Risk Management

Learn how to implement Asset, Third Party and Business Risk Management in eramba. Given the large number of relationships that Risks have with other modules, this course is probably the longest in our entire curricula.

  • Episodes: 11
  • Duration: 50m 14s
  • Languages: EN
Episode 9

Creating Risks

How to create items in the module

Introduction

This episode describes how a Risk is created and which fields are key. To complete these steps you should have by now identified all your Risk inputs and solutions.

Whether you plan to use CSV imports or the API, we still recommend trying the web interface for your first Risks, to get used to the form and adjust custom fields as needed.

A form will then appear. Most of the fields should be pretty obvious by now after you have identified Risk inputs and solutions, but some might not be straightforward, so we’ll cover them in more detail in this guide.

Risk Roles

Every Risk has two roles, “Risk GRC Contact” and “Risk Originator Contact.” These must be assigned to an eramba user or group (recommended option) based on your Risk Identification process.

  • Risk Originator Contact: the person who performs an activity that creates a Risk. For example, if finance wishes to keep money in the office then that would produce a Risk. The finance department would then be the originator.
  • Risk GRC Contact: the person that has an interest in the Risk to be documented and treated. Typically, this role falls under the GRC team.

It is very important that you take a consistent approach to these roles, because notifications are sent to them and you want the right people to receive them. We also typically advise assigning groups rather than users (as shown in the screenshot above). A group contains more than one user, which increases the chances of getting feedback.

Risk Review

You will need to provide a Review Date where both parties will discuss the Risk, its Inputs and Solutions.

The review process is discussed in detail later on in the roll-out phase implementation.

Analysis Tab

The Analysis tab is where the Risk is described as it was initially found and classified based on your settings. This form changes depending on which Risk module you are using because the inputs to the risk will differ.

In the “Asset Risk” module you will need to provide one or more assets from the Asset Module. This means you need to create your Assets before your Risks. We sometimes recommend creating a “Generic Asset” for cases where you want to create a Risk quickly and attach the right asset later.

Threats and Vulnerabilities (from a database you can find under “Settings”) will be suggested automatically based on the Asset “Type”. You can add or remove threats and vulnerabilities as you wish.

In the “Business Impact Analysis” module you will need to provide a Business Unit from the BU module and one or more Processes belonging to the selected BUs. This means you need to create Business Units and Processes before your Risks.

Based on your Processes’ continuity settings, eramba will calculate the summarized Revenue Per Hour, MTO and RTO figures.

Treatment Tab

The Treatment tab is where you describe what the organization wants to do about each Risk. You will provide eramba with one of the following four options: Accept, Transfer, Avoid or Mitigate. This should already be clear to you from the previous phases (Risk Solutions identification and creation).

For each one of these options and based on the settings defined under “Settings” / “Treatment Options” you will need to provide: Internal Controls, Policies, Exceptions and Projects.

In the Business Impact module you also have the option to link Continuity Plans. After you have defined your Treatment strategy, you need to classify the risk once again, this time taking into account the treatment you selected.

Response Plan

So you have agreed and documented that a problem exists and that, despite its low likelihood, it can still happen. It makes sense to draw up a plan you will follow if it does. Here you can choose a procedure from the Policy Module to follow when a Risk materializes.

Custom Tabs

We recommend you create a custom field/tab where you can document the status of your Risks. We typically use a single-select dropdown to which Dynamic Status is applied.

Spreadsheets

If you plan to create Risks with spreadsheets then you need to keep in mind that multiple CSV imports will be required. We typically prepare one spreadsheet with one tab for each associated Risk module item.

The Risk Input phase is recorded directly on this sheet, and the same goes for the Risk Solution items and the Risks themselves. Once the assessment is concluded, all the information is on the sheet and can be imported one step at a time.

If you already have sheets with your Risks, you will follow the same process but copy/paste columns as needed to fit that data into our CSV templates.
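Because Assets, Business Units and Processes must exist before the Risks that reference them, and both Risk roles must be assigned, it helps to check each spreadsheet tab for dangling references before importing it. The following is an added example, not eramba code: the sample tabs are constructed here and the column names are assumed placeholders, not eramba's real CSV template headers.

```python
import csv

# Constructed sample "tabs", one per module item, in dependency order. Column
# names are assumed placeholders, not eramba's real CSV template headers.
ASSETS_CSV = "name,type\nCustomer Database,Database\nGeneric Asset,Generic\n"
BUSINESS_UNITS_CSV = "name\nFinance\n"
PROCESSES_CSV = "name,business_unit\nPayroll,Finance\nInvoicing,Finance\n"
ASSET_RISKS_CSV = (
    "title,assets,grc_contact,originator_contact\n"
    "Unauthorised DB access,Customer Database|Generic Asset,GRC Team,DBA Team\n"
    "Lost backup tapes,Backup Tapes,GRC Team,\n"  # no originator, unknown asset
)
BIA_RISKS_CSV = (
    "title,business_unit,processes\n"
    "Payroll outage,Finance,Payroll|Procurement\n"  # Procurement was never created
)

def rows(text):
    return list(csv.DictReader(text.splitlines()))

def check_asset_risks(assets_csv, risks_csv):
    """Return (risk title, problem) pairs; an empty list means the tab is importable."""
    assets = {r["name"] for r in rows(assets_csv)}
    problems = []
    for r in rows(risks_csv):
        # Both Risk roles must be assigned before the Risk is created.
        for role in ("grc_contact", "originator_contact"):
            if not r[role].strip():
                problems.append((r["title"], f"missing {role}"))
        # Every referenced Asset must already exist in the Asset module.
        for asset in r["assets"].split("|"):
            if asset not in assets:
                problems.append((r["title"], f"unknown asset {asset}"))
    return problems

def check_bia_risks(bus_csv, processes_csv, risks_csv):
    """Same idea for BIA Risks: the BU and each Process within that BU must exist."""
    bus = {r["name"] for r in rows(bus_csv)}
    procs = {(p["business_unit"], p["name"]) for p in rows(processes_csv)}
    problems = []
    for r in rows(risks_csv):
        bu = r["business_unit"]
        if bu not in bus:
            problems.append((r["title"], f"unknown business unit {bu}"))
            continue
        for proc in r["processes"].split("|"):
            if (bu, proc) not in procs:
                problems.append((r["title"], f"unknown process {proc} in {bu}"))
    return problems
```

Run the two checks over each tab in dependency order (Assets, then Asset Risks; Business Units, Processes, then BIA Risks) and fix every reported row before uploading that tab.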