The configurations for the risk and control analyses and revalidation of plans based on the template are established. To do that, the following options are available:
Add treated/potential/target evaluation: Check this option so that, at the time of the risk evaluation, it is possible to carry out the treated/potential/target risk evaluation. This evaluation is one that takes into account only the risks of the risk plan. The name of the evaluation will vary according to the parameterizations made on the Configuration tab of the default view profile.
Add residual/net/controlled/current evaluation: Check this option so that, at the time of the risk evaluation, it is possible to carry out the residual/net/controlled/current risk evaluation. This evaluation is one that takes into account the controls and treatments of the risk plans. The name of the evaluation will vary according to the parameterizations made on the Configuration tab of the default view profile. This option will not be displayed if the previously selected evaluation method is of the "Matrix (self-assessment)" type.
Residual/net/controlled/current risk calculation: This field will only be enabled if the Add residual/net/controlled/current evaluation option is checked in the type that classifies the template. Select one of the following options to set how the residual/net/controlled/current risk of plans of this type will be calculated:
▪ Manual: Select this option for the residual risk to be calculated manually, that is, during the risk evaluation the system will display the fields to enter the evaluation score.
▪ % of control effectiveness: This option will only be displayed if the plan type is configured with a risk evaluation method of the Matrix, Quantitative or Quantitative matrix type. In this type of calculation, the residual risk evaluation result is obtained by multiplying the actual risk by the effectiveness percentage of the risk controls. When the risk has only one control, the control effectiveness percentage is the value of that control's evaluation; when the risk has two or more controls, the effectiveness is obtained from the intersection of the control evaluation values (in percent), which is given by:
Control effectiveness = 100 - { [ (100 - control_01) / 100 ] * [ (100 - control_02) / 100 ] * ... * [ (100 - control_N) / 100 ] * 100 }
The residual risk evaluation result for each method is obtained as follows:
  o Quantitative: The residual risk evaluation result is obtained by multiplying the actual risk evaluation result by the control effectiveness, a percentage that takes into account the results of all controls of that risk. Residual risk = Actual risk * (% of control effectiveness).
  o Matrix and Quantitative matrix: The residual risk evaluation result is obtained by multiplying the actual risk evaluation result by the control effectiveness of the control groups defined for each axis of the matrix (detective and preventive controls). Therefore, it is necessary to define which controls will be used in each axis of the matrix by selecting one of the options: "Detective controls minimize the X axis and preventive controls minimize the Y axis" or "Detective controls minimize the Y axis and preventive controls minimize the X axis". For each axis of the matrix, the system multiplies the actual risk evaluation result by the effectiveness percentage of that axis's controls. Residual risk = [ Actual risk * (% of control effectiveness) ] x [ Actual risk * (% of control effectiveness) ].
  The risk classification determines whether the control effectiveness is used to minimize or maximize the value of the residual risk. For example, when a risk is classified as "Opportunity", the controls act to increase exposure to the original risk; in that case the effectiveness increases the value of the residual risk, since it is desired that the risk manifests.
▪ Control effectiveness subtract: This option will only be displayed if the plan type is configured with a risk evaluation method of the Matrix, Quantitative or Quantitative matrix type. In this type of calculation, the residual risk evaluation result is obtained by subtracting the effectiveness of the risk controls from the actual risk. The control effectiveness is obtained through the arithmetic sum of the values of the control evaluations. The result of the calculation for each method is obtained as follows:
  o Quantitative: The residual risk evaluation result is obtained by subtracting the risk control effectiveness from the actual risk evaluation result. Residual risk = Actual risk - (Control effectiveness).
  o Matrix and Quantitative matrix: The residual risk evaluation result is obtained by subtracting, from the actual risk evaluation result, the sum of the evaluation results of the control groups defined for each axis of the matrix (detective and preventive controls). Therefore, it is necessary to define which controls will be used in each axis of the matrix by selecting one of the options: "Detective controls minimize the X axis and preventive controls minimize the Y axis" or "Detective controls minimize the Y axis and preventive controls minimize the X axis". For each axis of the matrix, the system subtracts the sum of the results of that axis's control evaluations from the actual risk evaluation result. Residual risk = [ Actual risk - (Control effectiveness) ] x [ Actual risk - (Control effectiveness) ].
▪ Customize: This option will only be displayed if a customized formula has been configured. In this type of calculation, the evaluation result is obtained through the customized formulas recorded in the General parameters. Thus, it is necessary to define which formulas will be used in the X axis and Y axis of the matrix.
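The following is an added worked example of the residual risk formulas quoted for the "% of control effectiveness" and "Control effectiveness subtract" options; it is illustrative code written for this page, not the product's own implementation. The function names, the treatment of each matrix axis score as that axis's "actual risk", the rule that an axis with no assigned controls keeps its score, and the sample control scores are all assumptions made for the example.

```python
"""Worked example of the residual/net risk formulas described in the
"% of control effectiveness" and "Control effectiveness subtract" options.
Added illustration only, not the product's own code. Function names, the
per-axis treatment of matrix scores and the sample scores are assumptions."""

from typing import Sequence


def combined_effectiveness(control_scores: Sequence[float]) -> float:
    """Effectiveness of a set of controls for the "% of control effectiveness"
    option, using the formula quoted in the text:
        100 - { [(100 - c1)/100] * [(100 - c2)/100] * ... * [(100 - cN)/100] * 100 }
    Each score is a control evaluation result in percent (0..100). With a
    single control the result equals that control's own score."""
    if not control_scores:
        raise ValueError("a risk needs at least one evaluated control")
    uncovered = 1.0  # fraction of the risk left uncovered by the controls seen so far
    for score in control_scores:
        if not 0.0 <= score <= 100.0:
            raise ValueError(f"control score out of range: {score}")
        uncovered *= (100.0 - score) / 100.0
    return 100.0 - uncovered * 100.0


def summed_effectiveness(control_scores: Sequence[float]) -> float:
    """Effectiveness for the "Control effectiveness subtract" option: the
    arithmetic sum of the control evaluation values (the text specifies no cap)."""
    return float(sum(control_scores))


def residual_quantitative(actual_risk: float, control_scores: Sequence[float],
                          mode: str) -> float:
    """Quantitative method.
    mode "multiply": Residual risk = Actual risk * (% of control effectiveness)
    mode "subtract": Residual risk = Actual risk - (Control effectiveness)"""
    if mode == "multiply":
        return actual_risk * combined_effectiveness(control_scores) / 100.0
    if mode == "subtract":
        return actual_risk - summed_effectiveness(control_scores)
    raise ValueError(f"unknown mode: {mode}")


def residual_matrix(x_score: float, y_score: float,
                    detective_scores: Sequence[float],
                    preventive_scores: Sequence[float],
                    mode: str, detective_axis: str = "X") -> float:
    """Matrix and Quantitative matrix methods: each axis is reduced by its own
    control group and the two reduced axis values are multiplied.
    Assumption: the "actual risk" of an axis is that axis's evaluation score
    (for instance probability on X and impact on Y).
    detective_axis="X" selects "Detective controls minimize the X axis and
    preventive controls minimize the Y axis"; "Y" selects the reverse option."""
    if detective_axis == "X":
        x_controls, y_controls = detective_scores, preventive_scores
    elif detective_axis == "Y":
        x_controls, y_controls = preventive_scores, detective_scores
    else:
        raise ValueError("detective_axis must be 'X' or 'Y'")

    def reduce_axis(score: float, controls: Sequence[float]) -> float:
        # Assumption: an axis with no assigned controls keeps its actual score.
        if not controls:
            return score
        return residual_quantitative(score, controls, mode)

    return reduce_axis(x_score, x_controls) * reduce_axis(y_score, y_controls)


if __name__ == "__main__":
    # Constructed sample: detective controls scored 60% and 50%, one preventive at 20%.
    print(combined_effectiveness([60, 50]))                   # 80.0
    print(residual_quantitative(25, [60, 50], "multiply"))    # 20.0
    print(residual_quantitative(25, [10, 5], "subtract"))     # 10.0
    print(residual_matrix(5, 4, [60, 50], [20], "multiply"))  # 4.0 * 0.8 = 3.2
```

With two controls at 60% and 50%, the uncovered fraction is 0.4 * 0.5 = 0.2, so the combined effectiveness is 80%, higher than either control alone but never above 100%; the subtract option, by contrast, simply adds the scores, so two such controls would yield 110 and the text gives no cap for that case.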
Set responsible for all risk analyses of the plan: Check this option to set a single party responsible for all risk analyses of plans based on this template. The following fields will be enabled:
▪ Responsible: Select the user responsible for the risk analyses. Use the other buttons next to the field to add a new user and define them as responsible, fill in the field with the data of the logged-in user, or clear it.
▪ Responsible team: Select the team responsible for the risk analyses. Use the other buttons next to the field to add a new team and set it as the responsible team, or clear the field.
Set responsible for all control analyses of the plan: Check this option to set a party in charge for all control analyses of plans based on this template. To do that, in the fields that will be enabled define the responsible user and/or the responsible team for the control analyses. A detailed description of the fields has been made previously.
Use identification mask for risk analysis: Check this option so that the risk analysis ID #s of the plans based on the template are obtained by means of an identification mask. To do that, the following fields are available:
▪ Identification mask: Select the desired identification mask. Note that only identification masks whose object is "Risk analysis" will be available for selection.
▪ Enable ID # change: Check this option to allow the generated ID # to be edited manually when creating a risk analysis. If this option is not checked, the generated ID # may not be edited.
Use identification mask for control analysis: Check this option so that the control analysis ID #s of the plans based on the template are obtained by means of an identification mask. To do that, in the fields that will be enabled, select the desired identification mask and define whether the ID # will be enabled to be edited. Notice that only identification masks whose object is "Control analysis" will be available for selection. A detailed description of the fields has been made previously.
Analysis evaluation approval route: This option will only be displayed if in the type that classifies the template, the "Allow risk and control to be evaluated only in the draft step" option is not checked or if the evaluation method associated with the type is not "Matrix (Self-assessment)". Check this option to have the risk and control analyses of the plans based on the template go by approval. To do that, in the Responsibility route field, select the desired responsibility route. Use the other buttons next to the field to add a new responsibility route, edit the data of the selected route, and clear the field.
Revalidation: This field is only available if the type that classifies the template has been configured so that the validity of plans based on the template is managed. The following options are available:
▪ Validity: This field is completed by the system with the default time set in the validity setting associated with the plan type. If the validity setting defines the default time as Fixed, this field may not be edited. If it is set to Variable and the default time field has not been filled, enter the amount of time in days, months, or years, or the date until which the plan will be considered valid. If the field has already been filled in, the user can edit the value.
▪ Revalidation: This field is completed by the system after the plan has been revalidated. Click on the button to display the revalidation data.
▪ Validity date: This field is filled by the system after the plan has been approved, or after it has been revalidated, with the date until which it is valid; on this date, the Expired plan task will be generated so that the revision/revalidation of the plan is performed again.