Assessing risks directly
Direct assessment provides, at a given date, an assessment of a risk on an entity of the organization.
Direct Assessment Context
In direct assessment, the values of the characteristics can be specified in two ways:
in the properties of each risk
globally, using a multiple assessment table
Direct assessment is carried out for all context objects available in the Scope section of the risk properties window:
Organizational processes
Business processes
Entities
etc.
Direct Risk Assessment Templates
The HOPEX IRM solutions provide risk assessment templates in the context of the following objects:
an org-unit
a business process
an organizational process
an application
a business line
Assessed characteristics
*An assessed characteristic defines what the assessment seeks to assess. It can be associated with a MetaClass, and more specifically with one of its MetaAttributes, for example the Criticality MetaAttribute of the Risk MetaClass.
Examples of assessed characteristics:
Impact
Likelihood
Control Level
*Control level characterizes the efficiency level of the control elements (controls) deployed to assess the risk.
Net risk
*The net risk indicates the risk to which the organization remains exposed after management has processed the risk.
Assessed objects
The objects assessed are risks.
The list of risks to be assessed comprises all risks connected to the entity (assessment object) and to its sub-entities.
Respondents
Respondents are persons defined as Risk Assessor for the entity.
Questionnaire
*An assessment questionnaire is a list of questions relating to a particular object and addressed to users.
The questionnaire relates to characteristics to be assessed for all risks determined as objects of assessment:
Impact
Likelihood
Control Level
*Control level characterizes the efficiency level of the control elements (controls) deployed to assess the risk.
Creating a Direct Assessment on a Risk
You can create new assessments to assess a risk on all objects of the organization to which it is connected.
This is an "expert view" assessment.
To create a direct assessment on a risk:
1. Select the risk and open its properties.
2. Select the Assessment tab.
3. Click the Perform Assessment button.
*The Perform Assessment button is available if the risk has been contextualized accordingly.
4. If several contexts are available for the risk, select the context(s) for which you want to assess the risk and click Next.
5. Specify the characteristic values:
Impact: the impact of the risk when it occurs.
Likelihood: the probability that the risk will occur.
Control Level
*Control level characterizes the efficiency level of the control elements (controls) deployed to assess the risk.
6. Specify the Measure Date if necessary.
7. Click OK.
An assessment is created.
Assessing Multiple Risks Simultaneously
Through the multiple assessment table you can specify the same value for several assessment nodes of different risks.
To assess several risks simultaneously:
1. From the navigation menu, click Assessment > Direct Assessment > Risk Multiple Assessment Table.
2. In the window that appears, click the Launch Multiple Assessment button.
3. In the Context Element field, select the object type which makes up the risk assessment context.
org-unit
application
business line
business processes
organizational processes
The Assessment Template corresponding to the selected context type is indicated.
4. Click Next.
5. In the displayed tree, select the objects that define the assessment context.
A risk is assessed in the context of elements of the branch from the risk up to the root.
For example, if you select the "Accounting" process, all risks and context objects located at a lower level are selected, as well as all parent context objects up to the tree root.
*If you deselect a node of a branch, only the child elements of this branch are deselected.
6. Click OK.
7. For each assessed object, select the appropriate assessed characteristic values:
Impact: characterizes the impact of the risk when it occurs.
Likelihood: characterizes the probability that the risk will occur.
Control Level: this characteristic gives an overall assessment of the risk control level.
*All assessed objects for which you have given answers become green.
8. When you have answered all the questions, click OK.
Validation automatically creates an assessment in the Assessment page of the control properties. For more details, see Displaying Risk Assessment Results.