Risk methodologies & Gross Risk

flyingkermit

Hi Everyone

Could I ask for some guidance? We are a consumer of IRM, and are looking at ways to utilise it in the context of our organisation's existing risk management practices. The preference, to minimise business change and accelerate scaled use/leverage, is to adopt an IRM risk methodology to 'fit' our practices, rather than the other way around.

To that end, we follow the common approach in these phases:

Assessment

  • Gross Risk (The risk without any risk treatment applied.)
  • Target Risk (The risk remaining after the risk treatment has been applied.)
  • Control Objective assignment (risk treatments/requirements to reduce the likelihood and/or impact of a risk)

Attestation

  • Planned/required control objective implementation, including attributes associated with state (in place/partially in place/not in place) and other attributes, including ownership (enterprise/system specific)


Assurance

  • Control effectiveness (effective/partially effective/not effective)
  • Current Risk (measured actual risk, given the control states and effectiveness determined through Audit)

The SNOW question is:

Is it viable to configure the 'risk methodology' (or methodologies) and workflows to reflect this business process? 

or

is the language (workflows) of Inherent Risk, Residual Risk, and Target Risk 'baked in' to SNOW, making that a more foundational change for us? 


Would be grateful for insights/pointers and viewpoints on our thinking here. 

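The three-phase model described in the post (Assessment, Attestation, Assurance) can be expressed as a small data model, which also makes the vocabulary mapping to the IRM terms explicit: Gross Risk corresponds to inherent risk, Current Risk to residual risk, and Target Risk keeps its name. The example below is added here as an illustration and is not ServiceNow IRM code or the poster's configuration; the scoring itself (likelihood × impact on a 1..5 scale, per-control point reductions, and the state and effectiveness factors) is an assumed simple scheme chosen to show how the phases feed each other, not a scheme the post specifies. All risk and control names are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    """Attestation phase: implementation state of a control objective (assumed factors)."""
    IN_PLACE = 1.0
    PARTIALLY_IN_PLACE = 0.5
    NOT_IN_PLACE = 0.0


class Effectiveness(Enum):
    """Assurance phase: audited control effectiveness (assumed factors)."""
    EFFECTIVE = 1.0
    PARTIALLY_EFFECTIVE = 0.5
    NOT_EFFECTIVE = 0.0


@dataclass
class ControlObjective:
    name: str
    likelihood_reduction: int  # planned reduction in likelihood points (assumed scheme)
    impact_reduction: int      # planned reduction in impact points (assumed scheme)
    state: State = State.NOT_IN_PLACE
    effectiveness: Effectiveness = Effectiveness.NOT_EFFECTIVE


@dataclass
class Risk:
    name: str
    likelihood: int  # gross likelihood, 1..5
    impact: int      # gross impact, 1..5
    controls: list = field(default_factory=list)


def _clamp(value: float) -> int:
    """Keep a score component on the assumed 1..5 scale."""
    return max(1, min(5, int(round(value))))


def gross_risk(risk: Risk) -> int:
    """Assessment: the risk with no treatment applied (IRM 'inherent risk')."""
    return risk.likelihood * risk.impact


def target_risk(risk: Risk) -> int:
    """Assessment: the risk if every assigned control objective were fully in place and effective."""
    likelihood = risk.likelihood - sum(c.likelihood_reduction for c in risk.controls)
    impact = risk.impact - sum(c.impact_reduction for c in risk.controls)
    return _clamp(likelihood) * _clamp(impact)


def current_risk(risk: Risk) -> int:
    """Assurance: the measured risk given attested state and audited effectiveness (IRM 'residual risk').

    Assumed rule: the achieved reduction is the planned reduction scaled by the
    state factor (attestation) and the effectiveness factor (assurance).
    """
    achieved_l = sum(c.likelihood_reduction * c.state.value * c.effectiveness.value for c in risk.controls)
    achieved_i = sum(c.impact_reduction * c.state.value * c.effectiveness.value for c in risk.controls)
    return _clamp(risk.likelihood - achieved_l) * _clamp(risk.impact - achieved_i)


def irm_view(risk: Risk) -> dict:
    """Map the post's phase vocabulary onto the IRM terms the question asks about."""
    return {
        "inherent": gross_risk(risk),   # Gross Risk
        "target": target_risk(risk),    # Target Risk
        "residual": current_risk(risk), # Current Risk
    }


def sample_risk() -> Risk:
    """Constructed sample: one risk with two control objectives at different states."""
    return Risk(
        name="Unpatched internet-facing server",
        likelihood=5,
        impact=4,
        controls=[
            ControlObjective("Patch management", likelihood_reduction=2, impact_reduction=0,
                             state=State.IN_PLACE, effectiveness=Effectiveness.PARTIALLY_EFFECTIVE),
            ControlObjective("Network segmentation", likelihood_reduction=0, impact_reduction=2,
                             state=State.PARTIALLY_IN_PLACE, effectiveness=Effectiveness.EFFECTIVE),
        ],
    )


if __name__ == "__main__":
    r = sample_risk()
    print(f"{r.name}: gross={gross_risk(r)} target={target_risk(r)} current={current_risk(r)}")
    print(irm_view(r))
```

The point of separating `target_risk` from `current_risk` is the one the post makes: target is an assessment-time figure that assumes the treatment works, while current is only knowable after attestation and audit have supplied the state and effectiveness attributes. Keeping those attributes on the control objective rather than on the risk is what lets the same objective be shared between an enterprise-wide and a system-specific owner.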