Defining risk treatment
Define relationships between objectives in the Projects app and strategic risks in the Strategy app to aggregate and track assurance and testing results associated with operational risks and controls.
Before you start
Before you can define relationships between strategic risks in the Strategy app with objectives in the Projects app, and develop a dashboard of risk and project outcomes, you need to complete a few tasks in Strategy and Projects.
Strategy
Add risks to your company's risk profile.
Projects
- Create a project and / or framework.
- Define objectives, risks, and controls in projects and / or frameworks.
- Execute procedures, perform walkthroughs and tests, and identify issues.
It is often easier to link risks to framework objectives than project objectives. Strategy can account for Issues you create in project objectives if those project objectives are linked to framework objectives. See the next section, How it works, for details.
How it works
You link a strategic risk in the Strategy app with one or more objectives from projects and frameworks in the Projects app. Once linked, you can track assurance and testing results associated with operational risks and controls to develop a dashboard of risk and project outcomes.
The linkage helps you ensure complete coverage of all operational risks identified during annual risk assessments, and allows you to determine how well your company is mitigating risk.
Linking framework objectives vs project objectives
In the Projects app, you can define relationships between frameworks and projects. Frameworks can contain objectives that are linked to multiple projects.
In the Strategy app, if you link a project objective to a strategic risk, you are aggregating information from an individual project. If you link a framework objective to a strategic risk, you are typically aggregating information from multiple projects.
Strategic risk linked to project objective
Strategic risk linked to framework objective
Some issues are not brought into Strategy
Not all issues you create in child projects are brought into Strategy. To ensure an issue appears in Strategy:
- Create the issue inside a linked objective. Issues created outside a linked objective are not brought into Strategy.
- Publish the issue.
For guidance on the best way to set up issues, see Recording issues.
Linking restrictions
- Linking options: You can only link strategic risks to either the parent framework objective or the child project objectives, not both.
- Linking a framework objective: If you previously linked a project objective that is associated with a framework objective, and choose to link the framework objective instead, the framework objective is linked to the strategic risk.
Caution
In this scenario, the link to the project objective, and any associated treatment values input as part of the residual risk assessment, is permanently removed.
- Linking a project objective: If you previously linked a framework objective that is associated with a project objective, you cannot select the project objective (it has already been accounted for, since it is associated with the framework objective).
Example
Defining risk treatments
Scenario
You have identified the following strategic risk in your organization:
Failure of key third-party vendors: Third parties provide key components of our financial business infrastructure, which include technology, products, and services. Any change in these third parties, or any failure to handle current or higher levels of activity, could adversely affect our ability to deliver products and services to clients and disrupt our business.
You also have a series of control objectives that will be used to mitigate this risk:
- Selection & Acquisition
- Risk, Compliance, & Viability Management
- Performance Monitoring
- Relationship Management
- Transition & Renewal
- Successful on-boarding of new customers
- Identify
Process
You add the strategic risk in Strategy and create the control objectives in Projects. Then, using Strategy, you link the control objectives to the strategic risk.
Result
A relationship is defined between the strategic risk and the associated control objectives, allowing you to track assurance and testing results, and assess residual risk.
Permissions
Strategy Admins or Oversight Executives can define risk treatment.
Steps
First, navigate to the Treatment tab
- Open the Strategy app.
- Do one of the following:
- Click the Treatment tab.
Second, link the strategic risk to objectives
- Click Link Treatment. The Define Risk Treatment screen opens.
- Optional. Search for projects or frameworks by name. Results are automatically filtered as you type.
- Select the appropriate objectives from each project and / or framework:
Note
To select objectives, your role must allow you to view the objectives in the project or framework. For more information about roles in Projects, see User and admin access to Projects.
- Click the side arrow to display a list of objectives in the project or framework.
- Select the objectives you want to link to the strategic risk, or select the project or framework to link all objectives.
For more information, see Linking framework objectives vs project objectives.
- Optional. To view an objective in Projects, click view beside the appropriate objective.
- Click Link # Treatments.
Result
The residual risk assessment displays, allowing you to specify a treatment percentage to define how much of the treatment reduces the inherent risk. For more information, see Assessing residual risk.
- Optional. To edit links between the strategic risk and objectives, click Edit Treatment Links, and make any necessary updates.
Caution
If you remove a link to an objective, any associated treatment values input as part of the residual risk assessment are permanently removed.
- Click exit in the upper-right corner.
Third, track treatment areas
- Do one of the following:
- Click the Assurance tab.
- View the following information and click to close the window.
Note
The information on the Assurance tab is aggregated from Projects. For more information, see Getting started with assurance for risk.
The Assurance tab shows the following tracking information (description, followed by remarks):
- Overall Assurance: displays the aggregated assurance value across all Treatment Areas. Calculation: (Total Operational Inherent Risk Score - Total Operational Residual Risk Score) / Total Operational Inherent Risk Score.
- Operational Inherent Risk Score: displays the aggregated inherent risk score across all Treatment Areas. Calculation: SUM (Inherent Risk Scores for operational risks associated with linked objectives).
- Operational Residual Risk Score: displays the aggregated residual risk score across all Treatment Areas. Calculation: SUM (Residual Risk Scores for operational risks associated with linked objectives).
- Results: displays the aggregated testing results across all Treatment Areas. Results are displayed in a stacked bar chart that includes the number of passing controls, failing controls, and controls not tested. If you hover your mouse over a particular bar, the control count displays. The x-axis is dynamically updated for each risk based on the count of controls across all treatments.
- Treatment Areas: displays treatments associated with the risk. The following metrics are displayed for each treatment area: assurance, number of passing controls, number of failing controls, and number of controls not tested. You can view each treatment in Projects by clicking view next to the appropriate treatment. Framework objectives that have been linked to the risk as a treatment are appended with (Framework).
- Cost Impact: displays the cost impact of the risk in dollars. The Cost Impact value derives from published issues in Projects that have a value specified in the Cost Impact field.
- Transactions: displays the number of transactions associated with the risk. The Transactions value derives from execute procedures, walkthroughs, and tests in Projects that have linked evidence and published issues associated with evidence.
- Issue Trends: displays a monthly summary of the Total, New, and Remediated issues associated with the risk. You can click on the type of issue in the graph legend to show or hide particular types of issues in the graph.
- Issue: displays each identified issue associated with the risk. You can click the arrow to view detailed information about each issue. In the expanded view, you can click View in Projects to view issue details. Issues are sorted alphabetically by severity.
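The following is an added worked example, not part of the product documentation or the Strategy app's own code, that reproduces the Assurance tab roll-up described above: the Overall Assurance formula, the inherent and residual sums, the control result counts, the per-treatment-area assurance with the (Framework) suffix, and the Cost Impact rule that only published issues inside a linked objective count (see "Some issues are not brought into Strategy"). The class and field names, the status strings, and all scores are constructed assumptions.

```python
from dataclasses import dataclass

# Minimal model of what the Assurance tab aggregates (class and field names are assumptions).
@dataclass
class OperationalRisk:
    inherent: int   # Inherent Risk Score of an operational risk in Projects
    residual: int   # Residual Risk Score after controls are applied
@dataclass
class Issue:
    published: bool
    cost_impact: int = 0   # value of the Cost Impact field, if one was entered
@dataclass
class Objective:
    name: str
    risks: list
    controls: list   # control test statuses: "pass", "fail" or "not_tested"
    issues: list
    is_framework: bool = False

def assurance(inherent_total, residual_total):
    """Overall Assurance = (Inherent - Residual) / Inherent; 0 when there is no inherent risk."""
    if inherent_total == 0:
        return 0.0
    return (inherent_total - residual_total) / inherent_total

def aggregate_treatments(linked):
    # Roll up the linked objectives the way the Assurance tab does.
    inherent = sum(r.inherent for o in linked for r in o.risks)
    residual = sum(r.residual for o in linked for r in o.risks)
    results = {s: sum(c == s for o in linked for c in o.controls)
               for s in ("pass", "fail", "not_tested")}
    # Only published issues created inside a linked objective reach Strategy.
    cost = sum(i.cost_impact for o in linked for i in o.issues if i.published)
    areas = {f"{o.name} (Framework)" if o.is_framework else o.name:
             assurance(sum(r.inherent for r in o.risks), sum(r.residual for r in o.risks))
             for o in linked}
    return {"overall_assurance": assurance(inherent, residual), "inherent": inherent,
            "residual": residual, "results": results, "cost_impact": cost,
            "treatment_areas": areas}

# Constructed sample: two linked treatments, plus one objective that was never linked.
LINKED = [
    Objective("Selection & Acquisition", [OperationalRisk(10, 4), OperationalRisk(8, 8)],
              ["pass", "pass", "fail"], [Issue(True, 5000), Issue(False, 9000)]),
    Objective("Performance Monitoring", [OperationalRisk(6, 3)],
              ["not_tested", "pass"], [Issue(True, 2500)], is_framework=True),
]
UNLINKED = Objective("Identify", [OperationalRisk(20, 20)], ["fail"], [Issue(True, 1_000_000)])
def assurance_dashboard():
    return aggregate_treatments(LINKED)   # UNLINKED contributes nothing, however severe
```

With this data the dashboard reports Overall Assurance 0.375 ((24 - 15) / 24), three passing, one failing and one untested control, and a Cost Impact of 7500; the unpublished 9000 issue and the unlinked objective are excluded.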