Platform: Risk Assessment Platform
Applies to: End User Roles (e.g. Standard, Approver)
The Risk Analysis page provides a view of the risk factors in the assessment unit. It is also where each risk factor is analysed, with comments and supporting evidence.
The Risk Analysis page consists of 2 tabs:
- Inherent Risk Summary - Dashboard summarising the risk factors within the model.
- Inherent Risk Questionnaire - Details page for each risk factor where data is captured.
Inherent Risk Summary
This is a dashboard summarising the risk groups, risk categories (optional) and risk factors in the risk model selected at assessment unit creation. It is designed to monitor the progress of risk factors across the assessment unit.
- Collapse all - Hide all tiers below the Group level.
- Expand all - Show all tiers to Risk Factor level.
- Filter - Expand the filter to filter the risk factors by Group, Category, Status, Assignee, Approver, Risk Rating.
The Risk Analysis Columns:
- Inherent Risk Factors - The name of the risk factors, categories and groups.
- Model Weight - The relative importance of the risk factor/category/group as defined in the model. Used to calculate the overall inherent risk rating for the assessment unit.
- Status - The status of the risk factor will be either Not Assessed, In-Progress, Completed, Awaiting Approval or Approved. See an explanation of the risk statuses.
- Assignee - The user allocated to analyse the risk factor and submit their assessment.
- Approver - The user allocated to review and approve the analysis.
- Inherent Risk Rating - This is calculated from the answers to the risk indicators based on the linked methodology.
Select a risk factor to begin the analysis for that risk factor and capture detailed data on the risk questionnaire page.
Inherent Risk Questionnaire
Every risk factor in the risk model has a risk questionnaire page for assessing risk.
This is a detailed view of the risk factor, with risk indicators to assess the risk.
The risk questionnaire page consists of:
- Navigation Panel (left) - Lists all the risk factors to quickly jump to a specific risk.
- Status (lower left) - The status of the risk factor will be Not Assessed, In-Progress, Completed, Awaiting Approval or Approved.
- Risk Factor (upper left) - Name and description (optional) of the risk factor from the model.
- Weight - The relative importance of the risk factor, as defined in the model.
- Assignee - The user allocated to complete details for the risk factor.
- Approver - The user allocated to approve the risk factor after it is submitted by the assignee.
Complete the details:
- Risk Indicators - Optional in manual risk models, and required in automatic risk models, these are the questions relating to the risk, with associated answers for the assignee to select.
- Comments - For providing additional context behind the risk factor and answers.
- Attachments - Use to attach supporting documentation.
- Inherent Risk Rating (lower right) - automatically calculated in automatic risk models or derived from the impact and likelihood matrix in manual risk models.
- Controls Effectiveness Rating - automatically calculated from the linked controls' weightings and their category's weighting.
- Link controls to the risk by using the link icon.
- Residual Risk Rating - derived by a lookup of the Residual Risk Matrix in the Methodology selected at Assessment creation, based on the Inherent Risk and Control Effectiveness ratings of the risk factor.
- Use the New button to create a new action. Complete the details.
- Use the Link button to link to an existing action.
- Use the Edit button to edit a linked action.
- Use the Unlink button to unlink an action.
- Submit - Submit the risk data with or without comments.
- Approve/Reject - Approve/reject the risk with or without comments by the approver allocated on the risk. Note: The risk analysis pages can also be reopened.
Approvers and users with 'Override' permissions can override ratings on the risk questionnaire page. Doing this will prompt the user to enter override comments that will appear in the audit and in the reports. Ratings that can be overridden:
- Risk Indicator Rating
- Risk Factor Inherent Risk Rating
- Risk Factor Residual Risk Rating
Referencing Country Risk Ratings
Risk indicator questions relating to country risk can be answered by referring to the Country Risk Rating window. The Country Risk Rating popup window displays ratings for countries added to the Assessment Unit's Context page. The country ratings are taken from the Country Risk Model selected at Assessment creation.
To open the Country Risk Rating window, use the Action menu and select Country Risk Ratings.
The Country Risk Rating window consists of:
- Default Risk Rating - rating from the Country Risk Model selected at Assessment creation.
- Custom Risk Rating - allows you to select a different rating if you disagree with the default rating
- Rationale for Custom Risk Rating - requires you to comment when a custom rating is selected
- % of Business Operations - the breakdown by country is copied from the context
- % of Third Party Distribution - the breakdown by country is copied from the context
- % Customers - the breakdown by country is copied from the context
Submit for Approval
After submission, the risk factor status changes to Awaiting Approval and is locked to prevent editing. The user set as the Approver for that risk factor receives a notification email. The Approver is required to review and either approve, reject or reopen the risk factor with or without comments.
Once all Risk Factors are approved, the report can be finalised for board/senior management adoption and the assessment can be published. A published assessment is locked to prevent changes and cannot be deleted.
How the Methodology and Model apply the Risk Rating Calculations in the Assessment
The risk assessment is performed against a Risk Model, which can be a manual or automatic model.
The Risk Model contains a number of attributes including:
- Risk Groups
- Risk Categories (Optional)
- Risk Factors
- Risk Indicators - an answer set must be linked to each Risk Indicator
During the Risk Analysis step in the risk assessment process, the user answers the risk indicators and:
- If the Risk Model is an automatic model, the Overall Inherent Risk Rating is calculated from the responses.
- If the Risk Model is a manual model, the user must define the impact and likelihood and, based on this, the Inherent Risk Rating is derived using the Inherent Risk Rating matrix.
After the Overall Inherent Risk Rating has been calculated, the next step is to evaluate the controls, which are added to the Control Assessment page with the Add Controls button.
Control Weightings apply to the control categories and controls. The weighting is used to assess the importance of the Control with respect to managing the risk and is used in the calculation of the Overall Control Effectiveness.
The Overall Inherent Risk Rating and the Overall Control Effectiveness Ratings are plotted against the Residual Risk Matrix (in the Methodology for the Assessment) to look up the defined Overall Residual Risk Rating.
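The following added example (not the platform's own code) walks the calculation chain described above: weighted risk factors roll up to an overall inherent rating, weighted controls within weighted categories roll up to an overall control effectiveness, and the residual rating is a matrix lookup. The rating scales, the weighted-mean roll-up, the matrix values and the sample data are all assumptions made for illustration; the real values come from the Methodology and Model selected for the assessment.

```python
# Added illustration. Scales, weights and matrix values are constructed;
# the weighted-mean roll-up is an assumption, not the platform's documented formula.
RISK_SCALE = ["Low", "Medium", "High"]
CONTROL_SCALE = ["Ineffective", "Partially Effective", "Effective"]

# Assumed Residual Risk Matrix: RESIDUAL_MATRIX[inherent][control effectiveness]
RESIDUAL_MATRIX = {
    "Low": {"Ineffective": "Low", "Partially Effective": "Low", "Effective": "Low"},
    "Medium": {"Ineffective": "Medium", "Partially Effective": "Medium", "Effective": "Low"},
    "High": {"Ineffective": "High", "Partially Effective": "Medium", "Effective": "Medium"},
}

def weighted_mean(pairs):
    """pairs: (weight, numeric score). Rejects zero or negative total weight."""
    pairs = list(pairs)
    total = sum(w for w, _ in pairs)
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(w * s for w, s in pairs) / total

def to_label(score, scale):
    """Map a numeric score to the nearest scale label (halves round up)."""
    return scale[min(len(scale) - 1, int(score + 0.5))]

def overall_inherent(factors):
    """factors: (model weight, inherent rating label) per risk factor."""
    return to_label(weighted_mean((w, RISK_SCALE.index(r)) for w, r in factors), RISK_SCALE)

def overall_control_effectiveness(categories):
    """categories: (category weight, [(control weight, rating label), ...])."""
    scores = [(cw, weighted_mean((w, CONTROL_SCALE.index(r)) for w, r in controls))
              for cw, controls in categories]
    return to_label(weighted_mean(scores), CONTROL_SCALE)

def residual_rating(inherent, effectiveness):
    """Lookup only: the matrix, not arithmetic, decides the residual rating."""
    return RESIDUAL_MATRIX[inherent][effectiveness]

# Constructed sample data
FACTORS = [(40, "High"), (35, "Medium"), (25, "Low")]
CONTROLS = [
    (60, [(70, "Effective"), (30, "Partially Effective")]),
    (40, [(50, "Ineffective"), (50, "Partially Effective")]),
]

if __name__ == "__main__":
    inherent = overall_inherent(FACTORS)
    effectiveness = overall_control_effectiveness(CONTROLS)
    print(inherent, effectiveness, residual_rating(inherent, effectiveness))
```

A category with no linked controls raises an error here rather than silently counting as effective; how the platform treats that case is not stated on this page.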