Defining risks and procedures
Document and assure that operational risks are mitigated by procedures. You can either define risks first and then procedures, or vice versa.
You can define risks and procedures in a Workplan workflow, which consists of a set of steps or procedures that the assurance team will execute, and the documentation of the outcome of each step.
If you need to perform more complex types of projects, you can define risks and controls in an Internal Control workflow.
What are risks and procedures?
A risk is an effect of uncertainty on an objective, with the effect having a positive or negative deviation from what is expected.
A procedure is a set of measures or actions taken to manage risk and increase the likelihood that established objectives will be achieved.
Terms for "risk" or "procedure" can vary, depending on your organization's configurations. For example, a risk may be called a requirement, and a procedure may be called a control.
Before you start
Before you can define risks and procedures, you need to:
- Create a project or a framework.
- Define objectives.
Depending on your organization's project or framework configuration, objectives may also be called sections, processes, cycles, functional areas, application systems, or another custom term.
How it works
When you associate a risk with a procedure, you are specifying the measures or courses of action for how the risk will be mitigated. The combination of identified risks and corresponding procedures is called a Project Plan.
A risk can be associated with many procedures, and a procedure can be associated with many risks. For each procedure you define, a test is automatically created.
Defining complex relationships between procedures and tests
The Project Plan creates a one-to-one relationship between each procedure and the associated test. If you need to define more complex relationships between procedures and tests, you have two options:

Relationship | Description | How do I achieve this?
---|---|---
One-to-many | A relationship between one test and many testing results | Apply the test against multiple items (for example, enterprise application systems) and record the test results from all of the items in the same test.
Many-to-one | A relationship between a single testing result and multiple tests | Execute and record the testing result in the first test, and link to that testing result from the other tests. Note: you can copy the URL from the browser address bar and paste it into the Procedure Results field of each other test where the results apply.
Limitations
Each objective can contain a maximum of 1000 risks and 1000 procedures.
Example
Defining risks and procedures
Scenario
You are an Executive who owns an entire FCPA Compliance Investigation project. One of the procedure gaps identified is related to inappropriate corporate expenses and is owned by HR. The Board wants to know who owns the remediation.
Process
The table below illustrates the risks and procedures you defined as part of your organization's Project Plan. To follow up on the procedure gap (T&E-01), you assign the appropriate HR staff member as the owner of the procedure.
Risk | Associated Procedure(s)
---|---
T&E-A: Inappropriate corporate expenses are being hidden through use of subordinate staff. | T&E-01: Obtain a list of employees with corporate credit cards, including the title of each employee. Scan the list to identify any employees to whom corporate cards would not typically be issued, for example, clerical or administrative staff.
T&E-B: Employees are paying foreign officials and hiding the expenses in their travel reimbursement requests. | 
Result
- The HR staff member receives an email notification and is able to assist with updating the procedure definition.
- You are able to report to the board who owns the remediation of T&E-01.
Permissions
Professional Managers and Professional Users can define and associate risks and procedures.
Define risks and procedures
Note
- Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
- If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.
- Do one of the following:
  - To define risks and procedures in a project: from the Launchpad home page (www.highbond.com), select the Projects app to open it. If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app. Open a project, and click the Fieldwork tab.
  - To define risks and procedures in a framework: open Frameworks, open a framework, and click the Sections tab.
- Locate the appropriate objective, click Go To, and select Project Plan.
- Do any of the following:
  - To define a risk, click Add Risk, enter the necessary information, and click Save.
  - To define a procedure, click Procedure next to the View by label, click Add Procedure, enter the necessary information, and click Save.
  - To associate risks and procedures: ensure that you have created at least one risk and one procedure. Then, next to the risk or procedure, click Associate Risk or Associate Procedure, define the appropriate associations, and click Save.
Risk fields
Rich text fields cannot exceed 524,288 characters.
Tip
To enable spell check on rich text fields, do one of the following:
- Chrome, Firefox, or Safari: CTRL + right-click within the field on Windows, or Command + right-click on Mac.
- Internet Explorer or Microsoft Edge: open your browser settings and turn on spell check / highlighting of misspelled words.
Field | Description
---|---
Title (optional) | A meaningful title for the risk. The maximum length is 255 characters.
Description | A statement about the risk.
Risk ID (optional) | The identifying number for the risk. The maximum length is 255 characters.
Impact (optional) | A rating of the consequences of the risk occurring.
Likelihood (optional) | A rating of the probability of the risk occurring.
Custom Risk Scoring Factors (optional) | Specifies the custom risk scoring factors associated with the risk. Project Admins and Project Type Admins can define custom attributes for risks under Manage project types. Tip: you can automate risk assessments for Impact, Likelihood, and Custom Risk Scoring Factors. For more information, see Automating operational risk assessments.
Attributes (optional) | Specifies the attributes associated with the risk. Project Admins and Project Type Admins can define custom attributes for risks under Manage project types.
Supporting Evidence (optional) | Allows you to link Results data to your documentation in Projects to consolidate information, easily sign off when remediation is complete, and inform assessments. Note: this option is only available if your organization uses Results.
Procedure associated to this Risk (optional) | Allows you to associate a procedure with the risk.
Entity Coverage (optional) | Allows you to tag the risk to one or more entities for reporting purposes. Note: only Professional Managers and Professional Users can tag a risk with an entity, by clicking Show content and selecting each entity to associate with the risk. Changes are automatically saved.
History | View a complete history of field-level changes that have been made to the risk.
Procedure fields
Rich text fields cannot exceed 524,288 characters.
Tip
To enable spell check on rich text fields, do one of the following:
- Chrome, Firefox, or Safari: CTRL + right-click within the field on Windows, or Command + right-click on Mac.
- Internet Explorer or Microsoft Edge: open your browser settings and turn on spell check / highlighting of misspelled words.
Field | Description
---|---
Title (optional) | A meaningful title for the procedure. The maximum length is 255 characters.
Description | A statement about the procedure.
Procedure Reference Number | The identifying number for the procedure. The maximum length is 255 characters. Note: the number is appended to the end of the objective prefix.
Owner (optional) | Allows you to assign a licensed or non-licensed user as the owner of the procedure for tracking and reporting purposes. Users assigned the Contributor Tester or Contributor User role are typically assigned as the owner of a procedure. Owners can be assigned based on a regional, business unit, or project-related framework. Once a person is assigned as the owner of a procedure, they receive an email notification with a link to the procedure, granting them write access to the assigned procedure and read access to objectives and risks. Email notifications sent from Projects redirect Diligent One users to the Assessments app; each card within Assessments has a link back to Projects. Users who are not registered on Diligent One receive a public URL. Note: if you bulk upload procedures and specify a person in the Owner field, their name displays in Projects, but they are not automatically assigned the procedure and are not notified via email.
Custom Procedure attributes (optional) | Specifies the attributes associated with the procedure. Project Admins and Project Type Admins can define custom attributes for procedures under Manage project types.
Relevant Assertions (optional) | Allows you to tag the procedure with one or more Relevant Assertions.
COSO Principles (optional) | Allows you to tag the procedure with one or more COSO Principles. Note: the Projects app supports the 2013 COSO Framework, which includes 17 COSO Principles.
Risk associated to this Procedure (optional) | Allows you to associate a risk with the procedure.
Procedure Weight (optional) | Expresses the percentage of the risk that the procedure mitigates. The default procedure weight is 100%. You can enter a procedure weight between 0% and 100%. The sum of procedure weights is not constrained and can add up to any number. For more information, see Assurance components.
Entity Coverage (optional) | Allows you to tag the procedure to one or more entities for reporting purposes. Note: only Professional Managers and Professional Users can tag a procedure with an entity, by clicking Show content and selecting each entity to associate with the procedure. Changes are automatically saved.
History | View a complete history of field-level changes that have been made to the procedure.