Data Portfolios in Enterprise Risk Console (Optional Feature)
Written by Daniel Mohammed
Updated over a week ago

If the “Portfolio” feature is included in your subscription to Essential ERM and has been enabled by your system administrator, an additional Portfolio filter will be displayed in the Enterprise Risk Console.

Risk Portfolios can be used as a way to organize risks (and other data records including Action Plans, Root Causes, Mitigations, and Consequences) for filtering and reporting and to restrict User access to Risks and associated data.

Your system administrator can create and manage “locked” data portfolios through the Admin screens below.

Once risks and their contents (including attached causes, mitigations, consequences, action plans) have been assigned to a locked portfolio, only Users with access to those portfolios will be able to view and interact with them. For example, when a User logs in, they may only have access to one portfolio called “Finance Department”. Their Console will be simplified, only displaying the risks in their Department. A second User may log in and instead only see risks for “Sales Department” and so on. In this way, locked portfolios can be used to both simplify the view for business users and to restrict access to sensitive or confidential data where required.

There is no limit to the number of portfolios that can be created and portfolios do not need to be limited to company departments. For example, it is common for administrators to create portfolios for sensitive business functions, such as “Sensitive HR Risks” and “Mergers & Acquisitions”.

Portfolios may also be created to track risks for strategic projects. When Users are granted access only to a specific project portfolio, Essential ERM will function as a project risk system for them. When they log in, they will see only their project risks and may not even realize that other Users are using the system to manage other enterprise and operational risks.

Additional important concepts related to locked risk portfolios include:

General Portfolio

The General Portfolio is the default unlocked data portfolio that all Users can access. Any data records left within this portfolio will be accessible by all system users.

If a data record is not actively placed in a locked portfolio, it will be automatically left in the General Portfolio by default. Data records can be placed into locked portfolios when they are created. Portfolios can also be assigned and changed from a record’s individual Detail screen (e.g. see the section on the Risk Details screen).

User Access

Administrative Users automatically have access to all locked portfolios. If you grant Administrative privileges to a User, they will be able to see all data within the system.

Standard Users can see all data records within the General Portfolio. With regard to locked data records, Standard Users can only see records within the portfolios that they have been granted access to by a system administrator.

Read Only Users are similar to Standard Users, in that they can only access data records within the General Portfolio and within the locked portfolios that they have been granted access to by an administrator.

Default View

When a User logs into the system and arrives at the Enterprise Risk Console, their default view will include all of the risks that they have access to. If a User has access to more than one portfolio, they will see the combined results of all their portfolios, plus the contents of the General Portfolio. Users can then use the Portfolio dropdown in the Risk Console to filter their view to a single portfolio.

Portfolio Maintenance

Because Users may inadvertently leave risks and other data in the General Portfolio, it is a good practice for Admin Users to routinely filter system consoles for the General Portfolio to identify any records that should be moved into a locked portfolio.

Locked and Unlocked Data

The following data record types can be placed into locked portfolios:

  • Risks

  • Root Causes

  • Mitigations

  • Consequences

  • Action Plans

The following data record types cannot be placed in locked portfolios and are accessible by all system users:

  • Indicators

  • Objectives (aka Strategic Objectives)*

* With regard to Strategic Objectives within Essential ERM, objectives will be left unlocked and visible to all Users within the system. When, however, objectives are linked to risks in the Strategy console, the Strategy console will be filtered to restrict results to the User’s portfolio access rights. This is described further in the Strategy Console section of this User Guide.

Furthermore, if an organization has also purchased the complementary Essential Strategy™ module from Tracker Networks, in addition to Essential ERM, then Essential ERM Users will have the enhanced ability to assign Objectives to locked portfolios.
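The visibility rules from the General Portfolio, User Access, Default View, Portfolio Maintenance and Locked and Unlocked Data sections above, modelled as an added Python example (this is not Essential ERM's own code or API). The class and function names and the sample users and records are constructed for illustration; Strategy console filtering and the Essential Strategy module are not modelled.

```python
from dataclasses import dataclass

GENERAL = "General"  # the default unlocked portfolio every user can access
LOCKABLE = {"Risk", "Root Cause", "Mitigation", "Consequence", "Action Plan"}

@dataclass(frozen=True)
class Record:                  # hypothetical shape, not the product's schema
    rid: str
    rtype: str
    portfolio: str = GENERAL   # one portfolio per record; General if unset

@dataclass(frozen=True)
class User:                    # hypothetical shape
    name: str
    role: str                  # "Administrative", "Standard" or "Read Only"
    grants: frozenset = frozenset()  # locked portfolios granted by an admin

def can_view(user, rec):
    # Indicators and Objectives cannot be locked, so they are always visible.
    if rec.rtype not in LOCKABLE or rec.portfolio == GENERAL:
        return True
    # Administrative users automatically see every locked portfolio.
    return user.role == "Administrative" or rec.portfolio in user.grants

def default_view(user, records):
    """Combined contents of the user's portfolios plus the General Portfolio."""
    return [r.rid for r in records if can_view(user, r)]

def general_portfolio_review(records):
    """Lockable records still in General: the routine admin check."""
    return [r.rid for r in records
            if r.rtype in LOCKABLE and r.portfolio == GENERAL]

def who_can_see(records, users):
    """Effective viewers per locked portfolio, implicit admin access included."""
    locked = {r.portfolio for r in records
              if r.rtype in LOCKABLE and r.portfolio != GENERAL}
    return {p: sorted(u.name for u in users
                      if u.role == "Administrative" or p in u.grants)
            for p in locked}

# Constructed sample data for illustration only.
RECORDS = [Record("R1", "Risk", "Finance Department"),
           Record("R2", "Risk", "Sales Department"), Record("R3", "Risk"),
           Record("M1", "Mitigation", "Mergers & Acquisitions"),
           Record("A1", "Action Plan"), Record("I1", "Indicator")]
USERS = [User("alice", "Standard", frozenset({"Finance Department"})),
         User("bob", "Read Only", frozenset({"Sales Department"})),
         User("carol", "Administrative")]
```

Running `who_can_see` over the sample data shows that the “Mergers & Acquisitions” portfolio has no explicit grants yet is still visible to every Administrative User, which is worth checking before granting Administrative privileges.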

One-to-Many Relationships

Each data record can only be placed into a single locked portfolio. It is not possible for a record to be assigned to more than one portfolio at a time.

If a User wishes to associate a record with more than one group at a time (e.g. multiple departments, divisions, processes, business functions etc.), they can do so using Business Area tags, as described in the Risk Details section of this guide.

Portfolios as Filters

Organizations will often decide to leave all (or most) data within the system open to all users. This can support a culture of transparency and allow for idea sharing across departments.

In this scenario, portfolios can still be used as a helpful way to organize and filter risks. Administrators simply have to ensure that they grant Standard and Read Only Users access to all risk portfolios in the portfolio admin screen. All Users will then be able to view all records, but will have one additional filter that they can use in combination with other filters to organize and filter their data.

Administrators may also set up a “hybrid” model, in which most data is shared with all Users, with the exception of selected sensitive portfolios (e.g. data related to Mergers & Acquisitions, sensitive HR issues, an “Enterprise” portfolio for board reporting, etc.).

Portfolios and Sub Risks

When combined with sub risk functionality, administrators can create flexible and helpful risk roll up views. For example, an administrator may create a portfolio called “Enterprise Risks” and limit access to selected executives and risk team members. Individual risks within the Enterprise Portfolio may then be linked to sub risks in various departmental portfolios through “parent-child” connections (as described in the Risk Details section of this guide). Authorized Users viewing enterprise risks would be able to see a summary (including weighted scores) of all the departmental risks that feed into (i.e. “roll up” into) and affect the scoring of the enterprise risk.

Portfolio Administration

Instructions on creating portfolios, managing portfolios, and assigning Users to portfolios are provided in the Administration section of this User Guide. This section also includes sample schematics of how portfolios may be structured to create various roll up views.
