Risk Hierarchy

In Risk Management, some Risks give rise to other Risks. Typically these are high-level Risks; for example, the occurrence of WHS incidents introduces follow-on Risks such as:

  • Employee absence,

  • Deterioration of Company reputation,

  • Financial losses through down-time, Employee recovery, regulatory penalties and so on.

Drova has the facility to identify levels of Risk both above and below a particular Risk.

Note: The Risk Hierarchy feature must be selected in the ‘Risk’ tab of the Drova Configuration Page.

Risk Levels

In Drova, Risk Levels are relative to the current Risk, which is always considered to be a Level 1 Risk.

Risks that sit below the current Risk are considered to be Level 2 Risks, while Risks that sit above the current Risk are Level 0 Risks.

For example, if the current Risk is the ‘WHS Incidents’ Risk from the example above, then:

  • the ‘Employee absence’ Risk is a Level 2 Risk,

  • the ‘Deterioration of Company reputation’ Risk is a Level 2 Risk, and

  • the ‘Financial losses’ Risk is a Level 2 Risk.

If you shift your focus to make ‘Employee absence’ the current Risk, then:

  • the ‘Employee absence’ Risk is a Level 1 Risk,

  • the ‘WHS Incidents’ Risk is a Level 0 Risk (above the current Risk),

  • the ‘Deterioration of Company reputation’ and ‘Financial losses’ Risks are both Level 1 Risks (being at the same level as the current Risk).

Setting Risk Levels

Within a Risk’s Record Page, you can set other Risks to be either a Level 0 Risk (above the current Risk) or a Level 2 Risk (below the current Risk). Level 0 and Level 2 Risks are managed on separate tabs within a ‘Risk Hierarchy’ tab in the Risk Page.

Viewing Risk Levels beyond Level 2

You can view all Risk Levels within a Risk Hierarchy by running a Risk Hierarchy Report:

  1. From the Main Menu, select Reports | Risks | Risks.

  2. The ‘Risk Reports’ Page is displayed and the ‘Settings’ popup window appears.

  3. In the ‘Settings’ popup window, click the ‘Select Report’ drop-down list and choose ‘Risk Hierarchy’.

    Note: The term ‘Risk Hierarchy’ is configurable and your Drova GRC system may display a different label.

  4. The Risk Hierarchy Report is displayed (see sample below).

Sample from the Risk Hierarchy Report

In Risk Hierarchy Reports, top-level Risks (i.e. those Risks with no Level 0 Risks) are Level 1 Risks and are shaded.

The sample Report above shows Risks at Level 1 (callout 1), with two levels of Risk below them. (A number enclosed in a hollow circle identifies Risk Levels 2 and below.)

Some of the Level 2 Risks (callout 2) have one or more Level 3 Risks (callout 3) below them.

Risk Hierarchy and Risk Score calculation

Where Risk Hierarchy and Risk Scoring are both used, a Risk Score Summary is presented for each lower Risk Level containing two or more Risks.

This includes:

  • on the ‘Level 2 Risks’ tab of the current Risk Page, and

  • in the Risk Hierarchy Report.

In the sample Risk Hierarchy Report above, note the Risk Score Summary panels (callouts 4 and 5):

  • Risk Score Summary panel 4 summarises the Level 2 Risks (callout 2).

  • Risk Score Summary panel 5 summarises the Level 3 Risks (callout 3).

