5.2.2 Adding a New Risk
If this is a new Entity there will be no risks entered; to enter a risk click on "Add New" and a blank Risk screen will appear:
The components of the risk screen are as follows (Mandatory fields are highlighted in grey):
Risk No. - This number is system-generated; it starts at ten and goes up in increments of 10; this is to allow the user to group related risks in sequential order at a later time, should this be necessary.
Risk Subject - This field is intended to record a brief description of the risk; it is this field that appears in all of the CAREweb™ printed output and therefore the description needs to be meaningful in its own right.
Description - This field is intended to provide a fuller description of the risk set out in the short description. Treat this as a word processing field and give as full a description of the risk as you can.
Entity Objective – Here you can capture details of which, if any, of the Entity’s Objectives is under threat due to this particular risk. These Objectives were captured at the Entity screen level (Explained above). Click on the downward pointing arrow and the Entity’s objectives will be displayed, highlight the one you want and click on it. This field is optional. If this field is used, it is mandatory to assign a potential impact to it; that is, it is necessary to assess the impact this risk may have on the objective. Use the dropdown list to pick between High, Medium or Low (or whatever categorisation you set up at the Installation stage).
Basel Risk Category - as stated earlier CAREweb™ is designed to cater for Operational Risk Management under the Basel Accord by allowing Operational Risks identified as part of the wider Risk Management process to be linked to specific risks and Risk categories identified in the Basel Accord. This is done by using the dropdown box and selecting a risk category from the list presented:
Basel Event Type - once you have selected a Basel risk category for the risk, clicking on the down arrow in this heading will allow you to select a type of risk within that category:
These Basel Event Types are taken from the data set up in the Reference section
Basel risk - once a category and a type have been established for the Basel risk, you can assign a particular individual risk description to it by using the drop-down menu; again, this drop-down has been populated from the data set up at the Basel Risk Listing - Reference level
Risk Category - once you have defined the risk categories in the Reference section, you will be able to select the relevant category to which the risk relates.
Risk Sub-Category - Sub-categories related to the selected category, as predefined in the Reference section.
Asset (or whatever you have personalized it to in the Parameters section, see above) - This is mandatory and is where the user details the particular attribute under threat if the risk occurs. The available attributes have already been set up in the “Asset Types” screen (see above). By clicking on the down arrow, the available asset types are displayed and the appropriate one can be selected.
Impact and Probability - The drop-down menus allow the user to detail the impact on the Entity should the risk occur and the probability of the risk occurring. Quantification follows the parameters set up at the Installation stage, in this model they are:
•High
•Medium
•Low
The values for these have already been determined in the Entity screen (for Risks whose impact can be measured in monetary terms).
The probability entered here needs to be determined at the outset of the Risk Profiling exercise. In the Parameters section we looked at the Event Frequency Per Annum fields, which are also related to this concept. If it has been decided to use a 3-grade system of High, Medium and Low, as we have here, it is thought that a risk that materialises once or twice a year is considered Medium; any more than this is High, any less is Low. Whilst the Impact Values are established for each Entity, it is more usual for the Probability ranges to be determined across the organisation, hence their appearance in the Parameters screen. However, the probability assigned is the probability of the risk occurring in the case where controls are not present.
Tip: if you wish to insert a blank risk line in your matrix or printed output, or you have started to capture a risk in a workshop environment but need to move on before finishing it, the edits in the system would normally insist on all mandatory fields being completed. To get around this, put a full stop in both the long and short description fields, and highlight any of the Impact/Probability options. This allows you to move on, and you can then come back to this screen to make changes at a later date if required.
Environment Fields (Working; Actual) - These are not available for input; they are determined by the system through the “Risk & Control Evaluation” Process that will be explained later; they detail the current control environment in place over the specific risk being profiled.
Score Fields (Target, Working, Actual, Gross and Predicted) - These are not available for input; they are determined by the system through a process to be explained later in the “Risk Matrix” Section; they detail the current risk scores for the specific risk being profiled.
Financial - as well as catering for the requirements of the Basel Capital Accord, the system can also report against the Internal Controls over Financial Reporting requirements. Each risk is considered against these requirements and if it is felt that, should the risk occur, there would be a breach to the Internal Control over Financial Reporting requirements then you should place a tick in this box. In addition, by marking a risk as “Financial” the system will automatically categorise the controls mitigating this risk as Financial Controls and a dedicated report of these controls can be generated from the system.
Weakness - This is not available for input; it is determined by the system through a process to be explained later in the “Risk & Control Evaluation” Section.
Regulatory Risk - This is not available for input; it is determined by the system if the risk is linked to the Regulation Hierarchy (explained in the compliance monitoring section of this manual).
A completed Risk screen looks like this:
In this example, the workshop has moved on and risks have been matched with their available controls and a control environment score (working or actual) has emerged, in this case “B”.
Note: If you notice some of the tabs at the bottom are highlighted in Green, this indicates that there are records in the tab.