Actions to Treat Risks
Management draws up a set of actions that match each risk level to the organization's risk tolerance level and risk appetite.
For each risk, the selected scenario is described in detail, highlighting the various risk factors and the controls implemented to counter them. Also specified are the controls put in place to warn of the risk, as well as the corrective procedures to be applied if the risk occurs.
In the case of transfer to partners or insurance, the contracts to be agreed with them can be specified, as well as the predicted impact on the organization's processes.
Implementing preventive controls that reduce the frequency or impact of a risk is one way to reduce it.
Specifying treatment actions
To indicate the controls and action plans that enable risk prevention:
* In the Treatment page of the risk properties, expand the Controls and Action Plans section.
The Action Plans tab lists the action plans put in place, for example to create or improve a control, to manage a crisis following an incident, or to revise a process in order to improve it.
* An action plan comprises a series of actions whose objective is to reduce risks and events that have a negative impact on the company's activities.
The Controls tab lists the controls planned for risk reduction.
* A control is a set of rules and means that ensure a legal, regulatory, internal or strategic requirement is met.
Setting up action plans
An action plan can be set up to create or improve a control, to manage a crisis following an event, or to modify a process in order to improve it.
The action plan can be created:
either in isolation, then attached to different objects (risks, processes, controls, entities, etc.),
or directly from one of these objects.
A workflow is created automatically when the action plan is created.
For more information on action plan workflows, see Action Plan Workflows.
Control policy monitoring
Risk identification and analysis highlight a number of risks against which the organization must be protected. The control activities that will prevent these risks and reduce their potential consequences must be defined.
These controls must be formally defined in order to meet regulatory requirements such as the Sarbanes-Oxley Act or, in the banking world, the Basel II accords.
In HOPEX Enterprise Risk Management, several object types are linked to controls:
Object types indicating the framework within which the control is implemented:
control system
control type
requirement
associated risk
Object types indicating the means by which the control is implemented:
organizational processes
applications
Object types indicating who is responsible for implementing the control.
For more details on controls, see "Managing Controls", page 13.