Assess Risks

Risk owners and their delegates are responsible for assessing risks and ensuring that they are properly mitigated by attaching controls, key risk indicators (KRIs), and issues. Once users in the group have completed their tasks, the risks are then sent to the Risk Team for review. 

All assigned risks appear on the My Tasks page.

These steps can also be completed by the risk team from the Risk Assessment section of the Assess & Treat tab. However, it is recommended that the risk owner be the one to assess risks.

To assess risks:

  1. Log in to a user account that's been added to the Risk Owner & Delegate user group to display the My Tasks page.

  2. Click a risk to display the Assess Risk form. 
  3. In the Inherent Risk Assessment section:
    1. In the Inherent Risk tab, select the appropriate ratings from the Inherent Impact and Inherent Likelihood fields to generate an inherent risk score.

    2. Optional: Click the Contributing Factors tab to review any contributing factors attached to this risk. To add an existing contributing factor, click Add Existing Contributing Factor, type its name in the search bar, and select it. To create a new factor from scratch, click + Create New and fill in the required fields.

    3. Optional: Click the Historical Trending tab to view a chart showing how the inherent risk score has changed over time.

  4. In the Document Controls and Determine Control Effectiveness section:
    1. Add a control to the risk by clicking Add Existing Controls in the Document Controls and Determine Control Effectiveness section. Begin typing in the search bar to search for existing controls. Click Add next to each appropriate control to add it to the risk.
      If there are no controls appropriate to this risk, you can submit a new risk yourself, but the Risk Team must approve it. 
    2. Click any controls in this section to display the Control Assessment dialog.
    3. Begin typing in the Control Owner and Control Delegate fields and click to select an appropriate user.
    4. Fill in the remaining fields as required. See the Assess a Control article for more information on filling in the rest of the form.
    5. Select a control effectiveness from the Control Effectiveness select list in the Document Controls and Determine Control Effectiveness section.
  5. In the Residual Risk section: 
    1. In the Residual Risk tab, select the appropriate ratings from the Residual Impact and Residual Likelihood fields to generate a residual risk score.

    2. Optional: Click the Related Incidents tab to review any incident types attached to this risk. An existing incident type can be added by typing its name in the search bar and selecting it.

    3. Optional: Click the Key Risk Indicators tab to review any KRIs attached to this risk. An existing KRI can be added by clicking Add Existing Key Risk Indicators, or a new one can be created from scratch by clicking Create New. See the Create & Monitor KRIs article for more information.

      While this may vary depending on the organization, it is recommended that the risk team create KRIs and assign them to indicator owners. However, the risk owner is capable of doing this as well.
    4. Optional: Click the Loss Events tab to review any loss events attached to this risk. An existing loss event can be added by clicking Add Existing Loss Events or a new one can be created from scratch by clicking Create New. See the Submit a Loss Event article for more information.

    5. Optional: Click the Historical Trending tab to view a chart showing how the inherent risk score has changed over time.

  6. In the Risk Treatment section:
    1. Select one of the following treatment options in the Risk Response Plan dropdown.

      • Tolerate - Accept: The risk owner accepts the risk as is and no further action is taken.

      • Treat - Reduce: Corrective action must be performed on this risk in order to mitigate its impact on the organization.

      • Transfer - Share: Corrective action must be performed on the risk, but it must be transferred to or shared with another individual and/or group within the organization.

      • Terminate - Avoid: This risk can be avoided and should be removed from the library.

      • Not Applicable: This risk is not applicable to the organization.

    2. Enter a description of the treatment in the Comments on Disposition field.

      The Document Issues and Corrective Actions section will not appear if the user chose Tolerate - Accept or Not Applicable. If either of these options was selected, skip to step 9.


  7. In the Document Issues and Corrective Actions section, an existing contributing issue can be added by clicking Add Existing Issue, typing its name in the search bar, and selecting it. To create a new issue from scratch, click + Create New and fill in the required fields. See the Review an Issue and Review a Corrective Action articles for more detailed information on filling out these forms.
  8. Optional: Expand the Related Assessments section to view the assessments related to the risk.
  9. Optional: Add comments, as needed.
  10. Click one of the following buttons: 
    • View Risk Profile: Opens a report that shows a high-level summary of the risk, including its scores, its trending data, and the controls, issues, and KRIs attached to the risk.
    • Escalate Risk: Sends the risk back to the risk team for further review. This button will only appear for the Treat - Reduce and Transfer - Share treatment options.
    • Submit For Review: Completes the risk assessment and sends it to the risk team for review.