Assessing residual risk

Assess the risk that remains when controls and other mitigating factors have been put in place.

Before you start

Before you can assess residual risk, you must assess inherent risk and define risk treatment.

How it works

After assessing inherent risk and defining how the risk is being treated, you perform a preliminary treatment evaluation that assesses how much the treatment reduces the risk. This allows you to identify areas where the business is exposed to risk beyond the company's risk appetite.

Assessing residual risk involves specifying a treatment percentage that defines how much the treatment reduces the inherent risk. The treatment percentage is based on the expected effectiveness of the treatment efforts in place, before controls have been tested to provide assurance.

Specifying percentages

You can specify a percentage between 0% and 100% for each treatment. The total Treatment % across treatments can add up to more than 100%. However, an aggregate treatment greater than 100% may indicate that the risk is over-treated, and that your company could revise the treatment of the risk to reduce the costs associated with treating it.

As you enter each percentage, the Treatment % for all treatments associated with an operating segment updates automatically, along with the Residual Risk Score and Residual Risk Heat values.
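The two sections above describe the idea (per-treatment percentages that aggregate per scoring factor, an aggregate that may exceed 100%, and a residual score compared against risk appetite) without giving the product's formula. The following is an added, constructed model that illustrates those relationships; it is not Diligent One's calculation. The factor names, weights, scores and the linear reduction formula (residual = inherent × (1 − min(aggregate, 100%))) are all assumptions made for the example.

```python
"""Illustrative residual-risk model (constructed example, not Diligent One's formula).

Assumptions made here, none of which come from the product documentation:
  * each risk scoring factor has a weight, and the weights sum to 1.0;
  * inherent scores are given per factor on an arbitrary numeric scale;
  * each treatment contributes a Treatment % per factor, in the range 0-100;
  * the reduction applied to a factor is the aggregate Treatment %, capped at 100%.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed scoring factors and weights (assumption: normalised to 1.0).
FACTOR_WEIGHTS: Dict[str, float] = {
    "Likelihood": 0.5,
    "Financial impact": 0.3,
    "Reputational impact": 0.2,
}


@dataclass
class Treatment:
    """One treatment (control or linked framework objective) and its Treatment % per factor."""
    name: str
    percentages: Dict[str, float]  # factor -> 0..100


def aggregate_treatment(treatments: List[Treatment]) -> Dict[str, float]:
    """Sum the Treatment % per scoring factor across all treatments.

    The sum is deliberately NOT capped here, because an aggregate above 100%
    is itself a signal the documentation tells you to look for (over-treatment).
    """
    totals = {factor: 0.0 for factor in FACTOR_WEIGHTS}
    for treatment in treatments:
        for factor, pct in treatment.percentages.items():
            if factor not in FACTOR_WEIGHTS:
                raise KeyError(f"unknown scoring factor: {factor}")
            if not 0 <= pct <= 100:
                raise ValueError(f"{treatment.name}: Treatment % must be 0-100, got {pct}")
            totals[factor] += pct
    return totals


def weighted_score(factor_scores: Dict[str, float]) -> float:
    """Collapse per-factor scores into one weighted score."""
    return round(sum(factor_scores[f] * w for f, w in FACTOR_WEIGHTS.items()), 2)


def residual_scores(inherent: Dict[str, float],
                    treatments: List[Treatment]) -> Dict[str, float]:
    """Per-factor residual score: inherent reduced by the capped aggregate Treatment %."""
    totals = aggregate_treatment(treatments)
    residual = {}
    for factor in FACTOR_WEIGHTS:
        reduction = min(totals[factor], 100.0) / 100.0  # cap: cannot remove more than 100%
        residual[factor] = inherent[factor] * (1.0 - reduction)
    return residual


def over_treated_factors(treatments: List[Treatment]) -> List[str]:
    """Factors whose aggregate Treatment % exceeds 100%: candidates for cost review."""
    totals = aggregate_treatment(treatments)
    return sorted(f for f, total in totals.items() if total > 100.0)


def exceeds_appetite(score: float, appetite: float) -> bool:
    """True when a (residual or inherent) score sits above the stated risk appetite."""
    return score > appetite


# Constructed sample data for a single operating segment.
INHERENT = {"Likelihood": 4.0, "Financial impact": 5.0, "Reputational impact": 3.0}
TREATMENTS = [
    Treatment("Quarterly access review", {"Likelihood": 40, "Financial impact": 10}),
    Treatment("Cyber insurance (Framework)", {"Financial impact": 60}),
    Treatment("Incident communications plan", {"Financial impact": 50, "Reputational impact": 70}),
]
RISK_APPETITE = 2.0  # constructed threshold on the weighted score scale

if __name__ == "__main__":
    inherent_total = weighted_score(INHERENT)
    residual = residual_scores(INHERENT, TREATMENTS)
    residual_total = weighted_score(residual)
    print(f"Inherent score {inherent_total} (beyond appetite: {exceeds_appetite(inherent_total, RISK_APPETITE)})")
    print(f"Residual score {residual_total} (beyond appetite: {exceeds_appetite(residual_total, RISK_APPETITE)})")
    print("Aggregate Treatment %:", aggregate_treatment(TREATMENTS))
    print("Over-treated factors (>100%):", over_treated_factors(TREATMENTS))
```

With the constructed data the Financial impact factor receives 120% aggregate treatment: the residual for that factor is floored at zero, and the factor is reported as over-treated, which is the cost-review signal the text describes. Likelihood, at 40%, still leaves most of its inherent score in place, so the residual is driven by whichever factor is least treated rather than by the total percentage entered.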

Permissions

Only Strategy Admins or Oversight Executives can complete this task.

Steps

Navigate to the Treatment tab

  1. Open the Strategy app.
  2. Do one of the following:
    • In Risk Profile, click the risk you want to open.
    • Select Heatmaps > Strategy Heatmap, click on a bubble, and click the appropriate risk listed under Associated Risks.
    • Select Heatmaps > Risk Heatmap, hover your cursor over a risk in the list, and click Assess This Risk.
  3. Click the Treatment tab.

    The residual risk assessment displays.

Specify a treatment percentage

  1. Click the name of the appropriate operating segment, entity, or business unit to expand it.
  2. Optional. To view the weight of a risk scoring factor, hover your mouse over the name of the risk scoring factor.
  3. Next to the relevant treatment, click the % input under a risk scoring factor.

    Framework objectives that have been linked to the risk as a treatment are appended with (Framework).

    The only value you can edit on the Treatment tab is the Treatment % associated with a single treatment. If you need to re-assess inherent risk, go to the Assessment tab.

  4. Specify the treatment percentage to define how much the treatment reduces the risk.

    You can view additional information about the treatment by clicking on each treatment.

    Tip

    You can use the following keyboard shortcuts on the Treatment tab:

    • Navigate forward: Tab
    • Navigate backwards: Shift+Tab
    • Exit from Treatment tab: Esc
  5. Optional. To edit links between the strategic risk and objectives, click Edit Treatment Links, and make any necessary updates.

    Caution

    If any treatments are being used to aggregate assurance information or calculate residual risk, unlinking the treatments permanently removes all associated work.

Optional. Move the risk to the Accept or Mitigate state

Complete one of the following actions:

  • To accept the risk, select Accept and choose the duration to accept the risk for.
  • To mitigate the risk, select Mitigate and choose the duration to mitigate the risk for.

    You can add a mitigation timeline for risks that have been assessed and moved to the Accepted, Audit, or Continuously Audit state.

    Notes

    • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
    • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.

Close the Treatment tab

Click exit in the upper-right corner.