The Drova GRC Configuration ‘Risk’ tab
Establishing an appropriate Risk Configuration is a crucial part of using Drova GRC to its maximum effect. This process commences with the set-up of Risk parameters on this tab.
Changes made here will be evident when you open a Risk itself.
It is strongly recommended that you revisit your Risk and Compliance policies and measurement strategies prior to completing this tab. Particular attention should be paid to the terminology in use within your business and to whether your Board has set parameters such as a global ‘Risk Appetite’ for Risks.
Drova GRC allows you to modify the headings of Risk fields to match your existing terminology.
Disabling Risk functions
You can disable Risk functions that are not (currently) required under your organisation’s Risk framework. See Configure General Risk Settings.
Risk Categories
Management of Risk is critical to any business. Drova GRC is designed to assist you to both assess the potential impact of the Risk (financially, operationally, etc.) and to facilitate the completion of tasks designed to mitigate and reduce the Risk.
Risks must be classified into particular categories or groups.
Some Risks fall into commonly understood categories (e.g. ‘Financial Risk’, ‘Operational Risk’, etc.). The most frequently used categories include:
Risk Categories

| Risk Category | Description |
| --- | --- |
| Capital | Financial management Risks including balance sheet and profit and loss statement considerations. |
| Conduct | Managing legislative and regulatory requirements and acting in an ethical, responsible and fair manner. |
| Credit | Management of credit arrangements including collection of debts owed to the business. |
| Environmental | Risks associated with the industry and broader economic climate and specific environmental Risks. |
| Governance | Management of the business in accordance with requirements and obligations at Board and Senior Management level. |
| Insurance | Mitigating exposure to losses through appropriate insurance covers. |
| Liquidity | Managing cash flows and capacity to meet commitments as they fall due. |
| Market | Management of competitive pressures from other providers and product innovators. |
| Operational | Management of the operational tasks required to ensure effective and efficient ongoing control of the business. |
| Strategy/Business Model | Business planning and strategies to ensure the ongoing success of the enterprise. |
This list is only a guide and you can create as many Risk Categories as required to effectively manage your business Risks.
Risk Sub Categories
Drova GRC allows you to establish two levels of Risk Categories, allowing for multiple Sub Categories under a main category (e.g. ‘Legislation’ as a Sub Category of the ‘Compliance, Legal & Regulatory’ category).
Examples of Risk Categories and Sub Categories
Risk Control Types
Risk Controls can be classified into different types that distinguish where they fit into the Risk cycle. By default, Risk Control Types are classified as Corrective, Detective and Preventative.
Risk Control Types

| Risk Control Type | Description |
| --- | --- |
| Corrective | Utilised to correct the Risk once it has occurred. |
| Detective | Utilised to detect the Risk occurring. |
| Preventative | Utilised to prevent the Risk occurring. |
Risk Definitions
Risk Likelihood Definitions
As part of the process of defining Risks, the likelihood of the Risk occurring must be considered. This factor integrates with the consequence rating to provide an indication as to the overall level of Risk to the organisation.
As with defining Consequences, an assessment must be made (to the best of your knowledge) of the possible frequency of the Risk occurring. These definitions are populated into Drova GRC.
Drova GRC provides five (5) Likelihood levels, ranging from remote through to definite.
Levels of Risk Likelihood

| Limit | Likelihood |
| --- | --- |
| (Remote) | Rare |
| | Unlikely |
| | Possible |
| | Likely |
| (Definite) | Almost Certain |
In use, Likelihood levels are selected on the ‘Risk Assessment’ Screen.
‘Likelihood’ levels on the Risk Assessment Page
During the set-up phase, you will need to determine the appropriate titles and definitions for each level of Likelihood. This is done via the ‘Likelihood’ page.
Access the Likelihood page from the Main Menu: select Risk | Likelihood.
What you edit in the Likelihood page affects what the user sees in the Risk Assessment page, as shown below.
‘Likelihood’ components of the Risk Assessment Page
See Edit Risk Likelihood Definitions.
Risk Likelihood Definition Help
You can change the Risk Likelihood Definition Help displayed on the Risk Assessment page when the user clicks the icon.
Risk Likelihood Help
See Edit Risk Likelihood Definition Help.
Risk Consequences Definitions
All Risks carry potential consequences and the assessment of those consequences lies at the heart of Risk Management.
Consequences can range from financial losses through to significant impacts on business operations, loss of life and damage to reputation.
A key step in Risk Management is to firstly determine what Risks your business faces and consider the consequences if the Risk occurred. Risks are then sorted into a priority order with Risk mitigation planning focusing on those Risks that carry the highest level of impact.
Drova GRC includes five (5) default Consequence levels, ranging from (Insignificant) through to (Catastrophic). This terminology can be varied to suit your organisation’s preferred style. Having determined the levels, a broad definition for each is created to provide guidance to staff completing Risk reviews, thus achieving a consistent approach.
There are no standard definitions for Risk consequence; however, here are some common definitions.
Common definitions of Risk Consequence

| Limit | Consequence | Definition |
| --- | --- | --- |
| Lowest | (Insignificant) | The impact would be negligible. |
| | (Minor) | Some impact, but very small. |
| | (Moderate) | Some impact, but manageable. |
| | (Major) | A serious problem. |
| Highest | (Extreme) | Insurmountable. |
Once the parameters are determined, they are added into the system. This information is then visible for staff completing reviews using the Risk Assessment screen.
‘(Consequences)’ options on the Risk Assessment Page
The titles and the descriptive help text for each (Consequence) Level are managed via the ‘(Consequences)’ page.
The ‘(Consequences)’ page is accessible from the Main Menu by selecting Risk | (Consequences).
The ‘(Consequences)’ Page
Risk Consequences Definition Help
You can change the Risk (Consequence) Definition Help displayed on the Risk Assessment page when the user clicks the icon.
(Consequence) Definition Help
See Edit Risk Consequences Definition Help.
Risk Control Adequacy
Drova GRC allows your organisation to build on its Risk Assessment strategies by including an assessment of the Adequacy (or effectiveness) of the controls that have been implemented.
This is optional but, when implemented, the Rating is incorporated into the Risk Score model to provide a more in-depth assessment of the residual Risk position.
In use, Adequacy Ratings are included on the ‘Risk Assessment’ page.
Adequacy Rating on the ‘Risk Assessment’ Page
The titles displayed for each Adequacy level can be tailored for your organisation via the ‘Adequacy’ page. You can access the Adequacy page from the Main Menu by selecting Risk | Adequacy.
The ‘Adequacy’ Page
Risk Adequacy Definition Help
You can change the Risk Adequacy Definition Help displayed on the Risk Assessment page when the user clicks the icon.
Adequacy Definition Help
See Edit Risk Adequacy Definition Help.
Risk Control Management
Drova GRC allows your organisation to build on its Risk assessment strategies by including an assessment of the management (or frequency of completion) of the controls that have been implemented.
This is optional but, when implemented, four levels of Management rating are incorporated into the Risk Score model to provide a more in-depth assessment of the Residual Risk position. Here are some standard Management titles and definitions.
Common Risk Definitions (Management)

| Limit | Management | Definition |
| --- | --- | --- |
| (Desired) | Always | The controls are implemented in all instances regardless of other factors which may impact on the Risk or the controls themselves. |
| | Usually | The controls are implemented in the vast majority of instances regardless of other factors which may impact on the Risk or the controls themselves. |
| | Sometimes | The controls are implemented in certain circumstances, but not always, regardless of other factors which may impact on the Risk or the controls themselves. |
| (Undesired) | Rarely | The controls are not implemented often, regardless of other factors which may impact on the Risk or the controls themselves. |
In use, a Management level is selected when compiling a Risk Assessment using the Risk Assessment page.
Management Level titles on the Risk Assessment Page
Management level Titles and Help text are set using the ‘Management’ Page.
The Management page is accessed from the Main Menu by selecting Risk | Management.
The ‘Management’ Page
Risk Management Definition Help
You can change the Risk Management Definition Help displayed on the Risk Assessment page when the user clicks the icon.
Management Definitions Help
See Edit Risk Management Definition Help.
The Risk Matrix
Note:
This section shows customisable titles and fields in (brackets). Where you see a title or field value in brackets, be aware that your Drova GRC system may show a different title or value, depending on your system's configuration.
To provide the basis for assessment of Risks, a Risk Matrix is provided within Drova GRC.
The Risk Matrix is your assessment of the overall impact of a Risk based on the likelihood of an event occurring and the significance or consequence should that event occur. Drova GRC employs the commonly-used 5 x 5 matrix, providing for five (5) ratings each for Likelihood and Consequence.
The default Likelihood ratings range from ‘Rare’ to ‘Almost Certain’, while the default Consequence ratings range from ‘Insignificant’ to ‘Extreme’.
These titles can be modified to suit your organisation (see Edit Risk Likelihood Definitions and Edit Risk Consequences Definitions).
Creation of the Risk Matrix requires an assessment of the various combinations of Risk options and an allocation of the Ratings to each segment. There are no specific definitions for the Risk combinations—you can set these to suit your organisation. However, an example of commonly used titles and definitions is shown in the Risk matrix screen below.
Set up your Risk Matrix from the Main Menu: select Risk | Matrix.
The ‘Risk Matrix’ Page loads.
The ‘Risk Matrix’ Page
You can apply terminology and colour schemes to suit your organisation via the ‘Display Name & Colour Settings’ tab.
You can create five (5) different display name and colour settings to represent the various Risk combinations in the Risk Matrix. See Edit Risk Matrix Display Names and Colours.
The Risk Matrix ‘Display Names & Colour Settings’ tab
Risk Score Calculation
Having created your Risk Matrix, the final step is to allocate a score to each combination of Consequence and Likelihood.
See Risk Score Calculation in the Glossary for more information.
Note:
Depending on your Risk Configuration settings, Risk Scoring options may be disabled and therefore ‘Manage Risk Score Calculation’ may not be available on the ‘Maintenance’ menu.
Risk Score Test Calculation
You can test the Risk Score outcome using the ‘Test Calculation’ feature. See Perform a Risk Score Test Calculation.
Risk Score Bands
See Risk Score Bands in the Glossary. See 3, 4 or 5 Risk Score Bands. See Set the Risk Score Bands.
Risk Status
The Risk Status is a user-defined field on the Risk Assessment page that allows you to provide your own description to the status of a Risk.
‘Status’ field in the Risk Assessment Page
The inclusion of a Risk Status allows you to quickly highlight the trend of the Risk for reporting and discussion purposes.