Platform: Risk Assessment
Applies to: Super Admin and Company Admin Users
The purpose of this feature is to allow the Super Admin and Company Admin users to select from a series of out-of-the-box Risk Assessment Methodologies or create bespoke methodologies based on organisation-specific risk management framework requirements.
The Risk Assessment Methodology allows the customisation of:
- Inherent Risk Ratings and Inherent Risk Matrix
- Residual Risk Ratings and Residual Risk Matrix
- Control Effectiveness Ratings and Control Effectiveness Matrix
- Control Metric Ratings
- Country Risk Ratings
- Rounding Tolerance
Methodologies that are available out-of-the-box (Global):
- Arctic Global 4 x 4 Methodology
- Arctic Global 5 x 5 Methodology
- Arctic Global 6 x 6 Methodology
Methodology Dependencies
When creating App Setup content, the first step is to decide whether to use the global methodologies or create a bespoke methodology for the company.
If a bespoke methodology is required, it must be created and finalised before any other App Setup content, such as Answer Sets and Risk Models, is created, because that content depends on the Methodology.
A methodology must be published before it can be used in the creation of other App Setup content or Assessments.
While a methodology is being used by any Answer Sets, Risk Models, or Assessments, it cannot be unpublished or edited. If a methodology needs updating, you must either:
- Delete (not Archive) all the dependent assets, such as Answer Sets, Risk Models, Assessments; OR
- Create a new methodology by copying the published one.
Note: Creating a new methodology will require the re-creation of all the content dependent on the original methodology, such as Answer Sets and Risk Models.
For more information, see FAQ: What are the dependencies for App Setup content, such as the Risk Model or Methodology?
The Methodology Page
There are two tabs on the Methodology page:
- Global - The Super Admin can work with methodologies in the Global tab. These methodologies are available to all companies.
- Company - Company Admin users can work with methodologies in the Company tab. These methodologies are created by and maintained by the company admin for the company and are only available to that company.
Methodologies can have one of two statuses:
- In Progress - The methodology can be changed. It is not available when creating Answer Sets, Risk Models, or Assessments.
- Published - The methodology cannot be changed. It is available when creating Answer Sets, Risk Models, or Assessments.
Depending on the status of the methodology, and its dependencies, these functions are available:
- Update - Use the Resume button to edit a Methodology with the status "In Progress".
- Publish - Use the Publish button to publish a Methodology that is complete and requires no further changes.
- View - Use the View button to view details of a Methodology with the status "Published".
  Note: Only the Description of ratings can be edited in Published methodologies.
- Unpublish - Use the Unpublish button to unpublish a methodology and make changes.
  Note: This function is only available for published methodologies that are not linked/used in Answer Sets, Risk Models or Assessments.
- Action - Use the Actions button to open the menu:
  - Methodology Details - Edit the name or description of the methodology.
  - Delete Methodology - Delete a methodology that is In Progress or Published with no dependent assets.
  - Archive Methodology - Archive a methodology that is Published and has dependent assets.
  - Export Rationale CSV - Download a CSV file containing all rationale text entered into the methodology.
Note: A published methodology can only be unpublished if it is not linked to a Risk Model, Answer Set, or Assessment.
Example showing actions available to methodologies based on their status and dependencies:
Creating a New Methodology
- Open the App Setup menu and select Methodology.
- Press the New Methodology button.
- Enter a name (required) and a description (optional).
- Select an existing methodology to copy from.
- Press the Create button.
- Complete all required fields in the Methodology window, such as the ratings and matrices.
  Note: Autosaves are triggered every time the focus leaves a field.
- Press the Publish button to finalise the methodology and make it available for use.
Updating a Methodology
Open the App Setup menu and select Methodology.
Identify the in-progress methodology to be updated and press the Resume button to open the Methodology configuration page.
Note: Only methodologies with status In Progress can be updated.
The page automatically saves when the cursor focus changes.
When the configuration of the methodology is complete, and it is ready to be finalised and used, press the Publish button.
Archiving or Deleting a Methodology
Open the App Setup menu and select Methodology.
Identify the methodology, open the Action menu and select the appropriate action:
- Delete Methodology - Available for methodologies with the status In Progress or that are Published but not linked to any Models, Answer Sets, or Assessments
- Archive Methodology - A methodology with status Published that is linked to a Risk Model, Answer Set, or Assessment can be archived. Press the Archive button to archive it.
Documenting Rationale in the Methodology
Users with appropriate permissions can document their rationale within the methodology.
The following rationale options are available:
- Rationale fields - alongside the Description field for each rating on the inherent, residual, country, control effectiveness, and control metric tabs.
- Rationale buttons - open a popup for each combination of ratings on the inherent risk matrix, residual risk matrix, and control effectiveness matrix tabs. Look for the book icon.
- Rationale fields on the Rounding Tolerance tab and on the Methodology Details popup.
The rationale can be updated after the methodology is published.
Export the rationale for a methodology using the Export Rationale CSV option in the Methodology's action menu.