The following flowchart outlines the TriLine GRC Risk Management process.
Note: The TriLine GRC Risk Management features are highly configurable—you can use as much or as little of the Risk Management feature set as your organisation needs. As such, this section discusses Risk Management features of TriLine GRC that may not be enabled on your TriLine GRC system.
1. Identify and analyse Risk
Individuals appropriately trained and experienced in Risk Analysis should identify and analyse the Risks for your organisation.
If your organisation is moving from another Risk Management System to TriLine GRC, a lot of this work has probably already been done and it’s just a matter of getting the information into TriLine GRC.
Tip: Consider a plan to transfer existing Risks into TriLine GRC as they become due for Review, or as an associated Task (e.g. a Risk Treatment) becomes due. This avoids having to get everything into TriLine GRC in one go—a daunting exercise if you have a lot of recorded Risks and associated Treatment Tasks.
2. Assess Risk and record in TriLine GRC
For each identified Risk, a suitably-qualified individual or group must assess the Risk. In TriLine GRC, the assessment is based on a default of Likelihood versus Consequences. However, you can alter the Risk calculation formula to include Adequacy and Management factors.
The assessment is also based on:
Inherent Risk (the impact of the Risk before controls and treatments are applied) and
Residual Risk (the reduced impact following application of controls and treatments).
The assessment results are recorded on the Risk’s editing page (the ‘Risk Page’) within TriLine GRC.
3. TriLine GRC calculates Risk Score
Once the assessment results (e.g. ‘Likelihood’ and ‘Consequences’ ratings for Inherent and Residual Risk) are input to the Risk Page, TriLine GRC calculates the Risk Score based on a customisable 5 x 5 Risk Matrix.
Every time the Risk is reviewed, TriLine GRC calculates a new Risk Score. Over time, a Risk Score History is compiled. This can be very useful for assessing the effectiveness (or otherwise) of any applied Risk Treatments and other controls.
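The calculation described above (Likelihood versus Consequences on a 5 x 5 matrix, scored separately for Inherent and Residual Risk, with a Risk Score History built up over reviews), as an added worked example that is not TriLine GRC's own code. The rating bands, the multiplication formula and the sample reviews are constructed for this example; TriLine GRC's matrix is customisable and may differ.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed 5 x 5 matrix: Likelihood and Consequence are each rated 1..5,
# score = likelihood * consequence (1..25), banded into a rating label.
# These bands are constructed for the example, not TriLine GRC's defaults.
RATING_BANDS = [(1, 4, "Low"), (5, 9, "Moderate"), (10, 15, "High"), (16, 25, "Extreme")]

def risk_score(likelihood: int, consequence: int) -> int:
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("ratings must be 1..5 on a 5 x 5 matrix")
    return likelihood * consequence

def risk_rating(score: int) -> str:
    for low, high, label in RATING_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the matrix")

@dataclass
class Assessment:
    review_date: str
    inherent: tuple   # (likelihood, consequence) before controls and treatments
    residual: tuple   # (likelihood, consequence) after controls and treatments

@dataclass
class Risk:
    name: str
    history: list = field(default_factory=list)   # Risk Score History, one entry per review

    def record_review(self, a: Assessment) -> dict:
        entry = {
            "date": a.review_date,
            "inherent_score": risk_score(*a.inherent),
            "residual_score": risk_score(*a.residual),
        }
        entry["residual_rating"] = risk_rating(entry["residual_score"])
        self.history.append(entry)
        return entry

    def treatment_effective(self) -> Optional[bool]:
        """True if the latest Residual score is below the first recorded one; None with a single review."""
        if len(self.history) < 2:
            return None
        return self.history[-1]["residual_score"] < self.history[0]["residual_score"]

def demo() -> Risk:
    # Constructed sample: three quarterly reviews of one Risk while treatments are applied
    r = Risk("Unpatched internet-facing server")
    r.record_review(Assessment("2024-01-15", (4, 5), (4, 4)))
    r.record_review(Assessment("2024-04-15", (4, 5), (3, 4)))
    r.record_review(Assessment("2024-07-15", (4, 5), (2, 3)))
    return r
```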
4. Create Treatment Plan and allocate Tasks
Qualified individuals determine the Risk Treatment Plan and associated Tasks that need to be carried out to mitigate or eliminate the Risk.
A Task schedule is also worked out at this stage.
The Treatment Plan, associated Tasks and Task Schedule are recorded in TriLine GRC on the Risk Page.
5. Set Risk Review Schedule for Risk Owners
The level of Risk will vary over time as a result of changing circumstances and the effectiveness of the Treatment Plan and other controls in place.
Because of these factors, Risks must be periodically reviewed and, if necessary, the Risk Rating adjusted to reflect current conditions.
A qualified person or group must determine how often a Risk should be reviewed. This schedule is then input to TriLine GRC via the Risk Page.
6. TriLine GRC generates Tasks and sends email Reminders
On the appropriate date (determined by the Schedule and Reminder settings in each Risk’s Page settings), TriLine GRC generates Treatment Tasks (and Risk Review Tasks when required) and emails the person recorded in the Risk Record as responsible for Actioning the Task (the ‘Actioned By’ Position).
The generated Tasks are displayed in each ‘Actioned By’ Position’s ‘My Tasks’ page.
7. Individual records completion of Treatment Tasks
Once an ‘Actioned By’ Position completes a Treatment Task, the person records task completion in TriLine GRC via the ‘My Tasks’ Page.
If a Task is not completed within the specified time, TriLine GRC sends an alert email to the person nominated as the ‘Escalate To’ Position for the Task. This ensures that incomplete Tasks are followed up straight away and not forgotten.
8. Risk Owner reviews and re-assesses Risk
Once a Risk Owner has reviewed the Risk and updated the Risk Rating in TriLine GRC, a new Risk Score is automatically calculated. Over time, a Risk Score History is built and this can assist with future Risk Assessments.
As with Treatment Tasks, if a Risk Review isn’t completed on time, TriLine GRC sends an alert email to the person nominated as the ‘Escalate To’ Position for the Risk Review Task.
7&8. Task not completed—Task is escalated to Position’s Manager
If a Risk Review or Risk Treatment Task is not completed on time, or won’t be completed at all for some reason, then TriLine GRC provides a way to ensure that this is managed.
You can set a Position to be the ‘Escalate To’ Position for each Task. If the Task is not completed by the due date, TriLine GRC sends a notification email:
Every day beyond the due date, to the ‘Actioned By’ Position, until the Task is done.
Once to the ‘Escalate To’ Position, so they can act on this information as required.
This ensures that your Risk Review or Treatment Tasks are not missed.
Note: The escalation process does not move tasks from the Actioned By Position to the Escalation Position. The responsibility to complete the task remains with the Actioned By Position. The escalation process allows the Escalation Position to know when tasks are not completed by the due date so that they may choose to act.
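The notification rules in this section (a daily reminder to the ‘Actioned By’ Position until the Task is done, a single email to the ‘Escalate To’ Position, and no transfer of responsibility), as an added example that is not TriLine GRC's own code. It assumes the single escalation email goes out on the first overdue day; the Positions, dates and Task title are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Task:
    title: str
    due: date
    actioned_by: str        # Position responsible for completing the Task
    escalate_to: str        # Position told once that the Task is overdue
    completed: bool = False
    escalation_sent: bool = False

def notifications_for(task: Task, today: date) -> list:
    """Return (recipient, message) pairs to email on `today`.
    Assumption: the one-off 'Escalate To' email is sent on the first overdue day."""
    if task.completed or today <= task.due:
        return []
    overdue_days = (today - task.due).days
    out = [(task.actioned_by, f"Reminder: '{task.title}' is {overdue_days} day(s) overdue")]
    if not task.escalation_sent:
        out.append((task.escalate_to, f"Escalation: '{task.title}' not completed by {task.due}"))
        task.escalation_sent = True
    # Responsibility is not transferred: task.actioned_by is left unchanged.
    return out

def run_daily_job(task: Task, start: date, days: int, complete_on=None) -> list:
    """Simulate the daily job over a window; returns (date, recipient, message) entries."""
    log = []
    for i in range(days):
        today = start + timedelta(days=i)
        if complete_on is not None and today == complete_on:
            task.completed = True      # Actioned By records completion via 'My Tasks'
        for recipient, msg in notifications_for(task, today):
            log.append((today.isoformat(), recipient, msg))
    return log

def demo() -> list:
    # Constructed sample: Review Task due 1 March, completed on 4 March
    task = Task("Quarterly review: data-centre access risk", date(2024, 3, 1),
                actioned_by="IT Security Manager", escalate_to="CIO")
    return run_daily_job(task, date(2024, 2, 29), 6, complete_on=date(2024, 3, 4))
```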
9. Build comprehensive Risk reports and historical data
TriLine GRC retains data recorded for each Risk Treatment Task and Risk Review. The ability to include attachments, links to other Records and resources makes TriLine GRC a valuable tool for building an accurate and detailed history of your organisation’s Risk Management performance.
The more Risk Management data TriLine GRC collects, the more information your organisation has to improve Risk Management and maintain operational safety and performance at peak levels.