The Risk Management Process

The following flowchart outlines the Drova Risk Management process.

Note: The Risk Management features are highly configurable—you can use as much or as little of the Risk Management feature set as your organisation needs. As such, this section discusses Risk Management features that may not be enabled on your Drova GRC system.

1. Identify and analyse Risk

Individuals appropriately trained and experienced in Risk Analysis should identify and analyse the Risks for your organisation.

If your organisation is moving from another Risk Management System to Drova, a lot of this work has probably already been done and it’s just a matter of getting the information into Drova.

Tip: Consider a plan to transfer existing Risks into Drova as they become due for Review, or as an associated Task (e.g. a Risk Treatment) becomes due. This avoids having to add everything in one go—a daunting exercise if you have a lot of recorded Risks and associated Treatment Tasks.

2. Assess Risk and record

For each identified Risk, a suitably qualified individual or group must assess the Risk. By default, Drova assesses a Risk as Likelihood versus Consequences; however, you can alter the Risk calculation formula to include Adequacy and Management factors.

The assessment is also based on:

  • Inherent Risk (the impact of the Risk before controls and treatments are applied) and

  • Residual Risk (the reduced impact following application of controls and treatments).

The assessment results are recorded on the Risk’s editing page (the ‘Risk Page’).

3. Calculating the Risk Score

Once the assessment results (e.g. ‘Likelihood’ and ‘Consequences’ ratings for Inherent and Residual Risk) are entered on the Risk Page, Drova calculates the Risk Score from a customisable Risk Matrix.

Every time the Risk is reviewed, Drova calculates a new Risk Score. Over time, a Risk Score History is compiled. This can be very useful for assessing the effectiveness (or otherwise) of any applied Risk Treatments and other controls.
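The example below is added to illustrate the scoring model described in steps 2 and 3; it is not Drova's code and does not reproduce Drova's matrix. The 5x5 matrix values, the rating bands, the sample Risk and the review dates are all constructed assumptions. It shows a Likelihood/Consequence lookup, separate Inherent and Residual scores, and a Risk Score History that can be used to judge whether Treatments are working.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed 5x5 Risk Matrix (assumption for this example, not Drova's):
# rows are Likelihood 1..5, columns are Consequences 1..5, cell = score.
RISK_MATRIX = [
    [1, 2, 3, 4, 5],
    [2, 4, 6, 8, 10],
    [3, 6, 9, 12, 15],
    [4, 8, 12, 16, 20],
    [5, 10, 15, 20, 25],
]

# Score bands (upper bound inclusive, label) used to turn a score into a
# Risk Rating. These thresholds are an assumption for the example.
RATING_BANDS = [(5, "Low"), (12, "Medium"), (20, "High"), (25, "Extreme")]


def risk_score(likelihood: int, consequence: int, matrix=RISK_MATRIX) -> int:
    """Look up the score for a Likelihood/Consequences pair in the matrix."""
    rows, cols = len(matrix), len(matrix[0])
    if not (1 <= likelihood <= rows and 1 <= consequence <= cols):
        raise ValueError("rating is outside the configured matrix range")
    return matrix[likelihood - 1][consequence - 1]


def rating(score: int) -> str:
    """Map a Risk Score onto its Risk Rating band."""
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise ValueError("score is above the highest configured band")


@dataclass
class Assessment:
    reviewed_on: date
    inherent: tuple        # (likelihood, consequence) before controls/treatments
    residual: tuple        # (likelihood, consequence) after controls/treatments

    @property
    def inherent_score(self) -> int:
        return risk_score(*self.inherent)

    @property
    def residual_score(self) -> int:
        return risk_score(*self.residual)


@dataclass
class Risk:
    title: str
    history: list = field(default_factory=list)   # the Risk Score History

    def review(self, reviewed_on: date, inherent: tuple, residual: tuple) -> Assessment:
        """Record a review; every review appends a new score to the history."""
        assessment = Assessment(reviewed_on, inherent, residual)
        self.history.append(assessment)
        return assessment

    def current(self) -> Assessment:
        return self.history[-1]

    def residual_trend(self) -> list:
        """Residual scores in review order, oldest first."""
        return [a.residual_score for a in self.history]

    def treatment_effective(self):
        """True if the latest residual score is lower than the first one,
        False if not, None when there is too little history to judge."""
        if len(self.history) < 2:
            return None
        return self.history[-1].residual_score < self.history[0].residual_score


def build_sample_risk() -> Risk:
    """Constructed sample: one Risk reviewed three times as treatments land."""
    risk = Risk("Unpatched internet-facing systems")
    risk.review(date(2024, 1, 15), inherent=(4, 5), residual=(4, 4))
    risk.review(date(2024, 4, 15), inherent=(4, 5), residual=(3, 4))
    risk.review(date(2024, 7, 15), inherent=(4, 5), residual=(2, 4))
    return risk


if __name__ == "__main__":
    r = build_sample_risk()
    print(r.title, "inherent:", r.current().inherent_score, rating(r.current().inherent_score))
    print("residual trend:", r.residual_trend(), "treatment effective:", r.treatment_effective())
```

Because the matrix is a plain table, swapping it for an organisation's own values (or a larger scale) changes nothing else; the history and trend logic stay the same, which is the property that makes a score history useful for measuring Treatment effectiveness.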

4. Create Treatment Plan and allocate Tasks

Qualified individuals determine the Risk Treatment Plan and associated Tasks that need to be carried out to mitigate or eliminate the Risk.

A Task schedule is also worked out at this stage.

The Treatment Plan, associated Tasks and Task Schedule are recorded in Drova on the Risk page.

5. Set Risk Review Schedule for Risk Owners

The level of Risk will vary over time as a result of changing circumstances and the effectiveness of the Treatment Plan and other controls in place.

Because of these factors, Risks must be periodically reviewed and, if necessary, the Risk Rating adjusted to reflect current conditions.

A qualified person or group must determine how often a Risk should be reviewed. This schedule is then input to Drova via the Risk page.

6. Drova generates Tasks and sends email Reminders

On the appropriate date (determined by the Schedule and Reminder settings in each Risk’s Page settings), Drova generates Treatment Tasks (and Risk Review Tasks when required) and emails the person recorded in the Risk Record as responsible for Actioning the Task (the ‘Actioned By’ Position).

The generated Tasks are displayed in each ‘Actioned By’ Position’s ‘My Tasks’ page.

7. Individual records completion of Treatment Tasks

Once an ‘Actioned By’ Position completes a Treatment Task, the person records task completion via the ‘My Tasks’ Page.

If a Task is not completed within the specified time, an alert email is sent to the person nominated as the ‘Escalate To’ Position for the Task. This ensures that incomplete Tasks are followed up straight away and not forgotten.

8. Risk Owner reviews and re-assesses Risk

Once a Risk Owner has reviewed the Risk and updated the Risk Rating, a new Risk Score is automatically calculated. Over time, a Risk Score History is built and this can assist with future Risk Assessments.

As with Treatment Tasks, if a Risk Review isn’t completed on time, an alert email is sent to the person nominated as the ‘Escalate To’ Position for the Risk Review Task.

7&8. Task not completed—Task is escalated to Position’s Manager

If a Risk Review or Risk Treatment Task is not completed on time, or won’t be completed at all for some reason, then Drova provides a way to ensure that this is managed.

You can set a Position to be the ‘Escalate To’ Position for each Task. If the Task is not completed by the due date, a notification email is sent:

  • Every day beyond the due date, to the ‘Actioned By’ Position, until the Task is done.

  • Once to the ‘Escalate To’ Position, so they can act on this information as required.

This ensures that your Risk Review or Treatment Tasks are not missed.

Note: The escalation process does not move tasks from the Actioned By Position to the Escalation Position. The responsibility to complete the task remains with the Actioned By Position. The escalation process allows the Escalation Position to know when tasks are not completed by the due date so that they may choose to act.
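The following is an added simulation of the reminder and escalation rules described in steps 6 to 8; it is not Drova's code. It applies the two rules from the text (a reminder to the ‘Actioned By’ Position every day past the due date until the Task is done, and a single email to the ‘Escalate To’ Position) and keeps responsibility with the ‘Actioned By’ Position, as the note above states. Sending the single escalation on the first overdue day is an assumption made here; the Task names, Positions and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Task:
    name: str
    due: date
    actioned_by: str          # Position responsible for completing the Task
    escalate_to: str          # Position informed once when the Task is overdue
    completed_on: date = None # None while the Task is still open
    escalation_sent: bool = False

    def is_done_on(self, day: date) -> bool:
        return self.completed_on is not None and self.completed_on <= day


def daily_notifications(task: Task, day: date) -> list:
    """Return the (recipient, message) emails generated for `task` on `day`.

    Reminders go to the Actioned By Position every day past the due date
    until the Task is done. The Escalate To Position is told exactly once;
    doing that on the first overdue day is an assumption of this example.
    The Task is never reassigned: the Actioned By Position stays responsible.
    """
    if day <= task.due or task.is_done_on(day):
        return []
    mails = [(task.actioned_by, f"OVERDUE: '{task.name}' was due {task.due}")]
    if not task.escalation_sent:
        task.escalation_sent = True
        mails.append((task.escalate_to,
                      f"ESCALATION: '{task.name}' (owner {task.actioned_by}) is overdue"))
    return mails


def run_schedule(task: Task, start: date, end: date) -> dict:
    """Simulate the daily job from `start` to `end`; days with no mail are omitted."""
    sent = {}
    day = start
    while day <= end:
        mails = daily_notifications(task, day)
        if mails:
            sent[day] = mails
        day += timedelta(days=1)
    return sent


def count_by_recipient(schedule: dict) -> dict:
    """Total emails per recipient across a simulated schedule."""
    totals = {}
    for mails in schedule.values():
        for recipient, _ in mails:
            totals[recipient] = totals.get(recipient, 0) + 1
    return totals


def completed_late_example() -> dict:
    """Constructed case: Treatment Task due 1 March, completed 4 March."""
    task = Task("Apply vendor patch set", date(2024, 3, 1),
                actioned_by="IT Operations Manager", escalate_to="Head of IT",
                completed_on=date(2024, 3, 4))
    return run_schedule(task, date(2024, 2, 28), date(2024, 3, 6))


def never_completed_example() -> dict:
    """Constructed case: Risk Review Task due 1 March and still open on 6 March."""
    task = Task("Quarterly review: data loss risk", date(2024, 3, 1),
                actioned_by="Risk Owner", escalate_to="Risk Owner's Manager")
    return run_schedule(task, date(2024, 2, 28), date(2024, 3, 6))


if __name__ == "__main__":
    for label, sched in (("completed late", completed_late_example()),
                         ("never completed", never_completed_example())):
        print(label, count_by_recipient(sched))
```

The second case is the one the note above is about: the reminders keep going to the ‘Actioned By’ Position indefinitely, while the ‘Escalate To’ Position has received exactly one email and can decide whether to intervene.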

9. Build comprehensive Risk reports and historical data

Drova retains data recorded for each Risk Treatment Task and Risk Review. The ability to include attachments, links to other Records and resources makes Drova a valuable tool for building an accurate and detailed history of your organisation’s Risk Management performance.

The more Risk Management data collected, the more information your organisation has to improve Risk Management and maintain operational safety and performance at peak levels.
