Risk Management Process
Associated with the all the products in the HOPEX suite, HOPEX Risk Mapper is used to model the environment, assess the risks to mitigate them and last but not least, to control them with an efficient control policy.
The process recommended by HOPEX therefore comprises the following steps:
Modeling the environment
Risks must be managed in the external and internal environments of the organization, its strategic objectives and the specific objectives of the risk management activity.
• The external environment defines the external environment in which the organization operates as well as its relationships with this environment.
For more details, see "External Environment", page 18.• The internal environment describes the organization. This ensures that risk management acknowledges the major objectives and constraints of the organization.
For more details, see "Internal Environment", page 14.• The risk management context is essentially linked to the objectives that the enterprise pursues through its risk management process.
For more details, see "Risk Management Context", page 24.Identifying, analyzing and assessing risks
It is necessary to identify the risks concerned, then analyze and assess them to get the elements required for their treatment.
Identifies risks
It is necessary to determine where, when, why and how events might prevent, degrade, delay or improve the achievement of the organization's objectives.
Internal and external events affecting the achievement of entity objectives must be described with the distinction made between risks and opportunities. The opportunities can then be used to form management strategy or in objective-setting processes.
More specifically, several risk identification methods can be proposed depending on the context:
• Method based on organization objectives achievement
• Method based on lists of risk types, risk factors or controls applied to an appearance context
• Method based on historical data (databases of incidents, claims, faults, etc.)
For more details, see "Identifies risks", page 32.Analyzing Risks
This consists of completing the identification of each risk by precisely indicating what could occur, where, when, why, and how this could have arisen. This analysis could reveal new risks that were not directly identified in the previous step. The effectiveness of existing controls that could prevent this risk are also assessed.
For more details, see "Risk Analysis", page 38.Assessing Risks
After having identified and analyzed the risks faced by the enterprise, the next step is to estimate their importance so as to highlight the most important risks to be remediated.
Risks are assessed taking into account:
• their occurrence frequency,
• their impact
For more details, see "Assessing Risks", page 41.Remediating Risks
Risk assessment is therefore an essential step in obtaining a list of risks requiring remediation, indicating their priority.
The acceptable level for each risk is defined based on previous evaluations.
For more details, see "Risk Treatment", page 44.Remediating risks involves:
• identification of the various options possible
• assessment of these options
• preparation and implementation of remediation plans:
Risk Control Monitoring and Policy
Policies and procedures are established and implemented to help ensure that risk responses are effectively carried out.
Monitoring is accomplished through ongoing management activities or independent assessments, or both.
The topics covered in this guide are:
Information and communication
Relevant information is identified, collected, and communicated in a form and timeframe that enable collaborators to carry out their responsibilities. Effective communication should also occur in a broader sense, flowing downwards, across, and upwards in the entity.
Communication and consultation are important considerations at each step of the risk management process. They should involve dialog with stakeholders with efforts focused on consultation rather than a one-way flow of information from the decision-maker to other stakeholders.
For more information on the functionalities offered by HOPEX, see HOPEX Common Features, which describes the tools specific to HOPEX solutions.