Defining risk treatment

Define relationships between objectives in the Projects app and strategic risks in the Strategy app to aggregate and track assurance and testing results associated with operational risks and controls.

Before you start

Before you can define relationships between strategic risks in the Strategy app and objectives in the Projects app, and develop a dashboard of risk and project outcomes, you need to complete a few tasks in Strategy and Projects.

Strategy

Add risks to your company's risk profile.

Projects

  1. Create a project and / or framework.
  2. Define objectives, risks, and controls in projects and / or frameworks.
  3. Execute procedures, perform walkthroughs and tests, and identify issues.

Tip

It is often easier to link risks to framework objectives than project objectives. Strategy can account for Issues you create in project objectives if those project objectives are linked to framework objectives. See the next section, How it works, for details.

How it works

You link a strategic risk in the Strategy app with one or more objectives from projects and frameworks in the Projects app. Once linked, you can track assurance and testing results associated with operational risks and controls to develop a dashboard of risk and project outcomes.

The linkage helps you ensure complete coverage of all operational risks identified during annual risk assessments, and allows you to determine how well your company is mitigating risk.

Linking framework objectives vs project objectives

In the Projects app, you can define relationships between frameworks and projects. Frameworks can contain objectives that are linked to multiple projects.

In the Strategy app, if you link a project objective to a strategic risk, you are aggregating information from an individual project. If you link a framework objective to a strategic risk, you are typically aggregating information from multiple projects.

Strategic risk linked to project objective

Strategic risk linked to framework objective

Some issues are not brought into Strategy

Not all issues you create in child projects are brought into Strategy. To ensure an issue appears in Strategy:

  • Create the issue inside a linked objective. Issues created outside a linked objective are not brought into Strategy.
  • Publish the issue.

For guidance on the best way to set up issues, see Recording issues.

Linking restrictions

  • Linking options: You can only link strategic risks to either the parent framework objective or the child project objectives - not both.
  • Linking a framework objective: If you previously linked a project objective that is associated with a framework objective, and choose to link the framework objective instead, the framework objective is linked to the strategic risk.
    Caution

    In this scenario, the link to the project objective, and any associated treatment values input as part of the residual risk assessment, is permanently removed.

  • Linking a project objective: If you previously linked a framework objective that is associated with a project objective, you cannot select the project objective (it has already been accounted for since it is associated with the framework objective).

Example

Defining risk treatments

Scenario

You have identified the following strategic risk in your organization:

Failure of key third-party vendors

Third parties provide key components of our financial business infrastructure which include technology, products, and services. Any change in these third parties or any failure to handle current or higher levels of activity could adversely affect our ability to deliver products and services to clients and disrupt our business.

You also have a series of control objectives that will be used to mitigate this risk:

  • Selection & Acquisition
  • Risk, Compliance, & Viability Management
  • Performance Monitoring
  • Relationship Management
  • Transition & Renewal
  • Successful on-boarding of new customers
  • Identify

Process

You add the strategic risk in Strategy and create the control objectives in Projects. Then, using Strategy, you link the control objectives to the strategic risk.

Result

A relationship is defined between the strategic risk and the associated control objectives, allowing you to track assurance and testing results, and assess residual risk.

Permissions

Strategy Admins or Oversight Executives can define risk treatment.

Steps

First, navigate to the Treatment tab

  1. Open the Strategy app.
  2. Do one of the following: 
    • In the Risk Profile, click the risk you want to open.
    • Select Heatmaps > Strategy Heatmap, click on a bubble, and click the appropriate risk listed under Associated Risks.
    • Select Heatmaps > Risk Heatmap, hover your cursor over a risk in the list, and click Assess This Risk.
  3. Click the Treatment tab.

Second, link the strategic risk to objectives

  1. Click Link Treatment. The Define Risk Treatment screen opens.
  2. Optional. Search for projects or frameworks by name. Results are automatically filtered as you type.
  3. Select the appropriate objectives from each project and / or framework:

    Note

    To select objectives, your role must allow you to view the objectives in the project or framework. For more information about roles in Projects, see User and admin access to Projects.

    1. Click the side arrow to display a list of objectives in the project or framework.
    2. Select the objectives you want to link to the strategic risk, or select the project or framework to link all objectives.

      For more information, see Linking framework objectives vs project objectives.

    3. Optional. To view an objective in Projects, click view beside the appropriate objective.
  4. Click Link # Treatments.

    Result: The residual risk assessment displays, allowing you to specify a treatment percentage to define how much of the treatment reduces the inherent risk. For more information, see Assessing residual risk.

  5. Optional. To edit links between the strategic risk and objectives, click Edit Treatment Links, and make any necessary updates.
    Caution

    If you remove a link to an objective, any associated treatment values input as part of the residual risk assessment are permanently removed.

  6. Click exit in the upper-right corner.

Third, track treatment areas

  1. Do one of the following: 
    • In the Risk Profile, click the risk you want to open.
    • Select Heatmaps > Strategy Heatmap, click on a bubble, and click the appropriate risk listed under Associated Risks.
    • Select Heatmaps > Risk Heatmap, hover your cursor over a risk in the list, and click Assess This Risk.
  2. Click the Assurance tab.
  3. View the following information and click to close the window:
    Note

    The information on the Assurance tab is aggregated from Projects. For more information, see Getting started with assurance for risk.

    Overall Assurance
      Description: displays the aggregated assurance value across all Treatment Areas
      Remarks: Calculation:
        (Total Operational Inherent Risk Score - Total Operational Residual Risk Score) / Total Operational Inherent Risk Score

    Operational Inherent Risk Score
      Description: displays the aggregated inherent risk score across all Treatment Areas
      Remarks: Calculation:
        SUM (Inherent Risk Scores for operational risks associated with linked objectives)

    Operational Residual Risk Score
      Description: displays the aggregated residual risk score across all Treatment Areas
      Remarks: Calculation:
        SUM (Residual Risk Scores for operational risks associated with linked objectives)

    Results
      Description: displays the aggregated testing results across all Treatment Areas
      Remarks: Results are displayed in a stacked bar chart that includes the number of:
        • passing controls
        • failing controls
        • controls not tested
      If you hover your mouse over a particular bar, the control count displays. The x-axis is dynamically updated for each risk based on the count of controls across all treatments.

    Treatment Areas
      Description: displays treatments associated with the risk
      Remarks: The following metrics are displayed for each treatment area:
        • assurance
        • number of passing controls
        • number of failing controls
        • number of controls not tested
      You can view each treatment in Projects by clicking view next to the appropriate treatment.
      Framework objectives that have been linked to the risk as a treatment are appended with (Framework).

    Cost Impact
      Description: displays the cost impact of the risk in dollars
      Remarks: The Cost Impact value derives from published issues in Projects that have a value specified in the Cost Impact field.

    Transactions
      Description: displays the number of transactions associated with the risk
      Remarks: The Transactions value derives from execute procedures, walkthroughs, and tests in Projects that have linked evidence and published issues associated with evidence.

    Issue Trends
      Description: displays a monthly summary of the Total, New, and Remediated issues associated with the risk
      Remarks: You can click on the type of issue in the graph legend to show or hide particular types of issues in the graph.

    Issues
      Description: displays each identified issue associated with the risk
      Remarks: You can click the arrow to view detailed information about each issue. In the expanded view, you can click View in Projects to view issue details.
      Issues are sorted alphabetically by severity.
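As an added example (not the product's own code), the following Python models the Assurance tab aggregation described above: Overall Assurance from summed inherent and residual scores, per-treatment-area assurance, control result counts, and Cost Impact taken only from published issues inside linked objectives. The data model, field names and sample values are assumptions constructed for illustration.

```python
# Added example, not the product's own code: models how the Assurance tab
# aggregates values from the objectives linked to a strategic risk.
# The data model below is an assumption for illustration:
#   control result: True = passing, False = failing, None = not tested
#   operational risk: {"inherent": score, "residual": score, "controls": [results]}
#   objective: {"name": str, "risks": [...], "issues": [(title, published, cost_impact)]}

def assurance(inherent: float, residual: float) -> float:
    """Overall Assurance = (inherent - residual) / inherent; 0 when nothing is linked."""
    return (inherent - residual) / inherent if inherent else 0.0


def summarize(linked: list) -> dict:
    """Aggregate the Assurance tab values across all treatment areas (linked objectives)."""
    risks = [r for o in linked for r in o["risks"]]
    results = [c for r in risks for c in r["controls"]]
    inherent = sum(r["inherent"] for r in risks)
    residual = sum(r["residual"] for r in risks)
    # Only published issues created inside a linked objective are brought into Strategy.
    published = [i for o in linked for i in o["issues"] if i[1]]
    return {
        "overall_assurance": assurance(inherent, residual),
        "inherent": inherent,
        "residual": residual,
        "passing": sum(c is True for c in results),
        "failing": sum(c is False for c in results),
        "not_tested": sum(c is None for c in results),
        "cost_impact": sum(i[2] for i in published),
        # per-treatment-area assurance, as shown in the Treatment Areas row
        "treatment_areas": {
            o["name"]: assurance(sum(r["inherent"] for r in o["risks"]),
                                 sum(r["residual"] for r in o["risks"]))
            for o in linked
        },
    }


# Constructed sample: two objectives from the vendor-risk scenario above.
LINKED = [
    {"name": "Selection & Acquisition",
     "risks": [{"inherent": 20, "residual": 5, "controls": [True, None]}],
     "issues": [("Missing SOC report", True, 1500.0), ("Draft finding", False, 9000.0)]},
    {"name": "Performance Monitoring",
     "risks": [{"inherent": 10, "residual": 10, "controls": [False]}],
     "issues": []},
]

if __name__ == "__main__":
    print(summarize(LINKED))
```

The unpublished "Draft finding" is excluded from Cost Impact, and an objective whose residual score equals its inherent score contributes 0 assurance to its treatment area.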