Introduction
Repeated risk assessments are key to the risk management process.
We distinguish inherent versus repeated residual assessments:
Inherent Risk Assessment: Evaluates the natural level of risk that exists in the absence of any controls or mitigation measures. This initial assessment identifies potential threats and their likely impact and likelihood, providing a baseline understanding of the raw risk the organisation faces in its operations or strategic initiatives.
Residual Risk Assessment: Evaluates the level of risk that remains after controls and mitigation strategies have been implemented. This assessment measures the effectiveness of existing risk management efforts, indicating the extent to which risks have been reduced and identifying any remaining vulnerabilities that may still need to be addressed.
The frequency of residual risk assessment is down to your risk management policy and may vary between risks or risk categories. It can be defined for the risk in the General form and can generate assessment tasks with due dates to serve as reminders (if the associated workflow is deployed).
Assessment Main Screen
Navigating to the Assessment tab of the risk shows the following screen:
Assessment History Graph
Shows the Risk Rating scores of previous assessments for this risk over time as a graph. Gives you an instant view of the assessment trend.
Appetite Overrides
Shows the 'Management Approach' relevant to the current Risk Rating, as defined via the Risk Category. Change Override Appetite Thresholds? to 'Yes' to reveal fields for specifying override values for the Risk Appetite and Tolerance thresholds. The values shown are the defaults defined for the Risk Category; change them if those defaults are not to be applied to this risk.
Inherent & Most Recent Residual Assessment
Shows the two key assessments for this risk: the original inherent assessment and the current residual assessment.
Assessment List
The list of all assessments on file for this risk.
Creating a Risk Assessment
Click + New Risk Assessment above the Assessment List.
Risk Assessment Form
The fields in the form are explained below:

| Field | Comment |
| --- | --- |
| Assessment Type | Filled in by the system (Inherent for the initial assessment, Residual for subsequent ones) |
| Assessment Date | Enter the date the assessment took place. |
| Comments | Add relevant comments, e.g. describing your considerations for the assessment scores applied |
| Assessment Guidance | This field is shown as entered in the General Form, to provide guidance to be considered by the user when deciding Likelihood and Consequence scores for this assessment |
| Likelihood | Select one of the following to reflect the likelihood relating to this Risk: (1) Rare (2) Unlikely (3) Possible (4) Likely (5) Almost Certain |
| Consequence | Select one of the following to reflect the consequences relating to this Risk: (1) Insignificant (2) Minor (3) Moderate (4) Major (5) Extreme |
| Risk Rating from Category | This field is automatically calculated and updated as the Assessment is saved, based on the Likelihood and Consequence scores. It shows the RAG (Red-Amber-Green) status for these scores as per the settings defined for the Risk Category. |
| Rating: Likelihood x Consequence | This field is calculated as the Assessment is saved, by multiplying the Likelihood and Consequence scores |
Note: The Risk Assessment name will Auto-Populate (on Save) and cannot be modified by the user.
Risk Rating and Appetite RAG
The Risk Rating (calculated as Likelihood x Consequence as explained above) is converted to the overall Risk RAG as well as the Appetite RAG. The RAGs resulting from the most recent risk assessment are shown for the risk at the top of the risk screen as well as in views and reports. Having saved the assessment, you may need to refresh the screen for these to be updated (it may take a few seconds, as a business rule has to execute).
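The following is an added worked model of the calculation described on this page (the form fields, the Appetite Overrides section, and the Risk Rating and Appetite RAG section); it is illustrative code written for this page, not the tool's own implementation. It assumes that a RAG is derived from two cut-offs (a rating at or below the lower cut-off is Green, at or below the upper cut-off is Amber, above it Red), that for the Appetite RAG those cut-offs are the Appetite and Tolerance thresholds, and that the first assessment saved for a risk is the Inherent one. The threshold numbers and the sample risk are constructed, since the page does not state any.

```python
"""Model of the Risk Assessment form: score, Risk RAG, Appetite RAG, history.

Illustrative code for this page (not the tool's own implementation). The
threshold values and the sample risk in the test are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Score scales as listed in the form (1-5 on both axes).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}


@dataclass(frozen=True)
class Thresholds:
    """Two cut-offs that split a 1-25 rating into Green / Amber / Red.

    Assumption: rating <= lower is Green, <= upper is Amber, otherwise Red.
    For the Risk RAG the pair comes from the Risk Category's rating settings;
    for the Appetite RAG the pair is (Appetite threshold, Tolerance threshold).
    """
    lower: int
    upper: int

    def rag(self, score: int) -> str:
        if score <= self.lower:
            return "Green"
        if score <= self.upper:
            return "Amber"
        return "Red"


@dataclass(frozen=True)
class RiskCategory:
    name: str
    rating: Thresholds    # default bands for the Risk RAG
    appetite: Thresholds  # default (Appetite, Tolerance) bands for the Appetite RAG


def risk_rating(likelihood: int, consequence: int) -> int:
    """'Rating: Likelihood x Consequence'; both inputs must be on the 1-5 scale."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must each be 1..5")
    return likelihood * consequence


@dataclass
class Assessment:
    assessment_date: date
    likelihood: int
    consequence: int
    comments: str = ""
    # Filled in by the 'system' (Risk.add_assessment), not by the user.
    assessment_type: str = field(init=False, default="")
    score: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.score = risk_rating(self.likelihood, self.consequence)


class Risk:
    """A risk with its category defaults, optional appetite override and history."""

    def __init__(self, name: str, category: RiskCategory,
                 appetite_override: Optional[Thresholds] = None) -> None:
        self.name = name
        self.category = category
        # Passing a pair here corresponds to 'Override Appetite Thresholds? = Yes'.
        self.appetite_override = appetite_override
        self.assessments: List[Assessment] = []

    def add_assessment(self, assessment: Assessment) -> Assessment:
        # Assessment Type: the first assessment is Inherent, later ones are Residual.
        assessment.assessment_type = "Inherent" if not self.assessments else "Residual"
        self.assessments.append(assessment)
        return assessment

    def effective_appetite(self) -> Thresholds:
        """Override values if set, otherwise the Risk Category defaults."""
        return self.appetite_override or self.category.appetite

    def current_rags(self) -> Tuple[str, str]:
        """(Risk RAG, Appetite RAG) derived from the most recent assessment."""
        latest = self.assessments[-1]
        return (self.category.rating.rag(latest.score),
                self.effective_appetite().rag(latest.score))

    def history(self) -> List[int]:
        """Scores over time: the data series behind the Assessment History Graph."""
        return [a.score for a in self.assessments]

    def inherent_and_latest_residual(self) -> Tuple[Optional[Assessment], Optional[Assessment]]:
        """The two key assessments shown on the Assessment tab."""
        inherent = self.assessments[0] if self.assessments else None
        residual = next((a for a in reversed(self.assessments)
                         if a.assessment_type == "Residual"), None)
        return inherent, residual
```

With constructed category bands of (4, 12) for the Risk RAG and (6, 15) for appetite/tolerance, an inherent score of 4 x 5 = 20 is Red on both RAGs, and a residual score of 2 x 3 = 6 drops to Amber for the Risk RAG and Green for the Appetite RAG; supplying a stricter override pair such as (4, 8) for the same risk turns that Appetite RAG Amber, which is the effect the Appetite Overrides section describes.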