Performing an operational risk assessment
You can use Projects to easily and effectively organize all the tasks involved in performing an operational risk assessment and quantify how much risk an organization faces.
Ultimately, the testing results in a project can roll up into your organization's Inherent Risk and Residual Risk scores, which give you a real-time picture of how much risk exists before controls are put in place and how much remains afterwards.
Scenario
You are a Risk Management leader who owns an entire Operational Risk Assessment project. Your team has a mature and refined risk assessment process, and evaluates risk across multiple dimensions (Likelihood, Impact, Velocity, and Vulnerability) on a three-point scale (1-Low, 2-Medium, and 3-High).
Previously, you created a project from a project template. Now, you need to evaluate the inherent risk score of one of the risks in the Information Technology General Controls objective to determine the raw risk the organization faces if no controls or other mitigating factors have been put in place.
As you assess each risk in the project, you also want to be able to determine how much risk remains after controls have been put in place. This information will come in handy when it comes time to prepare the final risk assessment report.
Before you start
This tutorial walks you through the key areas in Projects that relate to the task of performing an operational risk assessment.
Before you start this tutorial, you need to do two things:
- Ensure that you have the appropriate permissions to create a project.
- Open the Projects app and create a project using the Operational Risk Assessment project template.
Define your risk scoring framework
Let's get started by setting up our project. The first step in the risk assessment process is to develop a common set of assessment criteria (a risk scoring framework) that can be used across entities, departments, or operating units. Risk Management leaders are typically responsible for setting up the risk scoring framework and may either be responsible for assessing risk themselves, or may delegate assessment responsibilities to other team members.
- From the Launchpad home page (www.highbond.com), select the Projects app to open it.
If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.
- From the Projects home page, under System administration, click Manage project types.
- Next to Operational Risk Assessment, click Edit, and then click the Risks and Controls tab.
There are many configuration options on this page, but you don't have to worry about them. Your focus will be on the Risk Scoring Factors section, which is where you define how risk will be assessed in the project.
- Scroll down the page to the Risk Scoring Factors section.
You notice that the risk scoring factors for Impact, Likelihood, and Velocity are already set up for you. Your organization also evaluates risk on Vulnerability using a three-point scale, so you need to set up one more risk scoring factor as part of your risk scoring framework.
- Click Add Risk Scoring Factor, fill out the Risk Scoring Factor 2 section as follows, and then scroll down the page and click Save:
Note: Click +Add three times to label the points under Choices.
Result: You have defined a risk scoring framework that can be used to assess risk on a three-point scale (1-Low, 2-Medium, and 3-High) using the following risk scoring factors: Likelihood, Impact, Velocity, and Vulnerability. Now, you can begin assessing inherent risk using your risk scoring framework.
Assess inherent risk
Now that you know how you will be assessing risk in the project, you can move on to assessing risk. Specifically, you need to assess a risk associated with management not establishing an appropriate control environment for managing IT. In collaboration with other members of the risk management team, you have determined the impact of the risk as Low and the likelihood of the risk as Medium. You have also determined the velocity as Medium and the vulnerability as High.
- Click the Diligent One instance dropdown list, click Projects, select the Operational Risk Assessment project, and click the Fieldwork tab.
- Click Go To next to the Information Technology General Controls objective, and then select Risk Control Matrix.
- Click ITC-R.01: Untitled Risk, scroll down to the Risk Rating section, and assess the risk as follows:
Result: You have assessed the inherent risk of ITC-R.01: Untitled Risk. Both the inherent and residual risk scores are automatically updated. At the moment, the residual risk score is the same as the inherent risk score because the controls associated with the risk have not been tested, and so have not been confirmed as operating effectively.
Specify which controls are designed to mitigate the risk
The benefit of using a project template is that it already comes with a pre-built risk control matrix. So, all you have to do is confirm that the appropriate controls have been associated with the risk, and that each control has been assigned an appropriate weight.
- Scroll up the page, and click the Risk Control Matrix tab.
- Next to ITC-R.01: Untitled Risk, click Associate Control.
You confirm that the appropriate controls (ITC-01, ITC-02, and ITC-03) have been associated with the risk. Each of the controls has a specified control weight of 100%, but you determine that this information is not accurate.
- Update the following control weights and click Save:
- ITC-01 25%
- ITC-02 25%
- ITC-03 50%
Result: You have specified which controls have been designed to mitigate the risk, and expressed the percentage of the risk that is mitigated by each control.
Evaluate control effectiveness
Great, your risk and control associations are set up accurately. Now, you need to test each control to evaluate its operating effectiveness. If one or more of the controls are operating effectively, the residual risk score will be lower than the inherent risk score.
- Click the Control Assessments tab.
- Next to ITC-01, click View / Edit, scroll down the page, select Effective in the Is this control Effective? field, and click Save.
- Repeat steps 1 and 2 for ITC-02 and ITC-03, marking ITC-02 as Effective and ITC-03 as Not Effective.
Result: You have evaluated the operational effectiveness of each control. ITC-01 and ITC-02 are defined as "passed", while ITC-03 is defined as "failed".
View residual risk
This last step is an easy one. Let's see how much risk remains after our controls have been put in place.
- Click the Risk Control Matrix tab, and click ITC-R.01: Untitled Risk.
- Scroll down the page to the Rating section, and view the residual risk score.
Result: The residual risk score is 50% of the inherent risk score. If all controls were operating effectively, the residual risk score would be 0.0, meaning that the controls in place reduce the risk by 100%. However, since only two of the three controls passed (ITC-01 and ITC-02, weighted at 25% each), the controls in place reduce the risk by 50%.
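The residual risk arithmetic described above, as an added example that is not part of the tutorial or the Diligent One product code: effective controls subtract their weight from the inherent score, while untested and failed controls subtract nothing. Because the tutorial does not state how the four scoring factors combine into the inherent score, the inherent score is a hypothetical input here, and the control IDs and weights are the tutorial's own.

```python
# Added example (not Diligent One code): model of how the residual risk score
# follows from the inherent score, the control weights, and each control's test result.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Control:
    control_id: str
    weight: float                      # share of the risk the control is designed to mitigate (0.0 - 1.0)
    effective: Optional[bool] = None   # None = not yet tested, True = passed, False = failed


def validate_weights(controls: List[Control]) -> float:
    """Reject weights outside 0-100% or weights that together exceed 100%."""
    if any(c.weight < 0.0 or c.weight > 1.0 for c in controls):
        raise ValueError("each control weight must be between 0% and 100%")
    total = sum(c.weight for c in controls)
    if total > 1.0 + 1e-9:
        raise ValueError(f"control weights sum to {total:.0%}; they cannot exceed 100%")
    return total


def mitigation_fraction(controls: List[Control]) -> float:
    """Fraction of the inherent risk removed by controls that were tested and passed.
    Untested (None) and failed (False) controls contribute nothing, which is why the
    residual score equals the inherent score until the controls have been assessed."""
    validate_weights(controls)
    return sum(c.weight for c in controls if c.effective is True)


def residual_risk(inherent_score: float, controls: List[Control]) -> float:
    return inherent_score * (1.0 - mitigation_fraction(controls))


# Hypothetical inherent score for ITC-R.01; the tutorial does not give the formula.
INHERENT_SCORE = 6.0


def itc_r01_controls(results: List[Optional[bool]]) -> List[Control]:
    """Tutorial's control weights (ITC-01 25%, ITC-02 25%, ITC-03 50%) with given test results."""
    weights = [("ITC-01", 0.25), ("ITC-02", 0.25), ("ITC-03", 0.50)]
    return [Control(cid, w, r) for (cid, w), r in zip(weights, results)]


def tutorial_scenario() -> float:
    """ITC-01 and ITC-02 effective, ITC-03 not effective: residual is 50% of inherent."""
    return residual_risk(INHERENT_SCORE, itc_r01_controls([True, True, False]))


if __name__ == "__main__":
    print(f"residual risk for ITC-R.01: {tutorial_scenario():.1f} of {INHERENT_SCORE:.1f}")
```

The untested case from the earlier step (all results `None`) and the all-effective case from the result paragraph fall out of the same functions.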
Discussion
Now that you have performed an operational risk assessment, learn about the next steps you can take, and options for reporting on inherent and residual risk at aggregate levels.
What's next?
To demonstrate why you determined a control to be effective or not effective, you fill out the Assessment Results section of each control assessment, and add supporting documentation by uploading files or linking evidence from the Results app. In this scenario, one of the control assessments (ITC-03) failed, so you can also log an issue to note the exception.
Automating risk assessments
Performing operational risk assessments can be a time-consuming and manual process. To increase efficiency, you can create assessment drivers that automate risk assessments, which allows you to react more quickly to change and deliver information to the right person at the right time.
For more information, see Automating operational risk assessments.
What's the bigger picture?
Previously, you viewed the inherent and residual risk scores for a single risk (ITC-R.01: Untitled Risk). However, reporting at the individual risk level is quite granular. Often, you need to report on inherent and residual risk at an aggregate level. For example, you may need to report on the aggregate inherent and residual risk scores across all risks in a single objective, or across all risks in the project.
Viewing aggregate risk scores at the objective level
You can view the aggregate inherent and residual risk scores across all risks in a single objective by clicking Progress in the project.
Viewing aggregate risk scores at the project level
You can view the aggregate inherent and residual risk scores across all risks in the project by clicking the Results tab.