Tackle the (Operational) Risks – How to Build a Process-Oriented Risk Management System

What you can expect

  • Establishment and further development of a process-oriented risk management system
  • Risk management as part of the Three Lines of Defence at the governance, strategy and implementation level
  • Tool support at the strategic and operational level using ADOGRC

About the author

Robin Huber is an account manager and consultant focused on integrated GRC and specialized in risk management.

Enterprise-wide risk management plays a key role in an integrated GRC system, because the specifications set by risk management also define the basis for the other GRC functions, such as corporate security management or compliance management. Essentially, risk management ensures that internal and external risks of all kinds are handled. It is also important for raising awareness of existing risks across all departments: risk management, as part of the 2nd Line of Defence, can only achieve its full effect in close collaboration with the operating units of the 1st Line.

Based on the Three Lines of Defence model, the tasks of risk management can be divided into the following 3 areas:

  • Governance
  • Strategy
  • Operational implementation by the department
Figure 1: Subdivision of tasks and competencies within a management system (shown on the process map of the ADOMONEY BANK)

Governance

The governance area of the risk management system has to define the objective and purpose of risk management, as well as its scope or area of application on the basis of “affected risk categories” and “affected business processes”. Ideally, the scope is defined on the basis of the process map. This can be used to determine which processes are to be subjected to a risk analysis as a matter of priority. Other tasks include the consideration of standards and laws as well as the definition of the interfaces between risk management and other GRC functions in the sense of the integrated GRC.

Strategic risk management

The tasks of strategic risk management include strategic planning, the provision of the necessary organizational and technical structure, ongoing support for the specialist departments (e.g. through training, documentation or coaching), ongoing monitoring of the implementation, evaluation and improvement, and regular reporting and ad-hoc analyses. These tasks are described in the following four sections.

1 Strategic planning

Strategic planning encompasses all technical and organizational specifications according to which the implementation in the company takes place. It includes the structuring of the risk landscape using risk groups, the choice of an assessment method (e.g. a likelihood and impact scale) and the definition of risk tolerance limits. These parameters form the framework of the internal risk portfolio, which can be evaluated in ADOGRC.

Figure 2: Structuring of the risk portfolio with risk groups

Figure 3: Risk portfolio with risk tolerance limits

In terms of the integrated and process-oriented approach, the definition of the process map as the primary basis for risk analysis is an important part of strategic planning. The 4-eyes principle (every assessment is reviewed and released by a second person) supports quality assurance in the risk management process. This assessment workflow is efficiently supported by ADOGRC via e-mail notifications as well as an audit-proof history and versioning of every assessment.

Figure 4: Risk assessment workflow in the 4-eyes principle

2 Monitoring the implementation by the specialist units

Monitoring risk management is an essential task of the 2nd Line of Defence. The focus here is on monitoring the assessment workflows, observing the development of risks and ensuring the quality of the data inventory; the progress of the assessment workflows can be visualized in ADONIS using Gantt charts.

Figure 5: Monitoring of risk assessments using a Gantt chart

Any violation of the risk tolerance limits is reported by the workflow to the supervisor, who can then intervene in the ongoing assessment in a supportive manner. To monitor risk developments appropriately, ADOGRC provides a clear summary of these developments in a risk dashboard.

Figure 6: Risk dashboard including the historical development

3 Evaluation and improvement

Internal audits verify and improve the implementation of the requirements in the specialist departments. Management reviews ensure the appropriateness and effectiveness of the system, measured against the organizational requirements for risk management. Both can lead to improvement measures whose degree of implementation is tracked in the ADONIS workflow and displayed in the Gantt view.

Figure 7: Quick overview of the improvement measures

4 Reporting and analysis

Regular reporting as well as ad-hoc evaluations of the company’s risk situation are carried out with the help of graphical analyses or the risk control matrix. These illustrate how the elements of the process landscape (process map), risk management and the internal control system (ICS) are integrated with one another.

Figure 8: Risk control matrix with information about processes, risks and controls

In practice, individual evaluations are also frequently required with regard to risk summaries or risk aggregations, i.e. the roll-up of individual risk assessments to the level of a risk group or of the whole portfolio. These can be visualized in ADOGRC in various ways, such as a Gantt chart or a sunburst chart.

Figure 9: Risk aggregation at different levels of the risk portfolio
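As an added example (this is not code from ADOGRC, ADONIS or the article), the following Python sketch models the elements introduced under "Strategic planning" above (risk groups, an assessment method, tolerance limits) together with what this section describes: bottom-up aggregation at the different levels of the risk portfolio, the risk control matrix joining process map, risks and ICS controls, and the risk-class counts behind a heat map. The 1..5 rating scale, the score bands, the "worst score wins" aggregation rule, the bank processes, risks, owners and control IDs are all assumptions or constructed sample data.

```python
"""Added example, not ADOGRC/ADONIS code: a minimal process-oriented risk
portfolio with risk groups, likelihood x impact assessment, tolerance limits,
bottom-up aggregation, risk control matrix and heat-map counts.
Scale, bands, aggregation rule and all sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE = range(1, 6)  # assumed 1..5 rating for likelihood and impact
# assumed score bands (likelihood * impact) -> risk class
BANDS = ((1, 5, "low"), (6, 12, "medium"), (13, 25, "high"))


@dataclass
class Risk:
    rid: str
    name: str
    process: str            # process from the process map the risk is assigned to
    owner: str              # process owner, who also acts as risk owner
    likelihood: int
    impact: int
    controls: Tuple[str, ...] = ()   # ICS controls linked to this risk

    def __post_init__(self) -> None:
        # reject ratings outside the agreed assessment scale
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.rid}: ratings must be within {SCALE}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def risk_class(self) -> str:
        return next(name for lo, hi, name in BANDS if lo <= self.score <= hi)


@dataclass
class RiskGroup:
    name: str
    tolerance: int                    # tolerance limit on the aggregated score
    risks: List[Risk] = field(default_factory=list)
    subgroups: List["RiskGroup"] = field(default_factory=list)

    def aggregate(self) -> int:
        """Bottom-up aggregation: a group's score is the worst score found in
        its own risks and its subgroups (max rule, an assumption; summing
        scores is another common choice)."""
        scores = [r.score for r in self.risks] + [g.aggregate() for g in self.subgroups]
        return max(scores, default=0)

    def all_risks(self) -> List[Risk]:
        return self.risks + [r for g in self.subgroups for r in g.all_risks()]


def tolerance_violations(group: RiskGroup, path: str = "") -> List[Tuple[str, int, int]]:
    """(group path, aggregated score, tolerance) for every group, at any level
    of the portfolio, whose aggregated score exceeds its tolerance limit."""
    here = f"{path}/{group.name}" if path else group.name
    found: List[Tuple[str, int, int]] = []
    agg = group.aggregate()
    if agg > group.tolerance:
        found.append((here, agg, group.tolerance))
    for sub in group.subgroups:
        found.extend(tolerance_violations(sub, here))
    return found


def risk_control_matrix(group: RiskGroup) -> Dict[str, List[Tuple[str, Tuple[str, ...]]]]:
    """Process -> [(risk id, linked controls)]: the rows of the risk control
    matrix. An empty controls tuple exposes a risk without any control."""
    matrix: Dict[str, List[Tuple[str, Tuple[str, ...]]]] = {}
    for r in group.all_risks():
        matrix.setdefault(r.process, []).append((r.rid, r.controls))
    return matrix


def heat_map(group: RiskGroup) -> Dict[str, Dict[str, int]]:
    """Process -> number of risks per risk class (the cells of a heat map)."""
    cells: Dict[str, Dict[str, int]] = {}
    for r in group.all_risks():
        cells.setdefault(r.process, {"low": 0, "medium": 0, "high": 0})[r.risk_class] += 1
    return cells


def sample_portfolio() -> RiskGroup:
    """Constructed sample data for a fictitious bank; not taken from the article."""
    operational = RiskGroup("Operational risks", tolerance=12, subgroups=[
        RiskGroup("Process risks", tolerance=12, risks=[
            Risk("R-01", "Incorrect account data entry", "Account opening",
                 "Head of Onboarding", 3, 3, ("C-01",)),
            Risk("R-02", "Unauthorised limit change", "Credit approval",
                 "Head of Credit", 2, 5, ("C-02", "C-03")),
        ]),
        RiskGroup("IT risks", tolerance=12, risks=[
            Risk("R-03", "Core banking outage", "Payment processing",
                 "Head of Payments", 3, 5),   # no control linked yet
        ]),
    ])
    return RiskGroup("Risk portfolio", tolerance=16, subgroups=[operational])


if __name__ == "__main__":
    portfolio = sample_portfolio()
    print("portfolio score:", portfolio.aggregate())
    for path, agg, tol in tolerance_violations(portfolio):
        print(f"tolerance violated: {path} ({agg} > {tol})")
    print("risk control matrix:", risk_control_matrix(portfolio))
    print("heat map:", heat_map(portfolio))
```

With the sample data the single high risk in "IT risks" drives that group and its parent "Operational risks" above their tolerance of 12, while the portfolio as a whole (tolerance 16) stays within limits; this is exactly the kind of level-dependent result a supervisor is notified about, and the empty controls tuple of R-03 shows up in the matrix as a risk the ICS does not yet cover.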

Operational implementation by the departments

The operational units, the specialist departments, have the task of implementing the specifications of strategic risk management within their own department or division. In terms of process orientation, the process owner also assumes the role of the risk owner. His or her task is to analyse the risks of the operational processes and to evaluate them on an ongoing basis as specified in the workflow. The processes in the process map, to which the (operational) risks are assigned, serve as the basis for this.

Figure 10: Risk analysis based on the process map

The connection between process and risk, and onward to the ICS, can be displayed in ADONIS as a matrix in the form of a heat map.


Figure 11: Heat map of the risks of a process map

ADOGRC offers personalized workstations that show the risk owner which risks still need to be assessed to complete the ongoing annual risk assessment. This makes it easier for the operational units to fulfil their ongoing risk management tasks.


Figure 12: Personalized workstation for the process and risk owner

For an individual risk, all the information the risk owner needs for the regular assessment can be displayed in a dashboard form. This includes the historical development of the risk, its connection to processes (and other assets) and controls, as well as frequently used functions for the quick creation of analyses and reports.


Figure 13: Dashboard for risk assessment including context to processes and controls

Because the risk owners use ADOGRC continuously and in an integrated way, a uniform data pool is created. Strategic risk management draws on it for reports and analyses, and above all for improving the company’s overall risk situation.

Unleash the full impact of your risk management

A uniform and structured set-up of risk management allows its tasks to be clearly defined along the Three Lines of Defence. The consistent use of ADOGRC at the strategic and operational level enables the risk owners, as well as those responsible for the management system, to perform their tasks efficiently. By using the process map as the basis, the risks gain the necessary operational reference, with relevance for the internal control system, on the one hand, and risk responsibility is clearly assigned to the process owner on the other.

GET IN TOUCH WITH US

Get in touch with us to discuss the structure of your risk management, prepare the process map for anchoring of your risk management and further develop methods for ongoing risk assessment and risk reporting.