Platform: Risk Assessment Platform
Applies to: User roles; e.g. Standard and Approver.
Get started creating risk assessments
Sections in this topic:
Key Roles
There are several key roles and functions within the risk assessment platform:
- Super Admin* - Administers the platform including global content, user and company accounts and default settings.
- Company Admin - Administers their companies’ content and users.
- End Users - Conduct assessments through the end-to-end workflow.
* This is only applicable to on-premise installs of the platform, otherwise this role is held by the Arctic Intelligence support team.
Super Admin
This user role is documented separately here and is available to partners with on-premise installs of the platform.
Company Admin
Company Administrators have the ability to modify the App Setup and Settings and use the To Do menu.
App Setup menu
- Answer Sets - Create and manage the answer sets used in the risk models
- Controls - Create and manage the library of controls, control tests & suggested evidence
- Country Risk Models - Create and manage the default country risk rating values
- Domains – Create and manage risk domains
- Methodology - Define and manage the risk methodologies
- Risk Models - Create or import risk model(s) that are available to end-users
- Supporting Document Templates - Define lists of documents that support the assessment of risk
Settings menu
- Account Management - Check the license type and the number of users and assessments
- Audit Trail - Check changes to the assessments, who made them, when, and the original value
- Authentication - Manage authentication settings for Single Sign-On.
- Branding - Configure and manage company logos, favicons, and colours of the platform pages for the company
- Dropdown Configuration - Manage the dropdown values
- Email Templates - Manage the templates used for email notifications
- Notifications - Manage email notifications such as reminders and alerts
- Report Configuration - Configure default sections to be included in the report
- User Access Controls - Application role management and user and security management
To Do menu
- Actions and Incidents - Create and manage actions, findings, incidents, and issues.
- Risk Assessment History - Information for risk assessments
- Dashboard - A dashboard view of all work assigned to the user for easy access.
End-User
End-users have the ability to create and update assessments, assessment units and their contents, such as risks and controls, and create and manage actions. There are multiple end-user (EU) roles available by default, with variations in permissions, but all have the following permissions in common.
To Do menu
The To Do menu gives end-users access to:
- Actions and Incidents - Create and manage actions, findings, incidents, and issues.
- Risk Assessment History - Information for risk assessments
- Dashboard - A dashboard view of all work assigned to the user for easy access.
Assessments
The Risk Assessment History page displays a list of all assessments created on the account. From here, most end-user roles provide access to:
- Assessment information - The name of the assessment, methodology, and country risk model.
After opening an assessment, depending on the end-user role, they can access further details contained within the assessment:
- Assessment Context - Executive summary, detailed context and organisational context that covers the scope of the entire assessment.
- Assessment Units - The risk assessment units (business-wide or granular) that comprise the assessment, their name, risk model, and weighting in the overall assessment.
- Assessment Report – View a report that aggregates findings across all the assessment units of the assessment, then generate a report for the board/senior management.
Assessment Units
From the Assessment Unit page of the assessment, end-users can view and select the assessment units it contains, and the assessment unit information:
- Context - Same as assessment context but includes Assessment Team and Distribution Team.
- Supporting Docs - Related documents that provide supporting evidence to the assessment.
- Workflow - Assign risk factors and controls to assignees and approvers and track their progress.
- Risk Analysis - Conduct the inherent risk evaluation.
- Controls Assessment - Conduct the controls effectiveness evaluation.
- Report – View a report that aggregates the risk and control ratings to arrive at the residual risk for the assessment unit, then generate a report for the board/senior management.
Conducting An Assessment
The Risk Assessment History page is the landing page and contains a summary of all in-progress and completed risk assessments.
The Risk Assessment History page columns:
- Assessment Name - Unique name for the assessment.
- Methodology - The methodology used for the assessment and its assessment units.
- Status - The status of the assessment will be either Not Started, In-Progress or Published.
- Start Date - Date the assessment was created.
- Publish Date - Date the assessment was published.
- Overall Residual Risk Rating – The overall residual risk rating for the assessment aggregates the residual risk from its assessment units.
- Status % - Completion % of risk factors and controls across all its assessment units by status.
- Actions:
- Resume - Use the Resume button (
) to update information in the in-progress assessment.
- Publish - Use the Publish button (
) to finalise the assessment so no edits can be made.
Note: All assessment units must be published and the Report page must be complete. - Review - Use the Review button (
) to view data in the published assessment.
- Unpublish - Use the Unpublish button (
) to return the assessment status to In Progress.
- Action menu - Use the Action button (
) to access these functions:
- Run Assessment Report - generate a Word report of the assessment
- Configure Assessment Report - configure sections to include in the generated report
- Assessment Details - edit the name or reporting period of the assessment
- Custom Weighting Groups - edit or delete custom weighting groups
- Delete Assessment - delete the assessment
Note: Assessments with Published or Archived assessment units cannot be deleted. - Attach Final Report - attach a customised version of the assessment report
- Audit Trail - view the audit trail of the assessment
- Export assessment data to CSV or XLSX
- Resume - Use the Resume button (
Use the filters and search options in the column headers to filter the results.
To download an overview of all assessments use the Export Assessments to Excel button ().
To create a new assessment press the New Assessment button.
In the New Assessment popup window, complete the details:
- Methodology - Select the methodology to be used for the assessment.
Note: This affects which risk models can be selected when creating assessment units. - Name - Enter a name for the assessment
- Start From - Optional, to copy data from an existing assessment
- Country Risk Model - Select a country risk model for the assessment
Press the Create button to create the assessment.
The assessment is created and opened. The assessment consists of 3 parts:
The progress bar in the upper right indicates the overall progress toward completion of the assessment's assessment unit's risks and controls, by status.
The Action Menu () contains options to run an assessment report, configure the assessment report, edit details of the assessment, delete it, modify custom weighting groups, view the audit trail, export assessment data to CSV or Excel, and more.
Assessment Context
Use the assessment's Context page to provide context for the assessment, such as scope, assumptions and approach.
This page is not mandatory and can be left blank if preferred.
The Context page consists of three parts:
- Executive Summary
- Detailed Context
- Organisational Context
Use the Copy From if you wish to copy the context from an existing assessment or assessment unit.
Executive Summary
- Background and Purpose - Explain how and why the risk assessment is being conducted.
- Overall Scope and Approach - Explain the type of assessment, coverage and how the assessment is to be carried out.
- Key Limitations and Assumptions - Describe constraints identified or assumptions made during the assessment.
Detailed Context
- Detailed Scope - Provide more context on the scope.
- Detailed Approach - Provide more context on the approach.
- Detailed Limitations and Assumptions - Provide more context on the constraints identified or assumptions.
Organisational Context
- Legal structure of the organisation - Type of organisation being assessed.
- Is the business part of a subsidiary of another entity - To determine the complexity of the business.
- Legal name of the group or parent entity - Mandatory if "Yes" is selected above.
- Country where the business is registered - Country where the business was first registered/incorporated.
- Country where the business is headquartered - Location of main headquarters by country.
- Number of outlets branches or offices - To determine the complexity of business operations.
- Countries where the business operates - To assess the country risk of the business.
- Annual revenue - the size of the organisation by revenue.
- Number of employees - The size of the organisation by headcount (including casual staff/contractors).
- Countries where the business uses third party distributors or agents - To assess the third party risk in relation to country risk.
- Approximate number of customers - To assess the complexity of the business by volume of customers.
- Countries where the business has customers - To assess the customer risk in relation to country risk.
- Attachments - Links (URLs) or attachments can be uploaded as supporting information, such as organisational charts etc.
Press the Next button, or select the Assessment Unit chevron, to proceed to the next section.
Assessment Unit
The Assessment Unit History page details all of the assessment units that are in progress or published within the main assessment. This allows assessments of different countries, operating groups, business divisions, functional areas, or product lines (or whatever other risk cross-section you choose) to be assessed in a hierarchical manner.
The progress bar in the upper right indicates the overall progress toward completion of the assessment unit's risks and controls, by status.
The Action Menu () in the upper right contains options to run an assessment report, configure the assessment report, edit details of the assessment, modify custom weighting groups, view the audit trail, export assessment data to CSV or Excel, and more.
Custom Weighting Groups
Create custom weighting groups using the Weight column header. Define assessment units to include/exclude from the group, and their relative weightings, then save the grouping. Display that configuration by selecting the custom grouping in the Custom Weighting Group dropdown.
The Assessment Unit History Columns
- Assessment Unit - Unique name for the assessment unit.
- Model - Risk model used for the assessment unit.
- Weight - The weight of the assessment unit in relation to other assessment units in the assessment. Select this column heading to adjust the weights and create custom weighting groups:
- Exclude/include assessment units from the custom group
- Change the order of assessment units
- Change the weight of assessment units
- Use Save As to give the custom group a name and create as many variations as needed.
- Use Save to overwrite the default.
- Type - The type of assessment unit (based on the linked risk model)
- Automatic - The inherent risk rating is calculated based on answers to questions by the assessor, where those answers are linked to ratings in the methodology.
- Manual - The inherent risk rating is calculated based on the risk likelihood and impact rating selected by the assessor, via a lookup against the methodology's inherent risk matrix.
- Status - The status of the assessment unit will be either Not Started, In-Progress or Published.
- Start Date - Date the assessment unit was created.
- Publish Date - Date the assessment unit was published.
- Overall Residual Risk – The overall residual risk rating for the assessment unit.
- Status % - Completion % of risk factors across the assessment unit, by status.
- Actions:
- Resume - Use the Resume button (
) to update information in the in-progress assessment unit.
- Publish - Use the Publish button (
) to finalise the assessment unit so no edits can be made.
Note: All risks/controls units must be approved and the Report page must be complete. - Review - Use the Review button (
) to view data in the published assessment unit.
- Unpublish - Use the Unpublish button (
) to return the assessment unit status to In Progress.
- Action menu - Use the Action button (
) to access these functions:
- Country Risk Ratings - access a list of selected countries and their ratings
- Run Assessment Unit Report - generate a Word report of the assessment unit
- Configure Assessment Unit Report - configure sections to include in the generated report
- Assessment Unit Details - edit the name, risk model, supporting docs template, or Owners (restricted users) of the assessment unit
- Delete Assessment Unit - delete the assessment unit
- Attach Final Report - attach a customised version of the assessment report
- Audit Trail - view the audit trail of the assessment
- Export assessment data to CSV or XLSX
- Resume - Use the Resume button (
To create an assessment unit, press the New Assessment Unit button.
To learn how to evaluate risks and controls in the assessment unit, see Creating the Assessment Unit.
Assessment Report
The Assessment Report aggregates the risk across all assessment units in the Assessment. This report can be generated as a Word doc at any time during the assessment process and is based on all assessment unit data entered to that point.
The Assessment Report page shows the Overall Ratings for all assessment units in the assessment, or the assessment units defined in the selected Custom Weighting Group (if any).
Users may also add comments and actions related to the assessment that should be brought to the attention of the board/senior management in the Executive Summary.
Creating the Assessment Unit
Click New Assessment Unit to create a new assessment unit and start the analysis process.
In the New Assessment Unit popup window, complete the details:
- Name - Enter a name for the assessment unit.
- Start From - Optional, to copy data from an existing assessment unit.
- Model - Select the risk model for the assessment unit.
Note: the dropdown only displays risk models that use the same methodology as the assessment. - Supporting Document Template - Optional, to include a checklist of supporting documents.
Note: the dropdown only displays templates that use the same methodology as the assessment. - Control Metric - Optional, to remove the unselected metrics from the controls assessment.
- Owners - Optional, to give restricted users access to the assessment unit.
The Assessment Unit consists of up to 5 parts:
Assessment Unit Context
The context contains the same questions as the assessment context but should be completed relevant to the scope of the particular assessment unit.
There are two additional sections in the assessment unit context that will appear in the appendix of the assessment unit report:
- Assessment Team - the name, title and email address of people involved in the assessment.
- Distribution List - the name, title and email address of people to receive the outputs.
Press the Next button, or select a chevron at the top of the page, to proceed to the next section.
Supporting Documents
Documents needed to complete the assessment unit can be uploaded to the supporting documents section.
This section is optional and appears when a supporting document template is selected at assessment unit creation.
- "Click here" hyperlink – User's notification preferences for when documents are uploaded.
- Filter - Use the filter options to identify requested documents that have not been provided.
- Share - Use the Share button (
) to email users to upload documents to the assessment unit.
- Edit - Use the Edit button (
) to edit and save a new supporting document template against the assessment unit.
- Expand/Collapse - Show or hide the detailed comments for each supporting document.
- Yes/No - Flag whether a requested document should be provided or not.
- Attachments - Appears if Yes is ticked; click the Attachment icon and upload the document.
- Status - Displays a tick when a file is attached or when no file is needed.
- Comments - Can be added at any time.
Press the Next button, or select a chevron at the top of the page, to proceed to the next section.
Workflow
The workflow section provides an overview of the allocation and status of risk factors and controls. This feature also allows the allocation of the risk and control analysis workload across a team.
The workflow page consists of 3 tabs:
- Workflow Summary - Summary of the status of each risk factor and control and who they are allocated to.
- Assign Risk Factors - A list of the risk factors in the model and the ability to set assignees and approvers for each.
- Assign Controls - A list of the controls added to the assessment unit and the ability to set assignees and approvers. Controls are added to the assessment unit from the Controls Assessment page.
Workflow Summary
The workflow summary provides a breakdown of the risks and controls, by status and by assignee/approver.
Responsibilities:
- Assignee - First line doer/reviewer
- Approver - Second/third/fourth line approver/reviewer
Statuses:
- Not Assessed - No updates have been made to the risk or control.
- In Progress - The analysis has started but not all questions in the risk are answered.
- Complete - The analysis has started and all questions answered, but the risk or control has not been submitted for review/approval.
- Awaiting Approval - The analysis has been submitted and is awaiting approval.
- Approved - The analysis has been approved.
Workflow - Assign Risk Factors
This screen allows risk factors to be allocated between team members. There can be one (1) assignee and up to three (3) approvers per risk factor.
- Filter - Use the Filter button (
) to expand the filter section.
- Select - Use the checkboxes to select risk factors to update.
- Add Approver - Use the Add button (
) to add more approval stages, up to a maximum of 3 approvers for all risks.
- Assignee - Select an assignee for the selected risk(s) and press the Update button.
- Approver - Select an approver for the selected risk(s) and press the Update button.
Note: At least 1 approver must be different to the Assignee. - Notify - select risks and press the Notify button to email users of those risks. For more details, see the chapter "Notifying Assignees and Approvers" in Conducting a Risk Assessment - Workflow.
Workflow - Assign Controls
This screen allows the controls to be allocated between team members. There can be one (1) assignee and up to three (3) approvers per control.
Add controls to the assessment unit on the Controls Assessment page.
- Filter - Use the Filter button (
) to expand the filter section.
- Select - Use the checkboxes to select controls to update.
- Add Approver - Use the Add button (
) to add more approval stages, up to a maximum of 3 approvers for all risks.
- Assignee - Select an assignee for the selected control(s) and press the Update button.
- Approver - Select an approver for the selected control(s) and press the Update button.
Note: At least 1 approver must be different to the Assignee. - Notify - select controls and press the Notify button to email users of those controls. For more details, see the chapter "Notifying Assignees and Approvers" in Conducting a Risk Assessment - Workflow.
Press the Next button, or select a chevron at the top of the page, to proceed to the next section.
Risk Analysis
The Risk Analysis page provides a view of the risk factors in the assessment unit, and this is also where analysis of each risk factor is conducted, with comments and supporting evidence.
The Risk Analysis page consists of 2 tabs:
- Inherent Risk Summary - Dashboard summarising the risk factors within the model.
- Inherent Risk Questionnaire - Details page for each risk factor where data is captured.
Inherent Risk Summary
This is a dashboard summarizing the risk groups, risk categories (optional) and risk factors in the risk model selected at assessment unit creation. It is designed to monitor the progress of risk factors across the assessment unit.
- Collapse all - Use the "Collapse all" button (
) to hide all tiers below Group level.
- Expand all - Use the "Expand all" button (
) to show all tiers.
- Filter - Use the Filter button (
) to expand the filter section
The Risk Analysis Columns:
- Inherent Risk Factors - The name of the risk factors, categories and groups.
- Model Weight - The relative importance of the risk factor/category/group as defined in the model. Used to calculate the overall inherent risk rating for the assessment unit.
- Status - The status of the risk factor will be either Not Assessed, In-Progress, Completed, Awaiting Approval or Approved. See an explanation of the risk statuses.
- Assignee - The user allocated to analyse the risk factor and submit their assessment.
- Approver - The user allocated to review and approve the analysis.
- Inherent Risk Rating - This is calculated from the answers to the risk indicators based on the linked methodology.
Select a risk factor name to begin the analysis for that risk factor and capture detailed data.
Inherent Risk Questionnaire
Every risk factor in the risk model has a risk questionnaire page for assessing risk.
This is a detailed view of the risk factor, with risk indicators to assess the risk.
The risk questionnaire page consists of:
- Navigation Panel (left) - Lists all the risk factors to quickly jump to a specific risk.
- Status (lower left) - The status of the risk factor will be Not Assessed, In-Progress, Completed, Awaiting Approval or Approved.
- Risk Factor (upper left) - Name and description (optional) of the risk factor from the model.
- Weight - The relative importance of the risk factor, as defined in the model.
- Assignee - The user allocated to complete details for the risk factor.
- Approver - The user allocated to approve the risk factor after it is submitted by the assignee.
- Risk Indicators - Optional in manual risk models, and required in automatic risk models, are the questions relating to the risk, with associated answers for the assignee to select.
- Comments - For providing additional context behind the risk factor and answers.
- Attachments - Use to attach supporting documentation.
- Inherent Risk Rating (lower right) - Is either automatically calculated in automatic risk models or derived from the impact and likelihood matrix in manual risk models.
- Controls Effectiveness Rating - Is automatically calculated from the linked controls' weightings and their category's weighting.
- Link controls to the risk by using the link icon (
).
- Link controls to the risk by using the link icon (
- Residual Risk Rating - Is derived by a lookup of the Residual Risk Matrix in the Methodology selected at Assessment creation, based on the Inherent Risk and Control Effectiveness ratings of the risk factor.
- Actions - Use the Add button (
) to add actions. Enter an action title, select an action owner, type the action description and then Save (
). The selected owner will receive a notification email.
- Submit – Submit the risk data with or without comments.
- Approve/Reject/Reopen - Approve/reject/reopen the risk with or without comments by the approver allocated on the risk. Note: The risk analysis pages can also be reopened.
Overrides
Approvers and users with 'Override' permissions can override ratings on the risk questionnaire page. Doing this will prompt the user to enter override comments that will appear in the audit and in the reports. Ratings that can be overridden:
- Risk Indicator Rating
- Risk Factor Inherent Risk Rating
- Risk Factor Residual Risk Rating
Controls Assessment
The Control Assessment page provides a view of the controls in the assessment unit, and this is also where the controls are added and assessment of each control is conducted, with comments and supporting evidence.
The Controls Assessment page consists of 2 tabs:
- Controls Summary - Dashboard summarising the controls linked to the assessment unit.
- Controls Questionnaire - Details page for each control where data is captured.
Controls Summary
This is a dashboard summarizing the control categories and controls added to the assessment unit. It is designed to monitor the progress of controls across the assessment unit.
Controls Summary columns:
- Controls - Unique name of the control
- Key - Optional, to identify a control as being key in mitigating risks. Appears in the report and does not affect the rating calculations.
- Weight - The relative importance of the control and control category. Used to calculate the controls effectiveness rating for the assessment unit. Adjust the weight of controls and categories by selecting the hyperlink (weight in blue text).
- Status - The status of the control will be Not Assessed, Completed, Awaiting Approval or Approved.
- Assignee - The team member allocated to analyse the assess the effectiveness of the control and submit their assessment.
- Approver - The team member allocated to review and approve the analysis.
- Control Effectiveness - this is calculated from the answers to the control metrics based on the linked methodology.
- Actions - delete the control from the assessment unit or link the control to risk factors
Use the Add Controls button to add controls from the control library. The popup lists Controls matching the domain of the risk model selected at Assessment Unit creation.
Select a control name to begin the analysis of the effectiveness of that control and capture detailed data.
Controls Questionnaire
This is a detailed view of the control with control metrics to assess its effectiveness.
Every control in the assessment unit has a questionnaire page for assessing the effectiveness and contains the following:
- Control Category (upper left) - Name of the category of control.
- Status (lower left) - The status of the control will be Not Assessed, Completed, Awaiting Approval or Approved.
- Collapse/Expand all - Show or hide the sections Control Test Results and Actions.
- Control Name - Name of the control added to the assessment from the control library.
- Type - The type of control: Preventative, Detective, Corrective, Unspecified, Unknown.
- Key - Optional, to identify a control as being key in mitigating risks. Appears in the report and does not affect the rating calculations.
- Weight - The relative importance of the control and control category. Used to calculate the overall controls effectiveness for the assessment unit. Adjust the weight of controls and categories by selecting the hyperlink (weight in blue text).
- Assignee - The user allocated to complete details for the control.
- Approver - The user allocated to approve the control after it is submitted by the assignee.
- Control Metrics - The questions relating to the effectiveness of the control.
- Control Effectiveness Rating - This is derived from the answers to the metric questions, based on the methodology selected at assessment creation.
- Comments - For providing additional context behind the control and metric answers.
- Control Test Results - Information to conduct testing of the control and suggested evidence (optional), with space to add comments about the testing results and evidence.
- Stakeholders Consulted - Details of people consulted to assess the control.
- Attachments - Use to attach supporting documentation.
- Actions - Use the Add button (
) to add actions. Enter an action title, select an action owner, type the action description and then Save (
). The selected owner will receive a notification email.
- Submit – Submit the control data with or without comments.
- Approve/Reject - Approve/reject the control with or without comments by the approver allocated on the risk. Note: The control questionnaire pages can also be reopened.
Assessment Unit Report
The final stage in the process is to review the overall risk ratings, add comments or actions for the board/senior management, generate the report, and publish to save a view-only audit of the assessment unit.
This report page shows the Overall Inherent Risk Rating, Overall Control Effectiveness, and Overall Residual Risk Rating for the assessment unit.
Scrolling down reveals graphs for Inherent Risk Rating by Group, Controls Effectiveness by Category, and Residual Risk by Risk Factor.
Users with override permissions are able to override the Residual Risk Rating for the Assessment Unit. This will prompt the user to enter comments on the override that will appear in the audit and generated reports.
Hovering over a section of the bar charts will display the rating label, count, and percentage. Clicking on a section of the bar chart will drill down to the risks/controls that belong to the respective rating.
Overall Risk Comments (under Inherent Risk Rating by Group, Control Effectiveness by Group, and Residual Risk by Risk Factor) are mandatory only when the assessment unit is ready to be published.
Users may also add any Actions related to the assessment unit that should be brought to the attention of the board/senior management in the Executive Summary.
A Word version of the Assessment Unit report can be produced at any time from the Action menu ().
Comments
0 comments
Please sign in to leave a comment.