What is the Purpose of Abriska® 31000?
Closely aligned with the risk management process from ISO 31000, Abriska® 31000 was designed to provide organisations with an intuitive tool for assessing and managing all types of risk from different functions and departments.
Its purpose is to ensure that risk management is an integral part of management and governance, is embedded in the organisation's culture and practices, and is tailored to the organisation's needs.
What Type of Organisation is Abriska® 31000 Particularly Suited to?
Abriska® 31000 is the perfect cost-effective tool for any organisation which wishes to identify, assess and manage all its risks consistently and coherently.
The flexibility of Abriska® allows it to be used in an organisation of any size and type, although it is ideally suited to those looking to embark on or mature their ERM programme using a simple ERM tool with a methodology based on internationally recognised best practice.
Your organisation may, for example, currently be using spreadsheets and encountering issues such as single points of failure, weak access control, and a lack of accountability and audit history.
What Are Abriska’s Key Features?
- Establishing a common risk framework across the organisation e.g. consistent risk categories tailored to the business.
- Assessing likelihood and impact of each risk.
- Identifying the following types of risk:
  - Absolute risk – worst-case scenario excluding existing controls
  - Controlled risk – current risk including existing controls
  - Residual risk – projected risk once further controls have been implemented.
- Enabling detailed reports and graphical dashboards to be presented to senior management.
- Helping organisations to manage and resolve risks effectively through detailed risk action outputs.
- Facilitating central management of risk and ownership.
- Providing notifications and reminders to ensure risk registers are kept up to date.
What Are Abriska’s Benefits?
Aligned with international best practice, Abriska® 31000 provides a highly cost-effective solution for managing all forms of enterprise risk. By managing all your risks in one place and following the same risk management process, Abriska® 31000 provides consistent and universally understood outputs.
As such, risks are classified in the same way irrespective of the department or function they originate from, so one can compare, for example, a ‘red’ financial risk with a ‘red’ operational or privacy risk.
With its clear, informative graphical and report outputs, Abriska® 31000 enables senior management to gain a coherent view of where the major organisational risks lie. Abriska’s audit trail also provides an objective record of how risks have changed over time.
How Does It Work?
Abriska® 31000 provides the framework to initially assess the potential impact of a risk and understand what damage it could do to your organisation. By identifying what controls you have in place to prevent such risks from materialising, you can then determine the likelihood of the risk occurring.
The likelihood and impact are then plotted against your risk appetite, and the risk is thereafter monitored and managed via the risk register. Risks are assigned to risk owners, who can create actions for users to complete that help to reduce the impact and/or likelihood of each risk.
Reports can be run at any time, showing a live view of all risks and their actions. Aligned with ISO 31000, Abriska® 31000 is very flexible and can be configured to support your risk framework.
How Does It Assess Risks?
The first step of risk identification is to record what the risk is, who is responsible for it, the type of risk and how it was identified. These are recorded within a departmental or divisional risk register, and from here the risk journey begins.
Information can be added about the risk, such as related risks or specific tags (e.g. project or product). Different levels of access can be provided within Abriska®, such as departmental risk champions or individual risk/action owners.
How Does It Analyse and Evaluate Risks?
A risk is typically given an impact score ranging from 1 (insignificant) to 5 (catastrophic) based on how serious the impact would be. Impact is assessed for each of the three risk types: absolute, controlled and residual. The same process is then followed for likelihood, scored from 1 (rare) to 5 (almost certain) across the same three risk types.
Each risk is then plotted against the organisation’s risk appetite and allocated a score. Depending on the organisation’s risk acceptance criteria, some risks may be accepted at this stage if they do not pose a great enough risk. Risks can be linked to controls to identify common areas of weakness.
How Does It Treat and Monitor Risks?
Risk actions are then used to reduce the impact and/or likelihood of each risk. They are managed by the risk owner, who can assign actions to users for completion with due dates. Action owners can log in to see the work assigned to them and record their progress and the completion of each action.
Once these actions have been completed, the risk owner can reassess the risk to reflect any improvement. Central administrators can monitor risks and provide updates to the relevant governance processes.
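As an added illustration of the assessment workflow described above (identify, analyse and evaluate, treat and monitor), the following Python models a small risk register: three ratings per risk, each plotted against a risk appetite, a consistency check between the three risk types, actions with owners and due dates, and a history kept on reassessment. This is example code written for this page, not Abriska's code or data model. The score formula (impact × likelihood), the appetite thresholds, the colour bands, and the register entries are all assumptions; the page only says that a score is allocated and that risks may be accepted if they do not exceed the appetite.

```python
from dataclasses import dataclass, field
from datetime import date

# Scales as the page describes them: impact 1 (insignificant) to 5
# (catastrophic), likelihood 1 (rare) to 5 (almost certain).
SCALE = range(1, 6)
# Constructed "today" so that the overdue check is reproducible offline.
TODAY = date(2024, 4, 1)


@dataclass(frozen=True)
class Rating:
    impact: int
    likelihood: int

    def __post_init__(self) -> None:
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"impact and likelihood must be 1..5, got {self}")

    @property
    def score(self) -> int:
        # Assumption: the page does not state a formula; the common 5x5
        # matrix convention (impact x likelihood) is used here.
        return self.impact * self.likelihood


@dataclass(frozen=True)
class RiskAppetite:
    """Assumed acceptance criteria: below accept_below is green (accepted),
    at or above red_at is red (escalated), anything between is amber."""
    accept_below: int = 5
    red_at: int = 15

    def band(self, rating: Rating) -> str:
        if rating.score >= self.red_at:
            return "red"
        if rating.score >= self.accept_below:
            return "amber"
        return "green"


@dataclass
class Action:
    title: str
    owner: str
    due: date
    completed: bool = False


@dataclass
class Risk:
    title: str
    owner: str
    category: str
    absolute: Rating      # worst case, ignoring existing controls
    controlled: Rating    # as it stands today, with existing controls
    residual: Rating      # projected, once planned actions are complete
    tags: list[str] = field(default_factory=list)
    actions: list[Action] = field(default_factory=list)
    history: list[tuple[str, Rating]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.check_consistency()
        self.history.append(("initial assessment", self.controlled))

    def check_consistency(self) -> None:
        """Existing controls cannot make a risk worse than its worst case, and
        planned controls cannot make it worse than today; reject such entries."""
        if self.controlled.score > self.absolute.score:
            raise ValueError(f"{self.title!r}: controlled score exceeds absolute score")
        if self.residual.score > self.controlled.score:
            raise ValueError(f"{self.title!r}: residual score exceeds controlled score")

    def overdue_actions(self, today: date) -> list[Action]:
        return [a for a in self.actions if not a.completed and a.due < today]

    def reassess(self, controlled: Rating, residual: Rating, note: str) -> None:
        """Risk owner re-rates the risk after actions complete; earlier ratings stay in history."""
        self.controlled, self.residual = controlled, residual
        self.check_consistency()
        self.history.append((note, controlled))


def evaluate(risk: Risk, appetite: RiskAppetite) -> dict:
    """Plot each risk type against the appetite and decide accept vs treat on the current rating."""
    bands = {name: appetite.band(getattr(risk, name))
             for name in ("absolute", "controlled", "residual")}
    decision = "accept" if risk.controlled.score < appetite.accept_below else "treat"
    return {"title": risk.title, "owner": risk.owner, "bands": bands, "decision": decision}


def sample_register() -> list[Risk]:
    """Constructed example entries, not data from the page."""
    return [
        Risk("Unpatched internet-facing VPN appliance", "Head of IT", "Information security",
             absolute=Rating(5, 4), controlled=Rating(5, 3), residual=Rating(3, 2),
             tags=["project:remote-access"],
             actions=[Action("Apply vendor patch", "Network team", date(2024, 3, 1))]),
        Risk("Supplier invoice fraud", "Finance Director", "Financial",
             absolute=Rating(4, 3), controlled=Rating(2, 2), residual=Rating(2, 1)),
    ]
```

Calling `evaluate(risk, RiskAppetite())` for each entry of `sample_register()` gives the three colour bands and an accept/treat decision; `overdue_actions(TODAY)` lists actions past their due date, and `reassess(...)` records the owner's updated rating while keeping the previous one, which is the audit trail the page refers to. The consistency check is the part worth keeping in any spreadsheet replacement: a residual rating better than the controlled rating, or a controlled rating worse than the absolute one, usually means the scales were misread rather than that the risk changed.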
What is Enterprise Risk Management?
In attempting to meet its business objectives, every organisation faces internal and external factors and influences which create uncertainty.
The effect this uncertainty has on an organisation’s objectives can be termed ‘risk’.
Enterprise risk management encompasses the activities that allow an organisation to identify, analyse and evaluate risks and to manage them proactively, in order to minimise possible damage and maximise opportunities.
It is important to note the last point, as risk often has negative connotations, yet there can be positive outcomes.
The other thing to note is that, whilst the term ‘enterprise’ is often perceived in different ways, it is really a universal term that applies to every organisation, irrespective of size (e.g. SME or multinational) or sector (e.g. public or private).
Enterprise risk management is a continuous process and needs to be managed throughout the year in order to help protect your organisation from an array of everyday threats.
One key requirement is that risks are managed logically and systematically. This is where ISO 31000, the International Standard for Risk Management, can help by providing principles and generic guidelines.
What is ISO 31000?
While all organisations consciously or unconsciously manage risks to some degree, ISO 31000 establishes a number of principles which your organisation can follow in order to make risk management more effective.
This International Standard is based on developing, implementing and continuously improving a risk management framework which is fully integrated into an organisation’s corporate governance, management system, values and culture.
By adopting an ISO 31000 approach across your enterprise, you can ensure risk is managed efficiently, effectively and consistently.
The versatility of ISO 31000 means that its principles and guidelines can be used to manage any form of enterprise risk in a systematic and transparent manner, and within any scope and context.
As such, the starting point of any risk management process is to establish the context, e.g. by capturing objectives, stakeholders and risk criteria.
The fundamental risk management process is depicted in the figure.
What is Enterprise Risk Management Software?
Enterprise risk management software can support your organisation by helping you to identify, analyse and evaluate risks across your business using a uniform, predetermined approach.
The end result is that the process for assessing and managing all risks is identical, and risks can be treated according to your organisation’s risk appetite.