To add a new plan type, click on the button on the main screen toolbar. To edit a record, select it in the list of records and click on the button.
On the screen that will be opened, enter an ID # and a name for the record:
After that, save the record. At this point, the following tabs will be available to be configured:
General
|
Upper level type
|
Select the plan type that, in the main screen hierarchy, is one level above the record in question. This field will be filled out by the system if, on the main screen hierarchy, a plan type is selected.
|
Use mask for the ID #
|
Check this option so that when creating plans of this type, the automatic identification resource is used. Fill in the following fields:
▪Identification mask: Select the desired identification mask. Notice that only identification masks whose object is "Plan" will be available for selection.
▪Enable generated ID # change: Check this option to allow the generated ID # to be edited manually when creating a plan of this type. If this option is not checked, the generated ID # may not be edited.
|
Description
|
Use this field to enter relevant descriptions referring to the elements of this type.
|
Decision tree
|
Select the decision tree that will be used in the risk analyses associated with the plans of this type.
|
Revalidation
|
Check this option to manage the expiration deadline of the plans of this type. In the Validity configuration field, select the validity that will be applied to the plans.
|
|
Use this tab to perform the configurations regarding the risk and control evaluations of the plans of this type. When creating a plan type, the fields in this section can be filled according to the settings made in the general parameters. The following fields are available:
Risk evaluation
|
Evaluation method
|
Select the evaluation method that will be used in the associated risk analyses in the plans of this type.
|
Evaluation interval
|
Enter the number of days, months or years during which the risk analyses of plans of this type will be carried out. For example: every 3 days, every 2 months, every year, among others.
|
Execution deadline
|
Enter the number of days that the person responsible will have to perform the risk analysis as soon as the Risk evaluation task is generated. This field will not be displayed if the previously selected evaluation method is of "Matrix (self-assessment)" type.
|
Automatic risk calculation for the plan using
|
This field is only available for plans with the SE Risk and SE Process scopes. Select one of the following options to define the calculation that will be used to assign the risk evaluation score to plans of this type:
▪Risk evaluation average: The risk plan will receive the average of the risk evaluations. For example, if an activity has one or more risks, this activity will receive the average of the evaluations of its risks and, consequently, the process, which will be one level above the activity, will receive the average of the evaluations of its risks and of the activities that are one level below it.
▪Risk with highest evaluation: The risk plan will receive the highest value result from risk evaluations. For example, if an activity has one or more risks, the activity will receive the highest value obtained in the evaluations of its risks and, consequently, the process, which will be one level above the activity, will receive the highest value obtained between the evaluations of its risks and of the activities that are one level below it.
▪Risk with lowest evaluation: The risk plan will receive the lowest value from risk evaluations. For example, if an activity has one or more risks, it will receive the lowest value obtained in the evaluations of its risks and, consequently, the process, which will be one level above the activity, will receive the lowest value obtained between the evaluations of its risks and of the activities that are one level below it.
|
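The level-by-level roll-up described by the three options above, as an added example (not code from SE Risk). The function names, the dictionary layout and the sample scores are constructed for illustration, and skipping elements that have no evaluated risks is an assumption.

```python
from statistics import mean

# The three "Automatic risk calculation" options described above.
AGGREGATORS = {"average": mean, "highest": max, "lowest": min}

def roll_up(element, method):
    """Score an element from its own risk evaluations plus the scores
    of the elements one level below it, using the selected option."""
    values = list(element.get("risks", []))
    for child in element.get("children", []):
        child_score = roll_up(child, method)
        if child_score is not None:  # assumption: unevaluated branches are skipped
            values.append(child_score)
    return AGGREGATORS[method](values) if values else None

def all_risks(element):
    """Flat list of every risk evaluation under an element, for comparison."""
    found = list(element.get("risks", []))
    for child in element.get("children", []):
        found.extend(all_risks(child))
    return found

# Constructed sample: a process with one risk of its own and two activities.
PROCESS = {
    "name": "Process P",
    "risks": [10],
    "children": [
        {"name": "Activity A", "risks": [2, 4]},
        {"name": "Activity B", "risks": [8]},
    ],
}

if __name__ == "__main__":
    for method in AGGREGATORS:
        print(method, roll_up(PROCESS, method))
    # The level-by-level average counts Activity A's two risks as one value,
    # so it differs from the mean of all four risks taken together.
    print("flat mean of all risks", mean(all_risks(PROCESS)))
```

With the average option, a single high-scoring risk attached directly to the process carries as much weight as a whole activity, which is worth knowing when comparing plan scores across hierarchies of different shapes.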
Add treated / potential / target evaluation
|
Check this option for it to be possible to perform the potential/treated/target evaluation of the risk during the risk evaluation. This evaluation is one that takes into account only the risks of the risk plan. The name of the evaluation will vary according to the parameterizations made on the Configuration tab of the default view profile.
|
Add residual / net / controlled / current evaluation
|
Select this option for it to be possible to perform the residual/net/controlled/current evaluation of the risk during the risk evaluation. This evaluation is one that takes into account the controls and treatments of the risk plans. The name of the evaluation will vary according to the parameterizations made on the Configuration tab of the default view profile. This option will not be displayed if the previously selected evaluation method is of the "Matrix (self-assessment)" type.
|
Residual / net / controlled / current risk calculation
|
This field will only be enabled if the Add residual/net/controlled/current evaluation option is checked. Select one of the following options to set how the residual/net/controlled/current risk of plans of this type will be calculated:
▪Manual: Select this option for the residual risk to be calculated manually, that is, during the risk evaluation, the system will display the fields to enter the evaluation score.
▪% of control effectiveness: This option will only be displayed if the plan type is configured with a risk evaluation method of the Matrix, Quantitative or Quantitative matrix type. In this type of calculation, the residual risk evaluation result will be obtained through the multiplication of the actual risk by the effectiveness percentage of the risk controls. When the risk has only one control, the control effectiveness percentage will be the value of the control evaluation itself; however, when the risk has two or more controls, the effectiveness will be obtained through a calculation of the intersection of the values (percentage) of the control evaluations, which is given by:
Control effectiveness = 100 - { [ (100 - control_01) / 100 ] * [ (100 - control_02) / 100 ] * ... * [ (100 - control_N) / 100 ] * 100 }
The residual risk evaluation result for each method is obtained as follows:
o Quantitative: The result of the residual risk evaluation will be obtained by multiplying the result of the actual risk evaluation by the control effectiveness, which is obtained by means of a percentage calculation that takes into account the results of all controls of that risk.
Residual risk = Actual risk * (% of control effectiveness)
o Matrix and Quantitative matrix: The result of the residual risk evaluation will be obtained by multiplying the result of the actual risk evaluation by the control effectiveness of the control groups defined for each axis of the matrix (detective and preventive controls). Therefore, it is necessary to define which controls will be used in each axis of the matrix by selecting one of the options: "Detective controls minimize the X axis and preventive controls minimize the Y axis" or "Detective controls minimize the Y axis and preventive controls minimize the X axis". For each axis of the matrix, the system will multiply the actual risk evaluation result by the effectiveness percentage of the controls.
Residual risk = [ Actual risk * (% of control effectiveness) ] x [ Actual risk * (% of control effectiveness) ]
The risk classification determines whether the control effectiveness is used to minimize or maximize the value of the residual risk. For example: when a risk is classified as "Opportunity", the controls act to increase exposure to the original risk. In this way, the effectiveness increases the value of the residual risk, since it is desired that the risk is manifested.
|
▪Control effectiveness subtract: This option will only be displayed if the plan type is configured with a risk evaluation method of the Matrix, Quantitative or Quantitative matrix type. In this type of calculation, the residual risk evaluation result will be obtained through the subtraction of the actual risk by the effectiveness of the risk controls. The control effectiveness is obtained through the arithmetic sum of the values of the control evaluations. The result of the calculation for each method is obtained as follows:
o Quantitative: The residual risk evaluation result will be obtained through the subtraction of the evaluation result of the actual risk by the risk control effectiveness.
Residual risk = Actual risk - (Control effectiveness)
o Matrix and Quantitative matrix: The control effectiveness will be obtained through the subtraction of the actual risk evaluation result by the sum of the results of the evaluations of the control groups defined for each axis of the matrix (detective and preventive controls). Therefore, it is necessary to define which controls will be used in each axis of the matrix by selecting one of the options: "Detective controls minimize the X axis and preventive controls minimize the Y axis" or "Detective controls minimize the Y axis and preventive controls minimize the X axis". For each axis of the matrix, the system will subtract the actual risk evaluation result by the sum of the results of the control evaluations.
Residual risk = [ Actual risk - (Control effectiveness) ] x [ Actual risk - (Control effectiveness) ]
▪Customize: This option will only be displayed if a customized formula has been configured in the general parameters. In this type of calculation, the evaluation result will be obtained through the customized formulas recorded in the General parameters. Thus, it is necessary to define which formulas will be used in the X axis and Y axis of the matrix.
|
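The two ways of combining control evaluations described above, worked through as an added example (not code from SE Risk). Function names and sample values are constructed for illustration. For the "% of control effectiveness" option the example stops at the effectiveness value, since its effect on the residual risk depends on the risk classification.

```python
from math import prod

def combined_effectiveness(controls):
    """'% of control effectiveness': intersection of the control
    evaluations, each given as a percentage between 0 and 100."""
    for c in controls:
        if not 0 <= c <= 100:
            raise ValueError(f"control evaluation out of range: {c}")
    return 100 - prod((100 - c) / 100 for c in controls) * 100

def summed_effectiveness(controls):
    """'Control effectiveness subtract': arithmetic sum of the evaluations."""
    return sum(controls)

def residual_subtract(actual, controls):
    """Quantitative: Residual risk = Actual risk - (Control effectiveness)."""
    return actual - summed_effectiveness(controls)

def residual_subtract_matrix(actual_x, actual_y, detective, preventive,
                             detective_axis="X"):
    """Matrix methods: each axis is reduced by its own control group and
    the two axis results are multiplied. detective_axis selects which
    axis the detective controls minimize; preventive controls take the other."""
    if detective_axis not in ("X", "Y"):
        raise ValueError("detective_axis must be 'X' or 'Y'")
    on_x, on_y = ((detective, preventive) if detective_axis == "X"
                  else (preventive, detective))
    return residual_subtract(actual_x, on_x) * residual_subtract(actual_y, on_y)

if __name__ == "__main__":
    # Constructed control evaluations (percentages).
    print(combined_effectiveness([40]))          # one control: its own value
    print(combined_effectiveness([50, 80]))      # intersection stays below 100
    print(summed_effectiveness([50, 80]))        # plain sum can exceed 100
    # Constructed matrix scores: X = 4, Y = 5; the axis assignment changes the result.
    print(residual_subtract_matrix(4, 5, [1], [2, 1], "X"))
    print(residual_subtract_matrix(4, 5, [1], [2, 1], "Y"))
```

The intersection can only approach 100 as controls are added, while the arithmetic sum has no such ceiling, so under the subtract option the control evaluations need to be on a scale that makes sense against the actual risk score.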
Use specific evaluation method for residual / net / controlled / current risk
|
This field will only be displayed when the plan type is configured with an evaluation method of the Matrix or Quantitative type and the residual/net/controlled/current risk calculation is of the "% of control effectiveness" or "Control effectiveness subtract" type. The system will only make available for selection evaluation methods of the "Simple listing" type. Select the evaluation method that will be used to display the result of the residual risk evaluations of the plans of this type. That is, the residual risk result will be displayed with the colors and values of the simple listing instead of the criteria of the evaluation method configured in the plan.
|
|
Use this tab to define attributes to complement the information of the plans of this type. On the side toolbar, the following buttons are also available:
|
Click on this button to associate an attribute that was previously created in the system with the element type. Refer to the Adding attributes section for further details on how to perform this operation.
|
|
Click on this button to save the association of attributes with the type.
|
|
Click on this button to disassociate the attribute selected in the list of records from the type.
|
If the attribute configurations are edited (e.g.: an attribute checked as required becomes non-required or vice versa), they will be replicated to the revenues of this type when their data is edited.
|
|
On the Revision tab, it is possible to configure specific revisions for the plans of this type, enabling different configurations from those applied in the general parameters. The configurations applied in the type revision will overwrite those defined in the general parameters. See how to configure revisions of the plans of this type in the Revision section.
|
Use this tab to configure the security of the plans of this type. To do that, at the top of this tab, select one of the following options:
▪Public: Select this option for any user to have access to the plans of this type.
▪Restricted: Select this option to restrict the access to the plans of this type. At this point, the sidebar buttons will be enabled. Click on the button and fill out the fields on the screen that will be opened:
i.
|
In the Access type field, select one of the following options to set the access type that will compose the security list:
▪Team: It will be composed of the members of a team previously created in SE Risk.
▪Department: It will be composed of users from a selected department.
▪Department/Position: It will be composed of users from a specific department of the company, who have a specific position.
▪Position: It will be composed of users who hold a specific position in the company.
▪User: It will be composed of a specific user.
▪All: It will be composed of all users who have access to the SE Risk component.
|
ii.
|
In the Controls field, it is possible to select the actions that may or may not be performed in the plans of this type. To do so, select the controls that will be granted to the access type selected previously:
▪Add: Adds plans to the type.
▪Edit: Changes the plan data of this type.
▪Delete: Deletes the plans of this type.
▪Security data: Edits the security data of the plans of this type. The users who do not have this permission granted, or not enabled, may edit other plan data, but the Security tab will be blocked.
▪List: Allows viewing the plans of this type in the system view.
▪View: Allows viewing the data screen of the plans of this type.
Use the buttons located next to the field to expand and view the list of controls, mark all available controls, and clear the markups you have made.
|
|
iii.
|
In the Permission field, select whether the controls checked previously will be granted or denied for the access type.
|
iv.
|
According to the selected access type, the Filters will be enabled to be filled out. Use them to facilitate the search for the users who will form the security list.
|
v.
|
After that, click on the button on the toolbar of the selection screen. Depending on the access type selected and the values entered in the filters, the result will be displayed in the list of records, located at the bottom of the screen. Select the ones that will compose the security list and save the record. Hold the SHIFT or CTRL keys down or check next to each item to select more than one record at a time.
|
|
On the Type security tab, it is possible to configure the security of the plan type. For that, at the top of this tab, select one of the following options:
▪Public: Select this option for any user of SE Risk to have access to the type.
▪Restricted: Select this option for only specific users of SE Risk to have access to the type in question. At this point, the sidebar buttons will be enabled. Click on the button and fill out the fields on the screen that will be opened:
i.
|
In the Access type field, set whether the access type that will compose the security list is: a team, a department, a department + position, a position, a user, or all users of SE Risk.
|
ii.
|
In the Controls field, it is possible to select the actions that may, or may not, be performed in the plan type. To do so, select the controls that will be granted to the access type selected previously:
▪Add: Adds new types to levels below the plan type.
▪Edit: Changes the data of the type.
▪Delete: Deletes the type.
▪Security data: Edits the security data of the type. Users who have this control denied, or not enabled, may edit the other data of the plan type; however, this tab will be blocked.
▪List: Allows viewing the type on the system screens that display the plan type hierarchy. The users who have this control denied, or not enabled, will not view the plan type in the type hierarchy.
▪View: Views the data screen of the type.
|
iii.
|
In the Permission field, select whether the controls checked previously will be granted or denied for the access type.
|
iv.
|
According to the selected access type, the Filters will be enabled to be filled out. Use them to facilitate the search for the users who will form the security list.
|
v.
|
Then, click on the button on the toolbar of the selection screen. The result will be displayed in the list of records, located in the lower part of the screen. Select those that will make up the security list and save the record. Use the SHIFT or CTRL keys on the keyboard or check next to each item to select more than one record at a time.
|
|
After configuring the necessary fields, save the record.
|