Risk Actions

Introduction

OpRiskControl users are able to record Actions to reduce the likelihood of or mitigate a Risk.

You can add as many Actions to a Risk as required. When you enter a potential Action, it is not included in the calculation of Residual Risk until you flag the Action as completed. Only the Action name and description are mandatory. However, if you require the system to automatically calculate the Residual Risk, you will need to enter the percent reduction in Likelihood or Consequence or by transfer of Risk. (To reduce Risks by levels rather than a percentage, see “Action Reductions”). When the Action has actually been completed, the completion date should be entered on this form. The effectiveness of the Action is then included in the calculation of Residual Risk.

Action Search

When a Risk is displayed and you click the Action tab, you will see a list of Actions that have been attached to the Risk. If you wish to add an Action, click the New Action button.


The Action grid includes the following columns:

  • Action Code – The Action Code used to create the Action.
  • Stage – The Stage is determined automatically, based on the status of the Risk and of the Action:
    • When the Risk has not been accepted and the Risk status is Input, the Action is In Progress.
    • When the Risk status is Open and the Action has a Completed Date or the Action is an existing control, the Action is Completed.
    • When the Risk status is Open and the Action has neither a Due Date nor a Completed Date, the Action is In Progress.
    • When the Risk status is Open and the Action has a Due Date but does not have a Completed Date, the Action is Scheduled.
    • When the Risk status is Closed, Cancelled or Suspended, the Action is Non Active.
  • Action Owner – The user who was assigned as the Action Owner.
  • Due Date – The date selected for the Due Date.
  • Completed Date – The date the Action was completed.
  • Action Status – The current status of the Action (for example: Active, Cancelled, Closed, Completed or Suspended).
  • Test Result – The current entry in the Test Result field.
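The Stage rules above, written out as an added example (not OpRiskControl's own code). It also applies the effectiveness rule stated elsewhere on this page (an Action must be Open and have a Completed Date or be an Existing Control) to show that a Completed Stage does not by itself mean the Action reduces Residual Risk. The record layout and function names are hypothetical, the Input check is assumed to cover "not accepted", and the "Override Residual" setting is not modelled.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Risk statuses for which the page lists the Action as Non Active.
NON_ACTIVE_RISK = {"Closed", "Cancelled", "Suspended"}


@dataclass
class Action:
    # Hypothetical record; field names mirror the grid columns, not a real export format.
    code: str
    status: str = "Open"
    due_date: Optional[date] = None
    completed_date: Optional[date] = None
    existing_control: bool = False


def stage(risk_status: str, action: Action) -> str:
    """Derive the Stage column from the rules listed above."""
    if risk_status in NON_ACTIVE_RISK:
        return "Non Active"
    if risk_status == "Input":  # assumption: Input implies the Risk is not yet accepted
        return "In Progress"
    if risk_status != "Open":
        raise ValueError(f"unrecognised Risk status: {risk_status!r}")
    if action.completed_date or action.existing_control:
        return "Completed"
    return "Scheduled" if action.due_date else "In Progress"


def counts_toward_residual(action: Action) -> bool:
    """Open status, plus a Completed Date or the Existing Control flag."""
    return action.status == "Open" and bool(
        action.completed_date or action.existing_control
    )


def completed_but_ineffective(risk_status: str, actions: List[Action]) -> List[str]:
    """Actions the grid shows as Completed that do not reduce Residual Risk."""
    return [a.code for a in actions
            if stage(risk_status, a) == "Completed" and not counts_toward_residual(a)]


# Constructed sample data.
SAMPLE = [
    Action("CCTV", status="Suspended", completed_date=date(2024, 3, 1)),
    Action("Insurance", existing_control=True),
    Action("Monitor and Review", due_date=date(2024, 6, 30)),
    Action("Training"),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.code, stage("Open", a), counts_toward_residual(a))
    print(completed_but_ineffective("Open", SAMPLE))
```

The suspended CCTV Action is the case to watch when reviewing a Risk: the grid shows it as Completed, but it no longer contributes to the Residual Risk rating.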

The following links are available for each Action:

  • History – Displays the Action History for the selected Action.
  • Delete – Deletes the selected Action.

There is an Edit button below the Action grid. Click the Edit button and then click on any field in the Action grid you want to edit. Either a text box or a drop-down list is displayed, allowing you to change the selected field.


Note: When editing the Action Grid, the columns may be different from those displayed when viewing the Action grid. All the changes made to the Action grid in Edit mode are saved as you make them.

New Action

While viewing an existing Risk, select the Action tab and click the New Action button.

Ownership And Dates


Recorded By

Automatic: The user who records the Action is entered automatically.

Date Recorded

Automatic: The system will enter the date the Action was recorded and it cannot be altered.

Action Owner

Optional: Select the Action owner (user who has overall responsibility for the Action) from the list.

It is highly desirable to allocate an Action owner as soon as possible. It is optional here only to allow time for the Action to be approved, and until approved the ultimate Action owner is not responsible for progressing the Action. An Action owner can be external to your company.

Timeframe

Optional: Select the time frame. Action time frames can be project phases, and they can be included in the Action Status Report and Work Schedule Report. The Work Schedule Report can also be sorted by Timeframe.

Due Date

Optional: Enter the date by which the Action should be completed. Although this field is optional, any Actions with a Due Date will be omitted from Action Due Date reports, and will not have automatically created Alerts.

Action Approved By

Optional: This field has been provided for enhanced workflow management, and is under RBS control so that only those with approval permissions can approve an Action.

Please refer to the OpRiskControl System Administrators’ Guide for more information about RBS.

Date Approved

Optional: This field has been provided for enhanced workflow management, and is under RBS control so that only those with approval permissions can enter the date. If the details of the user who approved the Action are removed, the date is cleared from the record.

Please refer to the OpRiskControl System Administrators’ Guide for more information about RBS.

Responsible Party

Optional: Select the party responsible for this Action (for example, a government agency, another party, or a contractor).

Percent Complete

Optional: Enter the percentage of the Action that has been completed.

Completed Date

Optional: Enter the date on which the Action was completed. Although this field is optional, any Actions without a Completed Date will be included on any Action Due Date reports, and will automatically create Alerts if the due date has passed.

Existing Control

Optional: Select this box if the Action is an existing control. That means:

  • It will not need a Completed Date to be effective.
  • It will not need a Completed Date to be included in determining the Residual Risk rating.
  • It will not appear on the Actions Due page (found by selecting the Alerts tab and then selecting Actions Due.)
  • It will not be included in automatic alerts via the Notification Manager.

Note: Existing Controls will not affect the Residual Risk Rating if “Override Residual" is selected for the Risk.

Preferred Action

Optional: This field is for documentation purposes only. It is not involved in any automated calculation.

Frequency

Optional: Select the frequency if the Action is to be a recurring control – for example, an annual inspection. The Frequency is the number of days that the Activate Recurring Actions process uses to put recurring controls back on the to-do list, making them Due again. The system puts the recurring control back on the to-do list a number of days (as specified in system settings with the option Recurring Action Reset (Day)) before it is due to be completed again.

OpRiskControl normally stores Actions that occur once. However, the system supports recurring Actions, which are most likely ongoing controls rather than Actions. The system must be able to reset the Due Date, clear out the Completed Date, and not lose track of what has been done before. The reset must not compromise Actions due and overdue alerts, but it will distort Dashboard Action counts in that recurring Actions will be subtracted from Completed and added to Approved. Users need to be aware that recurring Actions get put back in the queue and counted as such.

The Job Scheduler updates Recurring Actions daily.

Effect Of Recurring Actions On Residual Risk Rating

Recurring Action

When a recurring Action has been completed (when the Completed Date is entered) but the next Due Date has not yet been set (because the Recurring Action Reset (Days) has not been reached) the Residual Risk Rating is lowered because the Action is Complete.

When some time has passed and the recurring Action’s next Due Date is set to a future date, it is then considered to be ineffective and the Risk’s Residual Rating will no longer be reduced by the expected effectiveness of the Action.

Existing Control

When an Action has the Existing Control option selected, it will not need a Completed Date to be included in determining the Residual Risk rating. Existing Controls always affect the Residual Risk.


Note: Existing Controls will not affect the Residual Risk Rating if “Override Residual" is selected for the Risk.

Configuring A Recurring Action

This example describes how to set up a 30 day recurring Action.


Note: This example assumes the Administrator has set the Recurring Action Reset (Day) to -30.

  1. Select the Risk for which you want to create a recurring Action. Select the Action tab and click the New Action button.
  2. Enter the Action Code (Monitor and Review, in this example) and the remaining fields required to define the Action.
  3. The Frequency field is on the left, in the section Action Management. In this example, select Monthly. This setting determines the Action’s next Due Date.
  4. When the Action has been completed, set the Completed Date for the Action. This date is automatically entered in the Last Completed field.
  5. When Recurring Actions are next updated (either automatically by the Job Scheduler or manually by selecting the option Activate recurring actions for risks filtered above on the System Management page) the Action is made eligible for being marked as Complete again. That is, the Completed Date is cleared and the Action’s Due Date is updated to 30 days from now (in this example).

Last Completed

Automatic: This field is automatically populated with the date of the last Completed Date so that when recurring Actions or controls are put back on the list of jobs to be done (according to the Frequency and when the Completed Date is cleaned out), there is a Last Completed date for tracking purposes. Completed Actions are also logged to the History page. Note that recurring Actions (or controls) are put back on the list to be completed when Activate Recurring Actions is run.

Effectiveness

image

If By Level is selected, then when you go to the Action form it will have (L) rather than (%) tags next to the reduction, as shown above.

You can reduce a level by a whole number or part thereof (e.g. 0.5). If you don’t have enough Actions to add up to one (1.0) in either the likelihood or the consequence (including transfer) columns, then the Risk will not be reduced.

Estimate Of This Action’s Individual Effect

OpRiskControl automatically recalculates the Action effectiveness. Normally, an Action either reduces the likelihood or reduces the consequences of an event.

On each Risk it is specified that controls and Actions reduce the Risk By Level or By Percentage. That means automated calculation of residual Risk is performed differently by level (e.g. 1 or 2 levels) or by percentage (e.g. 25% or 50%).

For percentage reductions, use whole values from 1 to 100.

For level reductions, use values from 0.1 to N, where N is the number of likelihood or consequence levels minus one. Therefore in a normal 5x5 Risk matrix use values 0.1 to 4.0.


Reduce Likelihood

Optional: Enter the percent (or level) by which you think the Action will reduce the likelihood. This can be revised later when further analysis has been completed.

Consequences

Optional: Enter the percent (or level) by which you think the Action will reduce the consequences. This can be revised later when further analysis has been completed.

Transfer Risk

Optional: Enter the percent (or level) by which you think the Action will transfer the Risk (normally via insurance). This can be revised later when firm quotations are received.

Note that the system does not check the total percent of one Action or a set of Actions. It is possible to end up with more than 100% reduction, which is not logical. Nor does the system check the logic of Actions. For instance, if an Action reduces the likelihood by 100%, then there would be no need to also transfer Risk by way of insurance.

Effect Of All Actions

This section is displayed only when the parent Risk is set to use Level reduction. See “Control Effectiveness” on how to change between Level and Percentage.

Target Likelihood

This is the overall Target Likelihood considering all Actions, not just the Action currently displayed.

Target Consequence

This is the overall Target Consequence considering all Actions, not just the Action currently displayed.

Target Risk

The Target Risk is the Target level of Risk after all Actions have been completed, and is derived from the Target Likelihood and Target Consequences.

Subjective Assessment Of This Action’s Effectiveness

Control Design And Control Implementation

The Control Design and Control Implementation fields are visible when Activate Control Effectiveness Matrix is selected in the System Settings; otherwise only Control Effectiveness is displayed.

When ratings are assigned to the Design and Implementation of the Action, these ratings are used to calculate the Effectiveness of the Action (see “Control Effectiveness", below).

Control Effectiveness

Optional: The Control Effectiveness field is for documentation purposes only and does not get involved in the automated calculation of the residual Risk rating.

If Activate Control Effectiveness Matrix is selected in the System Settings, this field will not be editable because it is derived from the Control Design and Control Implementation (see “Control Design And Control Implementation" above).

If Activate Control Effectiveness Matrix is cleared in the System Settings, this field is entered manually, as the Control Design and Control Implementation fields are unavailable. Select a value from the drop-down list.

(This is the specific effectiveness of the currently displayed Action. At the Risk level, you are able to declare if all controls taken together are effective – see “Overall Control Effectiveness”).

When the Control Effectiveness is changed, the reason for the change can be recorded in the field Effectiveness Change Rationale.

Effectiveness Change Rationale

Optional: The Effectiveness Change Rationale field cannot be edited unless the Control Effectiveness is changed (see “Control Effectiveness", above).


If required, enter the reason for changing the Control Effectiveness in the Effectiveness Change Rationale text box. Click Save to save the changes to the Control Effectiveness and the Effectiveness Change Rationale field.

Effectiveness Change History

Read Only: The previous entry for the Effectiveness Change Rationale field is written to the Effectiveness Change History field, so that all entries are recorded and can be reviewed.

When no Rationale is entered, the entry No Effectiveness Change Rationale was entered is automatically added to the Effectiveness Change History field when a change is next made.


This Action’s Financial Effect

In Cost-benefit

Optional: Normally all open Actions are included in the retained loss calculation. If this is not checked, it is not involved in any automated retained loss calculation.

Action Cost

Optional: Enter the estimated Action cost. This can be revised later when firm quotations are received.

Potential Benefit

Automatic: If a potential loss has been entered at the Risk level, the potential benefit is calculated regardless of whether the Action has been completed. It will be determined by considering the amount by which the Action has reduced the Risk. A 25% reduction on a potential loss of $1 million would give a benefit of $250K. Depending on the system configuration, a benefit may or may not be calculated for likelihood reductions.

Description


Action Status

Mandatory: The status will default to Open but can be set to Closed, Cancelled or Suspended.

Status can be used as you wish, but the system will only consider Open Actions as being effective in reducing Risk.

A Suspended Action is one that is not currently active. For example, when your CCTV system has failed and needs to be fixed, or your insurance company has declined to renew your insurance and you are uninsured for fire and burglary, the Action Status could be set to Suspended.

A Closed Action is one that may have worked in the past but is not considered effective or at least not cost-effective. If you want to keep the Action for later reference, Close the Action. If the Action is not required for future reference, Delete it.

A cancelled Action is one you were thinking of using but changed your mind (perhaps due to cost or complexity). If you want to keep the Action for later reference, cancel the Action. If the Action is not required for future reference, Delete it.

Control over what is shown on the screen and in reports is managed from the Action List preferences.

Action Status is a user selectable item while Stage is determined programmatically. Status and Stage are selectable items (select the Preferences tab and then select Action List). An Action must be Open to be effective.

Action ID

The Action ID is automatically generated. The system uses the database unique ID for the Action record but does not guarantee sequential allocation of unique IDs.

Action Code

Required: Select an Action Code from the drop-down list. If a suitable code does not exist, then select Other from the list and create your own.


Note: When editing the Action Code field, you will be editing the Action Code for the selected Action only (by typing it in the Action Code field). This edited Action Code will not be available when creating new Actions.

Action Details

Required: The Action detail is defaulted from the available Action types, but you can alter or overtype this specific instance of the Action without affecting the available Action types.

Status Details

Optional: Enter the status detail, which describes the current progress in implementing the control or Action. This field is specifically used in the Risk Assessment Report, but can be selected in other reports.

Categories

Optional: Click on the ellipsis button to open the Category Selector. The list of configured Categories is opened.


To make the Action inherit the Categories of the parent Risk, select the option Inherit Categories from associated Risk and then close the Category Selector window.

To set Categories for the Action, clear the option Inherit Categories from associated Risk, select the Categories you want to add to the Action and then close the Category Selector window.


Note: By default, when an Action is created for a Risk which already has Categories configured, the Action inherits the parent Risk’s Categories.

Test Result

Optional: The Test Result field can be used to record how effective the control has been at mitigating the Risk. When a user tests the effectiveness of an action, the test results can be recorded here. Each new entry overwrites the previous entry. Each entry is written to the Test Result History field (see below).

Test Result History

Read Only: The Test Result History field is automatically updated when the Test Result field is changed. The new entry for Test Result is added to the Test Result History field with a date stamp.

Action Document

Optional: Enter the name (including file path) of any Action document which relates to this specific Action. You can Browse for the document to capture the path and name, and Open the document using the buttons provided. If the Action code was set up with an Action document, this field will inherit that document name.

Action Hyperlink

Optional: Enter the hyperlink (web link) of any information if the information relates to this specific Action. If the Action code was set up with an Action hyperlink, this field will inherit that URL.

KCI

See Key Indicators for details regarding the KCI page.

Custom Fields

image

If you have activated Allow Custom Text Fields in your My Form Settings (at the bottom of the View Risk page) you will see the above page.

All of these fields can be renamed using the Global Translator.

Lookup

image

If you have activated Allow Custom Lookups in your My Form Settings (at the bottom of the View Risk page) you will see the above page.

All of these fields can be renamed using the Translation facility. These six user defined lookup fields are used in situations where the business needs to select from a list of codes rather than enter free-text information.

Note For Administrators: See Manage Lookups in the OpRiskControl System Administrators’ Guide for more information on creating Lookups.