponding identified risk for taking appropriate actions. For instance, risk can be initiated as:
a. Set current identified risk to open status/mode – requires immediate attention, alert stakeholders for resolution.
b. Set current identified risk to hibernate status/mode – requires attention after ‘x’ days, alert stakeholders for resolution after ‘x’ days expire or nearing expiration of ‘x’ days.
c. Set current identified risk to hibernate status/mode if already taken action and alert stakeholder(s).
5) Rule 5: Update risk score if corresponding action is attained.
6) Rule 6: Periodically review status of risks – say every 15 days and alert stakeholders on the status and nature of risk(s) being identified.
7) Rule 7: Based on the nature of risk(s) being identified – system 100 may either take appropriate actions to minimize risk and perform risk resolution or may alert stakeholders to intervene and resolve the same.
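The state-tracking rules above (Rules 4 to 6) and the alert conditions listed in paragraph [077] (non-mitigated risks beyond their planned closure date, project score at or above the re-configurable threshold of 100, and an increasing score trend), expressed as a small periodic-review routine. This is an added example written for this page, not code from the patent or the applicant. The text fixes the states (open, hibernate, close), the reopen-on-expiry behaviour and the 15-day review cadence; the field names, the 3-day "nearing expiration" window, the choice to exclude closed risks from the project score, and the sample risks and dates are constructed assumptions.

```python
"""Risk state tracking and alerting rules (open / hibernate / close).

Added worked example, not code from the patent or the applicant.  It applies
the periodic-review behaviour of Rules 4 to 6 above and the alert conditions
listed for the risk profile: a hibernated risk is reopened when its 'x' days
expire or near expiration, a non-mitigated risk past its planned closure date
raises an alert, a project whose open risk score reaches the re-configurable
threshold of 100 is flagged as high focus, and an increasing score trend
raises an alert.  Field names, the 3-day 'nearing expiration' window and the
sample risks are constructed; the 15-day default interval is Rule 6's.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class RiskState(Enum):
    OPEN = "open"
    HIBERNATE = "hibernate"
    CLOSE = "close"


@dataclass
class TrackedRisk:
    description: str
    score: int                              # current P*S*D score
    state: RiskState
    planned_closure: date                   # date by which mitigation should be done
    hibernate_until: Optional[date] = None  # set while state is HIBERNATE
    score_history: List[int] = field(default_factory=list)

    def record_score(self, new_score: int) -> None:
        """Keep the previous score so an increasing trend can be detected."""
        self.score_history.append(self.score)
        self.score = new_score


def hibernate(risk: TrackedRisk, today: date, days: int) -> None:
    """Rule 4b: park the risk for 'x' days; it must be revisited when they expire."""
    risk.state = RiskState.HIBERNATE
    risk.hibernate_until = today + timedelta(days=days)


def review_risk(risk: TrackedRisk, today: date, warn_days: int = 3) -> List[str]:
    """Apply the tracking rules to one risk; returns the alerts raised."""
    alerts: List[str] = []
    if risk.state is RiskState.HIBERNATE and risk.hibernate_until is not None:
        # Wake the risk when the hibernation window expires or is nearing expiration.
        if today >= risk.hibernate_until - timedelta(days=warn_days):
            risk.state, risk.hibernate_until = RiskState.OPEN, None
            alerts.append(f"hibernation expiring: '{risk.description}' reopened")
    if risk.state is not RiskState.CLOSE and today > risk.planned_closure:
        alerts.append(f"non-mitigated beyond planned closure date: '{risk.description}'")
    if risk.score_history and risk.score > risk.score_history[-1]:
        alerts.append(f"increasing risk score: '{risk.description}' "
                      f"{risk.score_history[-1]} -> {risk.score}")
    return alerts


def review_project(name: str, risks: List[TrackedRisk], today: date,
                   threshold: int = 100) -> List[str]:
    """Review every risk of a project, then apply the project-level threshold.
    Assumption: closed risks no longer count toward the project score."""
    alerts: List[str] = []
    for r in risks:
        alerts.extend(review_risk(r, today))
    open_score = sum(r.score for r in risks if r.state is not RiskState.CLOSE)
    if open_score >= threshold:
        alerts.append(f"project {name} risk score {open_score} >= {threshold}: high focus")
    return alerts


def next_review_date(last_review: date, interval_days: int = 15) -> date:
    """Rule 6: periodic review, every 15 days by default."""
    return last_review + timedelta(days=interval_days)


def sample_review(today: date = date(2018, 1, 20)) -> Dict[str, object]:
    """Constructed scenario: one project with three risks reviewed on a fixed date."""
    r1 = TrackedRisk("Unmasked production data in UAT", 60, RiskState.OPEN, date(2018, 1, 10))
    r2 = TrackedRisk("No monitoring of critical data access", 45, RiskState.OPEN, date(2018, 3, 1))
    r3 = TrackedRisk("No associate access list", 24, RiskState.CLOSE, date(2017, 12, 1))
    hibernate(r2, date(2017, 12, 25), days=28)   # parked until 2018-01-22
    r1.record_score(75)                          # re-assessed at a higher probability
    return {
        "alerts": review_project("Project 2", [r1, r2, r3], today),
        "states": {r.description: r.state.value for r in (r1, r2, r3)},
        "next_review": next_review_date(today).isoformat(),
    }
```

In the constructed scenario the review on 2018-01-20 raises four alerts: the first risk is past its planned closure date and its score has risen from 60 to 75, the hibernated second risk is within three days of its expiry and is reopened, and the two open risks together (75 + 45 = 120) push the project over the threshold of 100. The closed third risk stays closed and raises nothing, and the next review falls due on 2018-02-04. Keeping the previous score in `score_history` is what makes the trend alert possible; a tracker that only stores the current score cannot tell a stakeholder whether a risk is getting worse.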
[085] Given any change in technology or digital trends, the system may update these databases and can further periodically perform information gathering (either through web crawling or by receiving input data from stakeholder(s)). The periodic information gathering enables the system 100 to periodically identify risk(s) pertaining to specific entities/enterprises, thereby dynamically generating mitigation plans for risk resolution. The above automation may be performed using the one or more exemplary rules defined in the system 100. These rules can further be updated and re-configured by the system 100 (and/or with assistance from stakeholder(s)) based on the historical data/pattern visualized in (i) risk identification, (ii) risk relevance, (iii) resolution of risk(s), (iv) time taken to resolve each risk, (v) mitigation plan (type), (vi) periodic review and tracking of risk(s), and the like, in one example embodiment. The historical data (or historical pattern) as mentioned in the above examples are (or may be) comprised in the memory 104 and are retrieved to perform the methodology of the present disclosure, in one example embodiment.
[086] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[087] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like e.g. an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g. using a plurality of CPUs.
[088] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
[089] The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
[090] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[091] It is intended that the disclosure and examples be considered as exemplary only, with a true scope and spirit of disclosed embodiments being indicated by the following claims.
CLAIMS:
1. A processor implemented method, comprising:
receiving, via one or more hardware processors, an input data pertaining to an entity, wherein the input data corresponds to one or more domains;
querying, via the one or more hardware processors, one or more databases to identify and select a set of unique context sensitive based queries specific to the input data;
obtaining, a set of responses for the set of unique queries specific to the input data;
mapping the set of responses to a set of predefined data attributes to identify a plurality of entity risks;
calculating, a risk score for each of the plurality of identified entity risks, based on one or more criteria comprising (i) a probability of the plurality of identified entity risks, (ii) a severity associated with each of the plurality of identified entity risks, and (iii) detection of the plurality of identified entity risks; and
dynamically generating one or more mitigation plans based on the calculated risk score for each of the plurality of identified entity risks, wherein each of the one or more dynamically generated mitigation plans comprises an estimated timeline and a reducible risk score candidate based on one or more parameters specific to the entity.
2. The processor implemented method of claim 1, further comprising upon dynamically generating the one or more mitigation plans, generating a risk profile based on the set of responses to being mapped to the set of predefined data attributes.
3. The processor implemented method of claim 2, further comprising periodically tracking attributes associated with the generated risk profile to update the risk score associated with each of the plurality of identified entity risks.
4. The processor implemented method of claim 3, further comprising analyzing the updated risk score associated with each of the plurality of identified entity risks to determine a risk state of the entity.
5. The processor implemented method of claim 1, further comprising
performing an analysis of an impact of each of the plurality of identified entity risks based on the one or more criteria; and
prioritizing at least a subset of the plurality of identified entity risks for attaining a status of the plurality of identified entity risks, wherein the status of the plurality of identified entity risks comprises one of a hibernation mode, an open mode and a close mode.
6. The processor implemented method of claim 1, wherein the step of querying, via the one or more hardware processors, one or more databases to identify and select a set of unique context sensitive based queries comprises:
dynamically generating one or more queries based on the input data; and
identifying at least a subset of the one or more queries as part of the set of unique context sensitive based queries.
7. The processor implemented method of claim 1, further comprising identifying, using the input data, one or more focused projects based on at least one of (i) the set of responses to the set of context sensitive based queries, (ii) the calculated risk score associated with each of the plurality of identified risks, and (iii) an exposure level of each of the plurality of identified risks pertaining to the entity.
8. A system (100), comprising:
a memory (102) storing instructions;
one or more communication interfaces (106); and
one or more hardware processors (104) coupled to the memory (102) via the one or more communication interfaces (106), wherein the one or more hardware processors (104) are configured by the instructions to:
receive, an input data pertaining to an entity, wherein the input data corresponds to one or more domains;
query, one or more databases comprised in the memory (104), to identify and select a set of unique context sensitive based queries specific to the input data;
obtain, a set of responses for the set of unique queries specific to the input data;
map the set of responses to a set of predefined data attributes to identify a plurality of entity risks;
calculate, a risk score for each of the plurality of identified entity risks, based on one or more criteria comprising (i) a probability of the plurality of identified entity risks, (ii) a severity associated with each of the plurality of identified entity risks, and (iii) detection of the plurality of identified entity risks; and
dynamically generate one or more mitigation plans based on the calculated risk score for each of the plurality of identified entity risks, wherein each of the one or more dynamically generated mitigation plans comprises an estimated timeline and a reducible risk score candidate based on one or more parameters specific to the entity.
9. The system of claim 8, wherein the one or more hardware processors are further configured by the instructions to generate a risk profile based on the set of responses to being mapped to the set of predefined data attributes.
10. The system of claim 9, wherein the one or more hardware processors are further configured by the instructions to periodically track attributes associated with the generated risk profile to update the risk score associated with each of the plurality of identified entity risks.
11. The system of claim 10, wherein the one or more hardware processors are further configured by the instructions to analyze the updated risk score associated with each of the plurality of identified entity risks to determine a risk state of the entity.
12. The system of claim 8, wherein the one or more hardware processors are further configured by the instructions to:
perform an analysis of an impact of each of the plurality of identified entity risks based on the one or more criteria; and
prioritize at least a subset of the plurality of identified entity risks for attaining a status of the plurality of identified entity risks, wherein the status of the plurality of identified entity risks comprises one of a hibernation mode, an open mode and a close mode.
13. The system of claim 8, wherein the set of unique context sensitive based queries are identified and selected by:
dynamically generating one or more queries based on the input data; and
identifying at least a subset of the one or more queries as part of the set of unique context sensitive based queries.
14. The system of claim 8, wherein the one or more hardware processors are further configured by the instructions to identify, using the input data, one or more focused projects based on at least one of (i) the set of responses to the set of context sensitive based queries, (ii) the calculated risk score associated with each of the plurality of identified risks, and (iii) an exposure level of each of the plurality of identified risks pertaining to the entity.
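The pipeline claimed above (responses mapped to predefined attributes, a score from probability, severity and detection, a mitigation plan with a timeline and a reducible score, and open/hibernation status), as an added illustration that is not the patent's own code. The 1..5 rating scale, the product formula for the score, the questionnaire keys, the attribute table and the mitigation catalogue are all constructed assumptions; the specification only names the three criteria.

```python
from dataclasses import dataclass

# Constructed questionnaire responses for one entity (the claimed "set of responses").
RESPONSES = {"mfa_enforced": "no", "backups_tested": "yes", "data_at_rest_encrypted": "no"}

# Assumed predefined data attributes: (question, answer) -> (risk, probability, severity,
# detection), each rated 1..5; for detection, 5 means hardest to detect.
ATTRIBUTES = {
    ("mfa_enforced", "no"): ("credential_compromise", 4, 5, 3),
    ("backups_tested", "no"): ("unrecoverable_outage", 3, 5, 2),
    ("data_at_rest_encrypted", "no"): ("storage_data_breach", 3, 4, 4),
}

# Assumed mitigation catalogue: risk -> (action, estimated weeks, criterion lowered, new rating).
MITIGATIONS = {
    "credential_compromise": ("enforce MFA on all accounts", 6, "probability", 1),
    "storage_data_breach": ("enable volume encryption", 4, "severity", 2),
}

@dataclass
class Risk:
    name: str
    probability: int
    severity: int
    detection: int
    status: str = "open"  # claim 5 status: open, hibernation or close

    def score(self) -> int:
        # Assumed FMEA-style combination of the three claimed criteria.
        return self.probability * self.severity * self.detection

def identify_risks(responses, attributes=ATTRIBUTES):
    # Claim 1 mapping step: each response that matches a predefined attribute yields a risk.
    return [Risk(*attributes[(q, a)]) for q, a in responses.items() if (q, a) in attributes]

def mitigation_plan(risk, catalogue=MITIGATIONS):
    # Claim 1: a plan with an estimated timeline and the score reduction it would achieve.
    if risk.name not in catalogue:
        return None
    action, weeks, criterion, new_rating = catalogue[risk.name]
    projected = Risk(risk.name, risk.probability, risk.severity, risk.detection)
    setattr(projected, criterion, new_rating)
    return {"action": action, "weeks": weeks, "reducible_score": risk.score() - projected.score()}

def prioritize(risks, threshold):
    # Claim 5: rank by impact; risks under the threshold are parked in hibernation.
    for r in risks:
        r.status = "open" if r.score() >= threshold else "hibernation"
    return sorted(risks, key=lambda r: r.score(), reverse=True)
```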
| # | Name | Date |
|---|---|---|
| 1 | 201721036377-RELEVANT DOCUMENTS [06-02-2024(online)].pdf | 2024-02-06 |
| 2 | 201721036377-STATEMENT OF UNDERTAKING (FORM 3) [12-10-2017(online)].pdf | 2017-10-12 |
| 3 | 201721036377-US(14)-HearingNotice-(HearingDate-09-02-2024).pdf | 2024-01-10 |
| 4 | 201721036377-PROVISIONAL SPECIFICATION [12-10-2017(online)].pdf | 2017-10-12 |
| 5 | 201721036377-FORM 1 [12-10-2017(online)].pdf | 2017-10-12 |
| 6 | 201721036377-FER.pdf | 2021-10-18 |
| 7 | 201721036377-DRAWINGS [12-10-2017(online)].pdf | 2017-10-12 |
| 8 | 201721036377-ABSTRACT [02-08-2021(online)].pdf | 2021-08-02 |
| 9 | 201721036377-FORM-26 [22-11-2017(online)].pdf | 2017-11-22 |
| 10 | 201721036377-CLAIMS [02-08-2021(online)].pdf | 2021-08-02 |
| 11 | 201721036377-Proof of Right (MANDATORY) [30-11-2017(online)].pdf | 2017-11-30 |
| 12 | 201721036377-COMPLETE SPECIFICATION [02-08-2021(online)].pdf | 2021-08-02 |
| 13 | 201721036377-ORIGINAL UNDER RULE 6 (1A)-FORM 26-241117.pdf | 2018-08-11 |
| 14 | 201721036377-FER_SER_REPLY [02-08-2021(online)].pdf | 2021-08-02 |
| 15 | 201721036377-OTHERS [02-08-2021(online)].pdf | 2021-08-02 |
| 16 | 201721036377-FORM 3 [12-10-2018(online)].pdf | 2018-10-12 |
| 17 | 201721036377-ORIGINAL UNDER RULE 6 (1A)-051217.pdf | 2020-01-10 |
| 18 | 201721036377-FORM 18 [12-10-2018(online)].pdf | 2018-10-12 |
| 19 | 201721036377-ENDORSEMENT BY INVENTORS [12-10-2018(online)].pdf | 2018-10-12 |
| 20 | Abstract1.jpg | 2019-08-23 |
| 21 | 201721036377-COMPLETE SPECIFICATION [12-10-2018(online)].pdf | 2018-10-12 |
| 22 | 201721036377-DRAWING [12-10-2018(online)].pdf | 2018-10-12 |
| 23 | 2021-01-0116-10-33E_01-01-2021.pdf | |