Evaluate a Risk

Evaluate a risk to determine whether to accept, monitor, or treat it, based on standard (model-defined) criteria. Evaluation also rates the significance of the risk in comparison with other risks.

Prerequisites

If you intend both to analyze and evaluate a risk, it's recommended that you perform analysis first. Inherent and residual analysis results are displayed, and may be taken into account, during evaluation.

Select the risk you want to evaluate: In the Risks search page, click the name of the risk. A record of that risk opens.

Ensure that a context model is selected for the risk. If so, the Definition tab of the risk record displays the name of the model. If not, edit the risk to select a context model.

Review Past Evaluations

You and other users may evaluate a risk any number of times. If any past evaluations exist, you can review their results as background for a new evaluation.

  1. Click the Evaluation tab.
  2. The Evaluations panel displays a row for each past evaluation.
    • Each row displays summary information about its evaluation, including the overall risk rating, significance, and state. To view greater detail about an evaluation, click in its row and then expand a Details field that appears beneath the list of past evaluations.
    • Within a row, click an evaluation date to open a View Evaluation page. It displays complete details. (In that page, click Cancel to return to the Evaluation tab.)

Perform a New Evaluation

To perform a new evaluation:

  1. Click the Evaluation tab (if it's not already selected).
  2. Select the Create Evaluation icon. A Create Evaluation page opens.
  3. In the Risk Information panel, review any information that may exist about inherent or residual analysis of the risk. You may evaluate the risk differently, for example, depending on whether these analyses reveal that the risk is well or poorly mitigated by existing controls.
  4. Enter values in the Evaluation Details panel. These include:
    • Evaluation notes, which may, for example, explain why the evaluation is being conducted.
    • A due date. You may be setting up an evaluation to be completed later. (At that point, you may enter a separate target completion date if it will differ from the due date.)
  5. If descriptive flexfield segments have been defined for risk evaluations, these appear as fields in an Additional Information panel. Provide values for these fields.
  6. The Risk Criteria panel displays a row for each criterion established by the context model. You must select a value in each row. The context model provides a corresponding tolerance (recommendation to accept, monitor, or treat) and rating for each criterion.
  7. Return to the Evaluation Details panel to view result values determined by your risk-criteria settings. They include:
    • A Risk Rating, an overall value that's the average of the ratings for the individual risk criteria.
    • An Evaluation Result. Of the tolerance values selected for all criteria, this is the one that requires the most active response.
    • A Risk Significance, which rates the importance of the risk in comparison with others. A significance model (which is designated by the context model) uses the risk rating to determine this value.
  8. In the Evaluation Details panel, optionally select the Catastrophic check box. This overrides the criteria values you selected, setting the risk rating to 100 (its maximum value), the evaluation result to Treat, and the risk significance to High. If you clear the Catastrophic check box, your criteria values are restored.
  9. Select Save and Close to return to the Evaluation tab. There, the row for the evaluation you performed displays the Risk Rating and Significance. These are the maximum possible values if you selected the Catastrophic check box; if not, these are the values determined by your risk-criteria settings. The row for the evaluation also displays the state of the evaluation and its description.
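The result values described in steps 6 through 8, worked through as an added example; it is not part of the original documentation or the product's own code. The criterion names, their ratings and tolerances, and the significance thresholds are constructed assumptions; in the product they come from the context model and its significance model.

```python
from dataclasses import dataclass

# Tolerances ordered from least to most active response.
TOLERANCE_ORDER = ["Accept", "Monitor", "Treat"]
MAX_RATING = 100  # maximum risk rating, as set by the Catastrophic override


@dataclass
class CriterionChoice:
    criterion: str   # constructed criterion name
    rating: float    # rating tied to the selected value (assumed)
    tolerance: str   # tolerance tied to the selected value (assumed)


def significance_for(rating, bands=((70, "High"), (40, "Medium"))):
    """Map a risk rating to a significance. The bands are assumed thresholds
    standing in for a significance model; they are not from the page."""
    for floor, label in bands:
        if rating >= floor:
            return label
    return "Low"


def evaluate(choices, catastrophic=False):
    """Return (risk rating, evaluation result, risk significance)."""
    if not choices:
        raise ValueError("a value must be selected for every criterion")
    for c in choices:
        if c.tolerance not in TOLERANCE_ORDER:
            raise ValueError(f"unknown tolerance: {c.tolerance}")
    if catastrophic:
        # Override: the criteria selections are kept but not used.
        return MAX_RATING, "Treat", "High"
    rating = sum(c.rating for c in choices) / len(choices)
    result = max((c.tolerance for c in choices), key=TOLERANCE_ORDER.index)
    return rating, result, significance_for(rating)


# Constructed sample selections for one evaluation.
SAMPLE = [
    CriterionChoice("Financial impact", 80, "Treat"),
    CriterionChoice("Likelihood", 30, "Accept"),
    CriterionChoice("Reputation", 40, "Monitor"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE))
    print(evaluate(SAMPLE, catastrophic=True))
    print(evaluate(SAMPLE))  # clearing the check box restores criteria results
```

With these sample values the averaged rating falls mid-range while the evaluation result is still Treat, because a single criterion's tolerance decides the result.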

Complete the Evaluation

Although you can create and complete an evaluation all at once, the expectation is that you may edit it after initially saving it, to make adjustments in response to new findings about the risk. For that reason, the evaluation is saved at first in an In Edit state. By the time the due date (or target completion date) arrives, however, you're expected to move the evaluation to a Completed state, after which edits are no longer possible.

To make edits, or to complete the evaluation:

  1. Click the Evaluation tab (if it's not already selected).
  2. In the Evaluations panel, select the row representing the evaluation, then select the Edit Evaluation icon.
  3. In an Edit Evaluation page, do either of the following:
    • Perform edits: Select or clear the Catastrophic check box; modify your selections for the risk-criteria values; update the evaluation notes, due date, or target completion date; or make changes to Additional Information fields.
    • Complete the evaluation: Select Actions > Mark Complete.
  4. Select Save and Close. If you've performed edits, the evaluation remains in the In Edit state. If you've completed the evaluation, its row in the Evaluations panel is updated to show Completed in the State column.