Overview of the Risk Object

A risk defines circumstances that could materially affect a business process. You may not only define a risk, but also analyze, evaluate, and treat it.

  • Analysis uses likelihood, impact, and analysis models to determine "inherent risk," or the level of risk existing before any mitigation is in place.

  • Evaluation uses context and significance models to consider the risk itself. This operation produces a recommendation to accept, monitor, or treat the risk; returns an overall risk rating; and judges the relative importance of the risk.

  • Treatment involves the creation of plans that relate controls to the risk, track treatment costs, and perform "residual" analysis. This form of analysis reuses the likelihood, impact, and analysis models to determine how effectively the related controls address the risk. A plan may be "in-use," meaning it's intended to have immediate effect, or "target," meaning it's intended to produce results in the future. Although related risks are associated with a treatment plan, you can select them as you define the plan or as you define the risk itself.

You may also define events (any occurrence that can impact a risk you've defined) and consequences of those events.

To work with risks, select Risk Management > Risks. Then select a tab:

  • Worklists displays your risk-related worklist assignments.

  • Risks opens a page listing the risks you're authorized for. In that list, click the name of a risk to open its record. An individual risk record includes tabs to view its definition; its analysis, evaluation, and treatment results; assessments of it; issues raised against it; and related advanced controls.

  • Assessments opens a page listing risk assessments for you to complete, review, or approve.

  • Events and Consequences open pages for you to create and edit those items.

  • Models opens pages for you to create and edit likelihood, impact, analysis, context, and significance models.