What is the Purpose of Abriska 31000?
Closely aligned with the risk management process from ISO 31000, Abriska 31000 was designed to provide organisations with an intuitive tool for assessing and managing all types of risk from different functions and departments.
Its purpose is to ensure that risk management is an integral part of management and governance, is embedded into the culture and practices, and is tailored to the needs of an organisation.
What Type of Organisation is Abriska 31000 Particularly Suited to?
Abriska 31000 is the perfect cost-effective tool for any organisation which wishes to identify, assess and manage all its risks consistently and coherently.
The flexibility of Abriska allows it to be used in any size and type of organisation, although it is ideally suited to those looking to embark on or mature their Enterprise Risk Management programme utilising a simple-to-use ERM tool with a methodology based on internationally recognised best practice.
Your organisation may be, for example, currently using spreadsheets and encountering issues such as single points of failure, access control and lack of accountability and audit history.
What are its Key Features?
- Establishing a common risk framework across the organisation e.g. consistent risk categories tailored to the business.
- Assessing likelihood and impact of each risk.
- Identifying the following types of risk:
  - Absolute risk – worst-case scenario excluding existing controls
  - Controlled risk – current risk including existing controls
  - Residual risk – projected risk once further controls have been implemented.
- Enabling detailed reports and graphical dashboards to be presented to senior management.
- Helping organisations to manage and resolve risks effectively through detailed risk action outputs.
- Facilitating central management of risk and ownership.
- Providing notifications and reminders to ensure risk registers are kept up to date.
What Are Abriska’s Benefits?
- Proven and Robust – Aligned with international best practice, Abriska 31000 provides a highly cost-effective solution for managing all forms of enterprise risk. By managing all your risks in one place and following the same risk management process, Abriska 31000 provides consistent and universally understood outputs.
- Flexibility – Ease of use of Abriska 31000 allows non-risk specialists to identify and manage risks across your organisation.
- Consistent and Repeatable – Risks can be classified in the same way, irrespective of which department/function they originate from, and so one can compare, for example, a ‘red’ financial risk with a ‘red’ operational or privacy risk. Risk treatment decisions can, therefore, be made with greater confidence.
- Accountability and Responsibility – With its clear, informative graphical and report outputs, Abriska 31000 enables senior management to gain a coherent view of where the major organisational risks lie. Abriska’s audit trail also provides an objective record of how risks have changed over time.
How Does It Work?
Abriska 31000 provides the framework to initially assess the potential impact of a risk and understand what damage it could do to your organisation.
By identifying what controls you have in place to prevent such risks from materialising, you can then determine the likelihood of the risk occurring.
The likelihood and impact are then plotted against your risk appetite, and the risk is thereafter monitored and managed via the risk register. Risks are assigned to risk owners who can create actions for users to complete and help to reduce the impact and/or likelihood for each risk.
Reports can be run at any time, showing a live view of all risks and their actions. Aligned with ISO 31000, Abriska 31000 is very flexible and can be configured to support your risk framework.
How Does It Assess Risks?
The first step of risk identification is to record what the risk is, who is responsible for it, the type of risk and how it was identified. These are recorded within a departmental or divisional risk register, and from here the risk journey begins.
Information can be added about the risk such as related risks or specific tags e.g. project, product. Different levels of access can be provided within Abriska such as departmental risk champions or individual risk/action owners.
How Does It Analyse and Evaluate Risks?
A risk is typically given an impact score ranging from 1 (insignificant) to 5 (catastrophic) based on how serious the impact would be. This would be assessed against the 3 risk types: absolute, controlled and residual.
The same process is then followed for the likelihood of that risk being scored from 1 (rare) to 5 (almost certain) across the same 3 risk types.
Each risk is then plotted against the organisation’s risk appetite and allocated a score. Depending on an organisation’s risk acceptance criteria, some risks may be accepted at this stage if they do not pose a great enough risk.
Risks can be related through to controls to understand common areas of weakness.
How Does It Treat and Monitor Risks?
Risk actions are then used to reduce the impact and/or likelihood for each risk. These are managed by the risk owner, who can assign actions to users for completion, with dates by which they need to be completed.
Action owners can log in to see the work they have been assigned and record updates of their progress and completion of each action.
Once these actions have been completed, the risk owner can reassess the risk to reflect any improvements following the actions. Central administrators can monitor risks and provide updates to relevant governance processes.