Defining risks and procedures

Document and assure that operational risks are mitigated by procedures. You can either define risks first and then procedures, or vice versa.

Note

You can define risks and procedures in a Workplan workflow, which consists of a set of steps or procedures that the assurance team will execute, and the documentation of the outcome of each step.

If you need to perform more complex types of projects, you can define risks and controls in an Internal Control workflow.

What are risks and procedures?

A risk is an effect of uncertainty on an objective, with the effect having a positive or negative deviation from what is expected.

A procedure is a set of measures or actions taken to manage risk and increase the likelihood that established objectives will be achieved.

Terms for "risk" or "procedure" can vary, depending on your organization's configurations. For example, a risk may be called a requirement, and a procedure may be called a control.

Before you start

Before you can define risks and procedures, you need to:

  1. Create a project or a framework.
  2. Define objectives.

Note

Depending on your organization's project or framework configuration, objectives may also be called sections, processes, cycles, functional areas, application systems, or another custom term.

How it works

When you associate a risk with a procedure, you are specifying the measures or courses of action for how the risk will be mitigated. The combination of identified risks and corresponding procedures is called a Project Plan.

A risk can be associated with many procedures, and a procedure can be associated with many risks. For each procedure you define, a test is automatically created.

Defining complex relationships between procedures and tests

The Project Plan creates a one-to-one relationship between each procedure and the associated test. If you need to define more complex relationships between procedures and tests, you have two options:

Relationship: One-to-many

Description: A relationship between one test and many testing results.

How do I achieve this? Apply the test against multiple items (e.g. enterprise application systems) and record the test results from all of the items in the same test.

Relationship: Many-to-one

Description: A relationship between a single testing result and multiple tests.

How do I achieve this? Execute and record the testing result in the first test and link to the testing result from other tests.

Note

You can copy the URL from the browser address bar, and paste it into the Procedure Results field for the other tests where the results apply.

Limitations

Each objective can contain a maximum of 1000 risks and 1000 procedures.

Example

Defining risks and procedures

Scenario

You are an Executive that owns an entire FCPA Compliance Investigation project. One of the procedure gaps identified is related to inappropriate corporate expenses and is owned by HR. The Board wants to know who owns the remediation.

Process

The table below illustrates the risks and procedures you defined as part of your organization's Project Plan. To follow up on the procedure gap (T&E-01), you assign the appropriate HR staff member as the owner of the procedure.

Risk: T&E-A: Inappropriate corporate expenses are being hidden through use of subordinate staff.

Associated Procedure(s):
  • T&E-01: Obtain a list of employees with corporate credit cards, including the title of each employee. Scan the list to identify any employees to whom corporate cards would not typically be issued, for example clerical or administrative staff.

Risk: T&E-B: Employees are paying foreign officials and hiding the expenses in their travel reimbursement requests.

Associated Procedure(s):
  • T&E-02: Determine target organizations which include employees who interact with government or 3rd party agents. Also, determine who the sales person(s) responsible for the government account are.
  • T&E-03: Obtain a list of all Travel & Entertainment employee reports, including amounts and the GL account codes, that were processed for the investigation, and run it through an Analytics anti-corruption key word search.
  • T&E-04: Run all names listed on expense reports as attendee or other through a restricted list using Analytics. Investigate all exceptions.
  • T&E-05: Run all expense reports through expense type thresholds. Select a sample to test for reasonableness.

Result

  • The HR staff member receives an email notification and is able to assist with updating the procedure definition.
  • You are able to report to the board who owns the remediation of T&E-01.

Permissions

Professional Managers and Professional Users can define and associate risks and procedures.

Define risks and procedures

Notes

  • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
  • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.

  1. Do one of the following:
    • To define risks and procedures in a project:
      1. Open the Projects app.
      2. Open a project, and click the Fieldwork tab.
    • To define risks and procedures in a framework:
      1. Open Frameworks.
      2. Open a framework, and click the Sections tab.
  2. Locate the appropriate objective, click Go To, and select Project Plan.
  3. Do any of the following:
    • To define a risk, click Add Risk, enter the necessary information, and click Save.
    • To define a procedure, click Procedure next to the View by label, click Add Procedure, enter the necessary information, and click Save.
  4. To associate risks and procedures, do the following:
    1. Ensure that you have created at least one risk and one procedure.
    2. Next to the risk or procedure, click Associate Risk or Associate Procedure, define the appropriate associations, and click Save.

Risk fields

Note

Rich text fields cannot exceed 524,288 characters.

Tip

To enable spell check on rich text fields, do one of the following:

  • Chrome, Firefox, or Safari: CTRL + right-click within the field on Windows, or Command + right-click on Mac.
  • Internet Explorer or Microsoft Edge: open your browser settings and turn on spell check / highlighting of misspelled words.

Title (optional)

A meaningful title for the risk. The maximum length is 255 characters.

Description

A statement about the risk.

Risk ID (optional)

The identifying number for the risk. The maximum length is 255 characters.

Impact (optional)

A rating of the consequences of the risk occurring.

Likelihood (optional)

A rating of the probability of the risk occurring.

Custom Risk Scoring Factors (optional)

Specifies the custom risk scoring factors associated with the risk. Project Admins and Project Type Admins can define custom attributes for risks under Manage project types.

Tip

You can automate risk assessments for Impact, Likelihood, and Custom Risk Scoring Factors. For more information, see Automating operational risk assessments.

Attributes (optional)

Specifies the attributes associated with the risk. Project Admins and Project Type Admins can define custom attributes for risks under Manage project types.

Supporting Evidence (optional)

Allows you to link Results data to your documentation in Projects to consolidate information, easily sign off when remediation is complete, and inform assessments.

Note

This option is only available if your organization uses Results.

Procedure associated to this Risk (optional)

Allows you to associate a procedure to the risk.

Entity Coverage (optional)

Allows you to tag the risk to one or more entities for reporting purposes.

Note

Only Professional Managers and Professional Users can tag a procedure with an entity by clicking Show content and selecting each entity to associate with the procedure. Changes are automatically saved.

History

View a complete history of field-level changes that have been made to the risk.

Procedure fields

Note

Rich text fields cannot exceed 524,288 characters.

Tip

To enable spell check on rich text fields, do one of the following:

  • Chrome, Firefox, or Safari: CTRL + right-click within the field on Windows, or Command + right-click on Mac.
  • Internet Explorer or Microsoft Edge: open your browser settings and turn on spell check / highlighting of misspelled words.

Title (optional)

A meaningful title for the procedure. The maximum length is 255 characters.

Description

A statement about the procedure.

Procedure Reference Number

The identifying number for the procedure. The maximum length is 255 characters.

Note

The number is appended to the end of the objective prefix.

Owner (optional)

Allows you to assign a licensed or non-licensed user as the owner of the procedure for tracking and reporting purposes.

Users assigned the Contributor Tester or Contributor User role are typically assigned as an owner of a procedure.

Owners can be assigned based on a regional, business unit, or project-related framework. Once a person is assigned as an owner of a procedure, they receive an email notification with a link to the procedure, granting them write access to the assigned procedure and read access to objectives and risks. Email notifications sent from Projects redirect Diligent One users to the Assessments app. Each card within Assessments has a link back to Projects. Users who are not registered on Diligent One receive a public URL.

Note

If you bulk upload procedures and specify a person in the Owner field, their name displays in Projects, but they are not automatically assigned the procedure and notified via email.

Custom Procedure attributes (optional)

Specifies the attributes associated with the procedure. Project Admins and Project Type Admins can define custom attributes for procedures under Manage project types.

Relevant Assertions (optional)

Allows you to tag the procedure to one or more Relevant Assertions.

COSO Principles (optional)

Allows you to tag the procedure with one or more COSO Principles.

Note

The Projects app supports the 2013 COSO Framework, which includes 17 COSO Principles.

Risk associated to this Procedure (optional)

Allows you to associate a risk to the procedure.

Procedure Weight (optional)

Expresses the percentage of the risk that the procedure mitigates.

The default procedure weight is 100%. You can enter a procedure weight between 0% and 100%. The sum of the procedure weights associated with a risk is not constrained; it can add up to any number.

For more information, see Assurance components.

Entity Coverage (optional)

Allows you to tag the procedure to one or more entities for reporting purposes.

Note

Only Professional Managers and Professional Users can tag a procedure with an entity by clicking Show content and selecting each entity to associate with the procedure. Changes are automatically saved.

History

View a complete history of field-level changes that have been made to the procedure.