Risk evaluation

Axes of consequence

Once a risk has been registered, it must be evaluated. A risk is first evaluated according to probability, then according to selected types of consequences:

  • HSE

  • Environment

  • Quality/process

  • Information security

  • Personal data

  • Preparedness/emergencies.

NEW evaluation / RE evaluation

Once a risk has been defined, it can be evaluated in several places in the organization by NEW evaluating several times and selecting different departments in the org.list each time. The same risks are evaluated on different processes, or different departments / locations, or the same risk on different Assets (e.g. software).

Outcome

When the same risk is evaluated against different areas of the business, we call it different outcomes. In other words, one and the same risk is evaluated with several NEW evaluations with different outcomes.

NB! For each new outcome of a risk, a NEW evaluation must therefore be made. The outcome is tagged during evaluation under the heading "Connection". The outcome must then be unique compared to other outcomes. For each outcome, only RE evaluation shall be carried out later without making any changes to the Connection fields. So - if you are to make an evaluation of an outcome that has already been evaluated, you must RE evaluate this risk (not a NEW evaluation) as this picture illustrates:

 

A NEW evaluation uses the plus icon and RE evaluation uses the "repeat" icon. When doing RE evaluations, you will build up a history of this outcome for probability and consequence and be able to see graphs of the development of the risk outcome. In addition, you will be able to see all measures that have been implemented over time and what effect these have had.

An outcome can therefore be based on different organizations as shown in the image above, but also different processes, suppliers, context, assets and several other data types in the system.

If you receive an e-mail with a reminder that you must "reassess" or "reevaluate" a risk, this means that you RE evaluate the outcome in question and build up the history for this particular outcome.

Risk reduction / realize opportunities in case of residual risk

If you do NOT accept a residual risk during evaluation, you must (the system requires) reduce the risk / take advantage of the opportunity in one (or both) of these two ways:

  • Actions are created to reduce risks and realize opportunities.

  • Refer to security measures/barriers that are in place to prevent the risk.

When working with risk evaluation

  • When a risk is evaluated for the first time (NEW evaluation), the system generates a separate risk evaluation that will inherit the selected tagged organizational elements and processes from its "mother", the risk itself. This action makes the work easier, but you should still check if the tagging is correct so that the outcome is correct. You can of course change them. Choose the correct probability and value for each relevant consequence axis. You must fill in at least one consequence axis.

  • You can choose whether you want to evaluate "Opportunities". This will make the positive scale 1-5 visible during evaluation.

  • You can also choose to set a "Desired situation". It activates a new matrix exactly like the current evaluation, but allows the user to enter a desired/target value. Over time, work must be done to close this gap.

  • For each consequence axis selection, you have to decide whether you can accept residual risk or not. If one is not checked, you must choose a solution with action at the end of the form - that is, what do you do with the rest of the risk/opportunity. To reduce risk and exploit opportunities, add measures and/or controls.

Evaluation of risks

See flowchart in a separate article on how to carry out evaluations in various places in the system.

Section 1 - meta information

Title

  • The system copies the title from the risk itself - can be changed if desired

Description

  • If desired, the evaluation can be described here in more detail: why, change, situation, project, is it a periodical evaluation, etc.

Next evaluation

  • The system automatically sets the next evaluation to one year in the future. Can be changed during evaluation.

Owner

  • The person who owns the risk is automatically entered here - can be changed.

Deputies

  • Here, those who are proxies in the risk itself are copied in - can be edited

Participants

  • Here, the participants from the risk itself are copied in - can be edited

Section 2 - Associated with

Here, when creating a NEW evaluation, you can choose to copy relevant data tagged to the risk itself. All can be changed if necessary. It is recommended NOT to change any attachments during RE evaluation because then the "outcome" will change. In these cases, it is often best to create a NEW evaluation with a different combination for the outcome in question. Feel free to use Title/Description to clarify whether there are different outcomes for the same risk.

Vulnerabilities

  • This field is a plain text field used to describe vulnerability(s) - often in connection with information security risks

Project

  • Project is copied from the risk itself and is locked for change

Section 3 - choice

In this section you make choices that have these explanations

Significant

There can be various reasons for ticking off that an evaluation is significant. It could be, for example, that the risk:

  • is triggered by a legal requirement

  • is triggered by a high-level policy

  • for one reason or another is business-critical in terms of, for example, production, delivery of raw materials, implementation of projects, etc

Evaluations that are significant can be filtered out in the Analysis Dashboard.

Evaluate opportunities

  • By ticking this off, you will also see the positive consequence axis for those who have this and you can make a positive choice. In the standard setup, this applies, among other things, to:

    • quality

    • environment

    • health and safety

    • information security

  • it is possible to use the Risk matrix builder under the "System tools" menu to define which consequence categories should have this option.

Set target

  • This choice makes an additional matrix set visible for each axis of consequence and for probability so that you can define a desired situation for the risk evaluation, or "target risk" as some also call it. This makes it easier to see when you can accept residual risk.

Environmental aspect evaluation

  • If this evaluation concerns an environmental aspect (not environmental risk), this is selected. If the risk is ticked, the evaluation will automatically inherit the selection.

  • This means that these can be separated in the Analysis tool.

  • Remember then that Probability then has the meaning "Amount".

Residual risk

When you have achieved the desired risk picture, you choose to accept residual risk. The system will then show the relevant risk axis in all overviews as green, else it will it be red, which clearly communicates to the end user that this risk/possibility must be worked on further. If in the evaluation you check that residual risk is accepted, you must fill in a comment and explain.

 

Overview of the evaluations

  • Use the Home page in the risk module to quickly view my or my unit's risk/ratings.

  • In the process map, the assessments will be made visible.

  • Analysis Dashboard provides an overview of the entire organisation's risk assessments, you can view/filter all the organisation's risk assessments per:

    • Company, department, process, type, group.

    • A given snapshot at the desired time.

    • Can filter and display only project risks.

    • Click on the number in a matrix to display details of the risks in the table to the right.

    • Switch to ID to find your risk assessment more easily.

  • Graph of the risk assessments over time - see if the risk picture has changed over time, see the impact of implemented measures.

Grouping – and visibility in process maps

Based on a risk evaluation, the mapped risks will be sorted, various consequences are shown in process maps

Videos explaining risk-evaluations:

Evaluate and re-evaluate risks: https://youtu.be/q74WNRhfo7E

Re-evaluation from Analysis dashboard: https://youtu.be/FLSyByz5mgo

Risk evaluation Environmental aspect: https://youtu.be/JzALJVGE5tw