Risk Management
The risk management process can be linked to organizational parts, processes, strategies, resources or external parties, and so supports most risk methods, such as strategic, operational, ERM and aggregated risk portfolio.
Risks are identified, assessed and handled, either through mitigating actions or by connecting them to controls. The approval process is set up according to selected parameters. A risk report is created, and its generation can also be scheduled. Risk aggregation is supported. For each risk, a metric is calculated, which facilitates communication within the organization, and the risk register is given a result for the total.
Prep & ID
In this preparatory step, the risks to be assessed are identified. A number of tools support this. Connections can be made to goals, incidents, threats, vulnerabilities, existing controls and risk libraries.
The scope is specified by which organizational parts are included, which can be visualized in diagrams. Purpose and method are described. Teams and responsibilities are specified.
The risk register is configured with periods and permissions, as well as an approval process.
Risks are identified, with a justification of why each particular risk is selected. Risk owners are appointed.
Assessment
The identified risk is assessed. Additional categorizations and descriptions can be made, and the risk can be connected to, for example, affected organizational parts, processes and assets.
Assessment can be quantitative or qualitative. Scales and categories for probability, consequence and impact are configured dynamically.
A qualitative risk can be assessed, for example, on a 1-4 scale and presented in a risk matrix. The risk value can be converted to a percentage, which facilitates risk reporting.
Quantitative risks can be given a three-point probability estimate (maximum, most probable and least) and visualized as a so-called BETA distribution.
The total risk register can be given an overall assessment, for example on the basis of a predefined scale.
Handling
In the handling step, it is possible to create mitigating actions to reduce the risk. Two main methods are used.
Risk reduction by creating a mitigating action. The cost can be calculated, and the action's type, responsible person, due date and connections to other risks that the action reduces can be specified.
Risk reduction by connecting the risk to a control. The control can be selected from the control library; this is a common method within control and auditing.
Once the risk has been handled, a new risk assessment can be made that takes the planned actions into account. This is usually called the net risk, while the initial assessment is the gross risk.
Aggregation
Aggregation of risks is done by creating a new risk register, for example at the highest level in the organization. The risks of the underlying units can be linked to the respective aggregated risks.
For aggregation, the iFACTS connectivity functionality is used. Here, all parts of the information model are visualized, e.g. organizations, processes, assets, risks, threats and incidents, and these can be linked to the aggregated risk together with their results. The result is visualized as a dependency graph.
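The calculations behind the Assessment, Handling and Aggregation steps above are easier to follow with numbers in hand. The following is an added, constructed illustration and not iFACTS code: it scores risks on an assumed 1-4 probability and consequence scale, converts the matrix value to a percentage of the worst cell, keeps a gross (initial) and net (after planned actions) assessment per risk, summarizes a three-point probability estimate with the PERT beta approximation (mean = (min + 4·mode + max) / 6, an assumed formula), and rolls the risks of underlying units up into an aggregated register. The band thresholds, the aggregation rule (average matrix value) and the sample risks are all assumptions.

```python
"""Worked risk-register calculations: gross/net scoring, percentage conversion,
three-point (beta/PERT) probability estimate and register aggregation.
Constructed illustration, not iFACTS code; every scale, threshold and formula
below is an assumption."""
from dataclasses import dataclass, field
from typing import List, Optional

SCALE_MAX = 4  # assumed 1-4 scale for both probability and consequence


def _check_scale(value: int, label: str) -> int:
    """Reject values outside the configured 1..SCALE_MAX scale."""
    if not 1 <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be in 1..{SCALE_MAX}, got {value}")
    return value


@dataclass
class Risk:
    """One risk in a register: gross (initial) and optional net (after actions)."""
    name: str
    probability: int
    consequence: int
    net_probability: Optional[int] = None
    net_consequence: Optional[int] = None

    def __post_init__(self) -> None:
        _check_scale(self.probability, "probability")
        _check_scale(self.consequence, "consequence")
        if self.net_probability is not None:
            _check_scale(self.net_probability, "net_probability")
        if self.net_consequence is not None:
            _check_scale(self.net_consequence, "net_consequence")

    def gross_score(self) -> int:
        """Risk-matrix value before any mitigating action (probability x consequence)."""
        return self.probability * self.consequence

    def net_score(self) -> int:
        """Risk-matrix value after planned actions; an axis left unchanged keeps its gross value."""
        p = self.probability if self.net_probability is None else self.net_probability
        c = self.consequence if self.net_consequence is None else self.net_consequence
        return p * c


def score_to_percent(score: int) -> float:
    """Express a matrix value as a percentage of the worst cell (4 x 4 = 16)."""
    return 100.0 * score / (SCALE_MAX * SCALE_MAX)


def matrix_band(score: int) -> str:
    """Map a matrix value onto an assumed three-band predefined scale."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def pert_estimate(minimum: float, most_likely: float, maximum: float) -> dict:
    """Summarize a three-point probability estimate with the PERT beta approximation:
    mean = (min + 4*mode + max) / 6, std dev = (max - min) / 6 (assumed formula)."""
    if not minimum <= most_likely <= maximum:
        raise ValueError("expected minimum <= most likely <= maximum")
    return {
        "mean": (minimum + 4 * most_likely + maximum) / 6,
        "stddev": (maximum - minimum) / 6,
    }


@dataclass
class RiskRegister:
    """A register for one organizational unit; children are the underlying units
    whose risks are linked into this (aggregated) register."""
    name: str
    risks: List[Risk] = field(default_factory=list)
    children: List["RiskRegister"] = field(default_factory=list)

    def all_risks(self) -> List[Risk]:
        """Own risks plus those of every linked underlying unit, recursively."""
        found = list(self.risks)
        for child in self.children:
            found.extend(child.all_risks())
        return found

    def total(self, net: bool = False) -> int:
        """Sum of matrix values across this register and every linked unit."""
        return sum(r.net_score() if net else r.gross_score() for r in self.all_risks())

    def overall_assessment(self, net: bool = False) -> str:
        """Overall rating of the register on the predefined scale, taken from the
        average matrix value of all linked risks (assumed aggregation rule)."""
        risks = self.all_risks()
        if not risks:
            return "low"
        return matrix_band(round(self.total(net) / len(risks)))


if __name__ == "__main__":
    # Constructed sample registers: two units linked into a group-level register.
    unit_a = RiskRegister("Unit A", [Risk("Ransomware on file servers", 3, 4, net_probability=2)])
    unit_b = RiskRegister("Unit B", [Risk("Vendor contract lapse", 1, 2)])
    group = RiskRegister("Group", children=[unit_a, unit_b])
    for r in group.all_risks():
        print(r.name, "gross", r.gross_score(), f"({score_to_percent(r.gross_score()):.1f}%)",
              "net", r.net_score(), matrix_band(r.net_score()))
    print("group gross total:", group.total(), "net total:", group.total(net=True))
    print("group overall (net):", group.overall_assessment(net=True))
    print("three-point estimate (percent):", pert_estimate(10, 20, 60))
```

Running the block prints the gross and net values per risk, the aggregated totals for the group register, and the mean and standard deviation of the three-point estimate; the gross score of 12 for the first sample risk corresponds to 75 % of the worst matrix cell, and the planned action lowers its net score to 8.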
Risk Report
The risk report can be created from all existing parts of the risk process, e.g. description, purpose, analysis, team, risks, results, approval.
The report is built with the SSRS tool, can be linked to permissions, and can be distributed to the relevant parts of the organization.
The risk report can also be connected to a follow-up or reporting schedule.