International Standard ISO 31000:2009 Risk Management - Principles and Guidelines defines Risk as:
“…the effect of uncertainty on objectives.”
Organisations reduce this uncertainty through the effective management of Risk.
Understanding Risk Management
If you’re going to be involved in Risk Management using TriLine GRC, we strongly recommend that you familiarise yourself with International Standard ISO 31000:2009 Risk Management - Principles and Guidelines.
Implementation - Risk Introduction
High Level Risk Process
High Level Risk Process
Key Features
Key Features
Benefits
Benefits
Objectives
Objectives
The TriLine GRC Risk Management Process
Note:
TriLine GRC Risk Management features are highly configurable—you can use as much or as little of the Risk Management feature set as your organisation needs.
As such, this section discusses Risk Management features of TriLine GRC that may not be enabled on your TriLine GRC system.
The following flowchart outlines the TriLine GRC Risk Management process.
Individuals appropriately trained and experienced in Risk Analysis should identify and analyse the Risks for your organisation.
If your organisation is moving from another Risk Management System to TriLine GRC, a lot of this work has probably already been done and it’s just a matter of getting the information into TriLine GRC.
Tip:
Consider a plan to transfer existing Risks into TriLine GRC as they become due for Review, or as an associated Task (e.g. a Risk Treatment) becomes due. This will avoid you having to try and get everything into TriLine GRC in one go—a daunting exercise if you have a lot of recorded Risks and associated Treatment Tasks.
For each identified Risk, a suitably-qualified individual or group must assess the Risk. In TriLine GRC, the assessment is based on a default of Likelihood versus Consequences. However, you can alter the Risk calculation formula to include Adequacy and Management factors.
The assessment is also based on:
Inherent Risk (the impact of the Risk before controls and treatments are applied) and
Residual Risk (the reduced impact following application of controls and treatments).
The assessment results are recorded on the Risk’s editing page (the ‘Risk Page’) within TriLine GRC.
Once the assessment results (e.g. ‘Likelihood’ and ‘Consequences’ ratings for Inherent and Residual Risk) are input to the Risk Page, TriLine GRC calculates the Risk Score based on a customisable 5 x 5 Risk Matrix.
Every time the Risk is reviewed, TriLine GRC calculates a new Risk Score. Over time, a Risk Score History is compiled. This can be very useful for assessing the effectiveness (or otherwise) of any applied Risk Treatments and other controls.
On the appropriate date (determined by the Schedule and Reminder settings in each Risk’s Page settings), TriLine GRC generates Treatment Tasks (and Risk Review Tasks when required) and emails the person recorded in the Risk Record as responsible for Actioning the Task (the ‘Actioned By’ Position).
The generated Tasks are displayed in each ‘Actioned By’ Position’s ‘My Tasks’ page.
Once an ‘Actioned By’ Position completes a Treatment Task, the person records task completion in TriLine GRC via the ‘My Tasks’ Page.
If a Task is not completed within the specified time, TriLine GRC sends an alert email to the person nominated as the ‘Escalate To’ Position for the Task. This ensures that incomplete Tasks are followed up straight away and not forgotten.
One a Risk Owner has reviewed the Risk and updated the Risk Rating in TriLine GRC, a new Risk Score is automatically calculated. Over time, a Risk Score History is built and this can assist with future Risk Assessments.
As with Treatment Tasks, if a Risk Review isn’t completed on time, TriLine GRC sends an alert email to the person nominated as the ‘Escalate To’ Position for the Risk Review Task.
Task not completed—Task is escalated to Position’s Manager
If a Risk Review or Risk Treatment Task is not completed on time, or won’t be completed at all for some reason, then TriLine GRC provides a way to ensure that this is managed.
You can set a Position to be the ‘Escalate To’ Position for each Task. If the Task is not completed by the due date, TriLine GRC sends a notification email:
Every day beyond the due date, to the the ‘Actioned By’ Position, till the Task is done.
Once to the ‘Escalate To’ Position, so they can act on this information as required.
This ensures that your Risk Review or Treatment Tasks are not missed.
Note: The escalation process does not move tasks from the Actioned By Position to the Escalation Position. The responsibility to complete the task remains with the Actioned By Position. The escalation process allows the Escalation Position to know when tasks are not completed by the due date so that they may choose to act.
Build comprehensive Risk reports and historical data
TriLine GRC retains data recorded for each Risk Treatment Task and Risk Review. The ability to include attachments, links to other Records and resources makes TriLine GRC a valuable tool for building an accurate and detailed history of your organisation’s Risk Management performance.
The more Risk Management data TriLine GRC collects, the more information your organisation has to improve Risk Management and maintain operational safety and performance at peak levels.
Risk Hierarchy
In Risk Management, some Risks give rise to other Risks. Typically these Risks are high-level, an example being the occurrence of WHS incidents which introduces follow-on Risks such as:
Employee absence,
Deterioration of Company reputation,
Financial losses through down-time, Employee recovery, regulatory penalties and so on.
TriLine GRC has the facility to identify levels of Risk both above and below a particular Risk.
Note:
The Risk Hierarchy feature must be selected in the ‘Risk’ tab of the TriLine GRC Configuration Page.
Risk Levels in TriLine GRC
In TriLine GRC, Risk Levels are relative to the current Risk, which is always considered to be a Level 1 Risk.
Risks that sit below the current Risk are considered to be Level 2 Risks, while Risks that sit above the current Risk are Level 0 Risks.
For example, if the current Risk is the ‘WHS Incidents’ Risk from the example above, then:
The ‘Employee absence’ Risk is a Level 2 Risk,
the ‘Deterioration of Company reputation’ Risk is a Level 2 Risk, and
the ‘Financial losses’ Risk is a Level 2 Risk.
If you shift your focus to make ‘Employee absence’ the current Risk, then:
the ‘Employee absence’ Risk is a Level 1 Risk,
the ‘WHS Incident’ Risk is a Level 0 Risk (above the current Risk),
the Deterioration of Company reputation' and ‘Financial losses’ Risks are both Level 1 Risk (being at the same level as the current Risk).
Setting Risk Levels
Within a Risk’s Record Page, you can set other Risks to be either a Level 0 Risk (above the current Risk) or a Level 2 Risk (below the current Risk). Level 0 and Level 2 Risks are managed on separate tabs within a ‘Risk Hierarchy’ tab in the Risk Page.
You can view all Risk Levels within a Risk Hierarchy by running a Risk Hierarchy Report:
From the Main Menu, select Reports | Risks | Risks.
The ‘Risk Reports’ Page is displayed and the ‘Settings’ popup window appears.
In the ‘Settings’ popup window, click the ‘Select Report’ drop-down list and choose ‘Risk Hierarchy’.
Note: The term ‘Risk Hierarchy’ is configurable and your TriLine GRC system may display a different label.
The Risk Hierarchy Report is displayed (see sample below).
Sample from the Risk Hierarchy Report
In Risk Hierarchy Reports, top-level Risks (i.e. those Risks with no Level 0 Risks) are Level 1 Risks and are shaded.
The sample Report above shows Risks at Level 1 Risk, 1, with two levels of Risk below it. (A number enclosed in a hollow circle identifies Risk Levels 2 and below.)
Some of the Level 2 Risks, 2, have one or more Level 3 Risks 3 below them.
Risk Hierarchy and Risk Score calculation
Where Risk Hierarchy and Risk Scoring are both used in a TriLine GRC system, a Risk Score Summary is presented for each lower Risk Level containing two or more Risks. This includes:
on the ‘Level 2 Risks’ tab of the current Risk Page, and
in the Risk Hierarchy Report.
In the sample Risk Hierarchy Report above, note the Risk Score Summary panels 4 and 5:
