To access risks:

In the Environment desktop, click Risk Universe > Risks > All Risks.

The risks covered by a control system can be viewed in the Scope section of the control system page. For more details, see Controls.
To access the most important risks:

In the Environment desktop, click Risk Universe > Risks > Key Risks.
To access characteristics of a risk:

Select a risk from a list of risks or key risks and click the Properties button.
The properties page of the risk appears in the right pane.
On this page you can specify for the control:
• the risk identification Code
• the risk Name
• the fact that the risk is high level by selecting the Key Risk check box
• the risk Owner
• the risk Identification Mode
The risk could have been identified from:
• an "incident database"
• a "workshop"
• a "survey"
• an "audit"
• the risk Description

The Risk Status appears grayed and cannot be modified since it is managed by the workflow associated with the risk. For more information, see HOPEX Enterprise Risk Management.
Risk scope enables definition of risk location. It relates to several component types:
• Entities concerned by the risk. For more details, see Entities.

An entity can be internal or external to the enterprise: an entity represents an organizational element of enterprise structure such as a management, department, or job function. It is defined at a level depending on the degree of detail to be provided on the organization (see org-unit type). Example: financial management, sales management, marketing department, account manager. An external entity represents an organization that exchanges flows with the enterprise. Example: customer, supplier, government office.
• Business Processes and Organizational Processes exposed to the risk. For more details, see Processes.

A business process represents a system that offers products or services to an internal or external client of the company or organization. At the higher levels, a business process represents a structure and a categorization of the business. It can be broken down into other processes. The link with organizational processes will describe the real implementation of the business process in the organization. A business process can also be detailed by a functional view.

An organizational process describes how to implement all or part of the process required to make a product or handle a flow.

An objective is a goal that a company or organization wants to achieve, or is the target set by a process or an operation. An objective allows you to highlight the features in a process or operation that require improvement.

A requirement is a need or expectation explicitly expressed, imposed as a constraint to be met within the context of a project. This project can be a certification project or an organizational project or an information system project.

An application is a set of software tools coherent from a software development viewpoint.

A business line is a skill or grouping of skills of interest for the enterprise. It corresponds for example to major product segments, to distribution channels or to business activities.
The aim of risk analysis is to obtain a good understanding of risks.
Analysis of the risk should take into account:
• risk causes
• positive or negative risk consequences
The risk analysis phase associates a risk with:
• risk types
• risk factors
• consequences
• other risks
To analyze a risk:
1. Select a risk and open its properties.
2. In the Characteristics tab, expand the Analysis section.
A risk is characterized by:

A risk type defines a risk typology standardized within the context of an organization.

A risk factor is an element which contributes to the occurrence of a risk or which triggers a risk. Several risks can originate from the same risk factor. Examples: the use of a hazardous chemical product, the complexity of an application, the size of a project, the number of involved parties, the use of a new technology, the lack of quality assurance, the lack of rigor in requirement definition, etc.

A risk consequence can be positive or negative. It is associated with a type, which enables its characterization, for example: image, environment, employees.
• Related Risks
• Incidents

An incident is an event occurrence, internal or external, that has an impact on the organization. It is the basic element for collection of data concerning operational risk.
Risk types

A risk type defines a risk typology standardized within the context of an organization.
A risk type enables risk characterization. For example, a risk type can be regulatory, legal, technical, etc.
Breakdown of risk types will be specific to activities and will depend on the particular business line or activity. Generic risk types can be broken down to a greater or lesser extent into specific risk type levels.
It is important to have a risk type definition framework that is identifiable, measurable and manageable, and to limit the number of levels to assure usable nomenclature.
Validation of nomenclature should ensure that a risk defined in two different entities or activities will have the same definition and the same sense, therefore ensuring system consistency.
Because the installed system should also meet regulatory requirements, it will also be necessary to define a second nomenclature to meet declaration aspects and to enable exchanges with control authorities.
To create your own risk types:
1. In the Environment desktop, click Risk Universe > Risks > Risk Types.
2. In the pop-up menu of the "Risk Type" folder, select New.
3. Enter the name of the risk type and click OK.
The new risk type appears in the navigator menu tree.

Similarly, you can create a sub-risk type from a risk type.
Many risk factors are defined within the framework of international, national or inter-professional regulations, or within the enterprise itself.

A risk factor is an element which contributes to the occurrence of a risk or which triggers a risk. Several risks can originate from the same risk factor. Examples: the use of a hazardous chemical product, the complexity of an application, the size of a project, the number of involved parties, the use of a new technology, the lack of quality assurance, the lack of rigor in requirement definition, etc.
With each risk, you can associate one or more risk factors, sources of risks that have intrinsic potential to endanger organization operation. For example, dangerous chemical products, competitors, governments, etc.
To define consequences associated with a risk:

In the risk page, Analysis section, Risk Consequences tab, click New.
The consequence creation page appears.

Since a risk consequence can relate only to a single risk, the Risk field is already entered with the current risk.
In the Risk Consequences section, you can specify the consequence identification Code
The consequence created appears in the list of consequences associated with the risk.
A risk properties page includes an RACI section to define the different persons responsible for risk management. For more details, see RACI.