Risk Management Process
Used together with HOPEX Business Process Analysis, HOPEX Risk Mapper is used to assess risks, to mitigate them and finally to control them through an effective control policy.
The recommended risk management process is therefore composed of the following steps:
Modeling the environment
Risks must be managed in the context of the organization's external and internal environments, its strategic objectives and the specific objectives of the risk management activity.
• The external environment describes the setting in which the organization operates as well as its relationships with that setting.
• The internal environment describes the organization itself. This ensures that risk management acknowledges the major objectives and constraints of the organization.
• The risk management context is essentially linked to the objectives that the enterprise pursues through its risk management process.
Identifying, analyzing and assessing risks
It is necessary to identify the risks concerned, then analyze and assess them to get the elements required for their treatment.
Identifying risks
It is necessary to determine where, when, why and how events might prevent, degrade, delay or improve the achievement of the organization's objectives.
Internal and external events affecting the achievement of the entity's objectives must be described, distinguishing between risks and opportunities. The opportunities can then be fed into management strategy or into the objective-setting process.
More specifically, several risk identification methods can be proposed depending on the context:
• Method based on the achievement of the organization's objectives
• Method based on lists of risk types, risk factors or controls applied to a given context of occurrence
• Method based on historical data (databases of incidents, claims, faults, etc.)
Analyzing Risks
This consists of completing the identification of each risk by precisely indicating what could occur, where, when, why, and how it could arise. This analysis may reveal new risks that were not directly identified in the previous step. The effectiveness of the existing controls that could prevent each risk is also assessed.
Assessing Risks
After having identified and analyzed the risks faced by the enterprise, the next step is to estimate their importance so as to highlight the most important risks to be remediated.
Risks are assessed taking into account:
• their occurrence frequency (likelihood),
• their impact.
Remediating Risks
Risk assessment is therefore an essential step in obtaining a list of risks requiring remediation, indicating their priority.
The acceptable level for each risk (the residual level the organization is willing to tolerate) is defined on the basis of the preceding evaluations.
Remediating risks involves:
• identification of the various options possible
• assessment of these options
• preparation and implementation of remediation plans.
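The assessment and remediation steps above (score each risk by frequency and impact, take the effectiveness of existing controls into account, compare the residual risk to its acceptable level, and order the remaining risks for remediation) can be worked through on a small risk register. The following is an added example written for this page, not code from HOPEX Risk Mapper or MEGA; it assumes five-level ordinal scales, an acceptable residual score of 6 per risk, and a simple multiplicative model of independent controls, none of which the page prescribes. The register entries and control effectiveness values are constructed for the example.

```python
"""Risk register scoring: frequency x impact, existing-control adjustment, remediation priority."""
from dataclasses import dataclass, field
from typing import List

# Five-level ordinal scales. The page does not fix a scale; these are assumptions for the example.
FREQUENCY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """An existing control and its assessed effectiveness (0.0 = useless, 1.0 = fully effective)."""
    name: str
    effectiveness: float

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"effectiveness of {self.name!r} must be in [0, 1]")


@dataclass
class Risk:
    name: str
    frequency: str                      # key of FREQUENCY
    impact: str                         # key of IMPACT
    controls: List[Control] = field(default_factory=list)
    acceptable_level: float = 6.0       # tolerated residual score (assumed value for the example)

    def inherent_score(self) -> int:
        """Score before any control is taken into account: frequency x impact."""
        return FREQUENCY[self.frequency] * IMPACT[self.impact]

    def residual_score(self) -> float:
        """Score after existing controls. Controls are modelled as independent, so the
        fraction of the inherent score that survives is the product of (1 - effectiveness).
        The independence assumption is a simplification chosen for this example."""
        surviving = 1.0
        for control in self.controls:
            surviving *= 1.0 - control.effectiveness
        return round(self.inherent_score() * surviving, 2)

    def needs_remediation(self) -> bool:
        """A risk is remediated only when its residual score exceeds the acceptable level."""
        return self.residual_score() > self.acceptable_level


def remediation_list(risks: List[Risk]) -> List[Risk]:
    """Risks whose residual score exceeds their acceptable level, highest residual first."""
    return sorted((r for r in risks if r.needs_remediation()),
                  key=lambda r: r.residual_score(), reverse=True)


def register_report(risks: List[Risk]) -> List[str]:
    """One line per risk: inherent score, residual score and the resulting decision."""
    lines = []
    for r in risks:
        status = "REMEDIATE" if r.needs_remediation() else "accept"
        lines.append(f"{r.name}: inherent={r.inherent_score()} residual={r.residual_score()} -> {status}")
    return lines


# Constructed sample register (hypothetical entries, not real data).
REGISTER = [
    Risk("Credential phishing of finance staff", "likely", "major",
         controls=[Control("MFA on mail and ERP", 0.6)]),
    Risk("Unpatched internet-facing web server", "possible", "severe",
         controls=[Control("30-day patch SLA", 0.5), Control("WAF in blocking mode", 0.3)]),
    Risk("Loss of offsite backup media", "unlikely", "moderate"),
    Risk("Insider exfiltration of customer data", "possible", "major",
         controls=[Control("DLP on egress", 0.4)]),
]


if __name__ == "__main__":
    for line in register_report(REGISTER):
        print(line)
    print("Remediation priority:", [r.name for r in remediation_list(REGISTER)])
```

Running the script shows the point of the analysis step: the web server risk has the second-highest inherent score (15) but two partially effective controls bring it under the acceptable level, whereas the phishing and insider risks keep a residual score above 6 and land on the remediation list, insider exfiltration first. Changing the acceptable level or a control's assessed effectiveness re-orders that list, which is exactly what the remediation options are evaluated against.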
Risk Control Monitoring and Policy
Policies and procedures are established and implemented to help ensure that risk responses are effectively carried out.
Monitoring is accomplished through ongoing management activities or independent assessments, or both.
Information and communication
Relevant information is identified, collected, and communicated in a form and timeframe that enable personnel to carry out their responsibilities. Effective communication should also occur in a broader sense, flowing downwards, across, and upwards in the entity.
Communication and consultation are important considerations at each step of the risk management process. They should involve dialog with stakeholders with efforts focused on consultation rather than a one-way flow of information from the decision-maker to other stakeholders.