Platform: Risk Assessment Platform
Applies to: Super Admin and Company Admin Users
The purpose of this feature is to create Risk Models based on organisation-specific risk management framework requirements.
The Risk Assessment Platform is fully configurable and allows every aspect of the risk management framework to be tailored to suit your organisation’s requirements.
The risk platform is built around a four-level risk hierarchy. Relative risk weightings can be applied at every level to derive the relative importance of risk attributes at that level, and they cascade from the lowest level (risk indicators) to the highest level (risk groups):
- Level 1 - Risk Groups - primary risk groups (e.g. customer risk, product risk, channel risk)
- Level 2 - Risk Categories (optional) - secondary risk categories associated with each risk group (e.g. customer type, customer location, customer occupations)
- Level 3 - Risk Factors - risk sub-categories associated with each risk category (e.g. individual customers, non-individual customers)
- Level 4 - Risk Indicators - risk characteristics, expressed as questions
Working with Risk Models
Risk Model Management
The key features of this page:
- Global tab - list of out-of-the-box/purchased risk models maintained by Arctic
- Company tab - list of risk models created by the company
- Search – enter search text
- Bulk Update – update multiple records at one time
- Download Risk Model Import File Format – downloads a blank starting template to create a CSV import file
- New Risk Model - create a new risk model
- Action - resume, publish, unpublish, archive, delete, edit name or description
- Use the table headers to filter and search
The Risk Model screen has two tabs.
- Global - Risk models that have been purchased with the platform licence. Super Admin can view, archive, or export published Global Risk Models and can add/import, resume, delete or export in-progress Risk Models. Super Admin can only view Company Risk Models.
- Company - Risk models that are created/customised by the Company. Company Admin can view, archive or export published Company Risk Models and can add/import, resume, delete or export in-progress Risk Models. Company Admin can only view Global Risk Models.
Creating a Risk Model
Users must have the appropriate permissions to create risk models.
1. To create a new risk model, press the New Risk Model button.
2. A popup appears to enter details about the new risk model:
3. Complete the details:
- Domain - risk topic area that the model will be associated with, e.g. Anti-Money Laundering (AML)
- Methodology - select a methodology to create an automatic risk model, or leave this field blank to create a manual risk model.
- Name - unique name for the risk model
- Description - optional
- Start From
  - New - To build the risk model from scratch (refer to Building the Risk Model below)
  - Another risk model - To use another model as a starting point for the new model. Note: The Start From field lists risk models matching the selected Domain and Methodology.
  - Import - To create the risk model from a CSV file. See Importing Risk Models.
- Include categories - Optional; select to add a tier for risk categories (level 2)
- Create Linked Data Set - Optional; available on accounts with the Data Sets add-on. Select to create an API data set that mirrors the risk model in order to complete assessments from an API data feed.
- Show Rationale - Optional; select to show Rationale fields to document your rationale for the configuration of your risk model.
- Automatic / Manual model type - This field is read-only and is dependent on whether a methodology has been selected.
Manual Risk Models
In a Manual Risk Model, the user selects the likelihood and impact of the risk occurring. The Overall Inherent Risk Rating is then calculated using the Inherent Risk Rating Matrix in the Methodology selected in the Assessment.
Automatic Risk Models
An Automatic Risk Model maps a risk rating (based on the rating scale in the Methodology selected in the risk model) to each answer in the answer sets linked to the risk indicators in the model.
4. Press the Create button.
5. The new risk model is opened in edit mode.
6. Configure the contents of the risk model by defining risk groups, categories (optional), risk factors, risk indicators and their linked answer sets (for more details, see Building the Risk Model):
- To edit an entry (group, category, risk factor, risk indicator), select it in the panel on the left and click the pencil button in the panel on the right.
- To add a new entry, select the parent in the panel on the left, and click the + button in the panel on the right.
- To delete an entry, select it (or its parent) in the panel on the left, and click the delete button in the panel on the right.
7. Link answer sets to risk indicators using the dropdown to select an answer set from the list.
Note: only answer sets that match the methodology of the risk model are listed.
8. Apply weightings and ensure all weightings add up to 100% for each group, category, risk factor, and risk indicator. Alternatively, use the 'scales' button at the top to distribute weightings equally across the entire risk model. See Applying Risk Weightings.
9. Press the Publish button to publish the risk model.
Building the Risk Model
If you have selected to start the risk model from "New" or from an existing model, the Risk Model edit screen will display after clicking Create in the New Risk Model popup. The screen consists of 2 panels:
- Left-hand side pane - add/edit/copy the elements in the Risk Model hierarchy and set the weighting of each element at the different levels in the hierarchy.
- Right-hand side pane - add/edit/copy risk model attributes and assign answer sets to risk indicators
Example of a risk model started from an existing risk model, with the Rationale option selected:
Example of a risk model started from "New":
Step 1 - Adding Risk Groups
Click the icon in the panel on the right to add Risk Groups.
After one Risk Group has been added, the button directs the user to create the next level down in the risk hierarchy (e.g. Risk Categories or Risk Factors if no categories exist).
The Risk Group Name and Risk Group Description can be edited using the pencil button, copied using the duplicate button and deleted using the bin button.
The diagram below shows multiple Risk Groups that have been copied.
Step 2 - Adding Risk Categories (optional level)
The next step is to create risk categories that are associated with each Risk Group (if you selected ‘include categories’ when creating the model).
Step 3 - Adding Risk Factors
The next step is to create Risk Factors that are associated with each Risk Group (or Risk Category if you selected 'include categories' when creating the risk model).
Step 4 - Adding Risk Indicators
The next step is to create Risk Indicators that are associated with each Risk Factor. These are the questions your users will answer in the assessments to determine inherent risk.
Step 5 - Linking Answer Sets to each Risk Indicator
The next step is to assign an Answer Set to each Risk Indicator in the model.
Open the dropdown beside the risk indicator question and select an answer set from the list.
You can do this from the Risk Factor level or drill down to the Risk Indicator level.
Risk Factor level:
Risk Indicator level:
Answer Sets are created in App Setup > Answer Sets.
Answer sets must be created and published before they will appear for selection in the risk model.
When creating answer sets, it is recommended to come up with a clear naming convention. If there are multiple Answer Sets with different answers and ratings, this will assist in linking the correct Answer Set to a Risk Indicator.
In an automatic model, risk indicators are required and must each be linked to an answer set. Only the answer sets matching the methodology of the risk model will appear for selection. In automatic answer sets, a risk rating must be assigned to each answer within the set based on the methodology.
In a manual model, risk indicators and answer sets are optional. In manual answer sets, no risk rating is assigned to the answers.
To assign answer sets to each Risk Indicator, ensure you are in edit mode for the Risk Indicator (click the edit button) and select the Answer Set from the dropdown list. Click on the tick to save the Risk Indicator.
Applying Risk Weightings
The Risk Assessment Platform is built on the premise that not all risks or controls are of equal importance.
Note: Refer to Conducting a Risk Assessment - Risk Analysis to see how control weighting is applied.
The Risk Weighting functionality allows risks to be relatively weighted at all levels of the Risk Model to define their relative importance. Alternatively, the default setting is for equal risk weighting at all levels of the risk model.
Group, Category, Risk Factor and Risk Indicator Weighting
Risk weights across the entire model can be applied equally by clicking the scale icon at the top of the left-hand panel.
To modify the weightings for each Risk Group, Category, Risk Factor, or Risk Indicator, click the % value next to the first item of that level (i.e., next to the first group, first category within the group, etc.) in the left-hand pane to open the edit popup. The title of the popup indicates which element of the hierarchy is being weighted. The weight of each item within the hierarchy can be adjusted using the slider or by entering the weighting. All weightings for each part of the model hierarchy must sum to 100%.
Risk Factor Weighting
Risk Indicator Weighting
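A pre-publish check for two rules stated above (weightings must sum to 100% for each part of the hierarchy; in an automatic model every risk indicator must be linked to an answer set), written as an added example and not platform code. The `Node` structure, the `check_model` function and the sample model are constructed for illustration and do not represent the platform's import file format or API.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    """One hierarchy entry (hypothetical structure, not the platform's format)."""
    level: str                      # "group", "category", "factor" or "indicator"
    name: str
    weight: float                   # percentage within its sibling set
    answer_set: Optional[str] = None
    children: list[Node] = field(default_factory=list)

def check_model(groups: list[Node], automatic: bool, tol: float = 0.01) -> list[str]:
    """Return the problems found; an empty list means the checks passed."""
    problems: list[str] = []

    def check_siblings(siblings: list[Node], parent: str) -> None:
        if not siblings:
            return
        total = sum(n.weight for n in siblings)
        if abs(total - 100.0) > tol:
            problems.append(
                f"{parent}: {siblings[0].level} weights sum to {total:g}%, not 100%")
        for n in siblings:
            if n.level == "indicator":
                if automatic and not n.answer_set:
                    problems.append(f"{n.name}: indicator has no answer set")
                continue
            # Assumption: "risk indicators are required" is read as
            # "every risk factor in an automatic model needs at least one".
            if automatic and n.level == "factor" and not n.children:
                problems.append(f"{n.name}: factor has no risk indicators")
            check_siblings(n.children, n.name)

    check_siblings(groups, "model")
    return problems

# Constructed sample: a model built without the optional category level.
SAMPLE = [
    Node("group", "Customer risk", 60, children=[
        Node("factor", "Individual customers", 50, children=[
            Node("indicator", "Is the customer a PEP?", 70, "Yes/No (AML)"),
            Node("indicator", "Is the customer resident overseas?", 20),
        ]),
        Node("factor", "Non-individual customers", 50),
    ]),
    Node("group", "Product risk", 30),
]

if __name__ == "__main__":
    print("\n".join(check_model(SAMPLE, automatic=True)))
```

Run with `automatic=False`, the same sample reports only the two weighting errors, because manual models treat risk indicators and answer sets as optional.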
Publishing the Risk Model
The risk model must be published before it can be used in an Assessment.
If you selected "Create Linked Data Set" when creating the risk model, an API Data Set will be automatically created that reflects the risk model. The Data Set can be viewed in App Setup > Data Set.
Documenting Rationale in the Methodology
Users with appropriate permissions can document their rationale within the risk model.
To see the Rationale buttons and fields, select "Show Rationale" in the Risk Model Details.
Use the rationale button beside the element you want to add your rationale to. A popup window will appear where you can type.
Rationales can be added to explain:
- Risk Model details / New Risk Model popup window.
- The weightings for risk groups, categories, risk factors, and risk indicators.
- Answers and ratings in answer sets linked to the risk indicators.
- Answer Set details / New Answer Set popup window.
The rationale can be updated after the risk model is published.
Export the rationale for a risk model using the Export Rationale CSV option in the risk model's action menu.