Platform: Risk Assessment
Applies to: Super Admin and Company Admin Users
The purpose of this feature is to allow the Super Admin and Company Admin users to select from a series of out-of-the-box Risk Assessment Methodologies or create bespoke methodologies based on organisation-specific risk management framework requirements.
About Methodologies
The Risk Assessment Methodology allows the customisation of:
- Inherent Risk Ratings and Inherent Risk Matrix
- Residual Risk Ratings and Residual Risk Matrix
- Control Effectiveness Ratings and Control Effectiveness Matrix
- Control Metric Ratings
- Country Risk Ratings
- Rounding Tolerance
Methodologies that are available out-of-the-box (viewable in the Global tab):
- Arctic Global 4 x 4 Methodology
- Arctic Global 5 x 5 Methodology
- Arctic Global 6 x 6 Methodology
Methodology Dependencies
When creating App Setup content, the first step is to decide whether to use the global methodologies or create a bespoke methodology for the company.
If a bespoke methodology is required, it must be created and finalised before any other App Setup content is created, such as Answer Sets and Risk Models, as they are dependent on the Methodology.
A methodology must be published before it can be used to create other App Setup content or Assessments.
While a methodology is being used by any Answer Sets, Risk Models, Country Risk Models, or Assessments, it cannot be unpublished or edited. If a methodology needs updating, you must either:
- Delete (not Archive) all the dependent assets (Answer Sets, Risk Models, Country Risk Models, and Assessments)
- OR create a new methodology by copying the published one. This will require the re-creation of all the content dependent on the original methodology, such as Answer Sets, Risk Models, and Country Risk Models.
For more information, see FAQ: What are the dependencies for App Setup content, such as the Risk Model or Methodology?
View Methodologies
Users with appropriate permissions can view the list of Methodologies in App Setup > Methodology.
There are two tabs on the Methodology page:
- Global - The Super Admin can work with methodologies in the Global tab. These methodologies are available to all companies.
- Company - Company Admin users can work with methodologies in the Company tab. These methodologies are created by and maintained by the company admin for the company and are only available to that company.
Methodologies can have one of two statuses:
- In Progress - In this state, the methodology can be edited but not used to create Answer Sets, Risk Models, Country Risk Models, or Assessments.
- Published - In this state, the methodology cannot be edited but can be used to create other App Setup content and Assessments.
Depending on the status of the methodology and its dependencies, these functions are available:
- Update - Use the Resume button () to edit a Methodology with the "In Progress" status.
- Publish - Use the Publish button () to publish a Methodology.
- View - Use the View button () to view details of a Methodology with the status "Published".
Note: Only the Description of ratings can be edited in Published methodologies.
- Unpublish - Use the Unpublish button () to unpublish a methodology and make changes.
Note: This function is only available for published methodologies that are not linked/used in Answer Sets, Risk Models, Country Risk Models, or Assessments.
- Actions column - Use the Actions button () to open the menu:
- Methodology Details - Edit the name or description of the methodology
- Methodology Report - Generate a Word report of the methodology details.
- Delete Methodology - Delete the methodology. Available when the methodology is In Progress or Published with no dependent assets.
- Archive Methodology - Archive the methodology. Available when the methodology is Published and has dependent assets.
- Export Methodology - Exports the methodology contents to a JSON file.
- Audit Trail - Displays the audit of actions such as status, name, and description changes.
- Export Rationale CSV - Download a CSV file containing all rationale text entered into the methodology.
Note: A published methodology can only be unpublished if it is not linked to a Risk Model, Answer Set, Country Risk Model, or Assessment.
Create a Methodology
- Press the New Methodology button.
- Enter a name (required) and a description (optional).
- Use the Start From field to:
  - Start with a blank page
  - Select an existing methodology to copy from (recommended)
  - Import from a JSON file
- Press the Create button.
- The Methodology configuration window opens.
- Complete all required fields, such as the ratings and matrices. See Configuring the Methodology.
Note: autosaves are triggered every time the focus leaves a field.
- Press the Publish button to finalise the methodology and make it available for use.
Configure the Methodology
There are 2 sections in the Methodology configuration window: Ratings and Calculation Rules.
Methodology Ratings
The Ratings section defines the list of ratings for each of the following:
- Inherent Risk Ratings - represents the risk before controls are applied. Used by answer sets, risk models, and throughout the assessments.
- Residual Risk Ratings - the resulting risk after controls are applied. Used by the assessments.
- Country Risk Ratings - the ratings for countries. Used by the country risk model and the assessments.
- Control Effectiveness Ratings - represents the effectiveness of controls to mitigate the inherent risk. Used by the assessments.
- Control Metric Ratings -
Add or remove ratings in the lists using the Add () and Delete () buttons.
You can change the rating name, colour, and description for each rating.
Important: We advise against changing the "Not Applicable" rating label. This rating is the first in each list and has the value "0"; this rating is always excluded from all the calculations.
Methodology Calculation Rules
The Calculation Rules section contains matrices that define each of the following:
- Inherent Risk Matrix - map combinations of Likelihood and Impact ratings to an Inherent Risk rating. Only used for 'manual' assessments where Likelihood x Impact derives the inherent risk.
  - Add or remove Likelihood ratings (rows) in the table with the Add () and Delete () buttons.
  - Add or remove Impact ratings (columns) in the table with the Add () and Delete () buttons.
  - Edit the Likelihood and Impact labels and descriptions with the Edit () button.
- Residual Risk Matrix - map combinations of Inherent Risk and Control Effectiveness ratings to a Residual Risk rating. The residual risk in assessments is always a lookup of this matrix.
  - The rows (inherent risk) automatically reflect ratings defined in the Ratings tabs.
  - The columns (control effectiveness) automatically reflect ratings defined in the Ratings tabs.
  - Define the residual risk rating for each row/column combination. The values in the dropdowns automatically reflect ratings defined in the Ratings tab.
- Control Effectiveness - map combinations of metric questions and answers to a Control Effectiveness rating, e.g. Design x Performance x Documented = effectiveness rating.
  - Add or remove Control Metric Questions (columns) with the Add () and Delete () buttons at the bottom of the columns.
  - Add or remove valid answer combinations (rows) with the Add () and Delete () buttons.
  - Map metric ratings to metric questions with the Edit () button.
- Rounding Tolerance - define the point at which the calculated rating value rounds up or down to the closest rating. Rounding is only used to display a rating in the assessment, never in the calculations. For example, if the inherent risk calculated value is 2.7, the rounding determines whether to display the rating associated with value 2 or with value 3; meanwhile, 2.7 is used in all further calculations.
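As an added worked example (not the platform's own code, which this page does not show), the following Python models the calculation rules above on a constructed 4 x 4-style methodology: the Inherent Risk Matrix lookup for manual assessments, the Control Effectiveness table keyed by valid answer combinations, the Residual Risk Matrix lookup, exclusion of the "Not Applicable" value 0 from calculations, and the rounding tolerance applied only for display. The rating names, the contents of the matrices, the averaging of values into a calculated value, and the exact tolerance semantics (a fractional part at or above the tolerance rounds up) are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rating:
    value: int
    name: str


# Constructed rating lists (assumption). "Not Applicable" is first, has value 0,
# and is excluded from every calculation, as the Ratings section states.
INHERENT = [Rating(0, "Not Applicable"), Rating(1, "Low"), Rating(2, "Medium"),
            Rating(3, "High"), Rating(4, "Critical")]
EFFECTIVENESS = [Rating(0, "Not Applicable"), Rating(1, "Weak"),
                 Rating(2, "Adequate"), Rating(3, "Strong")]

# Inherent Risk Matrix (manual assessments): (Likelihood, Impact) -> inherent rating.
INHERENT_MATRIX = {
    ("Rare", "Minor"): "Low", ("Rare", "Major"): "Medium",
    ("Likely", "Minor"): "Medium", ("Likely", "Major"): "Critical",
}

# Residual Risk Matrix: (inherent rating, control effectiveness rating) -> residual rating.
RESIDUAL_MATRIX = {
    ("Low", "Weak"): "Low", ("Low", "Adequate"): "Low", ("Low", "Strong"): "Low",
    ("Medium", "Weak"): "Medium", ("Medium", "Adequate"): "Low", ("Medium", "Strong"): "Low",
    ("High", "Weak"): "High", ("High", "Adequate"): "Medium", ("High", "Strong"): "Low",
    ("Critical", "Weak"): "Critical", ("Critical", "Adequate"): "High", ("Critical", "Strong"): "Medium",
}

# Control Effectiveness table: one row per valid answer combination to the metric
# questions (Design, Performance, Documented) -> effectiveness rating. Combinations
# not listed are not valid rows of the methodology.
CONTROL_EFFECTIVENESS = {
    ("Yes", "Yes", "Yes"): "Strong",
    ("Yes", "Yes", "No"): "Adequate",
    ("Yes", "No", "Yes"): "Adequate",
    ("Yes", "No", "No"): "Weak",
    ("No", "No", "No"): "Weak",
}


def lookup(matrix, key):
    """Matrix lookup that fails loudly on a combination the methodology does not define."""
    try:
        return matrix[key]
    except KeyError:
        raise ValueError(f"methodology has no mapping for {key!r}") from None


def manual_assessment(likelihood, impact, metric_answers):
    """Manual assessment: Likelihood x Impact gives the inherent rating, the metric
    answers give control effectiveness, and residual risk is always a matrix lookup."""
    inherent = lookup(INHERENT_MATRIX, (likelihood, impact))
    effectiveness = lookup(CONTROL_EFFECTIVENESS, tuple(metric_answers))
    residual = lookup(RESIDUAL_MATRIX, (inherent, effectiveness))
    return {"inherent": inherent, "control_effectiveness": effectiveness, "residual": residual}


def calculated_value(values):
    """Raw calculated rating value. Value 0 (Not Applicable) is excluded; taking the
    mean of the remaining values is an assumption about how the value is derived."""
    applicable = [v for v in values if v != 0]
    return sum(applicable) / len(applicable) if applicable else 0.0


def display_rating(value, ratings, tolerance):
    """Rating shown for a raw value. Assumed tolerance semantics: a fractional part at or
    above the tolerance rounds up to the next rating, below it rounds down. The raw value
    is never changed, so callers keep using it for further calculations."""
    if not 0.0 <= tolerance <= 1.0:
        raise ValueError("rounding tolerance must be between 0 and 1")
    by_value = {r.value: r.name for r in ratings}
    whole, frac = divmod(value, 1)
    rounded = int(whole) + (1 if 0 < frac and frac >= tolerance else 0)
    return by_value[min(rounded, max(by_value))]  # clamp at the top rating


def aggregate(raw_values, tolerance, round_first=False):
    """Combine several calculated values into one displayed rating. round_first=True shows
    the drift that occurs if displayed ratings, rather than raw values, were fed back in."""
    if round_first:
        by_name = {r.name: r.value for r in INHERENT}
        raw_values = [by_name[display_rating(v, INHERENT, tolerance)] for v in raw_values]
    return display_rating(calculated_value(raw_values), INHERENT, tolerance)
```

With the page's own figure, `display_rating(2.7, INHERENT, 0.5)` shows "High" while a tolerance of 0.8 shows "Medium", and in both cases 2.7 is what any later calculation receives. `aggregate` makes the reason concrete: combining the raw values 2.3, 2.4 and 2.9 lands on "High", whereas combining their displayed ratings first lands on "Medium". Lookups raise on combinations the matrices do not define, so a missing row in the Control Effectiveness table surfaces as an error rather than a silently defaulted rating.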
Update a Methodology
Only methodologies with status In Progress can be updated.
To update an In Progress methodology, press the Resume button () to the right of the methodology row. The Methodology configuration page will open.
Your changes are automatically saved every time the cursor focus changes.
Press the Publish button when the methodology configuration is complete and ready to be finalised and used.
About Updating Methodologies
To retain the data integrity of existing and historical assessments, methodologies cannot be updated while they are in use by assessments and app setup content.
While a methodology is being used by any Answer Sets, Risk Models, Country Risk Models, or Assessments, it cannot be unpublished or edited. If a methodology needs updating, you must either:
- Delete (not Archive) all the dependent assets (Answer Sets, Risk Models, Country Risk Models, and Assessments)
- OR create a new methodology by copying the published one. This will require the re-creation of all the content dependent on the original methodology, such as Answer Sets, Risk Models, and Country Risk Models.
For more information, see FAQ: What are the dependencies for App Setup content, such as the Risk Model or Methodology?
Archive or Delete a Methodology
To archive or delete a methodology, open its Action menu () and select the appropriate action:
- Delete - available for methodologies with no dependencies, meaning it has not been used in any Answer Sets, Risk Models, Country Risk Models, or Assessments.
- Archive - available for methodologies with one or more dependencies. Archive a methodology to hide it from the methodology list and prevent it from being used in future assessments or app setup content.
Documenting Rationale in the Methodology
Users with appropriate permissions can document their rationale within the methodology.
To display the rationale options, select the Rationale checkbox in the Methodology Details popup.
Once the rationale options are enabled, the following functions become available within the methodology:
- Rationale text fields - for each rating on the inherent, residual, country, control effectiveness, and control metric tabs.
- Rationale buttons - press to open a popup for each combination of ratings on the inherent risk matrix, residual risk matrix, and control effectiveness matrix tabs. Look for the book icon.
- Rationale fields are on the Rounding Tolerance tab, and the Methodology Details popup.
The rationale can also be updated after the methodology is published.
Export the rationale for a methodology using the Export Rationale CSV option in the Methodology's action menu.