The following flowchart outlines the Ansarada GRC Risk Management process.
Note: The Ansarada GRC Risk Management features are highly configurable—you can use as much or as little of the Risk Management feature set as your organisation needs. As such, this section discusses Risk Management features of Ansarada GRC that may not be enabled on your Ansarada GRC system.
1. Identify and analyse Risk
Individuals appropriately trained and experienced in Risk Analysis should identify and analyse the Risks for your organisation.
If your organisation is moving from another Risk Management System to Ansarada GRC, a lot of this work has probably already been done and it’s just a matter of getting the information into Ansarada GRC.
Tip: Consider a plan to transfer existing Risks into Ansarada GRC as they become due for Review, or as an associated Task (e.g. a Risk Treatment) becomes due. This will avoid you having to try to get everything into Ansarada GRC in one go—a daunting exercise if you have a lot of recorded Risks and associated Treatment Tasks.
2. Assess Risk and record in Ansarada GRC
For each identified Risk, a suitably-qualified individual or group must assess the Risk. In Ansarada GRC, the assessment is based on a default of Likelihood versus Consequences. However, you can alter the Risk calculation formula to include Adequacy and Management factors.
The assessment is also based on:
Inherent Risk (the impact of the Risk before controls and treatments are applied) and
Residual Risk (the reduced impact following application of controls and treatments).
The assessment results are recorded on the Risk’s editing page (the ‘Risk Page’) within Ansarada GRC.
3. Ansarada GRC calculates Risk Score
Once the assessment results (e.g. ‘Likelihood’ and ‘Consequences’ ratings for Inherent and Residual Risk) are input to the Risk Page, Ansarada GRC calculates the Risk Score based on a customisable 5 x 5 Risk Matrix.
Every time the Risk is reviewed, Ansarada GRC calculates a new Risk Score. Over time, a Risk Score History is compiled. This can be very useful for assessing the effectiveness (or otherwise) of any applied Risk Treatments and other controls.
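The scoring described in steps 2 and 3, modelled in Python as an added example. This is not Ansarada GRC code and the product's matrix is configurable; the example assumes a default cell value of Likelihood multiplied by Consequence (1 to 25), assumed banding thresholds for Low/Medium/High/Extreme, and a constructed sample Risk with three reviews. It shows Inherent versus Residual scoring, the Risk Score History that accumulates across reviews, and a simple measure of whether treatments are reducing the residual score.

```python
"""Model of a 5 x 5 Likelihood x Consequence risk matrix with Inherent and
Residual scores and a review history (added example, not product code)."""
from dataclasses import dataclass, field
from datetime import date

RATING_RANGE = range(1, 6)  # both axes run 1 (lowest) to 5 (highest)


def build_matrix():
    # Assumed default: cell value = likelihood * consequence (1..25).
    # A customised matrix would replace these cell values.
    return {(l, c): l * c for l in RATING_RANGE for c in RATING_RANGE}


RISK_MATRIX = build_matrix()


def risk_score(likelihood, consequence, matrix=RISK_MATRIX):
    """Look up the score for a (likelihood, consequence) pair."""
    if likelihood not in RATING_RANGE or consequence not in RATING_RANGE:
        raise ValueError("ratings must be integers from 1 to 5")
    return matrix[(likelihood, consequence)]


def rating_band(score):
    """Assumed banding thresholds for a 1..25 score."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 16:
        return "High"
    return "Extreme"


@dataclass
class Assessment:
    reviewed_on: date
    inherent: tuple  # (likelihood, consequence) before controls/treatments
    residual: tuple  # (likelihood, consequence) after controls/treatments

    @property
    def inherent_score(self):
        return risk_score(*self.inherent)

    @property
    def residual_score(self):
        return risk_score(*self.residual)


@dataclass
class Risk:
    title: str
    history: list = field(default_factory=list)

    def record_review(self, assessment):
        # Controls reduce risk; a residual score above inherent is a data error.
        if assessment.residual_score > assessment.inherent_score:
            raise ValueError("residual score cannot exceed inherent score")
        self.history.append(assessment)
        return assessment.residual_score

    def score_history(self):
        """Risk Score History as (date, inherent, residual) tuples."""
        return [(a.reviewed_on.isoformat(), a.inherent_score, a.residual_score)
                for a in self.history]

    def treatment_effect(self):
        """Change in residual score from first to latest review (negative = improving)."""
        if len(self.history) < 2:
            return 0
        return self.history[-1].residual_score - self.history[0].residual_score


def sample_risk():
    """Constructed sample: inherent rating stays (4, 5), residual falls as treatments land."""
    r = Risk("Unpatched internet-facing server (constructed example)")
    r.record_review(Assessment(date(2023, 1, 15), (4, 5), (4, 4)))  # 20 -> 16
    r.record_review(Assessment(date(2023, 7, 15), (4, 5), (3, 4)))  # 20 -> 12
    r.record_review(Assessment(date(2024, 1, 15), (4, 5), (2, 3)))  # 20 -> 6
    return r


if __name__ == "__main__":
    risk = sample_risk()
    for when, inh, res in risk.score_history():
        print(when, "inherent", inh, rating_band(inh), "residual", res, rating_band(res))
    print("treatment effect on residual score:", risk.treatment_effect())
```

Keeping the inherent rating fixed while the residual rating moves is what makes the history useful: a falling residual score with an unchanged inherent score is evidence the treatments are working, whereas a falling inherent score would suggest the Risk itself was re-analysed.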
4. Create Treatment Plan and allocate Tasks
Qualified individuals determine the Risk Treatment Plan and associated Tasks that need to be carried out to mitigate or eliminate the Risk.
A Task schedule is also worked out at this stage.
The Treatment Plan, associated Tasks and Task Schedule are recorded in Ansarada GRC on the Risk Page.
5. Set Risk Review Schedule for Risk Owners
The level of Risk will vary over time as a result of changing circumstances and the effectiveness of the Treatment Plan and other controls in place.
Because of these factors, Risks must be periodically reviewed and, if necessary, the Risk Rating adjusted to reflect current conditions.
A qualified person or group must determine how often a Risk should be reviewed. This schedule is then input to Ansarada GRC via the Risk Page.
6. Ansarada GRC generates Tasks and sends email Reminders
On the appropriate date (determined by the Schedule and Reminder settings on each Risk’s Page), Ansarada GRC generates Treatment Tasks (and Risk Review Tasks when required) and emails the person recorded in the Risk Record as responsible for Actioning the Task (the ‘Actioned By’ Position).
The generated Tasks are displayed in each ‘Actioned By’ Position’s ‘My Tasks’ page.
7. Individual records completion of Treatment Tasks
Once an ‘Actioned By’ Position completes a Treatment Task, the person records task completion in Ansarada GRC via the ‘My Tasks’ Page.
If a Task is not completed within the specified time, Ansarada GRC sends an alert email to the person nominated as the ‘Escalate To’ Position for the Task. This ensures that incomplete Tasks are followed up straight away and not forgotten.
8. Risk Owner reviews and re-assesses Risk
Once a Risk Owner has reviewed the Risk and updated the Risk Rating in Ansarada GRC, a new Risk Score is automatically calculated. Over time, a Risk Score History is built and this can assist with future Risk Assessments.
As with Treatment Tasks, if a Risk Review isn’t completed on time, Ansarada GRC sends an alert email to the person nominated as the ‘Escalate To’ Position for the Risk Review Task.
7&8. Task not completed—Task is escalated to Position’s Manager
If a Risk Review or Risk Treatment Task is not completed on time, or won’t be completed at all for some reason, then Ansarada GRC provides a way to ensure that this is managed.
You can set a Position to be the ‘Escalate To’ Position for each Task. If the Task is not completed by the due date, Ansarada GRC sends a notification email:
Every day beyond the due date, to the ‘Actioned By’ Position, till the Task is done.
Once to the ‘Escalate To’ Position, so they can act on this information as required.
This ensures that your Risk Review or Treatment Tasks are not missed.
Note: The escalation process does not move tasks from the Actioned By Position to the Escalation Position. The responsibility to complete the task remains with the Actioned By Position. The escalation process allows the Escalation Position to know when tasks are not completed by the due date so that they may choose to act.
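The overdue notification rule from the two bullet points above, modelled in Python as an added example (not Ansarada GRC code). It assumes a Task carries an ‘Actioned By’ and an ‘Escalate To’ Position and a due date, and applies the rule as stated: once a Task is past due, one reminder per day to the Actioned By Position until completion is recorded, plus a single notice to the Escalate To Position. The Position names, dates and daily-job simulation are constructed; the model also shows that escalation never changes who owns the Task.

```python
"""Model of daily overdue reminders and one-time escalation (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Task:
    title: str
    actioned_by: str      # Position responsible for completing the Task
    escalate_to: str      # Position informed once if the Task goes overdue
    due: date
    completed_on: Optional[date] = None
    escalation_sent: bool = False


def notifications_for_day(task, today):
    """Return (recipient, kind) notifications the daily job would send on `today`."""
    out = []
    if task.completed_on is not None and task.completed_on <= today:
        return out  # completion recorded; nothing further is sent
    if today <= task.due:
        return out  # not yet beyond the due date
    # Reminder to the Actioned By Position every overdue day until done.
    out.append((task.actioned_by, "overdue reminder"))
    # Escalate To Position is told once; responsibility stays with Actioned By.
    if not task.escalation_sent:
        out.append((task.escalate_to, "escalation notice"))
        task.escalation_sent = True
    return out


def run_daily_job(task, start, end):
    """Simulate the daily job from start to end inclusive; returns dated notifications."""
    log = []
    day = start
    while day <= end:
        for recipient, kind in notifications_for_day(task, day):
            log.append((day.isoformat(), recipient, kind))
        day += timedelta(days=1)
    return log


def count_by_recipient(log):
    counts = {}
    for _, recipient, _ in log:
        counts[recipient] = counts.get(recipient, 0) + 1
    return counts


def sample_run():
    """Constructed sample: due 1 March, completion recorded 5 March."""
    task = Task(
        title="Apply patch to web server (constructed)",
        actioned_by="Server Admin (constructed)",
        escalate_to="IT Manager (constructed)",
        due=date(2024, 3, 1),
        completed_on=date(2024, 3, 5),
    )
    return run_daily_job(task, date(2024, 2, 28), date(2024, 3, 7))


if __name__ == "__main__":
    for entry in sample_run():
        print(*entry)
    print(count_by_recipient(sample_run()))
```

In the constructed sample the Task is overdue on 2, 3 and 4 March, so the Actioned By Position receives three reminders and the Escalate To Position receives exactly one notice, on the first overdue day; after completion is recorded nothing further is sent.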
9. Build comprehensive Risk reports and historical data
Ansarada GRC retains data recorded for each Risk Treatment Task and Risk Review. The ability to include attachments, links to other Records and resources makes Ansarada GRC a valuable tool for building an accurate and detailed history of your organisation’s Risk Management performance.
The more Risk Management data Ansarada GRC collects, the more information your organisation has to improve Risk Management and maintain operational safety and performance at peak levels.