Automating operational risk assessments

In the Projects app, you can create assessment drivers based on a metric to automate operational risk assessments and notify key stakeholders when changes occur.

Before you start

Before you can automate a risk assessment, you need to set up a project with objectives, risks, and controls, and configure risk scoring. To turn on the Automate button, you or someone on your team needs to complete the following tasks:

Create a metric in Results see Monitoring key indicators with metrics
Link the metric to the assessment in a project see Linking evidence from Results

How it works

After you have completed the prerequisite tasks, you create an assessment driver by:

selecting the risk assessment you want to automate
defining metric ranges that will be used to populate inherent risk scores for the risk assessment

Once you create the assessment driver, the assessment is automatically updated whenever the metric value crosses a specified threshold. Whenever the risk assessment changes, stakeholders are automatically notified via the Projects daily summary email, enabling them to take appropriate action.

Why do assessment drivers automate inherent risk scores?

Assessment drivers automate inherent risk scores to inform you about your organization's current level of risk. Since risk assessments are an on-going and iterative process, inherent risk scores may change with time.

Based on the inherent risk score, you can determine whether the risk poses a threat to your organization or if the risk is less critical to your organization. Risk response options may include increasing or decreasing resources associated with risk treatment, as needed.

What changes in Projects impact the way assessment drivers work?

Depending on the change, assessment drivers are enabled, disabled, copied, or permanently deleted.

Change	Impact
Deleting a metric in Results that has been linked to a risk in Projects	Once a metric is associated with an assessment driver, any metric configuration changes you make in Results disables the risk assessment automation in Projects. The most recent inherent risk score is retained and the risk assessment becomes a manual process. Note You can fix the problems in Results or Projects and re-enable the assessment driver.
Changing the configuration of a metric in the Results
Changing the scale associated with a risk scoring factor	Any associated assessment drivers are disabled. If the score value remains (i.e. previously 1 = Low and now 1 = None), the same score is retained. If the score value is no longer available (i.e. previously 5 = Very High, and now you are using a 3-point scale), the score is removed so that you can reassess the risk.
Archiving a project or deleting a project temporarily	Any associated assessment drivers are disabled. The most recent inherent risk score is retained.
Unarchiving a project or restoring a project	Any associated assessment drivers that were not manually disabled or broken prior to archiving the project are automatically re-enabled. The most recent inherent risk score is retained.
Importing controls, cloning or importing objectives, or rolling forward projects	Any associated assessment drivers and linked metrics are copied: when the project type of the source project and target project are the same from archived to active projects or active to active projects within the same Diligent One instance Assessment drivers are automatically enabled in the target project. If the project type of the source project and target project are different, assessment drivers are not copied to the target project.
Unlinking a metric from a risk in Projects	Any associated assessment drivers are permanently removed. The most recent inherent risk score is retained and the risk assessment becomes a manual process.
Deleting a risk scoring factor	Any associated assessment drivers are permanently removed.
Deleting an objective (that contains the risk) from a project
Deleting a risk from a project
Permanently deleting a project

Permissions

Professional Managers and Professional Users can automate risk assessments. All other roles can only view automated risk assessments.

Configure an automated risk assessment

Navigate to a risk in a project

Note

Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.

From the Launchpad home page (www.highbond.com), select the Projects app to open it.

If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.

The Projects home page opens.
Open a project.
The project dashboard opens.
Click the Fieldwork tab.
Locate the appropriate objective, click Go To, and select Risk Control Matrix.
Click the title of the appropriate risk.
Under the Rating section, next to the appropriate risk scoring factor, click Automate RiskScoringFactor .
The Assessment Drivers side panel opens, with the objective, risk, and risk scoring factor pre-selected.

Specify a metric and define ranges

Click the Select a Metric... dropdown list to specify the metric that will be used to populate inherent risk scores. The metric must generate a numeric value. You cannot use metrics based on dates. You can only select metrics that have been linked to the selected risk.
Note
If you previously linked a metric, and archived the collection in Results where the metric is located, the metric is protected in a read-only state. No data can be added or changed.
Select the appropriate operator (less than or greater than) and define the conditions that need to occur for the risk assessment to automatically update to the specified score.
As you enter values in the right column, the left column is auto-populated with the next sequential value, and the score changes color once you have entered a number for the row.
You can enter any number of decimal places for each value. However, upon saving, values only display up to two decimals.
Tip
You can use Tab to quickly move vertically down the right column.
Optional. Disable the Assessment Driver if you do not want to automate the risk assessment immediately.
By default, the Assessment Driver is enabled , and the assessment is automated immediately after saving. Once the Assessment Driver is enabled, you cannot update the value of the risk assessment manually.
Click Save.
Result The risk assessment is automated.
Note
You must define all metric ranges before you can save.

View or edit automated risk assessments

Navigate to the appropriate risk in the project.
Under the Rating section, view automated risk assessments:
- If a score displays an automated icon , the risk assessment automation is enabled.
- If a score displays a warning icon , the risk assessment automation is disabled.
- If a score displays an error icon , an error has occurred.
  For more information, see What changes in Projects impact the way assessment drivers work?
To edit or enable / disable an assessment driver, click Edit RiskScoringFactor next to the appropriate risk assessment.
The Assessment Drivers side panel opens, allowing you to view or configure the assessment driver.

Delete an assessment driver