Purpose: To set the details of a control once attached to a risk.
To Access: Risk Management - Risk Evaluation (or Risk Review) - select a control - select Edit from the Risk Select Action dropdown list.
Data fields:
Risk Name - a short description of the risk. Cannot be changed here. See Changing Library Data.
Description of Risk - full description of the risk. Cannot be changed here. See Changing Library Data.
Risk Context - definition of the external and internal parameters that organisations must consider when they manage risk.
Risk Owner - the person responsible for managing the risk.
Risk Category - Select up to three levels of risk categories for the risk. The hierarchical risk categories are set up in the Administration module by the system administrator.
Cause of Risk - The factor or event that gives rise to the risk. More than one cause can be entered.
Financial Statement Assertion - the assertion made in the financial statements that may be impacted by the risk. A new assertion can be added by clicking the New button above the dropdown list.
Risk No - a reference number for the risk.
Risk Appetite Statement - When a risk category has been selected from the Risk Category dropdown lists and that category has a risk appetite statement (entered via the Risk Category Maintenance function in the Administration module), click the link to retrieve the statement. The system first looks for a statement on the lowest-level risk category selected; if there is none, it falls back to the second-level category, and then to the first-level category. If none of the selected categories has a risk appetite statement, the field is left blank. The retrieved statement can be edited to suit the nature of the specific risk. The risk appetite statement should support the Acceptable Residual Risk level.
Acceptable Residual Risk (Risk Appetite) - Select an acceptable residual risk level for this risk and/or enter the monetary value of the residual risk that the organisation is willing to accept for this risk. This is a reflection of the organisation's risk appetite.
Consequence - select an appropriate consequence level from the dropdown list. If a rating guide has been prepared (in the Administration module), click the link to open the consequence rating guide.
Likelihood - select an appropriate likelihood level from the dropdown list. Click the link to open the likelihood rating guide.
Value at Risk (Inherent Risk Value) - the monetary value of the inherent risk, before any controls are applied.
Value at Risk (Residual Risk Value) - the monetary value of the risk after application of the implemented controls. Once an inherent risk value has been entered, you can either let the system calculate the residual risk value by clicking the Calc button, or calculate the value yourself by another method and enter it manually.
Accept Residual Risk - whether the residual risk, if any, is accepted by the operation. A residual risk may be accepted by the operation based on the materiality of the consequence and offsetting influence of other controls. A reason should be given for accepting the residual risk. Click the Reason button to enter the reason. Where a residual risk is not accepted, an action plan should be entered by clicking the Action Plan button.
Effect - a description of the effect of the risk for reporting purposes. A new effect can be added by clicking the New button next to the dropdown list.
Comment - any notes or comments on the risk that are not captured elsewhere. The system administrator can make this field compulsory whenever the risk rating is changed.
The result of the risk evaluation is summarised in real time for both the current risk and the targeted risk (if all proposed and agreed controls were implemented). Click the Current Risk or the Targeted Risk button to view the respective results.
The blue line on the Heat Map marks the Acceptable Residual Risk level: the residual risk (RR) is acceptable if it plots to the left of the blue line and unacceptable if it plots to the right of the line.
If any incidents are linked to this risk, they are listed. You can view (but not modify) an incident by clicking its Open link, provided you are authorised to view that incident.
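The category fallback described under Risk Appetite Statement and the blue-line acceptability test above, as an added Python illustration that is not the product's own code. The rating scale, category names, appetite statements and sample risk are constructed for the example, and treating a residual rating equal to the Acceptable Residual Risk level as acceptable is an assumption (the page only says that risk to the left of the line is acceptable and to the right is not).

```python
from dataclasses import dataclass

# Constructed assumption: an ordered rating scale, lowest to highest. The
# real scale is whatever the system administrator has configured.
RISK_LEVELS = ["Low", "Moderate", "High", "Extreme"]

# Constructed sample data: risk appetite statements keyed by category, as they
# might be entered via Risk Category Maintenance. Not every category has one.
APPETITE_STATEMENTS = {
    "Operational": "Moderate operational risk is accepted where controls are cost-effective.",
    "Operational/IT": "IT outages affecting customers must be held to Low residual risk.",
    # "Operational/IT/Cyber" deliberately has no statement of its own.
}


def resolve_appetite_statement(statements, selected_categories):
    """Return the statement for the lowest selected category level, falling
    back to the second level, then the first; blank if none is found.

    selected_categories runs from the first (top) level to the lowest level,
    e.g. ["Operational", "Operational/IT", "Operational/IT/Cyber"].
    """
    for category in reversed(selected_categories):
        statement = statements.get(category, "")
        if statement:
            return statement
    return ""


def residual_is_acceptable(residual_level, acceptable_level):
    """True when the residual risk sits on or to the left of the blue line.

    Assumption: a residual rating equal to the acceptable level counts as
    acceptable; only ratings above it fall to the right of the line.
    """
    return RISK_LEVELS.index(residual_level) <= RISK_LEVELS.index(acceptable_level)


@dataclass
class RiskEvaluation:
    name: str
    categories: list          # first level to lowest level
    acceptable_residual: str  # Acceptable Residual Risk (Risk Appetite)
    current_residual: str     # rating with implemented controls only
    targeted_residual: str    # rating if all proposed and agreed controls were implemented
    residual_accepted: bool   # the Accept Residual Risk decision
    reason: str = ""          # text entered behind the Reason button
    action_plan: str = ""     # text entered behind the Action Plan button


def summarise(ev, statements=APPETITE_STATEMENTS):
    """Mirror what the form shows: the resolved appetite statement, whether the
    current and targeted risk fall within appetite, and which follow-up text
    (reason or action plan) is still missing for the acceptance decision."""
    missing = []
    if ev.residual_accepted and not ev.reason:
        missing.append("reason for accepting residual risk")
    if not ev.residual_accepted and not ev.action_plan:
        missing.append("action plan for unaccepted residual risk")
    return {
        "appetite_statement": resolve_appetite_statement(statements, ev.categories),
        "current_within_appetite": residual_is_acceptable(ev.current_residual, ev.acceptable_residual),
        "targeted_within_appetite": residual_is_acceptable(ev.targeted_residual, ev.acceptable_residual),
        "missing": missing,
    }


if __name__ == "__main__":
    # Constructed sample risk: the lowest category has no statement, so the
    # Operational/IT statement is retrieved; current risk is outside appetite,
    # targeted risk is within it, and no action plan has been entered yet.
    sample = RiskEvaluation(
        name="Ransomware on customer billing platform",
        categories=["Operational", "Operational/IT", "Operational/IT/Cyber"],
        acceptable_residual="Moderate",
        current_residual="High",
        targeted_residual="Moderate",
        residual_accepted=False,
    )
    for key, value in summarise(sample).items():
        print(f"{key}: {value}")
```

The fallback walks the selected categories from the lowest level upward and stops at the first non-empty statement, so a blank statement on a lower level does not hide a parent's statement; a category outside the sample data simply yields an empty field.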
Additional functions:
See also:
Defining consequence and likelihood in risk rating