Columns in Enterprise Risk Console
Written by Gagan
Updated over a week ago

a. Configuring Columns (Admin Feature)

There is a menu button in the top right corner of the Risk Console that will expand to show a menu when clicked.

Admin Users will see an option on this menu called “Configure Grid”. Clicking this opens a pop-up that can be used to select which columns to display in the Risk Console.

Admin Users select the columns they wish to display in the Risk Console and click Save. Changes will apply immediately for all system Users.

Note that features such as Risk Velocity and Target Risk will only appear as options if they are included in your organization’s package and have been enabled in the system Admin screens.

b. Available Columns

The following columns are available for display in the Enterprise Risk Console:

1. Rank

The unique priority of each risk across your organization, as set by the risk manager or authorized User. Rank is not the same as risk score and can be set independently. For example, you may decide that a risk should have a higher rank based on the objectives it impacts, even if there are risks with higher risk scores.

Rank can be edited by clicking on the rank value in the Rank column and entering a new rank number. Rank can also be edited from the Risk Details screen.

2. Business Risk

This is the name of the risk. Risk names can be edited in the Risk Details screen.

3. Risk #

This is a unique identifier for each risk. Unlike rank, this unique identifier cannot be edited.

4. Category

The category for each risk is displayed. If your administrator has enabled subcategories, then the category and subcategory of each risk will be displayed in the format “Category, Subcategory”, e.g. “Operational Risks, Human Resources”.

5. Likelihood (Inherent Likelihood)

Likelihood (aka Inherent Likelihood) is the probability that the risk event will occur if the organization does not take any steps to prevent it. This is the likelihood before controls or mitigations are considered.

6. Impact (Inherent Impact)

Impact (aka Inherent Impact) is the level of effect that the risk event would have on the organization if it occurs, provided that the organization does not take any steps to manage it. This is the impact before controls or mitigations are considered.

7. Inherent Risk

This is the overall risk rating for the risk if the organization does not take any steps to manage it. By default, Inherent Risk is calculated as the product of likelihood x impact, but this scoring may be modified by your administrator.

In addition to a numerical score, this column also displays status lights that correspond to the level of Inherent Risk. These colors are set by the administrator and correspond to the quadrant on the heat map in which the risk would be plotted.

Some organizations do not evaluate Inherent Risk and instead go straight to evaluating Residual Risk (described below). In this case, the system administrator can disable Inherent Risk in the Admin screens. This will automatically remove references to Inherent Risk in screens throughout the system.

8. Control Effectiveness

This is a rating of how effective the existing controls and mitigations are in reducing the level of each risk. The effectiveness of individual mitigations can be assessed through the Mitigation Details screen. This rating represents an overall effectiveness, when all risk management steps have been taken into account.

In some cases, cells in this column of the Risk Console may have a yellow highlight behind their value. This is an indication that the overall level of Control Effectiveness assessed for the risk does not correspond to the effectiveness rating of each individual control. Risks with this warning should be reviewed, with consideration given to adjusting the risk’s Control Effectiveness rating.

This is described in more detail in the Risk Details screen, Risk scoring section overview. System administrators can determine when this warning should occur, through a configuration option in the Admin screens.

9. Residual Likelihood

Residual Likelihood is the adjusted probability that the risk event will occur, once all existing mitigations have been taken into account.

10. Residual Impact

Residual Impact is the level of effect that the risk event would be expected to have on the organization, after all existing mitigations have been taken into account.

11. Residual Risk

This is the overall risk rating for the risk after taking into account all of the mitigations and management steps that the organization has already put in place to lower the Inherent Risk. By default, Residual Risk is calculated as the product of Residual Likelihood x Residual Impact, but this scoring may be modified by your administrator.

In addition to a numerical score, this column also displays status lights that correspond to the level of Residual Risk. These colors are set by the administrator and correspond to the quadrant on the heat map in which the risk would be plotted.

12. Velocity

Velocity is the speed with which a risk may develop and impact an organization. For example, a regulatory risk may have a “Low” velocity, if it would take months or years for a regulator to plan and announce changes. In contrast, a cybersecurity risk may come to fruition within a matter of minutes or hours and be considered to have a “Very High” velocity.

13. Risk Thresholds

Essential ERM automatically compares the Residual Risk score for each risk to the upper and lower acceptable thresholds that have been set by the organization. Risks are indicated as being “within” acceptable thresholds, “above” acceptable thresholds, or “below” acceptable thresholds. Thresholds are set through the Risk Appetite Console or through the Risk Details Screen.

14. Target Likelihood

This is the level of likelihood that the risk manager would like to achieve for each risk.

15. Target Impact

This is the level of impact that the risk manager would like to achieve for each risk.

16. Target Risk

This represents the overall rating of risk that the risk manager would like to achieve for each risk. By default, Target Risk is calculated as the product of Target Likelihood x Target Impact, but this scoring may be modified by your administrator.

In addition to a numerical score, this column also displays status lights that correspond to the level of Target Risk. These colors are set by the administrator and correspond to the quadrant on the heat map in which the risk would be plotted.

17. Open Actions

This column represents the number of active Action Plans that are associated with each risk. Only Action Plans that are incomplete will be included in this total. Once an Action Plan is completed or canceled, it will no longer be counted in the total.

In some cases, the cells in this column will be highlighted with a pink background. This indicates that one or more of the action plans associated with this risk are past their due date.

18. Business Areas

Business Areas function like tags for filtering, sorting, and reporting purposes. Business area tags can be attached to risks through the Risk Details screen.

19. Strategic Objectives

This column shows the strategic objectives that each risk is associated with. Risks can be linked to objectives in the Risk Details screen and Strategy Console.

c. Using and Resetting Filters

There are several filters within the Enterprise Risk Console. These include column filters, which can be used in combination to search for and filter the Risks which are displayed in this screen. When used in combination, the screen will display all the Risks that meet the applied conditions.

Most of the filters in Essential ERM will stay applied until the User actively resets them, even as the User navigates between different screens in the system. This allows a User to apply a particular view and continue working in that view throughout their login session. For example, a User may choose to select a view for “Enterprise Risks” only and work in that view mode while excluding all other risks.

This console screen also includes a “multi-select” filter that can be used in combination with other filters and that allows users to filter risks by other attributes such as Risk Owner, attached Strategic Categories, and attached Strategic Objectives.

The multi-select filter also includes logical rules for filtering risks. These include the following:

  • Risk Thresholds Suppressed - this filters the Console to display only risks for which risk appetite thresholds have been suppressed.

  • Risk Thresholds Overridden - normally, appetite thresholds for residual risk are set at a risk category level; however, a User can override these standard thresholds and set custom thresholds at an individual risk level. This option filters the Console to display only risks for which a custom risk appetite threshold has been applied at a risk level.

  • Residual Risk Overridden - system administrators can optionally configure rules so that the value of Control Effectiveness selected for a risk will automatically lower Inherent Risk scores and calculate new Residual Risk scores. Users can, however, override this automated calculation to directly set their own values for Residual Likelihood and Residual Impact. This option filters the Console to display only the risks for which Users have overridden the automated calculation and set residual values directly.

  • Parent Risks Only - users may associate and link risks together in a Parent-Child relationship, as described in the Risk Details section of this User Guide. This option filters the Console to display only the risks that have child risks associated with them.

  • Top Level Risks Only - this option filters the Console to remove all child risks from the screen. As a result, the Console will display only “top level” risks, including parent risks and individual risks that do not have any child risks attached to them.

  • Control Effectiveness Variance Exceeds Set Value - Users can set the overall Control Effectiveness value for a risk. Users can also set effectiveness values for the individual mitigations attached to the risk, as described in the overview of Mitigation Details screens. Finally, Admins can set a variance level in the Admin screens, which represents the degree to which the weighted scores of individual controls can vary from the overall effectiveness score of the risk. Once this variance is exceeded, an alert will display in the Risk Console. These alerts tell the User that the value of Control Effectiveness for a risk may no longer be valid and should be re-evaluated. This option filters the Risk Console to display only risks for which the variance exceeds the value set by the administrator.

d. Sorting Columns

By default, the risks shown in the Enterprise Risk Console will be sorted in order of Rank, from the highest (Rank #1) to the lowest rank.

Users can change the order of risks displayed in the Risk Console by clicking on the title in the column header, e.g. “Business Risk”. This will cause the Console to reload and re-sort based on the column selected. Clicking the header title multiple times will toggle between low-to-high and high-to-low views.

Columns that can be sorted in this manner include:

  • Rank

  • Business Risk

  • Risk Number

  • Inherent Risk

  • Control Effectiveness

  • Residual Risk

The sorting view applied will persist until the User resets the default view by clicking the Rank column or until the User logs out and logs in again. This allows the User to navigate away from the Risk Console and back again without having to continually apply the view they wish to see.
