Platform: Risk Assessment Platform
Applies to: Super Admin and Company Admin Users
The purpose of this feature is to create Risk Models based on organisational specific risk management framework requirements.
The Risk Assessment Platform is fully configurable and allows every aspect of the risk management framework to be tailored to suit your organisation’s requirements.
The risk platform is built around a four-level risk hierarchy and relative risk weightings can be applied at all levels, which cascades from the lowest level (risk indicators) to the highest level (risk groups):
The Risk Models are based on the following hierarchy and weightings can be applied at each level to derive the relative importance of risk attributes at each level:
- Level 1- Risk Groups - primary risk groups (e.g. customer risk, product risk, channel risk)
- Level 2- Risk Categories (optional) - secondary risk categories associated with each risk group (e.g. customer type, customer location, customer occupations)
- Level 3- Risk Factors - risk sub-categories associated with each risk category (e.g. individual customers, non-individual customers)
- Level 4- Risk Indicators - risk characteristics, expressed as questions
Working with Risk Models
Risk Model Management
The key functionality contained within this component of the application includes:
- Global - list of out of the box/purchased risk models maintained by Arctic
- Company - list of risk models created by a company
- Search – enter search text
- Bulk Update – update multiple records at one time
- Export CSV import template – downloads a blank starting template to create a CSV import
- New Risk Model - create a new risk model
- Action - resume, publish, unpublish, archive, delete, edit name or description
The Risk Model screen has two tabs.
- Global - Risk models that have been purchased with the platform licence. Super Admin can view, archive or export published Global Risk Models and can add/import, resume, delete or export in-progress Risk Models. Super Admin can only view Company Risk Models.
- Company - Risk models that are created/customised by the Company. Company Admin can view, archive or export published Company Risk Models and can add/import, resume, delete or export in-progress Risk Models. Company Admin can only view Global Risk Models.
Creating a Risk Model
After selecting the New Risk Model button a pop-up appears.
Complete the details:
- Domain - risk topic area that the model will be associated with e.g. Anti -Money Laundering (AML)
- Methodology - select a methodology to create an automatic risk model, leave this field blank to create a manual risk model
- Name - unique name for the risk model
- Description - optional
- Start From
- A blank template - to build the risk model from scratch (refer to building a risk model below)
- Existing risk model - to use another model as a starting point for the new model.
- Import - import the risk model from a CSV file
- Include categories - determines whether the model should have risk categories (level 2) or not
- Automatic / Manual model type - read-only. Is dependent on whether a methodology was selected
Manual Risk Models
Manual Risk Models operate where the user selects the likelihood and impact of the risk occurring which calculates the Overall Inherent Risk Rating by using the Inherent Risk Rating Matrix in the Methodology selected in the Assessment.
Automatic Risk Models
Automatic Risk Models operate using the mapping of a risk rating (based on the rating scale in the Methodology selected in the risk model) against each answer in the answer sets linked to the risk indicators in the model.
In addition to the risk model (manual or automatic), controls are added to the Assessment Unit, weighted, and an overall control effectiveness rating is calculated.
The Residual Risk is derived by a lookup of the Residual Risk Matrix defined in the Methodology selected in the Assessment, where the Inherent Risk Ratings are plotted against the Control Effectiveness Ratings.
Creating a new risk model -> Start from Existing
The user can select a previously created risk model and start from that point, which essentially copies the previous model and can be edited as described below in Building the Risk Model.
If there are existing risk models (purchased, or customised content) for the relevant domain, they can be used as the basis of the new risk model.
- Click the New Risk Model button.
- In the popup window populate mandatory fields as described in the chapter above.
- In the Start From field select the risk model to be customised.
Note: The Start From field shows only risk models matching the selected Domain and Methodology.
- Click Create on the popup.
- The edit risk model screen will appear so the groups, categories, risk factors, risk indicators and their weightings can be customised.
- To edit a group, category, risk factor, or risk indicator: select it in the panel on the left and click the pencil button in the panel on the right.
- To link answer sets to a risk indicator, use the dropdown and select an answer set from the list.
- Once all your weightings add to 100% for each group, category, risk factors, risk indicators, and you have populated all mandatory fields (names, risk factor description, answer sets) you can publish the risk model. See below for applying weightings to the risk model.
Creating a new risk model -> Start from Import
In the New Risk Model popup if you select “Import” refer to the Importing Risk Models article.
Building the Risk Model
If you have selected to start model "New" or from an existing model, the Risk Model edit screen will display after clicking Create in the New Risk Model popup. The screen consists of 2 panels:
- Left-hand side pane - add/edit/copy the elements in the Risk Model hierarchy and set the weighting of each element at the different levels in the hierarchy.
- Right-hand side pane - add/edit/copy risk model attributes and assign answer sets to risk indicators
Example of a risk model started from an existing risk model:
Example of a risk model started from "New":
Click the + icon in the right pane to add Risk Groups.
Step 1 - Adding Risk Groups
After one Risk Group has been added the >> icons direct the user to create the next level down in the risk hierarchy (e.g. Risk Categories or Risk Factors if no categories exist).
The Risk Group Name and Risk Group Description can be edited using the pencil icon, copied using the duplicate paper icon and deleted using the rubbish bin icon.
The diagram below shows multiple Risk Groups that have been copied.
Step 2 - Adding Risk Categories (optional level)
The next step is to create risk categories that are associated with each Risk Group (if you have selected to ‘include categories’ when creating the model).
Step 3 - Adding Risk Factors
The next step is to create Risk Factors that are associated with each Risk Category.
Step 4 - Adding Risk Indicators
The next step is to create Risk Indicators that are associated with each Risk Factor.
Step 5 - Linking Answer Sets to each Risk Indicator
The next step is to assign an Answer Set to each Risk Indicator in the model.
Open the dropdown beside the risk indicator question and select an answer set from the list.
Answer Sets are created in App Setup > Answer Sets.
Answer sets must be created and published before they will appear for selection in the risk model.
When creating answer sets, it is recommended to come up with a clear naming convention for Answer Sets. If there are multiple Answer Sets with different answers and ratings this will assist in linking the correct Answer Set to a Risk Indicator.
In an automatic model, risk indicators are required and must each be linked to an answer set. Only the answer sets matching the methodology of the risk model will appear for selection. In automatic answer sets, a risk rating must be assigned to each answer within the set, based on the methodology.
In a manual model, risk indicators and answer sets are optional. In manual answer sets, no risk rating is assigned to the answers.
To assign answer sets to each Risk Indicator ensure you are in edit mode for the Risk Indicator (click edit pencil) and select the Answer Set from the dropdown list. Click on the tick to save the Risk Indicator.
Applying Risk Weightings
The Risk Assessment Platform is built on the premise that not all risks or controls are of equal importance.
Note: Refer Conducting a Risk Assessment - Risk Analysis, to see how control weighting is applied.
The Risk Weighting functionality allows risks to be relatively weighted at all levels of the Risk Model to define their relative importance. Alternatively, the default setting is for equal risk weighting at all levels of the risk model.
Group, Category, Risk Factor and Risk Indicator Weighting
Risk weights across the entire model can be applied equally by clicking the scale icon at the top of the left-hand panel.
To modify the weightings for each Risk Group, Category, Risk Factor or Risk Indicator click the % value next to the first item of that level (i.e., next to the first group, first category within the group, etc) in the left-hand pane to open the edit popup. The title of the popup indicates which element of the hierarchy is being weighted. The weight of each item within the hierarchy can be adjusted using the slider or entering the weighting (all weightings for each part of the model hierarchy must sum to 100%).
The risk model must be published before it can be used in an Assessment.
Please sign in to leave a comment.