Risk assessments are plagued by subjectivity, which means they simply cannot be relied upon to meet their objective. Subjectivity prevents the assessments from being used across business silos and makes verification by audit or compliance review impossible.
Common standards and assumptions make information collected across the organization objective, quantifiable and comparable, enabling better analysis, issue resolution and issue escalation when necessary. LogicManager is populated with a risk assessment template framework with best practices, which is also configurable for your organization.
- Uniform numerical scale – LogicManager’s scoring is based on a scale from 1 to 10, with 10 having the most unfavorable consequences to the organization, and is split into 5 buckets (1-2, 3-4, 5-6, etc.) to provide a high and low of each bucket. Using a 10-point scale makes the math easy, and having only 5 buckets gives folks doing assessments the flexibility to select the high or low of each bucket.
- Objective evaluation criteria – Often, one person’s 9 is another person’s 7. LogicManager provides a clear definition of what each of the 5 buckets means in unambiguous terms. There are multiple ways of expressing severity, both qualitative and quantitative, such as financial, legal, strategic, etc. Any qualitative criterion can be given a score to become quantitative and comparable across the enterprise. All standards, including laws, regulations and corporate policies and procedures, can be compared with current practices.
- Calibrated assessment criteria – A variety of risk assessment criteria are used within LogicManager, and all are on a 1-10 scale and calibrated, meaning that a 7, even if described differently in different assessment criteria, has the same meaning of severity. This allows the aggregation of risk assessments to provide a holistic view of risk.
- Universal business elements – Risk assessments in LogicManager are broken down into basic elements like business processes and resources, which are standardized across business silos, or business units. By resources, we mean people and vendors and the physical assets, software applications, services and data repositories used in the organization. Assessing vendor characteristics separately from the products and services they sell will produce risk assessments that make it easy to identify and maintain objectivity as changes occur, such as mergers and acquisitions or new product introductions. By breaking down complex interconnected information into resources as basic building blocks, LogicManager’s risk Taxonomy framework provides a structure for information and ownership. This enables everyone to understand, contribute, and accept responsibility for change management.
- Link risk assessment templates – LogicManager’s Taxonomy technology links elements together, meaning that with a simple drag-and-drop you can connect vendors to the products and services they provide and to the business processes that rely upon them. Link each financial element to the business processes that contribute to it. Link all of the internally developed applications and data repositories to the business processes that rely upon them to perform their responsibilities. Linking these elements together provides a holistic picture. For example, a vendor can have multiple products and services of different quality and risk. Assessing the products and services individually and linking those risk assessments to the vendor profile provides a much clearer picture of the combination of products, services and vendors used by a process owner.
- Common resource library – LogicManager’s Taxonomy provides a common resource library. Using information from one common place makes it possible to dramatically reduce rework, especially in collecting and managing information, for both you and the process owners you work with. The library also helps you know who else is connected to the same information. The key is to figure out how all of these resources are related to each other and which combinations of these resources are most important to critical areas of your business.
- Consolidate resource data collection – LogicManager allows you to create customizable data fields for each of these resource elements so you can gather information across silos and identify areas where controls and tests can be consolidated. Different areas across the organization are collecting the same information for resources; they just don’t know it. For example, accounts payable, contract management, vendor management, business continuity, and IT all collect overlapping information about your vendors. By understanding what information is being collected by these areas for each resource, you can easily rationalize and consolidate risk assessments and data fields.
- Holistic, accurate ERM reports – You can analyze, report, and make decisions taking into consideration every relationship related to the resource. LogicManager enables organizations to get an Overall Risk Score for each resource, which pulls subject matter expertise across the organization to come up with one aggregated number for that resource. All the complexity related to a resource, like a vendor, is simplified, but supported by a detailed trail of the objective risk assessments for all other things related to the resource, such as the business process, financial elements, physical assets, applications, data, and people.
- Tasks & workflow – In LogicManager, for each resource element, you can send out emailed task notifications for scoring risk assessments or review, attach documents such as contracts, start approval workflows, collect customized data fields, see scores historically and much more.
When the relationships between the resources and the business processes that use them become explicit, the organization can determine business impact. The stronger the understanding of business impact, the more effective the governance activity will be. The connection to a business process provides a direct connection to the subject matter expert for the activity that uses the resource and knows the criticality of that resource to their activity.
The result is a single overall summary score for each business process that combines the individual scores for each resource and financial item associated with that process and the process score itself. With this information, you can prioritize and focus your ERM efforts.