
Risk Management

Learn how to implement Asset, Third Party and Business Risk Management in eramba. Given the large number of relationships that Risks have with other modules, this course is probably the longest in our entire curricula.

  • Episodes: 11
  • Duration: 45m 56s
  • Languages: EN
Episode 7

Identifying Risks

Identify and record the key components required to document Risks

Introduction

As explained in the introduction of this course, there are three types of Risks:

  • Asset Risks
  • Third Party Risks
  • Business Risks

They all need an "Input" that describes what the Risk is about; which "Inputs" you need depends on the type of Risk you are creating. The diagram below shows the relationships. For example, an "Asset Risk" requires at least one "Asset", and that "Asset" in turn needs at least one "Business Unit".

Risks have four treatment options, which can be combined: Policies, Internal Controls, Exceptions and Projects. For example, if an "Asset Risk" describes how "Laptops can be lost or stolen", your treatment might be two mitigating "Internal Controls" named "Laptop Encryption" and "Central Authentication". You might also link a "Project" called "New central data loss prevention solution".

In this episode, we are concerned with the identification of Risks, not with their treatment. We will explain in detail which items you need and one method for obtaining them.

Note: there are countless methods for identifying Risks; we are simply providing one simple method that ensures you collect the "Inputs" you need.

Prerequisites

Make sure you complete the Supporting Modules / Asset Management course before you continue with this guide.

Dependencies

As shown in the diagram above, the type of Risk you want to create determines which inputs you need:

Risk Type        | Business Units | Process      | Assets       | Third Parties | Liabilities
-----------------|----------------|--------------|--------------|---------------|-------------
Asset Risk       | At least one   | Not required | At least one | Not required  | Optional
Third-Party Risk | At least one   | Not required | At least one | At least one  | Optional
Business Risk    | At least one   | Optional     | Not required | Not required  | Not required
  • For example, an Asset Risk titled "Laptops can be lost or stolen" could have as inputs two "Assets" called "Laptops" and "Phones", and those two assets would have as a parent BU "IT".
  • For example, a Third Party Risk titled "Offices Equipment Stolen by Cleaning night shift" could have as inputs a Third Party called "Cleaning Company", an asset called "Office Equipment", and the BU that owns that asset would be called "Facilities".
  • For example, a Business Risk titled "Staffing Issues prevent IT Ops from running" could have as inputs a Business Unit called "HR" and a process called "Recruiting".

The examples above are generic and are meant to help the reader understand that Risks can be described in three ways.

Identification Method

Your goal is to collect those inputs and, from them, identify the Risks that will go into eramba. Your goal is also to make sure that all those objects (Assets, Third Parties, Risks, etc.) have clear owners. You will use "Groups" as owners; hopefully you followed our implementation guides and already have them in your system. In this episode, we present a simple method that helps you collect all the information you need to input Risks in eramba.

The method described here is very simple and has proven to work in practice. There are many ways to do this; this is just one of them.

  • Define the scope of your Risk practice. It can be one department, two, all, etc. If your scope is not the entire organization, always remember that the strength of a chain is determined by its weakest link. In our example, the scope will be the entire organization.
  • Break down the organization into "manageable" pieces with clear owners. In our example, we break down the organization into HR, IT, Finance and Sales. Each should have one or more owners, and you should also have one group in eramba for each of those BUs. You might have additional groups not mapped to any BU.
  • Set up a meeting with each of those "Owners" and let them know you are building a Risk register that will hopefully help them make their Risks visible to the board and get some funding to deal with them.

At this stage what we need is to understand from these owners what they do and what risks they face. They are the experts in their area, so it is wise to listen to them. We simply help them think about those risks using a set of questions. The following lists the questions you need to ask, with example answers from the Business Unit "Finance":

  • What do you guys do here? We do invoices, pay invoices, review expenses, calculate taxes and administer budgets. They will most likely spend half an hour talking about it; our job is to keep it simple. These will be your "Processes".
  • With what? We use Laptops, Email, SharePoint, Banking Applications and Invoices. As you can see, this is not an inventory; review the "Typical Questions" section of our Asset Management course if you expected one. These will be your "Assets".
  • With whom? Tax Consultants. These will be your "Third Parties".
  • Under what regulations? SOX and various commercial contractual agreements. These will be your "Liabilities".

In its simplest form, you will get a table somewhat like the one below. This will help you input everything you need into eramba, but first, you need Risks.

You can now go through this list of objects and brainstorm with the Finance BU Owner about what problems could exist. Typically they already know what Risks they face, and ignoring them could be a costly mistake: imagine they become a reality and you hear "I told you". We recommend that at this stage you collect a few risks and describe each with a very good "title".

Like newspapers, you will need to get creative to make it striking! A typical Risk title includes:

  • Threat (Unauthorized Access)
  • Vulnerability (lack of provisioning)
  • Asset, Third Party or Business Unit (Banking in this case)
  • Ideally an adjective, such as "Massive"

Repeating this method through all your departments will get you all the inputs you need to start recording Risks in eramba.

Questionnaires

No matter whether you go through the interviews above in person or over email, phone or Zoom, you will be asking questions and expecting answers.

eramba has an Online Assessment module that allows you to upload questionnaires and send them online to anyone (people inside or outside your organization, such as Third Parties). We recommend you look at the Supporting Modules / Online Assessment module to know more.

Existing Risk Registers

If your organization already has a list of Risks, then your focus should perhaps be on importing them into eramba. While we focus on the creation of Risks in the next episodes, you should prepare your spreadsheets so that they provide the inputs eramba needs.

As long as you have those inputs, you will just have to match your spreadsheet columns to the fields eramba needs, and this is for the most part a copy/paste exercise.
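The dependency table earlier in this episode is, in effect, a validation rule: before you copy an existing register into eramba, every row should satisfy the "At least one" cells for its Risk type. The script below is an added example written for this page, not eramba's own code or import format. It encodes the table as a matrix, checks a constructed sample register built from the three examples given above (plus one deliberately incomplete row), and reports which rows would fail. The record layout (`RiskRecord`) and the treatment of populated "Not required" cells as warnings rather than errors are assumptions of this example.

```python
"""Validate risk register rows against the input dependency matrix.

Added example, not eramba's own code. The matrix mirrors the table in this
episode; RiskRecord is a constructed stand-in for one spreadsheet row.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Each risk type maps an input kind to the cell in the episode's table.
INPUT_MATRIX: Dict[str, Dict[str, str]] = {
    "Asset Risk": {
        "business_units": "at least one",
        "process": "not required",
        "assets": "at least one",
        "third_parties": "not required",
        "liabilities": "optional",
    },
    "Third-Party Risk": {
        "business_units": "at least one",
        "process": "not required",
        "assets": "at least one",
        "third_parties": "at least one",
        "liabilities": "optional",
    },
    "Business Risk": {
        "business_units": "at least one",
        "process": "optional",
        "assets": "not required",
        "third_parties": "not required",
        "liabilities": "not required",
    },
}


@dataclass
class RiskRecord:
    """One row of a register prepared for import (constructed layout)."""
    title: str
    risk_type: str
    business_units: List[str] = field(default_factory=list)
    process: List[str] = field(default_factory=list)
    assets: List[str] = field(default_factory=list)
    third_parties: List[str] = field(default_factory=list)
    liabilities: List[str] = field(default_factory=list)


def validate_record(record: RiskRecord) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]} for one row.

    An error is raised for every "at least one" input left empty. A populated
    "not required" input produces a warning only (assumption: there is no
    field for it on that risk type, so the value would be silently dropped).
    """
    result: Dict[str, List[str]] = {"errors": [], "warnings": []}
    rules = INPUT_MATRIX.get(record.risk_type)
    if rules is None:
        result["errors"].append(f"unknown risk type {record.risk_type!r}")
        return result
    for input_kind, rule in rules.items():
        values = getattr(record, input_kind)
        if rule == "at least one" and not values:
            result["errors"].append(
                f"{input_kind}: at least one is required for {record.risk_type!r}")
        elif rule == "not required" and values:
            result["warnings"].append(
                f"{input_kind}: not used by {record.risk_type!r}, values {values}")
    return result


def validate_register(records: List[RiskRecord]) -> Dict[str, Dict[str, List[str]]]:
    """Validate a whole register; returns findings keyed by title, clean rows omitted."""
    findings = {}
    for rec in records:
        res = validate_record(rec)
        if res["errors"] or res["warnings"]:
            findings[rec.title] = res
    return findings


# Constructed sample register: the three examples from this episode plus one
# row that is missing its Asset input.
SAMPLE_REGISTER = [
    RiskRecord("Laptops can be lost or stolen", "Asset Risk",
               business_units=["IT"], assets=["Laptops", "Phones"]),
    RiskRecord("Offices Equipment Stolen by Cleaning night shift", "Third-Party Risk",
               business_units=["Facilities"], assets=["Office Equipment"],
               third_parties=["Cleaning Company"]),
    RiskRecord("Staffing Issues prevent IT Ops from running", "Business Risk",
               business_units=["HR"], process=["Recruiting"]),
    RiskRecord("Unencrypted backups leave the building", "Asset Risk",
               business_units=["IT"]),
]

if __name__ == "__main__":
    for title, res in validate_register(SAMPLE_REGISTER).items():
        print(title)
        for kind in ("errors", "warnings"):
            for msg in res[kind]:
                print(f"  {kind[:-1]}: {msg}")
```

Run it over your own exported register by building one `RiskRecord` per spreadsheet row; any title that appears in the output needs an input filled in before the copy/paste exercise will succeed.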