Automating strategic risk assessments

In the Strategy app, you can create assessment drivers based on a metric from the Results app to automate risk assessments and notify key stakeholders when changes occur.

What is an assessment driver?

An assessment driver is an automation tool that allows you to keep your assessments current, in real-time. You can create multiple assessment drivers to automate different risk and control assessments.

Before you start

Before you can automate a risk assessment, you must set up a Strategy Map, configure risk scoring settings, and add risks to your risk profile.

To turn on the Automate option, you or someone on your team needs to complete the following tasks:

How it works

After you have completed the prerequisite tasks, you create an assessment driver by:

  1. selecting the risk assessment you want to automate
  2. defining metric ranges that will be used to populate inherent risk scores for the risk assessment

Whenever this risk assessment changes, stakeholders that subscribe to updates associated with the risk are automatically notified via the daily summary email, enabling them to take appropriate action.

Why do assessment drivers automate inherent risk scores? 

Assessment drivers automate inherent risk scores to inform you about your company's current level of risk. Since risk assessments are an on-going and iterative process, inherent risk scores may change with time.

Based on the inherent risk score, you can determine whether the risk poses a threat to your company or if the risk is less critical. Risk response options may include increasing or decreasing resources associated with risk treatment, as needed.

Do assessment drivers impact treatment percentages?

Assessment drivers do not impact treatment percentages. The treatment percentage should be a reflection of how much the treatment mitigates the risk itself, as opposed to the inherent risk score.

Can I view historical data associated with assessment drivers?

You can use Time Machine to view automated scores from a particular time period in the past. You cannot view historical data about previous configurations of assessment drivers.

When are stakeholders notified about changes for automated risk assessments?

Stakeholders that subscribe to updates about the risk are notified via the daily summary email whenever:

  • inherent risk scores change (the daily summary email reports the last inherent risk score value at the end of the day compared to the previous daily summary score)
  • an assessment driver has been disabled due to an error

What changes in Strategy impact the way assessment drivers work?

Depending on the change, assessment drivers are either disabled or permanently deleted. In both scenarios, the most recent inherent risk score is retained and the risk assessment becomes a manual process.

Change Impact
Deleting a metric in Results that has been linked to a risk in Strategy

Once a metric is associated with an assessment driver, any metric configuration changes you make in Resultsdisables the risk assessment automation in Strategy.

Note

You can fix the problems in Results or Strategy and re-enable the assessment driver.

Changing the configuration of a metric in Results

Changing the severity scale associated with a risk scoring factor

Any associated assessment drivers are disabled.

  • If the score value remains (i.e. previously 1 = Low and now 1 = None), the same score is retained.
  • If the score value is no longer available (i.e. previously 5 = Very High, and now you are using a 3-point scale), the score is removed so that you can reassess the risk.
Unlinking a metric from a risk in Strategy

Any associated assessment drivers are permanently removed.

Deleting a risk scoring factor
Deleting an operating segment
Deleting a risk
Disassociating a strategic objective from a risk

Example

Automating a strategic risk assessment

Scenario

You are the CEO of an organization that offers a subscription-based service. You have identified maintaining annual recurring revenue (ARR) in the North America region as a strategic risk. ARR is directly related to how much customers pay the organization and whether or not they renew their subscription.

The metric that you use to help assess and monitor the ARR risk is called "ARR at risk". As customer churn increases, the impact of renewing key customers also increases.

Process

First, you configure risk scoring by quantifying the impact of financial loss associated with the ARR risk as follows:

  • > $1,000,000 = Low
  • ≥ $1,000,000 < $5,000,000 = Medium
  • ≥ $5,000,000 < $10,000,000 = High
  • ≥ $10,000,000 < $25,000,000 = Very High
  • ≥ $25,000,000 = Critical

Then, you link the "ARR at risk" metric you created in the Results app to the ARR risk in the Strategy app.

Finally, you create an assessment driver by defining a series of metric ranges that will be used to populate inherent risk scores:

Result

The risk assessment is automated:

If you subscribe to updates about the risk, you are notified via the daily summary email whenever a change to the risk assessment occurs.

Permissions

Strategy Admins and Oversight Executives can automate risk assessments. Oversight Reviewers can only view automated risk assessments. Strategy Admins can manage automated risk assessments across the company.

Configure an automated risk assessment

Create an assessment driver to automate a risk assessment and notify key stakeholders when changes occur.

Navigate to the Assessment tab

  1. Open the Strategy app.
  2. Do one of the following: 
    • In the Risk Profile, click the risk you want to open.
    • Select Heatmaps > Strategy Heatmap, click on a bubble, and click the appropriate risk listed under Associated Risks.
    • Select Heatmaps > Risk Heatmap, hover your cursor over a risk in the list, and click Assess This Risk.
  3. Click the Assessment tab if it does not open by default.

Select a risk assessment to automate

  1. In the Assessment tab, click the appropriate input area where a risk scoring factor and operating segment intersect. The scoring options display.
  2. Click Automate. The New Assessment Driver side panel opens, with the risk, operating segment, and risk scoring factor pre-selected.

    Note

    • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
    • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.

Specify a metric and define ranges

  1. Click the Select a Metric... dropdown list to specify the metric that will be used to populate inherent risk scores. The metric displays along with an input area for specifying ranges. The metric must generate a numeric value. You cannot use metrics based on dates. You can only select metrics that have been linked to the selected risk.
    Note

    If you previously linked a metric, and archived the collection in Results where the metric is located, the metric is protected in a read-only state. No data can be added or changed.

  2. Select the appropriate operator (less than or greater than) and define the conditions that need to occur for the risk assessment to automatically update to the specified score.

    As you enter values in the right column, the left column is auto-populated with the next sequential value, and the score changes color once you have entered a number for the row.

    You can enter any number of decimal places for each value. However, upon saving, values only display up to two decimals.

    Tip

    You can use Tab to quickly move vertically down the right column.

  3. Optional. Disable the Assessment Driver if you do not want to automate the risk assessment immediately.

    By default, the Assessment Driver is enabled , and the assessment is automated immediately after saving.

  4. Click Save.
    Note

    You must define all metric ranges before you can save.

View or edit automated risk assessments

  1. Open the Strategy app.
  2. Do one of the following:
    • In the Risk Profile, click the risk you want to open. If any assessment drivers have been disabled due to an error, an error icon displays beside the Settings menu option.
    • Select Heatmaps > Strategy Heatmap, click on a bubble, and click the appropriate risk listed under Associated Risks.
    • Select Heatmaps > Risk Heatmap, hover your cursor over a risk in the list, and click Assess This Risk.
  3. Click the Assessment tab if it does not open by default.
  4. View automated risk assessments:
  5. Edit or enable / disable an assessment driver by clicking the automated risk assessment and selecting Edit.

Optional. Delete an assessment driver

Note

When you delete an assessment driver, the most recent inherent risk score is retained, and the risk assessment becomes a manual process.

  1. Open the Strategy app.
  2. Do one of the following:
    • In the Risk Profile, click Assessment Drivers, select the appropriate assessment driver, click Delete, and click Delete to confirm.
    • From the Assessment tab in a risk, click the appropriate automated assessment, click Delete, and click Delete to confirm.

Manage automated risk assessments

View and manage all automated risk assessments across your company.

Navigate to the Assessment Drivers page

  1. Open the Strategy app.
  2. Click Settings. The Users page opens.
  3. From the left panel, click Assessment Drivers. The Assessment Drivers page opens.

Add a new assessment driver

  1. From the Assessment Drivers page, click + Add. The New Assessment Driver side panel opens.
  2. Select the appropriate risk, operating segment, and risk scoring factor from the dropdown lists.

    You can only select a risk that has a metric linked to it and you can only select operating segments that have been associated with the risk. If an assessment driver was previously set up for a risk scoring factor, (automation set) displays beside the risk scoring factor.

    Note

    • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
    • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.
  3. Click the Select a Metric... dropdown list to define the metric that will be used to populate inherent risk scores.

    The metric must generate a numeric value. You cannot use metrics that calculate dates such as the highest, lowest, or average date is a datetime field. You can only select metrics that have been linked to the selected risk.

    Note

    If you previously linked a metric, and archived the collection in Results where the metric is located, the metric is protected in a read-only state. No data can be added or changed.

  4. Optional. Read the tour notes to familiarize yourself with the next steps.
  5. Select the appropriate operator (less than or greater than) and define the conditions that need to occur for the risk assessment to automatically update to the specified score.

    As you enter values in the right column, the left column is auto-populated with the next sequential value, and the score changes color once you have entered a number for the row.

    Tip

    You can use Tab to quickly move vertically down the right column.

  6. Optional. Disable the assessment driver if you do not want to apply the automated assessment immediately.

    By default, the assessment driver is enabled , and the assessment is automated immediately after saving.

  7. Click Save.
    Note

    You must define all metric ranges before you can save.

Edit an assessment driver

  1. Optional. From the Assessment Drivers page, filter risks by name or by operating segment.

    Risks are sorted alphabetically by title.

    If an error icon displays next to the risk assessment, an error has occurred. For more information, see What changes in Strategy impact the way assessment drivers work?

  2. Click next to the risk assessment and make any necessary changes.

Enable or disable an assessment driver

From the Assessment Drivers page, do one of the following:

  • To enable an assessment driver, turn on the switch next to the appropriate risk assessment.

    The risk assessment is automated.

  • To disable an assessment driver, turn off the switch next to the appropriate risk assessment.

    The most recent inherent risk score is retained, and the risk assessment becomes a manual process.

Delete an assessment driver

Note

When you delete an assessment driver, the most recent inherent risk score is retained, and the risk assessment becomes a manual process.

  1. From the Assessment Drivers page, next to the appropriate risk assessment, click the trash bin .
  2. Click Delete in the confirmation dialog box.