Working with risks
A risk can be an uncertainty or an opportunity that may arise from business decision-making. There are risks that may affect the day-to-day functioning of your organization. These risks must be identified and mitigated for a smooth flow of operations in your organization.
What are the different types of risks?
There are many categories of risks, including but not limited to:
- Compliance and regulatory risk e.g., introduction of new rules or legislation
- Financial risk e.g., interest rate rise on business loan or a non-paying customer
- Operational risk e.g., breakdown or theft of key equipment
Each risk needs to be identified, associated to related library objects, and assessed. Then, your organization can decide the best methods to prioritize and mitigate those risks.
Adding a risk
To add a risk in the Risk Manager, perform the following steps:
- Open the Risk Manager app.
The Risk Manager home page opens.
- Click + Add Risk.
- In the Add Risk panel, enter a name for your risk.
- Add any other details necessary and click one of the following:
- Add Risk to save the risk and close the panel.
- Save & Add New to save the risk and add another one.
Result After adding, your risks are created.
- Optional. Click on the risk name to view the detailed risk page and add more details.
Add or change the owner of a risk
To add or update the owner of a risk, perform the following steps:
- Open the Risk Manager app.
The Risk Manager home page opens.
-
From the Risk list, click on the name of the risk where you want to add or update the owner.
The Details tab opens.
- In the Risk Owner field, select a user and click Save Changes.
Result The risk is assigned to the user selected, and an email notification is sent to the assigned user.
Moving a risk through different workflows
After creating a risk, you can advance it through different workflow states based on your needs and requirements. Some workflow states may require some fields to be filled in, ensure to meet the criteria to advance the risk.
To move a risk from Draft to Identification and then Analysis state, perform the following steps:
- Open the Risk Manager app.
The Risk Manager home page opens.
-
Click on the name of the risk you want to work with.
The detailed risk page opens with the Details tab.
- Enter the information about the risk, including the ID, description, owner and click Save Changes.
- In the top right, click Identify.
Result The workflow status changes to Identification.
- After verifying that your risk has all the required details, click Validate.
Result The workflow status changes to Analysis.
Note
You can follow the steps mentioned above to advance the risk through the rest of the workflow states according to your needs.
Linking a risk to different objects
A risk is related to different assets and other library objects, across your organization. It is important to capture this relationship and link the risk with these objects, so that you can accurately calculate the impact of a risk on these objects.
To link a risk to different objects, perform the following steps:
- Open the Risk Manager app.
The Risk Manager home page opens.
-
Click on the name of the risk you want to work with.
The detailed risk page opens with the Details tab.
- Go to the Relationship tab and do the following:
- To link an asset, click Link Assets.
The Link Assets dialog box opens.
- Select the type of asset and the asset.
- Click Link Assets.
Result The asset is linked to the risk.
- To link a control, click Link Controls.
The Link Controls dialog box opens.
- Select the type of control and the control.
- Click Link Controls.
Result The control is linked to the risk.
- To link a risk assessment, click Link Risk Assessments.
The Link Assessments dialog box opens.
- Select the type of risk assessment and the assessment.
- Click Link Risk Assessments.
Result The risk assessment is linked to the risk.
- To link an asset, click Link Assets.
Note
- You can follow the same steps as above to link a risk to additional library objects such as other risks, processes, and objectives, if these objects are configured in Risk Manager.
- You can quickly link objects from the home page also by expanding the risk row and clicking Add Relationship. This is applicable only if you have not yet linked the risk to any entity.
- When you link objects with each other, a two-way link is created. For example: When you link your risk to a control, the linked risk is displayed in the Relationship tab of the control and the control is displayed in the Relationship tab of the risk. If the links are not working both the ways, contact Support for assistance.
Unlinking the risk from other objects
You can unlink relationships of a risk with different assets and other library objects.
To unlink a risk relationship, perform the following steps:
- Open the Risk Manager app.
The Risk Manager home page opens.
-
Click on the risk you want to work with.
The detailed risk page opens with the Details tab.
- Go to the Relationship tab and click the unlink icon on the object that you want to remove the link from.
The Unlink relationship dialog box opens.
- Click Unlink Object.
Result The link is removed from the risk.
Associating a risk with an organizational unit
Create a relationship between a risk in Risk Manager and an organizational unit. Organizational units constitute the foundation of the enterprise, linking diverse organizational entities across different company segments. This hierarchy also stores departmental and business unit details. You can relate a risk to multiple organizational units.
Here is how you can associate a risk with an organizational unit:
- Open the Risk Manager app.
The Risk Manager home page is displayed.
-
Select the name of the risk that you want to update.
The risk details page is displayed.
-
Under the Details tab, in the Related Org Unit field, search select any of the preconfigured organizational units you want to relate the risk to.
-
Select Apply Selection.
-
Select Save Changes.
ResultThe risk is updated. On the Risk Manager home page, you can view the organizational unit associated with the specific risk under the Org Unit column.
Note
-
The organizational unit hierarchy is preconfigured by the System Admins in your organization. For more information about the hierarchies in the organizational structure, contact your System Admin. If you are a System Admin, you can view the list of preconfigured organizational units in the platform settings (navigate to Platform Settings and click Org Structure). To learn more about organizational units, see Overview of Organizational Structure.
-
Additionally, you can associate organizational units with assessment records.
Assessing a risk
Once your risk is identified, validated, and associated to different objects, you can assess the risk and calculate the risk scores. You have to assess your risk to evaluate the potential threat level of the risk towards the organization. You can do this by triggering assessments.
To assess a risk, perform the following steps:
- Open the Risk Manager app.
The Risk Manager home page opens.
-
Click on the risk you want to assess.
The detailed risk page opens.
- In the top right, click Assess.
Result Assessments are generated, based on objects linked to the risk. To learn more, see How are assessments generated?
Note
You can also add risk assessments manually from the Risk Event Assessment tab.
How are assessments generated?
Assessments are generated based on your risk's association with other entities such as assets and controls.
- If the risk is associated to only an asset, then only a risk event assessment is generated.
- If the risk is associated to both an asset and a control, both risk event assessment and control assessment are generated.
- If the risk is associated to only a control, then too both risk assessment and control assessment are generated, but with a few differences such as naming convention.
For example: You have a risk called Virus Threat added, and it is associated to both an asset and a control as follows:
- Asset - Laptop
- Control - Anti-virus Software
Now, you trigger to generate assessments by clicking Assess, the following things happen:
- The workflow status changes to Assessment.
- A risk assessment is generated, with the naming convention: <Risk name> - <Asset name>. For example, Virus Threat - Laptop.
- The risk assessment is associated to both the risk and the asset. You can view the risk assessment from the Risk Event Assessment tab of the Risk page and in the Assessments tab of the asset in the Asset Manager app.
- The following fields from the risk are copied to the risk assessment: Risk ID, Risk Description, and Risk Owner.
- A control assessment is generated, with the naming convention: <Control name> - <Risk name> - <Asset name>. For example, Anti-virus Software - Virus Threat - Laptop.
- The control assessment is associated to the control, the risk, and the asset. You can view the control assessment from the Control Assessments tab of the Control page.
- The following fields from the control are copied to the control assessment: Control ID, Control Description, and Control Owner.
Calculating risk scores
There are two ways of calculating the risk scores:
- Using default configuration Default configuration is used to calculate the risk score. For example: The likelihood and impact fields are set at a 3 x 3 matrix (low, medium, and high). You can calculate the risk score of one risk (or a risk assessment) at a time using this method. For more information, see Using default configuration.
- Using custom configuration You can customize the formula to calculate the risk and assessment scores. You can calculate scores of multiple risks (or risk assessments) at a time using this method. For more information see, Risk and assessment scoring configuration in Risk Manager.
Using default configuration
After triggering assessments, you can calculate the risk scores. You can do this by calculating the inherent risk score in both the risk and the risk assessment records.
To calculate the inherent risk score, you will need to know the Impact and Likelihood of a risk. See the table below for reference.
Likelihood | High |
Medium |
High | High |
---|---|---|---|---|
Medium |
Low |
Medium | High | |
Low |
Low |
Low | Medium | |
Low | Medium | High | ||
Impact |
To calculate the risk scores of a risk assessment using the default configuration, perform the following steps:
- Open the Risk Manager app.
The Risk Manager home page opens.
-
Click on the risk you want to work with.
The detailed risk page opens.
- Go to the Risk Event Assessment tab and click the name of the risk assessment to open it.
- Ensure you have filled in the necessary information, and in the top right, click Assess.
Result The workflow status changes to Assessment.
- Now, in the top right, click Score.
Result The risk score is calculated and displayed in the Inherent Risk Score field.
Note
Ensure the Impact and Likelihood fields are filled in and saved before clicking Score.
- Click Approve to finalize the risk score.
Result The risk score is finalized and the workflow status changes to Monitoring.
- Optional. You can begin the assessment again by clicking Reassess.
Deleting a risk
To delete a risk, perform the following steps:
- Open the Risk Manager app.
The Risk Manager home page opens.
-
Click on the risk you want to delete.
The detailed risk page opens.
- In the upper right, click More optionsand then Delete.
- In the confirmation dialog box, click Delete again.
Result The risk is deleted.
What's next?
You can begin working with controls to mitigate the risks. For more information, see Working with controls.