Risk Management Process
 
Modeling the environment
Identifying, analyzing and assessing risks
Remediating Risks
Risk Control Monitoring and Policy
Information and communication
Associated with all the products in the HOPEX suite, HOPEX Risk Mapper is used to model the environment, assess risks in order to mitigate them and, last but not least, control them with an efficient control policy.
The process recommended by HOPEX therefore comprises the following steps:
Modeling the environment
Risks must be managed in the context of the external and internal environments of the organization, its strategic objectives and the specific objectives of the risk management activity.
The external environment describes the setting in which the organization operates as well as its relationships with this environment.
*For more details, see "External Environment".
The internal environment describes the organization. This ensures that risk management acknowledges the major objectives and constraints of the organization.
*For more details, see "Internal Environment".
The risk management context is essentially linked to the objectives that the enterprise pursues through its risk management process.
*For more details, see "Risk Management Context".
Identifying, analyzing and assessing risks
It is necessary to identify the risks concerned, then analyze and assess them to get the elements required for their treatment.
Identifying Risks
It is necessary to determine where, when, why and how events might prevent, degrade, delay or improve the achievement of the organization's objectives.
Internal and external events affecting the achievement of entity objectives must be described with the distinction made between risks and opportunities. The opportunities can then be used to form management strategy or in objective-setting processes.
More specifically, several risk identification methods can be proposed depending on the context:
Method based on organization objectives achievement
Method based on lists of risk types, risk factors or controls applied to an appearance context
Method based on historical data (databases of incidents, claims, faults, etc.)
*For more details, see "Identifies risks".
Analyzing Risks
This consists of completing the identification of each risk by indicating precisely what could occur, where, when, why, and how it could arise. This analysis could reveal new risks that were not directly identified in the previous step. The effectiveness of existing controls that could prevent this risk is also assessed.
*For more details, see "Risk Analysis".
Assessing Risks
After having identified and analyzed the risks faced by the enterprise, the next step is to estimate their importance so as to highlight the most important risks to be remediated.
Risks are assessed taking into account:
their occurrence frequency
their impact
*For more details, see "Assessing Risks".
Remediating Risks
Risk assessment is therefore an essential step in obtaining a list of risks requiring remediation, indicating their priority.
The acceptable level for each risk is defined based on previous evaluations.
*For more details, see "Risk Treatment".
Remediating risks involves:
identification of the various options possible
assessment of these options
preparation and implementation of remediation plans:
"Implementing Action Plans"
"Controls"
Risk Control Monitoring and Policy
Policies and procedures are established and implemented to help ensure that risk responses are effectively carried out.
Monitoring is accomplished through ongoing management activities or independent assessments, or both.
The topics covered in this guide are:
"Control System Ongoing Improvement".
"Control Effectiveness Assessment".
"Incident and Loss Monitoring".
Information and communication
Relevant information is identified, collected, and communicated in a form and timeframe that enable collaborators to carry out their responsibilities. Effective communication should also occur in a broader sense, flowing downwards, across, and upwards in the entity.
Communication and consultation are important considerations at each step of the risk management process. They should involve dialog with stakeholders with efforts focused on consultation rather than a one-way flow of information from the decision-maker to other stakeholders.
*For more information on the functionalities offered by HOPEX, see HOPEX Common Features, which describes the tools specific to HOPEX solutions.