Uk tips rismarisk 4 2

Tips to use RISMArisk Release 4.2

Risma Systems A/S

Lyskær 8

DK-2730 Herlev

Denmark

+45 70 25 47 00

[email protected]

Tips to use - RISMArisk December 2015

Copyright © 2015 Risma Systems A/S – All rights reserved Page 2

Indhold

1. About getting started ............................................................................................ 3

1.1 About administrators’ tasks ............................................................................................ 3

1.2 About risk owners’ tasks ................................................................................................... 6

2 About daily use .......................................................................................................... 6

2.1 About closing a risk ............................................................................................................. 6

2.2 Creating a new period ........................................................................................................ 6

2.3 The use of RISMArisk during meetings and workshops ....................................... 6

2.4 Create risk mitigations in RISMAexecution ............................................................... 7

2.5 Create an ongoing control (requires RISMAcontrols) ........................................... 7

2.6 About Risma Board ............................................................................................................. 7

2.7 About export to word and Excel (Reports) ................................................................ 7



1. About getting started The first Super User has already been given access when the system was installed.

It is recommended to have at least two Administrators to ensure that at least one person has access to the general administration section during periods of vacation or other absence. Only Administrators can for instance provide access to new users or provide new passwords to users who have forgotten their access credentials.

1.1 About administrators’ tasks Administrator must initially perform the following two tasks:

- Create users - Create organizational units.

Hereafter, Administrator or Super User should create the first period and scoring parameter. Please see the user guide “1. Generel Administration (administrator)”, to see how to create users, organisations and risks in the system. The user level must be decided for every user. The user can be a Regular User, a Privileged User, a Super User or Administrator. Regular Users only have access to risk, in which they are responsible for. Privileged Users can enter data on all risks within their organisational unit, and can furthermore create reports about progress on all risks within their organisational units. Super Users have access to all risks and can furthermore create reports about progress on all risks. Administrators have access to all functions in the system and all risks. Administrator is the only type of user, who can create users and organisations. Members of management are typically Super Users. Some managers prefer, however, to be Administrators. It might be a good idea to get a management approval of the user rights.



After creating users and organisations, the last task is to create the first period for risk management. Create the first period for risk management. At the administration section for RISMArisk you find the box named “Periods”. Pres the plus (+) to create a new period. If there is an open period, the open period will be closed when a new period is created. When creating a period, the organisation’s scoring parameters shall be defined. The system has two obligatory parameters: likelihood and financial impact. Furthermore, the system allows to parameters to be defined by the company. This could for example be brand, CSR, safety or similar. Scoring parameters Below the heading Scoring parameter, the number of scores shall be defined. Choose between five or six scores for likelihood and financial impact. Below the number of score percentage, ranges for likelihood should be defined. Click on the dropdown menu to define the percentage ranges. Below should the financial impact be defined. First, the valuta is typed, for example Mio. USD. See the example below where the numbers are typed for the two parameters. Score of likelihood: 6 Score of financial impact: 5

Score Likelihood (%) Impact (”Mio. USD”)

1 <5 <5 2 10 10

3 20 25 4 33 50 5 50 >50 (calculated value) 6 >50 (calculated value)



Below the heading Other parameter 1 and 2, relevant impacts according to the company can be entered. These can be shown in a Risk Matrix like the example above. Create risk types Create risk types by pressing (+) of the other box in the administration of RISMArisk, named Risk Types. The system has five default risk types (Operational, Compliance, Financial, Strategic and Hazard). It is possible to create new risk types by pressing the (+) in the box named Risk types. Risk types is used to group the risk, this feature is very useful when creating reports. It is also possible to look at the risk type as a ”root cause” for a specific risk. The administration for RISMArisk shows how many risks in each category.



1.2 About risk owners’ tasks Risk owners shall make sure that the risk is created and kept updated. For a more specific guide on how to create risks, please see the User Guide section ”3. Overview”. Description, scoring parameters and comments should be kept relatively short - usually no more than five to six lines. The risk must have a primary risk owner, who typically is the overall responsible for the area in which the risk can be framed, while the daily risk owner is to continually monitor the risk, perhaps, ensure mitigation plans and controls connected to the risk. In the box to the right, you can choose between the set of risks, and whether the risks belong on the board level, management level or department level.

2 About daily use Below you see a number of tips on the daily use of the system.

2.1 About closing a risk A risk is closed in the system when the risk is no longer present. Closing a risk means that it will still be visible in reports. A strikeout text will let the reader of the report know that the risk is closed/finalized. When a risk is closed, it will not appear as an active risk in the next period. A risk can be reopened again if it becomes relevant.

2.2 Creating a new period When a new period is created, it is possible to define new scoring parameters. The previously used scoring parameters will be set as default, when setting the new. The new period, with new scoring parameters, will copy all open risks and move them into the new period. This means that if the first interval in the period before were <5 and the first interval in the new period is <10, all risks will be automatically updated to scores in the new equivalent level. When a new period is created, all open risks are moved to the new period while all closed risks are removed from the list. If I want to find a closed risk from an earlier period, it can be done in the report section. Select the previous period and select all closed risks, and all closed risks in the earlier period is shown.

2.3 The use of RISMArisk during meetings and workshops The system can be used as inspiration for discussion during meetings. The filter in the report section allows that one can extract data with special relevance. This



may be a risk discussion, discussion of risks within a particular department, employee interviews, status meeting or a leadership group meeting, where the status of all the risks are reviewed. At these meetings, decisions on further action on a risk can be documented directly in the system at the meeting. How this is done, can be seen in the User Guide section "5. Reports". Another option is to use the risk matrix to determine the likelihood and impact of individual risks, for example, according to a risk-identification workshop. Each risk-circle can namely be dragged around in the matrix, and pressing the "Save Score change" (located under the table), updates the underlying data.

2.4 Create risk mitigations in RISMAexecution

If the risk is assessed to have an unacceptable risk value, you should then create events which reduce the impact or likelihood of the risk occurring. Create one or more mitigation plans in the RISMAexecution module and link these to the specific risk. There will be a link between the actual risk and mitigation plan. The mitigation plan will be listed in the specific risk. If a given mitigation plan reduces the financial impact, it is recommended that this will be specified in an numerical unit, such as "Post-mitigated impact, DKK".

2.5 Create an ongoing control (requires RISMAcontrols) If the company also uses RISMAcontrols, it will be possible to create a control that continuously checks the risk for a particular frequency, and the given risk can then be connected to this control and will be indicated in the risk description section (below Mitigation plans).

2.6 About Risma Board

Risma Board is found in the data entry page of each risk. This function allows the users, who have access to the risk, to have an informal forum for questions or discussions relevant to the risk. The Risma Board is not included in the reports.

2.7 About export to word and Excel (Reports) Export of the risk matrix and the associated risk list may be relevant if a risk report is to be incorporated in monthly reports to the Executive Board or Board reporting.



Export of risk list to Excel Create a list in the report section with Display selected Risk list. The result can be exported to Excel from which you can work on the report and put it into the appropriate format, such as Word or PowerPoint. If necessary, read more about exporting to Excel in the User Guide section "5.5 Export reports to Excel." Eksport of risk matrix to Word The Risk Matrix can be exported to Word in an image with the associated risk list under the picture in a Word table. This makes it easy to copy into PowerPoint or other presentation tools for further dissemination.

Documents

Uk tips rismarisk 4 2