Risk Management

Learn how to implement Asset, Third Party and Business Risk Management in eramba. Given the large number of relationships that Risks have with other modules, this course is probably the longest in our entire curricula.

  • Episodes: 11
  • Duration: 50m 14s
  • Languages: EN
Episode 11

Reviewing Risks

How to review items on the module

Introduction

Every time an item is created in the Risk module, eramba will automatically create two reviews for that Risk.

  • One will be automatically completed and will be used by eramba to track the starting point of that Risk.
  • The other will be incomplete, with a "Planned Date" set on the day you asked eramba to review the Risk in the future.

Changes to the next review date are handled by working with reviews (as opposed to simply editing the Risk item). For this reason it is very important that you understand how reviews work.

Review Tab

Your reviews will be stored in the Review tab, not in the Risk tab.

If you want to access all reviews for any given risk you can always use the shortcut counter.

Reviewer Role

When eramba (or you) creates review records, by default eramba assigns the "Reviewer" role of the review record to whoever was set on the parent asset as "Risk Originator Contact".

In the screenshot above we show a Risk where the role is held by the group "IT Teams". In the screenshot below, showing the review records for this Risk, we can see that the "Reviewer" role is held by that same group.

Changing the role in the parent item will automatically update all incomplete reviews. You can define who inherits review records by going to settings / Reviewers.

Changes to this setting take effect immediately, updating all incomplete reviews. All new review records will use this setting. Remember that you can create custom roles in the parent item (Approver, Supervisor, etc.) and include those custom roles as part of your reviews as well.

Review Attributes

A review record is composed of the following fields:

  • Planned Date: when the review is supposed to be completed
  • Actual Date: when the review was completed
  • Description: a brief description of this review; this field is filled in once the review is completed
  • Reviewer: the team meant to lead the completion of the review. By default this field inherits whoever you set on the Risk in the "Risk Originator Contact" role
  • Next Review Date: every time you complete a review you need to record when the next review will take place

A completed review will have all of those fields filled in. An incomplete review will have all fields empty except "Planned Date" and "Reviewer".

Comments & Attachments

Each review record holds a review and its attributes (version, when it was done, by whom, etc.). You will also need to record the interactions that took place to get all of that done (approvals, discussions about the content, etc.).

For these types of interactions we use Comments & Attachments. In theory, every review should have some recorded discussion that explains the interactions between both parties (the GRC team and whoever the review is being done with).

When you or the person providing feedback clicks on Comments & Attachments, they can write whatever they want, for example, "We are reviewing the Risk, we will let you know". You can then click there as well and reply. In the end, a trail of conversation will be logged in which "who", "wrote what" and "when" are evident.

It is of course important to remember that access to those menus is completely controlled by Access Lists, so you can, for example, remove the "Remove" function from those who provide you with feedback.

Review Status

eramba ships with pre-defined statuses that distinguish between the current review and past (completed) or future (planned) reviews. These statuses are defined on the "Status" menu and can of course be renamed to whatever works best for you.

  • Planned: an incomplete review with a planned date in the future
  • Completed: a completed review record
  • Current: the last completed review record (based on the actual date)

Review Scenarios

When a Risk is created for the first time (using the web interface or CSV templates), two “review” records will be created automatically and stored on the “Reviews” tab.

From this point onwards, the following typical scenarios might occur:

  • A non-planned (Ad-Hoc) review must take place to review the Risk
  • The planned review is due or is about to be due and you would like to complete the review record
  • An existing, incomplete review with a Planned Date in the future needs to be corrected because the review date or the "Reviewer" is wrong
  • You would like to delete a review record
  • You don't want to track reviews in eramba

Each of these situations is handled with the process explained in the coming sections of this episode.

Ad-Hoc Review

If you need to create an Ad-Hoc review, go to the Review tab and click on Actions and then Add.

On the "Risk" tab you tell eramba which existing Risk in the Risk module requires a new review.

On the "Current" tab you describe the reasons for the risk review.

Then simply save the review record.

Planned Review

If you want to complete a planned review because it is just about to be due or is already past due, you just need to edit the review record and complete the fields as requested:

You must complete all fields on the "Current Review" tab; these fields reflect the review you are working on.

The "Next Review" tab is used to tell eramba when the next review must be completed and by whom.

Once you save this review record you will have completed the Review and added a new, incomplete, review for that date in the future.
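The review lifecycle described in the "Reviewer Role", "Review Status" and "Planned Review" sections can be summarised as a small model: creating a Risk yields one auto-completed baseline review plus one planned review, completing a planned review appends the next incomplete review, the "Current" status is derived from the latest actual date, and changing the "Risk Originator Contact" on the parent item updates only incomplete reviews. The following Python script is an added illustration of that logic, not eramba's own code; the class and function names, the sample Risk and the dates are constructed for the example, and the `overdue_reviews` helper encodes an assumption (an incomplete review whose planned date has passed) that the page itself does not define.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Review:
    """One review record with the attributes listed under 'Review Attributes'."""
    planned_date: date
    reviewer: str                          # inherited from the Risk's "Risk Originator Contact"
    actual_date: Optional[date] = None     # set only once the review is completed
    description: str = ""
    next_review_date: Optional[date] = None

    @property
    def completed(self) -> bool:
        return self.actual_date is not None


@dataclass
class Risk:
    name: str
    risk_originator_contact: str
    reviews: List[Review] = field(default_factory=list)


def create_risk(name: str, originator: str, first_review_date: date, today: date) -> Risk:
    """Creating a Risk yields two reviews: a completed baseline and a planned one."""
    risk = Risk(name, originator)
    risk.reviews.append(Review(planned_date=today, reviewer=originator, actual_date=today,
                               description="Baseline (auto-completed on creation)",
                               next_review_date=first_review_date))
    risk.reviews.append(Review(planned_date=first_review_date, reviewer=originator))
    return risk


def review_status(risk: Risk, review: Review) -> str:
    """Planned / Completed / Current, as defined under 'Review Status'."""
    if not review.completed:
        return "Planned"
    latest = max((r for r in risk.reviews if r.completed), key=lambda r: r.actual_date)
    return "Current" if review is latest else "Completed"


def statuses(risk: Risk) -> List[str]:
    """Status of every review of the Risk, in creation order."""
    return [review_status(risk, r) for r in risk.reviews]


def complete_review(risk: Risk, review: Review, today: date, description: str,
                    next_review_date: date, next_reviewer: Optional[str] = None) -> Review:
    """Completing a planned review fills the 'Current Review' fields and, from the
    'Next Review' tab, appends a new incomplete review for the chosen future date."""
    if review.completed:
        raise ValueError("review is already completed")
    if next_review_date <= today:
        raise ValueError("next review date must be in the future")
    review.actual_date = today
    review.description = description
    review.next_review_date = next_review_date
    new_review = Review(planned_date=next_review_date,
                        reviewer=next_reviewer or risk.risk_originator_contact)
    risk.reviews.append(new_review)
    return new_review


def set_risk_originator(risk: Risk, contact: str) -> int:
    """Changing the role on the parent Risk updates only incomplete reviews.
    Returns how many review records were updated."""
    risk.risk_originator_contact = contact
    changed = 0
    for r in risk.reviews:
        if not r.completed:
            r.reviewer = contact
            changed += 1
    return changed


def overdue_reviews(risk: Risk, today: date) -> List[Review]:
    """Assumption (not defined on the page): an incomplete review whose planned
    date has already passed is overdue and should be completed or corrected."""
    return [r for r in risk.reviews if not r.completed and r.planned_date < today]


if __name__ == "__main__":
    # Constructed sample Risk and dates
    risk = create_risk("Unpatched VPN appliance", "IT Teams", date(2024, 7, 15), date(2024, 1, 15))
    print(statuses(risk))                                  # ['Current', 'Planned']
    complete_review(risk, risk.reviews[1], date(2024, 7, 16),
                    "Reviewed with IT Teams; treatment unchanged", date(2025, 1, 15))
    print(statuses(risk))                                  # ['Completed', 'Current', 'Planned']
    print(set_risk_originator(risk, "Security Team"))      # 1 (only the planned review changes)
```

Note that `set_risk_originator` leaves completed records untouched, which is what preserves the audit trail of who actually reviewed the Risk at each point in time; the "Current" status is recomputed from actual dates rather than stored, so deleting or correcting a record cannot leave two reviews marked current.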

Updating Planned Reviews

If a planned review date or the assigned reviewer is not correct, simply follow the same steps as when a normal planned review is completed (previous section). Just keep the version and, in the description field, mention that the date is wrong and needs to be updated.

On the "Next Review" tab you will be able to provide a new future review date and reviewer.

Deleting Reviews

In some cases you might need to delete reviews; for example, there may be an incomplete review that can be deleted because newer reviews are already defined. Simply use the item menu for that review and delete it.

Avoid Doing Reviews

If you don't want to do reviews in eramba, simply delete them. You can use the bulk delete function for this.

Review Process

As mentioned before the review process is typically an interaction between two roles, the "GRC Contact" and the "Risk Originator Contact".

There are two ways in which the review process can be executed, offline and online:

Off-line

This is the recommended method for organisations that are not used to eramba or have not been doing reviews in an automated way. The review process is:

  • eramba may or may not send notifications to both roles letting them know about the upcoming review
  • The "GRC Contact" discusses the review with the "Risk Originator Contact" over email, in person, etc.
  • The "GRC Contact" completes the review record in eramba
  • The "GRC Contact" uploads evidence as Comments & Attachments on the review

Online

This is the recommended method for organisations that are used to eramba or have been doing reviews in an automated way. The review process is:

  • eramba must send notifications to both roles before or after the review's planned date
  • The email notification includes a link on which the "Risk Originator Contact" must click in order to log into eramba
  • eramba shows the review record; the "Risk Originator Contact" clicks on Comments & Attachments and provides feedback
  • eramba triggers a notification to both roles that a new comment has been created
  • Both parties repeat these interactions until the review is defined
  • The "GRC Contact" edits the review and completes it. All evidence of the review is already on the review record as Comments & Attachments.