Basics of risk management and integrated control systems

Terms of risk management

Risk Identification: Risk identification includes everything that leads you to record a risk for assessment and further control. You have the following options:

  • Process New Risk: This allows you to record the risk in one step. It then appears immediately in the risk catalogue, marked as a risk that is still Not approved. For a new risk, the name of the risk and the Risk Owner must be specified so that a risk assessment is possible. All other input fields depend on the settings of your system.

  • Process Registration Of Risks: If you want new risks to be confirmed by those responsible before they appear in the risk catalogue, multi-level recording and approval is available. The new risk must be approved first by the Risk Owner, and then by the Risk Category Responsible (another overriding role, e.g. a central risk manager). Both roles can also reject the risk or send it back to the previous process if the information is incomplete or incorrect.

  • Transfer of risks from diagrams in BIC Process Design: When diagrams are published in BIC Process Design, risks can be transferred automatically by using the Publish feature.

Risk Control: Risk management includes all activities to reduce the probability and impact of the risks. Based on these two fields, the software automatically calculates the Risk Rating.

  • If a risk is accepted, activities only follow when the risk has actually occurred.

  • When a risk is transferred, another organization (e.g. an insurance company) takes over the impact. This results in at least one activity: agreeing on a contract to take over the Risk Impact. The Action Management process is available for planning and tracking this activity.

  • If a risk is avoided, its effects on your own company should be avoided entirely (not only reduced). Since business activities involve risks, the corresponding business activities must be abandoned to avoid them.

  • If a risk is reduced, you have to plan and implement activities that have a favorable effect on the probability or on the impact. The Action Management process is available for a one-time activity. In general, however, regular activities are necessary for permanent reduction, and controls are available for this.

Risk Assessment: It includes the assessment of the risk Probability and Impact, as well as the Risk Owner's decision on which response to take (acceptance, transfer, avoidance, mitigation). A higher-level role, e.g. a central risk manager acting as Risk Category Responsible, can be included to check the risk assessment.

Test of Completeness: The Risk Owner should regularly review whether the risk is fully managed through appropriate activities. If you want to reduce a risk, the Risk Owner should assess whether the likelihood of occurrence and the extent of the risk are sufficiently reduced by the assigned controls, or whether there are gaps that have not yet been completely covered by controls or actions.

Action Management: If risks do occur, activities to limit and regulate the impact become necessary. The Action Management process is available for planning and tracking this type of activity.

Hint

It is possible to manage who is allowed to start a specific type of process. See Processes administration.

Terms of integrated control systems

Control Identification: Control identification includes everything that leads you to record a control to mitigate a certain risk. You have the following options:

  • Process New Control: This allows you to record the control in one step. It then appears immediately in the control catalogue, marked as a control that is still Not approved. For a new control, the name of the control, the assigned risk and the Control Owner must be specified so that an inspection is possible. All other input fields depend on the settings of your system.

  • Process Registration Of Controls: If you want new controls to be confirmed by those responsible before they appear in the control catalogue, multi-level recording and approval is available. The control must be approved first by the Control Owner, and then by the Risk Owner of the assigned risk. Both roles can also reject the control or send it back to the previous process if the information is incomplete or incorrect.

  • Transfer of controls from diagrams in BIC Process Design: When diagrams are published in BIC Process Design, controls that are already assigned to risks can be transferred automatically by using the Publish feature.

Test of Design: The Control Owner must regularly check whether the control activity and execution intervals are suitable to adequately reduce the risk. If the Control Owner does not consider the control to be appropriate, the Action Management process is started in order to plan and track the activities to restore adequacy.

Test of Effectiveness of Controls: The Control Tester must regularly check whether the control is actually and effectively carried out. If the Control Tester does not consider the control to be appropriate, the Action Management process is started in order to plan and track the activities to restore effectiveness.

Performance of Controls: With the process Performance of Controls, you can document in the system that the activity described as a control has been performed. The process is started regularly for controls with defined execution intervals. For controls without an execution interval, you can start the process in the control catalogue. The process is always assigned to the person who is entered as the Execution of Control. If deviations are discovered during the control process, the Action Management process is started in order to plan and track the reaction to those deviations.

Action Management: The control system consists of planning and monitoring the processing of all processes. Planning is carried out by setting dates and execution intervals for all processes. The software takes over the start of the processes, as well as the monitoring of the deadlines for these processes, so you can fully focus on further developing the control system and correcting deviations.

Hint

It is possible to manage who is allowed to start a specific type of process. See Processes administration.