Risk management addresses a wide range of activities covering identification and assessment of potential threats within a company. ARIS offers capabilities supporting you at various levels of your GRC (Governance, Risk, and Compliance) maturity.
For most companies, risk documentation (including description, typification, and classification) and the definition of responsibilities is the first step of their journey in combining BPA (Business Process Analysis) and GRC.
The next steps include:
- mapping into the risk and compliance context (regulations, norms, risk categories), as well as
- mapping of risks into the business context (processes, IT (Information Technology) systems, organizational structures, data), and finally
- assigning and documenting mitigating measures (controls, policies, others like insurances).
In many cases, knowledge that there are risks and clarity about their dependencies is good, but not good enough. You should decide whether you want to accept the risk or to take some action to handle it.
A first indicator of how relevant a risk is can be derived by assessing its potential damage (impact) and its occurrence frequency (probability). In more mature scenarios, other criteria, e.g., detectability, can also be relevant.
Qualitative and quantitative assessments
Two main approaches are common: qualitative and quantitative evaluation.
In qualitative assessments, a value out of a predefined set is selected. The names of these values can be different for damage (e.g., insignificant, low, …, catastrophic) and frequency (e.g., very low, …, very high).
In quantitative assessments, you enter an amount of money and a probability as numbers. You can use these values to rank your risks and calculate a combined indicator by multiplying amount and probability.
Depending on your risk appetite (the level you are willing to accept for a risk), you can decide for which risks you have to define measures to mitigate them.
Risk assessment regarding mitigating measures
If you have implemented measures that aim to reduce the frequency or the potential damage of a risk, you can include the effects in an additional assessment for the same risk. Of course, mitigating measures should lower either the potential damage or the occurrence frequency (or both).
Three-point estimates
Three-point estimates are a popular approach that is also used in risk assessments. In this procedure, you do not only estimate average (or likely) values for frequencies and potential damage, but also minimal (best case) and maximal (worst case) values. Of course, you will get more detailed information as input for making decisions. You should try not to overengineer your system and be sure that this is worth the additional effort.
Assessments in multiple dimensions
The very same risk may have effects in various directions. Often, companies start with a general assessment. Later, when this is no longer sophisticated enough for the specific stakeholders, separate assessments in multiple dimensions are the appropriate way. Examples of such impact types are financial, ecological, or reputational impacts.
A simple approach
In a quite simple scenario, the result of a qualitative risk assessment can be maintained as attributes at the risk object. This can be done in ARIS Portal by a user with appropriate access rights via modeling or contribution.
Risks (including assessment results Impact and Probability) are already available in ARIS Basic Edition and can be maintained in the modeling component.
With ARIS Advanced and ARIS Enterprise, you will be able to enhance the simple approach. If desired, you can append values considering mitigation. ARIS is also prepared to support quantitative assessment (including three-point estimates). You will find the attributes on the risk object in ARIS, collected in an attribute group called “Governance, Risk, and Compliance (GRC)” in specific sub-groups (e.g. “Risk Assessment”).
All these results can be used in reports and dashboards. A big disadvantage of this approach, however, is that changing the attributes means overwriting them, and using, e.g., the versioning capability does not offer simple access to historical data.
Proof of assessments over time
For many companies (and use cases), it makes sense to store not only the current assessment results, but also to enable access to historical data. This helps you prove that your assessment activities are performed in a structured way following a defined schedule. Evaluating assessments and results over a longer period can be relevant to find out whether you are improving or not.
Furthermore, the people who execute the assessment will not change the master data in the BPA system, but only the content they are responsible for. That simplifies the governance mechanisms you might (and should) have in place in your BPA system.
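The append-only history described above, as an added example that is not ARIS code: each assessment of a risk becomes a new record instead of overwriting the previous one, and the history then answers the two questions the text raises (was the defined schedule kept, and is the risk improving). The record fields, the 90-day interval, the dates and the scores are constructed for illustration; the reviewer field is a hypothetical way of recording the four-eyes review.

```python
"""Added example (not ARIS code): an append-only assessment history for one
risk, plus the checks such a history enables. All sample data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AssessmentRecord:
    """One assessment result; frozen so a stored result cannot be edited in place."""
    assessed_on: date
    assessor: str
    impact: int                      # weighting of the chosen impact value
    frequency: int                   # weighting of the chosen frequency value
    reviewer: Optional[str] = None   # hypothetical: set once a second person reviewed

    def __post_init__(self) -> None:
        # Four-eyes: the reviewer must be a different person than the assessor.
        if self.reviewer is not None and self.reviewer == self.assessor:
            raise ValueError("reviewer must differ from assessor")

    @property
    def score(self) -> int:
        return self.impact * self.frequency


class AssessmentHistory:
    """Append-only log for one risk: records are added, never modified or removed."""

    def __init__(self, risk_name: str) -> None:
        self.risk_name = risk_name
        self._records: List[AssessmentRecord] = []

    def append(self, rec: AssessmentRecord) -> None:
        if self._records and rec.assessed_on < self._records[-1].assessed_on:
            raise ValueError("records must be appended in chronological order")
        self._records.append(rec)

    def current(self) -> Optional[AssessmentRecord]:
        """The latest result, i.e. what a single overwritten attribute would hold."""
        return self._records[-1] if self._records else None

    def records(self) -> Tuple[AssessmentRecord, ...]:
        return tuple(self._records)

    def schedule_gaps(self, interval_days: int, as_of: date) -> List[Tuple[date, date]]:
        """Consecutive assessment dates (including last date -> as_of) further apart
        than the defined interval; an empty list means the schedule was kept."""
        dates = [r.assessed_on for r in self._records] + [as_of]
        return [(earlier, later) for earlier, later in zip(dates, dates[1:])
                if (later - earlier).days > interval_days]

    def unreviewed(self) -> List[AssessmentRecord]:
        """Records that still lack the second pair of eyes."""
        return [r for r in self._records if r.reviewer is None]

    def trend(self) -> str:
        """Compare first and latest score: 'improving', 'worsening' or 'stable'."""
        if len(self._records) < 2:
            return "stable"
        first, last = self._records[0].score, self._records[-1].score
        if last < first:
            return "improving"
        return "worsening" if last > first else "stable"


def build_sample_history() -> AssessmentHistory:
    """Constructed sample: quarterly schedule, one missed quarter, one unreviewed record."""
    hist = AssessmentHistory("data centre outage")
    hist.append(AssessmentRecord(date(2023, 1, 15), "alice", impact=4, frequency=3, reviewer="bob"))
    hist.append(AssessmentRecord(date(2023, 4, 10), "alice", impact=3, frequency=3, reviewer="bob"))
    hist.append(AssessmentRecord(date(2023, 10, 5), "carol", impact=3, frequency=2))
    return hist


if __name__ == "__main__":
    h = build_sample_history()
    print("current score:", h.current().score)
    print("schedule gaps (90 days):", h.schedule_gaps(90, as_of=date(2023, 12, 20)))
    print("unreviewed:", len(h.unreviewed()), "trend:", h.trend())
```

Because records are frozen and only appended, an evaluation over a longer period (the trend) and the proof of schedule adherence come from the same data that holds the current result; nothing is lost when the next assessment is entered.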
Workflows facilitate professional management
ARIS Risk and Compliance offers a workflow-supported solution that uses the risk object but enhances it with rules defining how often, by whom, and how a risk assessment is to be executed. This will help you manage the risk assessment process. Including a reviewer role enables you to follow a four-eyes approach. Informing the participants in the risk assessment process, reminding them and, if necessary, escalating support you in ensuring that the tasks are completed. As a manager, you have clear insight into how the system is running and how the results evolve over time. All needed information can be maintained in ARIS, using additional models and objects. The assessment process itself is then separated from this “master data”.
The more mature you are, the more sophisticated approaches may become relevant in your company. Starting with the well-known simple qualitative approach, with or without considering mitigating measures, enables you to seamlessly develop your risk management system. With our ARIS Extension for Risk and Compliance you can add your own dimensions (impact types) with your own scales. Each value created for extent and frequency can have a number assigned that is used as a weighting. By multiplying these weightings, a risk score is calculated that helps you rank your risks. This will help you find out which risks should be addressed with the highest priority. If you have decided to follow a quantitative approach, the expected loss is calculated from the amount and the frequency entered.
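The scoring approaches described in the sections above (qualitative values with weightings, the additional assessment including mitigating measures, three-point estimates, assessments in multiple dimensions, and the expected loss of the quantitative approach), as one added worked example that is not ARIS code: the scale names and weightings, the PERT formula used to collapse a three-point estimate into one value, taking the worst dimension as the overall score, and the sample risk register are all constructed assumptions for illustration.

```python
"""Added example (not ARIS code): a small risk-assessment model covering
qualitative scoring, mitigation, three-point estimates, multiple impact
dimensions and expected loss. Scales, formulas and data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed qualitative scales; each value carries a numeric weighting.
IMPACT_SCALE = {"insignificant": 1, "low": 2, "moderate": 3, "high": 4, "catastrophic": 5}
FREQUENCY_SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class ThreePoint:
    """Best-case, likely and worst-case estimate of one quantity."""
    best: float
    likely: float
    worst: float

    def __post_init__(self) -> None:
        if not self.best <= self.likely <= self.worst:
            raise ValueError("three-point estimate needs best <= likely <= worst")

    def point(self) -> float:
        # Collapse the three points into one value with PERT weighting (an
        # assumption of this example; the text only says three values are given).
        return (self.best + 4 * self.likely + self.worst) / 6


@dataclass
class Qualitative:
    """Qualitative assessment: one impact value per dimension plus a frequency."""
    impacts: Dict[str, str]    # e.g. {"financial": "high", "reputational": "low"}
    frequency: str

    def dimension_scores(self) -> Dict[str, int]:
        f = FREQUENCY_SCALE[self.frequency]
        return {dim: IMPACT_SCALE[val] * f for dim, val in self.impacts.items()}

    def score(self) -> int:
        # Overall score = worst dimension (assumption; a weighted sum is another option).
        return max(self.dimension_scores().values())


@dataclass
class Quantitative:
    """Quantitative assessment: damage amount (money) and yearly occurrence frequency."""
    amount: ThreePoint
    frequency: ThreePoint

    def expected_loss(self) -> float:
        return self.amount.point() * self.frequency.point()

    def worst_case_loss(self) -> float:
        return self.amount.worst * self.frequency.worst


@dataclass
class Risk:
    name: str
    inherent: Qualitative
    residual: Optional[Qualitative] = None      # additional assessment including measures
    quantitative: Optional[Quantitative] = None

    def effective_score(self) -> int:
        """Residual score once mitigation has been assessed, otherwise the inherent one."""
        return (self.residual or self.inherent).score()

    def mitigation_is_plausible(self) -> bool:
        """Mitigating measures should lower damage or frequency, never raise the score."""
        return self.residual is None or self.residual.score() <= self.inherent.score()


def risks_above_appetite(risks: List[Risk], appetite: int) -> List[Risk]:
    """Risks whose effective score exceeds the risk appetite, highest priority first."""
    exceeding = [r for r in risks if r.effective_score() > appetite]
    return sorted(exceeding, key=lambda r: r.effective_score(), reverse=True)


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("data centre outage",
         inherent=Qualitative({"financial": "high", "reputational": "moderate"}, "medium"),
         residual=Qualitative({"financial": "moderate", "reputational": "low"}, "low"),
         quantitative=Quantitative(ThreePoint(50_000, 200_000, 1_000_000),
                                   ThreePoint(0.1, 0.5, 2.0))),
    Risk("supplier insolvency",
         inherent=Qualitative({"financial": "moderate"}, "low")),
    Risk("regulatory fine",
         inherent=Qualitative({"financial": "catastrophic", "reputational": "high"}, "very low"),
         residual=Qualitative({"financial": "high", "reputational": "moderate"}, "very low")),
]

if __name__ == "__main__":
    for r in risks_above_appetite(SAMPLE_RISKS, appetite=4):
        print(f"{r.name}: inherent {r.inherent.score()}, effective {r.effective_score()}")
```

The ranking uses the residual score where one exists, so a risk with a high inherent score but effective measures (the regulatory fine in the sample) drops below the appetite, while the expected loss of the quantitative assessment is available alongside the qualitative score for the same risk.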
All the above-mentioned aspects can be brought into your system via configuration in the system itself, enabling you to adapt the system to your very needs. Thresholds used to automatically inform management or other relevant people are defined according to your requirements.
If you are implementing a holistic GRC system, additional input for executing your risk assessment will be made available in the system. It is possible to collect and document losses, and to access and use this information within the risk assessment. Furthermore, executed control tests might help you evaluate the impact of mitigating measures. And finally, surveys can also be used to deliver information in the context of risk assessment.
As you can see, ARIS can support you on your way to implement a risk management system. Depending on where you are on your way to GRC maturity, we have the tools fitting to your needs and flexible enough to support you on your next steps.
Photo by Mark Fletcher-Brown on Unsplash