Working with risks

A risk is an uncertainty or opportunity that may result from business decisions. Some risks can affect your organization’s daily operations. Identifying and mitigating these risks ensures smooth operations.

Risks are classified into the following categories:

  • Compliance and regulatory risk: for example, the introduction of a new rule or legislation.
  • Financial risk: for example, an interest rate increase on a business loan or a non-paying customer.
  • Operational risk: for example, equipment breakdown or theft.

Each risk must be identified, linked to relevant library objects, and assessed. Your organization can then determine the best methods to prioritize and mitigate those risks.

Adding a risk

Here is how you can add a risk:

  1. From the Launchpad home page (www.highbond.com), select the Risk Manager app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Risk Manager app. The Risk Manager home page opens.

  2. Select + Add Risk.
  3. In the Add Risk panel, enter a name for your risk.
  4. Add any other details necessary and select one of the following:
    • Add Risk to save the risk and close the panel.
    • Save & Add New to save the risk and add another one.

    The risk is created. You can view the risk in the risk details page.

  5. (Optional) Select the risk name to view the risk details page and add more details.

Add or change the owner of a risk

Here is how you can add or update the owner of a risk:

  1. From the Launchpad home page (www.highbond.com), select the Risk Manager app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Risk Manager app. The Risk Manager home page opens.

  2. From the Risk list, select the name of the risk for which you want to add or update the owner.

    The Details tab is displayed.

  3. In the Risk Owner field, select a user and select Save Changes.

    The risk is assigned to the selected user and an email notification is sent to the assigned user.

Moving a risk through different workflows

After creating a risk, you can advance it through different workflow states based on your needs and requirements. Some workflow states require certain fields to be filled in; make sure those criteria are met before you try to advance the risk.

Here is how you can move a risk from the Draft state to Identification and then to the Analysis state:

  1. From the Launchpad home page (www.highbond.com), select the Risk Manager app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Risk Manager app. The Risk Manager home page opens.

  2. Select the risk you want to work with.

    The detailed risk page opens with the Details tab.

  3. Enter the information about the risk, including the ID, description, and owner.
  4. Select Save Changes.
  5. In the top right, click Identify.

    Result: The workflow status changes to Identification.

  6. After verifying that your risk has all the required details, select Validate.

    Result: The workflow status changes to Analysis.

Note

You can follow the steps mentioned above to advance the risk through the rest of the workflow states according to your needs.

Linking a risk to different objects

A risk is related to different assets and other library objects across your organization. It is important to capture these relationships by linking the risk to those objects, so that you can accurately calculate the impact of the risk on each of them.

Here is how you can link a risk to different objects:

  1. From the Launchpad home page (www.highbond.com), select the Risk Manager app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Risk Manager app. The Risk Manager home page opens.

  2. Select the risk you want to work with.

    The detailed risk page opens with the Details tab.

  3. Go to the Relationship tab and do the following:
    • To link an asset, select Link Assets.

      The Link Assets dialog box opens.

      1. Select the type of asset and the asset.
      2. Select Link Assets.

        The asset is linked to the risk.

    • To link a control, select Link Controls.

      The Link Controls dialog box opens.

      1. Select the type of control and the control.
      2. Select Link Controls.

        The control is linked to the risk.

    • To link a risk assessment, select Link Risk Assessments.

      The Link Assessments dialog box opens.

      1. Select the type of risk assessment and the assessment.
      2. Select Link Risk Assessments.

        The risk assessment is linked to the risk.

Note

  • You can follow the same steps as above to link a risk to additional library objects such as other risks, processes, and objectives, if these objects are configured in Risk Manager.
  • You can link objects from the home page by expanding the risk row and selecting Add Relationship. This is applicable only if you have not yet linked the risk to any entity.
  • When you link objects with each other, a two-way link is created. For example, when you link your risk to a control, the risk is displayed in the Relationship tab of the control and the control is displayed in the Relationship tab of the risk. If the link does not appear in both directions, contact Support for assistance.

Unlinking the risk from other objects

You can unlink relationships of a risk with different assets and other library objects.

Here is how you can unlink a risk relationship:

  1. From the Launchpad home page (www.highbond.com), select the Risk Manager app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Risk Manager app. The Risk Manager home page opens.

  2. Select the risk you want to work with.

    The detailed risk page opens with the Details tab.

  3. Go to the Relationship tab and select the unlink icon on the object that you want to remove the link from.

    The Unlink relationship dialog box opens.

  4. Select Unlink Object.

    The link is removed from the risk.

Associating a risk with an organizational unit

Create a relationship between a risk in Risk Manager and an organizational unit. Organizational units constitute the foundation of the enterprise, linking diverse organizational entities across different company segments. This hierarchy also stores departmental and business unit details. You can relate a risk to multiple organizational units.

Here is how you can associate a risk with an organizational unit:

  1. From the Launchpad home page (www.highbond.com), select the Risk Manager app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Risk Manager app. The Risk Manager home page opens.

  2. Select the risk that you want to update.

    The risk details page is displayed.

  3. Under the Details tab, in the Related Org Unit field, search for and select any of the preconfigured organizational units you want to relate the risk to.

  4. Select Apply Selection.

  5. Select Save Changes.

    The risk is updated. On the Risk Manager home page, you can view the organizational unit associated with the specific risk under the Org Unit column.

Note

  • The organizational unit hierarchy is preconfigured by the System Admins in your organization. For more information about the hierarchies in the organizational structure, contact your System Admin. If you are a System Admin, you can view the list of preconfigured organizational units in the platform settings (navigate to Platform Settings and click Org Structure). To learn more about organizational units, see Organizational Structure.

  • Additionally, you can associate organizational units with assessment records.

Creating a risk assessment

To assess the potential threat level of the risk to the organization, risk managers can add risk assessments. Assessments are generated based on the objects they are linked to. To learn more, see How are assessments generated?

Here is how you can create a risk assessment:

  1. From the Launchpad home page (www.highbond.com), select the Risk Manager app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Risk Manager app. The Risk Manager home page opens.

  2. Select the risk for which you want to create a risk assessment.

  3. On the Risk Details page, go to the Risk Assessment tab.

  4. Select Add Risk Assessment.

  5. In the Add Risk Assessment dialog box:

    1. Enter a name for the risk assessment.
    2. Select Add Risk Assessment.
  6. On the Risk Assessments details page, do the following:

    1. Provide a reference ID and add a description.

    2. Assign an owner for the risk assessment.

    3. (Optional) Select an organizational unit.

    4. Select values for Score, Impact and Likelihood.

    5. Choose an inherent risk score from the drop-down list.

  7. Select Save Changes. The risk assessment is created and an email is sent to the assessment owner with a link to the assigned assessment.

Assessing a risk

After identifying, validating, and linking a risk to relevant objects, you can assess it and calculate the risk score. Assessing a risk enables you to evaluate its potential threat level to the organization. To do this, trigger an assessment.

Here is how you can assess a risk:

  1. From the Launchpad home page (www.highbond.com), select the Risk Manager app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Risk Manager app. The Risk Manager home page opens.

  2. Select the risk you want to assess.
  3. On the Risk Details page, go to the Risk Assessment tab.

  4. On the Risk Assessment details page, select the risk assessment you want to assess.

  5. On the Risk Assessments details page, do the following:

    1. Provide a reference ID and add a description.

    2. Assign an owner for the risk assessment.

    3. Select values for Impact and Likelihood.

    4. Choose an inherent risk score from the drop-down list.

  6. Select Save Changes to update the risk assessment.

    Assessments are generated based on objects linked to the risk. To learn more, see How are assessments generated?

How are assessments generated?

Assessments are generated based on your risk's association with other entities such as assets and controls.

  • If the risk is associated with only an asset, only a risk event assessment is generated.
  • If the risk is associated with both an asset and a control, both a risk event assessment and a control assessment are generated.
  • If the risk is associated with only a control, both a risk assessment and a control assessment are still generated, but with a few differences, such as the naming convention.

For example: suppose you have added a risk called Virus Threat and associated it with both an asset and a control as follows:

  • Asset - Laptop
  • Control - Anti-virus Software

When you click Assess to generate the assessments, the following happens:

  • The workflow status changes to Assessment.
  • A risk assessment is generated, with the naming convention: <Risk name> - <Asset name>. For example, Virus Threat - Laptop.
    • The risk assessment is associated with both the risk and the asset. You can view the risk assessment from the Risk Event Assessment tab of the Risk page and in the Assessments tab of the asset in the Asset Manager app.
    • The following fields from the risk are copied to the risk assessment: Risk ID, Risk Description, and Risk Owner.
  • A control assessment is generated, with the naming convention: <Control name> - <Risk name> - <Asset name>. For example, Anti-virus Software - Virus Threat - Laptop.
    • The control assessment is associated with the control, the risk, and the asset. You can view the control assessment from the Control Assessments tab of the Control page.
    • The following fields from the control are copied to the control assessment: Control ID, Control Description, and Control Owner.

Calculating risk scores

There are two ways of calculating the risk scores:

  • Using default configuration: the default configuration is used to calculate the risk score. For example, the Likelihood and Impact fields are set as a 3 x 3 matrix (low, medium, and high). You can calculate the risk score of one risk (or one risk assessment) at a time using this method. For more information, see Using default configuration.
  • Using custom configuration: you can customize the formula used to calculate the risk and assessment scores. You can calculate the scores of multiple risks (or risk assessments) at a time using this method. For more information, see Risk and assessment scoring configuration in Risk Manager.

Using default configuration

After triggering assessments, you can calculate the risk scores. You can do this by calculating the inherent risk score in both the risk and the risk assessment records.

To calculate the inherent risk score, you will need to know the Impact and Likelihood of a risk. See the table below for reference.

                          Impact
  Likelihood       Low        Medium     High
  High             Medium     High       High
  Medium           Low        Medium     High
  Low              Low        Low        Medium
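As an added example that is not part of this page or of Risk Manager itself, the following Python models the behaviour documented in "How are assessments generated?" and in the default-configuration table above, using the page's Virus Threat example: which assessments Assess generates (names and copied fields) and how Impact and Likelihood map to the inherent risk score. The Risk fields, the sample IDs and owners, and the one-assessment-per-linked-asset rule are assumptions of this example.

```python
from dataclasses import dataclass, field

# Default 3 x 3 matrix transcribed from the table above, as SCORE[likelihood][impact].
LEVELS = ("Low", "Medium", "High")
SCORE = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}

@dataclass
class Risk:
    """Constructed model of a risk record; the field names are this example's own."""
    name: str
    risk_id: str
    description: str
    owner: str
    assets: list = field(default_factory=list)    # linked asset names
    controls: list = field(default_factory=list)  # (name, id, description, owner)

def inherent_risk_score(impact: str, likelihood: str) -> str:
    """Default-configuration score; an empty or unsaved field raises instead of scoring Low."""
    if impact not in LEVELS or likelihood not in LEVELS:
        raise ValueError(f"Impact and Likelihood must be one of {LEVELS}")
    return SCORE[likelihood][impact]

def generate_assessments(risk: Risk) -> list:
    """Assessments that Assess creates for an asset-linked risk (one per asset assumed)."""
    if not risk.assets:
        # The page says control-only risks also get both assessments but leaves their names unspecified.
        raise NotImplementedError("control-only naming is not specified on the page")
    out = []
    for asset in risk.assets:
        out.append({"type": "risk_event_assessment",
                    "name": f"{risk.name} - {asset}",
                    "Risk ID": risk.risk_id,
                    "Risk Description": risk.description,
                    "Risk Owner": risk.owner})
        for ctl_name, ctl_id, ctl_desc, ctl_owner in risk.controls:
            out.append({"type": "control_assessment",
                        "name": f"{ctl_name} - {risk.name} - {asset}",
                        "Control ID": ctl_id,
                        "Control Description": ctl_desc,
                        "Control Owner": ctl_owner})
    return out

# Constructed sample mirroring the page's Virus Threat example (IDs and owners invented).
VIRUS_THREAT = Risk("Virus Threat", "R-001", "Malware infection of endpoints", "alice@example.com",
                    assets=["Laptop"],
                    controls=[("Anti-virus Software", "C-001", "Endpoint AV deployed", "bob@example.com")])
```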

Here is how you can calculate the risk scores of a risk assessment using the default configuration:

  1. From the Launchpad home page (www.highbond.com), select the Risk Manager app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Risk Manager app. The Risk Manager home page opens.

  2. Select the risk you want to work with.

    The detailed risk page is displayed.

  3. Go to the Risk Event Assessment tab and select the name of the risk assessment to open it.
  4. Ensure you have filled in the necessary information, and in the top right, select Assess.

    Result: The workflow status changes to Assessment.

  5. Now, in the top right, select Score.

    The risk score is calculated and displayed in the Inherent Risk Score field.

    Note

    Ensure the Impact and Likelihood fields are filled in and saved before clicking Score.

  6. Select Approve to finalize the risk score.

    The risk score is finalized and the workflow status changes to Monitoring.

  7. (Optional) You can begin the assessment again by clicking Reassess.

Creating a risk mitigation

Risk mitigation enables you to identify, reduce, track, or eliminate potential threats that could impact the operations, finances, or reputation of your organization. It helps ensure business continuity by proactively managing uncertainties and minimizing losses.

Here is how you can create a risk mitigation:

  1. From the Launchpad home page (www.highbond.com), select the Risk Manager app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Risk Manager app. The Risk Manager home page opens.

  2. Select the risk for which you want to create a risk mitigation.
  3. On the Risk Details page, go to the Risk Mitigation tab.

  4. Select Add Risk Mitigation.

  5. In the Add Risk Mitigation dialog box, enter a name for the risk mitigation, and select Add Risk Mitigation.

  6. On the Risk Mitigation Details page, do the following:

    1. Select an organizational unit.

    2. Provide a description and plan.

    3. Assign an owner for the risk mitigation.

    4. Select the type of treatment from the drop-down list.

    5. Provide remediation details.

    6. Enter dates for planned completion and actual completion.

  7. Select Save Changes. The risk mitigation is created.

Deleting a risk

Here is how you can delete a risk:

  1. From the Launchpad home page (www.highbond.com), select the Risk Manager app to open it.

    If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Risk Manager app. The Risk Manager home page opens.

  2. Select the risk you want to delete.

    The detailed risk page is displayed.

  3. In the upper right, select More options and then select Delete.
  4. In the confirmation dialog box, select Delete.

    The risk is deleted.

What's next?

You can begin working with controls to mitigate the risks. For more information, see Working with controls.