Risk Analysis
Introduction
Users of OpRiskControl are able to analyse the effect of Actions using the Risk Analysis form.
Note: The Risk event and data used are merely an example of the workings of the form.
After you have specified a Risk Action, you will want to see what effect the Action may have on the Risk rating (assuming the actual Action will be approximately as effective as the estimate of the Action).
This example shows two Actions (indicated by 0 of 2 Actions completed displayed below the fields) using percentage reductions. The section If all actions completed uses the settings for the Consequence and Likelihood reductions set for all the Actions created for the selected Risk. In this example, one of the Actions has the Likelihood reduction set to 40% and the other Action has the Consequences reduction set to 20%.
This form is divided into eight groups of information as follows.
Risk Assessment
Risk assessment is the original assessment of likelihood and consequence when the Risk is recorded. That is the status of the Risk as it appears with any existing controls in place. This is the simplest approach.
Risk Event
This box shows the Risk event you are working with, and the acceptable Risk rating you need to achieve. The Acceptable Rating is set up by the Risk coordinator and is a target rating.
Note For Administrators: Select the Manage tab, select Reference Data and then select Risk Event from the menu.
Effect Of Actions Completed Now
This box shows the effect of completed Actions as a percent reduction in the likelihood or consequence rating. Any Risk transfer is also included in the consequence reduction. In the example shown, a completed insurance policy has reduced the consequence by 65%.
Residual Ratings Now
This box shows the effect of completed Actions on the likelihood, consequence and Risk rating. In the example shown, a completed insurance policy has reduced the consequence from catastrophic to minor thus reducing a high Risk to a residual moderate Risk.
If All Actions Completed
This box shows the effect of all Actions (completed or not) as a percent reduction in the likelihood or consequence rating. Any Risk transfer is also included in the consequence reduction. In the example shown, a completed insurance policy has reduced the consequence by 65% and an outstanding Action related to employee training would reduce the likelihood by 35%.
Residual Ratings After All Actions
This box shows the effect of all Actions (completed or not) on the likelihood, consequence and Risk rating. In the example shown, a completed insurance policy has reduced the consequence from catastrophic to minor, and an outstanding Action related to employee training has reduced the likelihood from possible to unlikely thus reducing a high Risk to a residual low Risk. This still does not reduce the Risk to the desired level (acceptable Risk rating of negligible), and it is a management decision as to what might next be done.
Financial
This box uses the potential loss entered on the Risk form (but can also be updated here), and derives the Retained Risk (monetary value) as follows.
Retained Risk = Potential Loss + Action Costs - Action Benefits
The Action Costs are the sum of all Action and existing control costs where the status is Open, and has a tick in In Cost-Benefit and, if it is an Action (rather than an existing control), it has been completed (that is, it has a Completed Date). Existing controls do not need a Completed Date.
The Action benefits are the sum of all Action and existing control benefits where the record is status Open, and has a tick in In Cost-Benefit and if it is an Action (rather than an existing control), it has been completed (that is, it has a Completed Date). Existing controls do not need a Completed Date.
There are two optional methods of determining Actions benefits and it is configured at the system level by your Risk database administrator (DBA), and they are:
-
Method 1 – Action benefits derived from Consequence Actions only
-
Method 2 – Action benefits derived from Likelihood and Consequence Actions
Status Box
This box displays the date the Risk was reported, the date the Risk was reviewed, the status of the Risk, and date closed if the Risk has been closed.
Risk Status
A new Risk will normally default to Open or Input depending on the profile set by your System Administrator. These codes are not alterable without consultation and possible program changes.
You are able to change the status of the Risk to Closed, Cancelled, Suspended or back again to Open.
Optional: When the Risk needs to be closed, change the status to Risk closed and enter the date closed (see “Date Risk Closed”).
Optional: If the Risk should not have been created in the first place (e.g. a duplicate Risk), change the status to Risk cancelled. The date closed is not changed in this case.
Optional: If the Risk needs to be suspended for any reason (for example, the condition cannot logically exist at a point in time but may do later), change the status to Risk suspended so that it is not actively monitored. The date closed is not changed in this case.
Optional: When the Risk is not Risk open, change the status to Risk open and remove any date closed.
Date Risk Closed
Conditional: Enter the date when the Risk is closed and the Risk status has been changed to Closed.
Scenario Analysis Button
Click the Scenario Analysis button to open the scenario analysis dialog.
This dialog allows you perform scenario analysis on the Risk. After entering values for the various fields, a Weighted value is returned. Click Use Value to automatically put the Weighted value in the Financial Impact field and the Retained Risk field.
Note: The Scenario Analysis button is displayed when Activate Scenario Analysis is selected. Please refer to the OpRiskControl System Administrators’ Guide for more information.