HOPEX Aquila Doc FR

HOPEX UAF > Security Viewpoint > Security - Motivation > Defining Risks

Defining Risks

A risk is a hazard of greater or lesser probability to which an organization is exposed.

To control risks, it is necessary to identify and qualify the risks encountered in the execution of a process.

When risks have been analyzed and assessed, management determines how each of these risks should be treated.

A risk type defines a risk typology standardized within the context of an organization.

Accessing the list of risks

To access the list of risks:

1. From the navigation menu, select Security > Motivation.

2. Click the Risks tab.

All risks are displayed with the associated Risk Type.

For more details, see Risk types.

A risk type defines a risk typology standardized within the context of an organization.

Risk characteristics

The Characteristics property page provides:

• the risk Name and identification Code

• the risk Owner

• the risk Identification Mode

The risk could have been identified from:

• an "incident database"

• a "workshop"

• a "survey"

• an "audit"

• the risk Description

The risk Status cannot be modified since it is managed by the workflow associated with the risk.

The Responsibilities section of the Characteristics page of a risk is used to define the different persons responsible for risk management. For more details, see Responsibilities (RACI).

The Scope section of the Characteristics page of a risk is dedicated to the contextualisation of the risk represented by:

• Processes for Personnel Functions exposed to the risk. See Personnel Functions.

A Personnel Function is a set of operations performed by org-units within a company or organization, to produce a result. It is depicted as a sequence of operations, controlled by events and conditions. In the BPMN notation, the Personnel Function represents a sub-Personnel Function from the organizational point of view.

• Operations for Personnel Function actions exposed to the risk. See Personnel Functions.

A Personnel Function Action is an elementary step in process executed by an org-unit. It cannot be broken down. An operation can be industrial (manufacturing a component), logistical (receiving a delivery), or can involve information processing (entering an order).

• Entities for Organizations concerned by the risk. See: Organizations.

An organization represents a person or a group of persons that intervenes in the enterprise Personnel Functions or information system. An organization can be internal or external to the enterprise. An internal organization is an organizational element of the enterprise structure such as a department, a service, or a workstation. An internal organization is defined based on how detailed you require your view of the enterprise to be (cf org-unit-type). Example: financial management, sales management, marketing department, account manager. An external organization is an organization that exchanges flows with the enterprise. Example: Customer, Supplier, Government Office.

• Applications. See Describing an Application with HOPEX UAF.

An Application is a software component that can be deployed and provides users with a set of functionalities.

• Technologies: See Describing Software Technologies.

A Software Technology is a basic component necessary for operation of business applications. Software technologies include all basic software such as: application server, electronic mail server, software components for presentation, data entry, storage, business information sharing, operating systems, middleware, navigators, etc.

The Analysis section of the Characteristics page of a risk presents the results of the risk analysis that takes into account: the risk causes and the positive or negative risk consequences.

With HOPEX UAF, the risk analysis phase results are:

• Risk Types: for more details, see Risk types.

A risk type defines a risk typology standardized within the context of an organization.

• Related Risks.

Risk types

A Risk Type enables risk characterization. For example, a risk type can be regulatory, legal, technical, etc.

A risk type defines a risk typology standardized within the context of an organization.

To access the list of risks:

1. From the navigation menu, select Security > Hierarchy.

2. Expend the Risk Type folder.

The tree of Risk Types is dispalyed.

To create your own risk type:

1. From the navigation menu, select Security > Hierarchy.

2. Expend the Risk Type folder.

3. Click New > Risk Type button.

4. Enter the name of the risk type and click OK.

The new risk type appears in the navigator menu tree.

Similarly, you can create a sub-risk type from a risk type.