Assessing inherent risk

Assess the risk that exists when no controls or other mitigating factors have been put in place.

Before you start

Before you can assess inherent risk, you must do the following:

How it works

Inherent risk is calculated from an assessment of an untreated risk. You assess inherent risk based on the risk scoring framework defined by your company.

Assessing inherent risk involves:

  1. associating risks with strategic objectives defined in the Strategy Map
  2. assessing risk across all operating segments on multiple risk scoring factors

Once you specify scores, the Strategy app automatically calculates the inherent risk.

Permissions

Only Strategy Admins or Oversight Executives can assess inherent risk.

Steps

Notes

  • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
  • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.

Navigate to the Assessment tab

  1. Open the Strategy app.
  2. Do one of the following: 
    • In the Risk Profile, click the risk you want to assess.
    • Select Heatmaps > Strategy Heatmap, click on a bubble, and click the appropriate risk listed under Associated Risks.
    • Select Heatmaps > Risk Heatmap, hover your cursor over a risk in the list, and click Assess This Risk.
  3. Click the Assessment tab if it does not open by default.

Apply tags to a risk

If a Strategy Admin or Oversight Executive has created tags, you can apply those tags to risks. Then, you can use those tags to filter risks on the Risk Profile, Risk Heatmap, and Strategy Heatmap.

  • To create a new tag to apply to the risk, click in the Risk Tags field, enter a name for the tag, and press Enter.
  • To apply an existing tag to the risk, click the Risk Tags field and select the appropriate tag(s).
  • To remove a tag from the risk, click the icon next to the tag name.

Associate a risk with strategic objectives

  1. Click in the Strategic Objectives field.
  2. Select each strategic objective to include from the dropdown list. You must add at least one strategic objective before you can assess the risk. The names in the dropdown list correspond to the right column values on the Strategy Map page.
  3. Optional. To remove a strategic objective, click the icon next to the strategic objective and click Remove to confirm.
    Caution

    Removing a strategic objective permanently removes all associated assessments.

Assess the risk

  1. Click the appropriate input area under a risk scoring factor. To view the weight of a risk scoring factor, hover your mouse over the name of the risk scoring factor.
  2. Specify a score using the 3-, 5-, or 10-point scale or a custom scale to assess the risk across operating segments. You can automate risk assessments using assessment drivers. For more information, see Automating strategic risk assessments.
    Tip

    You can use the following keyboard shortcuts: 

    • Edit a score: Select value + # ("1-9" for point values between 1 and 9, and "0" for a point value of 10)
    • Navigate forward: Tab
    • Navigate backwards: Shift + Tab
    • Exit from Assessment tab: Esc
  3. Optional. To clear a score, click the appropriate score and select Clear.
    Tip

    To quickly clear a score, click the appropriate score and press X, Delete, or Backspace on your keyboard.

  4. Repeat steps 1-2 for each risk scoring factor.

Comment on a risk, attach a file, or view history

Optionally, you can do any of the following.

  • To post a comment or attach a file to the risk, click the Discussion tab. The maximum attachment size is 1 GB.

    Note

    For security reasons, Diligent One does not accept file attachments with the following extensions: .bat, .com, .dmg, .exe, or .scr.

  • To view the history of changes to the risk, click the Activities tab.

Move the risk to the Accept or Mitigate state

Optionally, you can complete one of the following actions.

  • To accept the risk, select Accept and choose the duration to accept the risk for.
  • To mitigate the risk, select Mitigate and select the duration to mitigate the risk for.

    You can add a mitigation timeline for risks that have been assessed and moved to the Accepted, Audit, or Continuously Audit state.

Close the Assessment tab

When you are done assessing a risk, click exit in the upper-right corner.

The Inherent Risk Score and Inherent Risk Heat values display on the left side of the risk item in Risk Profile.