
Enterprise Risk Management - User's Guide

Prepared By: Make IT Inc. 2054 2nd Avenue Whitehorse, YT Y1A 1A8

Contract Number: Project CSSP-CP-2013-1024 Contract Scientific Authority: Shaye Friesen, DRDC Centre for Security Science

The scientific or technical validity of this Contract Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of Department of National Defence of Canada.

Contract Report DRDC-RDDC-2015-C128 May 2015


IMPORTANT INFORMATIVE STATEMENTS

CSSP-CP-2013-1024 National ERM in the Public Sector was supported by the Canadian Safety and Security Program which is led by Defence Research and Development Canada’s Centre for Security Science, in partnership with Public Safety Canada. The project was led by the Yukon Government in partnership with the Governments of British Columbia, Manitoba, Saskatchewan, New Brunswick, Newfoundland/Labrador, Nunavut, and the North West Territories.

Canadian Safety and Security Program is a federally-funded program to strengthen Canada’s ability to anticipate, prevent/mitigate, prepare for, respond to, and recover from natural disasters, serious accidents, crime and terrorism through the convergence of science and technology with policy, operations and intelligence.

© Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2015

© Sa Majesté la Reine (en droit du Canada), telle que représentée par le ministre de la Défense nationale, 2015


Enterprise Risk Management

User’s Guide

Prepared For:

Yukon Government

Make IT Inc.

2054 2nd Ave. Whitehorse, YT Y1A 1A8

Tel: (867) 668-4091

Fax: (867) 668-4092 Email: [email protected]


User’s Guide - Introduction 2

Contents

Introduction ...................................................................................................................................................... 4

Overview of the Risk Assessment Process .......................................................................................................... 4

Creating Assessments ........................................................................................................................................ 6

Creating assessments ..................................................................................................................................... 6

Adding assessment team members ................................................................................................................ 7

Setting the context ........................................................................................................................................ 7

Adding goals .............................................................................................................................................. 8

Adding objectives ....................................................................................................................................... 8

Adding impact category context information.............................................................................................. 9

Viewing the organization’s capabilities ..................................................................................................... 10

Adding links to supporting information .................................................................................................... 10

Editing assessments ..................................................................................................................................... 11

Viewing the Assessment Summary report .................................................................................................... 11

Viewing the Assessment Context report ....................................................................................................... 11

Viewing the Risk Summaries report .............................................................................................................. 12

Archiving assessments ................................................................................................................................. 12

Identifying Risks ............................................................................................................................................... 12

Strategic and Operational assessments – SWOT analyses ............................................................................. 13

Disaster assessments – identifying threats and hazards ............................................................................... 13

Adding risk statements ................................................................................................................................ 14

Prioritizing risks............................................................................................................................................ 16

Developing scenarios ................................................................................................................................... 17

Creating a scenario by copying an existing scenario .................................................................................. 18

Analyzing Risks ................................................................................................................................................ 18

Scheduling workshops.................................................................................................................................. 19

Leading a scenario scoring workshop ........................................................................................................... 20

Documenting a scenario scoring workshop .................................................................................................. 21

Scoring scenarios manually .......................................................................................................................... 24

Participating in a workshop .......................................................................................................................... 24

Risk Evaluation................................................................................................................................................. 25

Reviewing and Updating Risks .......................................................................................................................... 25


Managing Mitigations ...................................................................................................................................... 28

Creating mitigations ..................................................................................................................................... 29

Managing mitigations .................................................................................................................................. 29

Viewing Risks and Mitigations where you are a Stakeholder ............................................................................ 31

My Recent Notifications ................................................................................................................................... 31

Receiving notifications by e-mail .................................................................................................................. 31

Capabilities ...................................................................................................................................................... 32

Capabilities .............................................................................................................................................. 32

Activities .................................................................................................................................................. 32

Measures ................................................................................................................................................. 33

Tasks ........................................................................................................................................................ 33

Maturity Ratings ...................................................................................................................................... 33

Managing a Capabilities Inventory ............................................................................................................... 33

Completing Capability Questionnaires.......................................................................................................... 35

Updating Capabilities ................................................................................................................................... 35

Reports ............................................................................................................................................................ 36

Capability Assessment.................................................................................................................................. 36

Organizational Risk Summary ....................................................................................................................... 36

Disaster Scenario and Strategic/Operational Scenario .................................................................................. 37

User Accounts and Permissions........................................................................................................................ 38

Adding user accounts ................................................................................................................................... 38

Categories ....................................................................................................................................................... 41

Geography Structure ....................................................................................................................................... 42

Organizational Structure .................................................................................................................................. 42

More Resources ............................................................................................................................................... 43


Introduction

The Enterprise Risk Management (ERM) system assists your organization in managing its risks by identifying, assessing and monitoring them in accordance with ISO 31000 standards. ERM supports the All Hazards Risk Assessment (AHRA) methodology and processes developed by Public Safety Canada in partnership with Defence Research and Development Canada - Centre for Security Science, and was adopted to meet the risk management requirements of provincial and territorial government institutions in Canada.

This User Guide describes how to use ERM to identify and analyse risk events, how to prioritize risks and develop treatment strategies, and how to use ERM’s flexible reporting options to analyze your organization’s risks.

Watch introductory tutorials on ERM and the AHRA methodology

Overview of the Risk Assessment Process

A risk to an organization is an event or circumstance that could prevent it from achieving its objectives. ERM groups risks into three types: strategic, operational and disaster.

Strategic risks are assessed at upper levels in the organization’s hierarchy. For example, a government department or ministry may assess risks that prevent it from achieving its strategic objectives.

Operational risks are assessed at lower levels in the organization’s hierarchy, such as at the branch or unit level. The assessment focuses on identifying risks that affect the organization’s ability to achieve its operational objectives.

Disaster risks may be assessed at any organizational level.

Risk assessment is broken down into five steps:

Setting the context involves describing the organization’s goals and objectives, and the characteristics of the environment in which it operates.

Identifying risks is the process of finding, recognizing and recording risks. It may involve a SWOT analysis, or an analysis of threats and hazards the organization faces.

Analyzing risks requires assessing the severity of a risk event and the likelihood that the event and its impacts will occur.

Evaluating and prioritizing risks involves comparing the results of the risk analysis with the organization’s risk tolerance criteria to determine whether action should be taken to mitigate the risks.


Treating prioritized risks means identifying and recommending treatment strategies and options.

Because strategies, priorities and resources often change over time, your organization should also monitor its risks to ensure that they continue to provide an accurate and complete picture of the threats to the organization’s objectives. Similarly, the organization should develop a cycle for monitoring the effectiveness of its risk treatment plans, and updating them when needed.

The five steps of the AHRA risk management methodology as described by Public Safety Canada. (All Hazards Risk Assessment Methodology Guidelines 2012-2013; p5).


Creating Assessments

When your risk office is engaged to assess the risks for an organization, you will need to record basic information about the task you are setting out to do. For example, you must record the scope of the assessment - will you be assessing all risks for the organization or risks for a particular branch or unit? What type of risks – strategic, operational or disaster – will you be assessing? You will also need to record who requested the analysis.

To track this information in ERM, your first step is to create an assessment. An assessment organizes the information related to a particular risk analysis, including the operating context of the organization, the risks that were identified, the results of the analysis, and the strategies created to treat the risks. Each time the risk office is engaged to assess an organization’s risks, you’ll create a new assessment.

Creating an assessment and gathering the required information is typically done by the Risk Officer, Operational Manager or whoever is leading the risk analysis process.

Watch a tutorial on creating assessments

Creating assessments

1. Click Assessments on the toolbar.

2. Click Add Assessment.

3. Select the organization the assessment will be carried out for.

4. Select the type of risks you will be assessing. The options available depend on the risk types enabled for the organization.

5. Enter a title for the assessment. For example, if the purpose of the analysis is to identify public health-related risks for a municipality, indicate that in the title.

6. Enter a description of the assessment. The description should summarize the scope of the assessment.

7. Enter the name of the person who requested the assessment.

8. Click Create to save the assessment, or click Cancel.


Editing assessments

Once you have created an assessment, you will need to return to it to update details, to analyze and evaluate the identified risks, to print reports, and so on.

Watch a tutorial on using the Assessments list

1. Click Assessments on the toolbar to display a list of the assessments that the security settings on your user account provide access to.

2. Click an assessment to open it, and use the tabs on the left to display the assessment details, workshop schedules, scenarios and risks.

Viewing the Assessment Summary report

The Assessment Summary report summarizes the results of the scenario scoring sessions, and is a useful report to send to the requester of the assessment. It includes the assessment dates and description, names of the team members, and summarizes risks with the associated objectives.

1. Select an assessment. Click Details, then click Assessment Summary.

Viewing the Assessment Context report

The Assessment Context report displays the context information recorded on the Impact Category page. This report is automatically included as a PDF attachment in the “Welcome” e-mail sent to scenario scoring participants when they are invited to a workshop, but you can reprint it at any time.

1. Select an assessment. Click Context, then click Assessment Context.

If there are many assessments in the list, you can sort and filter the list to make it easier to find what you are looking for:

To sort the list, click a column header, and then click the arrows to sort alphabetically in ascending or descending order.

To filter the list, click a column header. Type the text to filter by, or click a value. For example, to display only Operational assessments, click the Risk Type column header, then click Operational.

To clear the filter, clear the checkbox beside the text “Risk Type = ‘Operational’”.


Viewing the Risk Summaries report

The Risk Summaries report displays the scenario scoring summary, existing controls and mitigations for all risks identified throughout the selected assessment.

1. Select an assessment. Click Details, then click Risk Summaries.

Archiving assessments

Archiving completed assessments helps keep your list of assessments manageable. Archived assessments don’t display on the Assessments list. Strategic and operational assessments must be archived before you can start a new assessment of that type for the same organization. Because multiple disaster-related risk assessments for an organization may be in progress at a given time, ERM enables you to manually archive them.

Archive a strategic or operational assessment. When you create a new strategic or operational assessment for an organization, ERM checks whether an active assessment of that type already exists. If one exists, you will be asked to archive the current assessment. Select Yes if you are starting a new assessment. All of the information from the archived assessment will be copied to the new assessment, including goals, objectives, SWOT analyses, risk statements, workshops and scenarios. Select No to continue the current assessment rather than creating a new one.

Archive a disaster assessment. Select the assessment, then click the Edit button beside Assessment Details. Click Archive, and click Yes to proceed. Archived assessments can’t be “unarchived”.

Identifying Risks

Risk identification is the process of finding and recording the risks an organization faces, given the context in which it operates. The objective of this process is to identify risks to be considered for analysis and treatment. This process is typically performed by the Risk Officer or Operational Manager, in collaboration with subject matter experts on the threats and hazards faced by the organization.

The following definitions may be useful:

SWOT analysis: a planning method used to evaluate the strengths, weaknesses, opportunities and threats affecting an organization’s ability to achieve its objectives.

Hazard: a potentially damaging event, phenomenon or activity that may cause injury or loss of life, property damage, social and economic disruption or environmental degradation.


Exposure pathway: the method, or route, by which a hazard may affect an organization.

Threat: a hazard and an exposure pathway.

Risk statement: a hazard or threat and its major impact.

Risk category: used for grouping and reporting on risks. Different risk categories are assessed differently. For example, risks due to malicious threats, such as intentional acts, are assessed differently than risks due to natural threats such as severe weather events.

If you are assessing strategic or operational risks, your first step should be to work with the organization's staff to perform a SWOT analysis. If you are assessing disaster risks, assist the organization's staff to analyze the threats and hazards the organization faces. Follow the steps below to record the results of the analysis in ERM, and then continue by examining the strengths, weaknesses, opportunities, threats and hazards to identify risk statements.

Watch a tutorial on identifying risks

Strategic and Operational assessments – SWOT analyses

1. Select the assessment, and click the Identification tab on the left.

2. Click the Add icon beside Strengths, Weaknesses, Opportunities or Threats.

3. Enter a description.

4. Select the category of risks the strength, weakness, opportunity or threat relates to.

5. Click Create, or click Create Another to save and add another strength, weakness, opportunity or threat. Click Cancel to discard your changes.

Disaster assessments – identifying threats and hazards

1. Select the assessment, and click the Identification tab on the left.

2. Click the Add icon beside Threat or Hazard.

3. Enter a description.

4. Select the category of risks the threat or hazard relates to.

5. Select the time frame in which the impacts of the threat or hazard are expected to occur.

6. If you are recording a threat, describe the exposure pathway.

7. Click Create to save your changes, or click Create Another to save and add another threat or hazard. Click Cancel to discard your changes.


Adding risk statements

The risks an organization faces are a consequence of its particular strengths, weaknesses, opportunities, threats and hazards. After completing a SWOT analysis (if you are assessing strategic or operational risks) or reviewing the organization’s threats and hazards (if you are assessing disaster risks), your next step is to create risk statements.

Try to write your risk statements in the following format:

If (event) occurs, the consequences could result in (negative impact)

Writing risk statements in this format ensures that you capture both the event itself, and the potential impact of the event if it is left unmanaged.

For example, if you are doing a disaster assessment to analyze the impacts of a hurricane making landfall in the Halifax area, your risk statement might be “If a category 3 or higher hurricane makes landfall within 200 km of the downtown area, high winds could result in widespread power outages”.
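To show what the recommended format buys you once statements are collected in bulk, here is an added example in Python (not part of the ERM system or of this guide): a small parser that splits a statement written in the “If (event) …, … could result in (impact)” form into its event and impact parts, and a check that flags the entries of a constructed list which do not follow the format. It assumes, as the guide’s own hurricane example does, that the words between the comma and “could result in” may be any short clause rather than the literal “the consequences”, and that a statement may be wrapped in quotation marks or end with a period; the sample statements are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

MARKER = "could result in"


@dataclass
class RiskStatement:
    event: str      # what happens, e.g. "a category 3 or higher hurricane makes landfall ..."
    qualifier: str  # clause before the marker, e.g. "high winds" or "the consequences"
    impact: str     # the negative impact, e.g. "widespread power outages"


def parse_risk_statement(text: str) -> Optional[RiskStatement]:
    """Return the parts of a statement in the guide's format, or None if it does not fit.

    Expected shape: If <event>, <qualifier> could result in <impact>
    The split is made at the LAST comma before the marker, so an event that
    itself contains commas ("If a flood, fire or storm occurs, ...") still parses.
    """
    # Drop surrounding whitespace, straight/curly quotes and a trailing period.
    s = text.strip().strip('"“”.').strip()
    if not s.lower().startswith("if "):
        return None
    idx = s.lower().find(MARKER)
    if idx == -1:
        return None
    head, impact = s[:idx], s[idx + len(MARKER):].strip()
    if "," not in head:
        return None
    event, qualifier = head[len("if "):].rsplit(",", 1)
    event, qualifier = event.strip(), qualifier.strip()
    if not event or not impact:
        return None
    return RiskStatement(event=event, qualifier=qualifier, impact=impact)


def find_malformed(statements: List[str]) -> List[int]:
    """Indices of statements that do not follow the recommended format."""
    return [i for i, s in enumerate(statements) if parse_risk_statement(s) is None]


# Constructed sample list, as a Risk Officer might collect statements from staff.
SAMPLE_STATEMENTS = [
    "If a category 3 or higher hurricane makes landfall within 200 km of the downtown area, "
    "high winds could result in widespread power outages.",
    "If a flood, fire or storm occurs, the consequences could result in loss of paper records",
    "Power outages are a problem for the branch",                                           # no event/impact structure
    "If the payroll system is unavailable for more than two days, staff could go unpaid",    # marker phrase missing
]

if __name__ == "__main__":
    for i, text in enumerate(SAMPLE_STATEMENTS):
        parsed = parse_risk_statement(text)
        status = "OK " if parsed else "FIX"
        print(f"{i} {status} {parsed.impact if parsed else text}")
```

Running the block lists each statement with its parsed impact, or marks it for rewording when it lacks the “If …, … could result in …” structure; the same check can be applied to statements exported from ERM before a scoring workshop so that every scenario has a clearly separated event and impact to score.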

1. Select the assessment, and click the Identification tab on the left.

2. Click Risk Statements.

3. For strategic and operational assessments, the strengths, weaknesses, opportunities and threats will be listed. For disaster assessments, threats and hazards will be listed. To add a risk statement click Add.

4. Enter a risk statement.

5. Select the category associated with the risk statement.

6. Select the objectives the risk affects. You can select as many objectives as needed.

7. Select a risk owner. The risk owner is the person who accepts responsibility for managing the risk.

8. Under Existing Controls, indicate the control measures currently in place to manage the risk, and the effectiveness of the controls. If multiple control measures are in place, click Add to append another line.

9. Scoring Method specifies how the risk severity is calculated based on scenario severity. (Scenarios are specific examples of how a risk may materialize. They are discussed in the next section.) Select Highest if the scenario with the highest score should be automatically used to score the risk. Select Manual to choose the scenario to be used to score the risk.

10. The risk Security Level setting determines who can view the risk and related information. The options displayed depend on the organization associated with the assessment. For example, assume the risk assessment is for the Public Libraries branch, one of several branches within the Community Development division, which is one of several divisions within the Community Services department of the Yukon government. The table below shows the options displayed in the Security Level list, and the results of choosing each.

Option: Risk and related mitigations can be viewed by

Open: Anyone with access to ERM.

Public Libraries: People whose organization is the Public Libraries branch, Community Development division, Community Services department or Yukon. People in other branches within Community Development cannot see the risk, and people in other departments and divisions cannot see the risk.

Community Development: People whose organization is the Community Development division or any branch below it, the Community Services department or Yukon. People in other departments and divisions cannot see the risk.

Community Services: People whose organization is the Community Services department or any organizational level below it, or Yukon. People in other divisions cannot see the risk.

Yukon: People whose organization is Yukon or any organizational level below it.

Ministerial Access: People whose user account specifically grants access to Ministerial Advice Access risks.

Some user roles have access to all risks in the organization. For example, the System Administrator role overrides the security level setting on a risk. Read more about user account security settings.

11. Click Create to save the risk statement, or click Create Another to save and add another risk statement. Click Cancel to discard your changes.

To update a strength, weakness, opportunity, threat or hazard, click on it to display it. Make your changes and click Save.

To delete an item, edit it and then click Delete.

Click the gray Strengths, Weaknesses, Opportunities, Threats or Hazards bar to expand and collapse each region, or click Expand All/Collapse All.
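The Security Level table above is an instance of one general rule: a risk is visible to the chosen organizational level, to every level above it (up to Yukon) and to every level below it, while sibling branches and other departments are excluded. The following added Python example (not the ERM system’s own code, and not from this guide) encodes that rule and reproduces the table for the guide’s Public Libraries example, which is useful when reviewing who will actually be able to see a risk before it is saved. It assumes a constructed hierarchy in which “Archives” (a sibling branch) and “Health” (another department) are invented only to show who is excluded, it treats the System Administrator override as applying to every level including Ministerial Access (the guide states the override but not that detail), and it denies access for any level it does not recognize.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed organizational hierarchy (child -> parent) for the guide's example.
# "Public Libraries", "Community Development", "Community Services" and "Yukon"
# are the levels named in the guide; "Archives" (a sibling branch) and "Health"
# (another department) are made up here to show who is excluded.
PARENT: Dict[str, Optional[str]] = {
    "Yukon": None,
    "Community Services": "Yukon",
    "Community Development": "Community Services",
    "Public Libraries": "Community Development",
    "Archives": "Community Development",
    "Health": "Yukon",
}

OPEN = "Open"
MINISTERIAL = "Ministerial Access"
SYSTEM_ADMIN = "System Administrator"


@dataclass
class User:
    name: str
    organization: str
    roles: Set[str] = field(default_factory=set)
    ministerial_access: bool = False  # account-level grant for Ministerial Advice Access risks


def ancestors_or_self(org: str) -> Set[str]:
    """The organization itself and every level above it, up to the root."""
    chain: Set[str] = set()
    node: Optional[str] = org
    while node is not None:
        chain.add(node)
        node = PARENT[node]
    return chain


def can_view_risk(user: User, security_level: str) -> bool:
    """Apply the Security Level rules from the guide's table.

    Organization-based levels: visible to the chosen level, every level above it
    and every level below it; sibling branches and other departments are excluded.
    Unknown levels or organizations are denied (assumption: fail closed).
    """
    if SYSTEM_ADMIN in user.roles:        # role override described in the guide
        return True
    if security_level == OPEN:
        return True
    if security_level == MINISTERIAL:
        return user.ministerial_access
    if security_level not in PARENT or user.organization not in PARENT:
        return False
    return (user.organization in ancestors_or_self(security_level)      # at or above the level
            or security_level in ancestors_or_self(user.organization))  # below the level


def viewers(security_level: str, users: List[User]) -> List[str]:
    """Names of the users who can see a risk at the given level (reproduces the table)."""
    return [u.name for u in users if can_view_risk(u, security_level)]


# Constructed users: one per organizational level plus two special accounts.
USERS = [
    User("librarian", "Public Libraries"),
    User("archivist", "Archives"),
    User("cd-director", "Community Development"),
    User("cs-deputy", "Community Services"),
    User("yukon-analyst", "Yukon"),
    User("health-officer", "Health"),
    User("erm-admin", "Health", roles={SYSTEM_ADMIN}),
    User("minister-staff", "Health", ministerial_access=True),
]

if __name__ == "__main__":
    for level in [OPEN, "Public Libraries", "Community Development",
                  "Community Services", "Yukon", MINISTERIAL]:
        print(f"{level:22} -> {', '.join(viewers(level, USERS))}")
```

The two set-membership tests in can_view_risk are the whole rule: the viewer’s organization lies on the path from the chosen level up to the root, or the chosen level lies on the path from the viewer’s organization up to the root. Anything else, including a sibling branch under the same division, is denied, which matches the “cannot see the risk” rows of the table.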


Once the prioritized risks have been set to In Scope, you are ready to continue by developing scenarios for analysis and scoring.

Developing scenarios

Scenarios are specific examples of how risk events may materialize. They contain sufficient detail to enable subject matter experts to determine the impacts of the event occurring, and the likelihood of the event and its impacts occurring. Each risk event may have multiple scenarios. Each scenario is analyzed and scored individually.

For example, if you are conducting a disaster assessment to analyze the impacts of a hurricane making landfall, you may decide to analyze a scenario in which the hurricane makes landfall on a weekday and another scenario in which it makes landfall on a weekend, because the impacts of high wind speeds, power outages, flooding and blocked roadways depend on whether the event occurred on a weekday or a weekend.

As another example, if subject matter experts were asked to rate the severity of the risk event “A lightning strike in a remote area of the province may result in a large wildfire”, they would ask for detailed information influencing the outcome, such as the season during which the wildfire occurs, the specific location of the fire - near a town or in an unpopulated area, and the meteorological conditions leading up to the event. By developing separate scenarios for these varying conditions, each can be assessed accurately.

This step should be done by the Risk Officer and Operational Manager in collaboration with subject matter experts.

Watch a tutorial on developing scenarios

1. Select the assessment, and click the Identification tab on the left.

2. Click Scenarios.

3. Click the Add icon beside the risk statement to add a scenario for.

When using scenarios to define variations on risk events, ensure that sufficient detail is captured so that assumptions and unknowns are limited, and so that the scenarios are as relevant to the organization’s context as possible. Sound decision-making requires information and conclusions based on analysis of specific, plausible and relevant scenarios.

To obtain assistance from the requester of the assessment or other participants when defining scenarios, use the Scenario Template report to create a Word document for each scenario with spaces to fill in the details of the event. To create the report, click the Identification – Risk Prioritization tab, select the risks to develop scenarios for, then click Selected Scenario Templates. Once the documents have been filled out, copy and paste the information back into ERM.


User’s Guide - Analyzing Risks 19

ERM enables you to schedule working groups for the purpose of collaborating on risk analyses. Once you have started an assessment and developed the scenarios to be assessed, you can add them to workshops. Each workshop has a documenter, one or more participants, and optionally, a facilitator. After adding scenarios to a workshop, you can send e-mail notifications to the participants notifying them of the schedule, workshop location and details on the scenarios to be assessed. You can also proceed directly with scoring the scenarios drafted in the previous step, rather than scheduling workshops.

Scheduling workshops

1. Select the assessment, and click the Schedule tab on the left.

2. Click Add Workshop.

3. Enter a title for the workshop. The title will display on e-mail notifications sent to participants.

4. If you are scheduling a workshop for a future date, select Scheduled Workshop. Or, select Meet Now if the meeting attendees are in the room and ready to proceed with the scenario analysis.

5. For a scheduled workshop, enter the start and end dates. The start and end dates display on e-mail notifications sent to participants.

6. Enter the location of the workshop.

7. Select the scenarios to be analysed during the workshop.

8. For a scheduled workshop, click the Scheduled Times tab and choose the day and start and end times the analysis of each scenario is planned for. Defining day and time slots for each scenario will help workshop participants plan their attendance. For example, not all participants may be required for each scenario. Scenarios aren’t assigned to time slots in “Meet Now” workshops.

9. Click Create to save the workshop, or click Create Another to save and add another workshop. Click Cancel to discard your changes.

Add participants to the workshop. Click the Participation tab, then click Add beside Participants to invite people to the workshop. Select Existing User to add someone with an account in ERM. Type the first few characters of their name in the space provided. Select Not in the List to invite someone who doesn’t have an ERM account. Fill in their first and last name, and enter the e-mail address notifications should be sent to. Under Organization Type, click Internal if the person works in your organization, and select their organization from the list. Click External if the person doesn’t work in your organization, and then enter their organization name.

Click and drag a name and drop it on a scenario to invite the person to the scenario. Drop a name on the workshop title to invite the person to participate in all scenarios. Click Drag All to invite all participants to all scenarios.

The Add Workshop button is only displayed if unscored scenarios exist which have not already been assigned to a workshop.


User’s Guide - Analyzing Risks 21

2. Describe the scenario to the group. If additional information or links to supporting information are available, the documenter should display this information if possible.

3. Introduce the first impact category and invite the group to discuss the first question. The documenter should display the impact category and question.

4. When the group is ready to vote, the documenter opens voting for the question if mobile voting is being used. Invite the participants to submit their votes manually or using their mobile devices.

5. As voters submit their responses, ERM displays the number of results received.

6. Once all votes have been received the documenter will close the poll, and ERM will display the poll results in a graph. It will indicate the number of votes received for each response and the confidence levels selected by the voters. Results are anonymous; however, votes submitted by participants who are subject matter experts in the impact category will be indicated by hashing.

7. The documenter will select a response and confidence level, and will display the next question.

8. After scoring all impact categories, score the likelihood of the event and its impacts occurring.

9. Continue with the next scenario, or conclude the workshop.

Watch a tutorial on facilitating scenario scoring workshops

Documenting a scenario scoring workshop

If you are the documenter in a scenario scoring workshop, your role is to use ERM to display the analysis questionnaire for each scenario to be scored. If mobile voting is being used, you’ll use ERM’s mobile voting application to collect participants’ votes and to display the results.

What you’ll need:

A computer with Internet access, so that you can open ERM. Ideally, use a projector to display ERM for the participants.

You must have a user account in ERM.

You must be assigned as the documenter on the scenarios to be scored during the workshop. Otherwise, you will not have access to the analysis questionnaire on the scenarios.

If you plan to use mobile voting, participants will need Internet access in order to use ERM’s Mobile Voting application on their mobile devices.

You can repoll a question as many times as needed. For example, if there is substantial variation in the responses received, lead the group in further discussion and then ask the participants to vote again. The documenter will re-open the poll.


User’s Guide - Analyzing Risks 22

Documenting a scenario scoring workshop

1. Select the assessment, and click the Analysis tab. Scenarios developed for the assessment will be displayed. Your name will be displayed in blue on scenarios for which you are the documenter.

2. Click the scenario to display the analysis questionnaire.

3. To enable participants to vote using their mobile devices, update their attendance status by clicking the Scenario tab on the left. Set the Attendance Status to Attended for each participant at the workshop. To send participants with a status of Attended a link to the mobile voting application, click Send Mobile Link.

4. Click the Analysis tab on the left to display the first impact category and question.

5. Open the mobile scoring session by clicking the mobile scoring session icon. Participants with mobile devices will see a screen notifying them to wait for a question to open.

6. The facilitator will introduce the scenario and start the analysis, inviting the participants to discuss the impacts and likelihood of the scenario.

7. When the group is ready to vote on the first question, open the poll by clicking the open poll icon. Participants will see the first question on their screen, and will be able to select a response and confidence level, or to abstain from voting.

8. Participants will submit their responses.

9. Close the question and display the results. Results are anonymous; however, votes submitted by participants who are subject matter experts in the impact category will be indicated by hashing. Position your mouse over an area of the graph to display details of the corresponding results.

10. Select the response to the question by clicking an area of the graph, or by clicking the response itself.

11. Optionally, use the Justification field to enter notes indicating the reason for the group’s response. For example, if the views of the experts in the room differed substantially you may want to make a note of it.

12. If the facilitator decides to repoll a question, click the repoll icon. Existing responses will be discarded, and participants will be asked to submit their responses again.

13. Optionally, use the Notes field for comments related to the impact category such as assumptions the group made.

14. When all questions for the impact category have been answered, click Next to continue. Click Save to save your responses, or click Exit to discard your changes and return to the Scenario Details page.

15. When all impact and likelihood questions have been answered, click the Summary tab to display an overview of the scoring results by impact category.

16. When the facilitator and group are satisfied with the results of the analysis, click Finalize on the Summary tab. Finalizing a scenario prevents adjustments to the scoring, so ensure the analysis is complete.

17. Repeat these steps if another scenario is to be analyzed in the workshop; otherwise, the facilitator will conclude the workshop.


User’s Guide - Analyzing Risks 24

Scoring scenarios manually

ERM enables you to score scenarios with or without mobile devices, or using a combination of the two methods.

If you want to use mobile voting but not all participants have mobile devices, open the poll and allow the mobile voters to submit their responses. Close the poll and allow the group to discuss the results, giving participants without devices an opportunity to weigh in.

If you are not using mobile voting, allow the group to discuss each question, and then manually select the appropriate response and confidence level.

Participating in a workshop

The role of workshop scoring participants is to contribute their expertise on impact severity and likelihood for one or more scenarios. A workshop may include multiple subject matter experts, each with knowledge and experience in one or more areas related to the scenarios to be assessed.

As a group, the participants analyze the scenarios in order to rate the severity of their impacts and the likelihood of the events and impacts occurring.

ERM includes a mobile voting application, which enables workshop participants to submit anonymous votes on impact severity and likelihood using their mobile devices.

Watch a tutorial on participating in scenario scoring workshops

Overview of a typical scenario scoring workshop:

The facilitator will provide an overview of the process to be followed throughout the workshop. This may include a summary of the risk management process, and information on how the workshop results will be used.

The facilitator will introduce the first scenario and start the analysis, inviting the participants to discuss the impacts and likelihood of the scenario. If a projector is available, the documenter will use ERM to display the scenario details and context information.

When the group is ready to vote on the first question, the documenter will open the mobile scoring session in ERM, making voting available for participants with mobile devices. Participants will submit their votes, and the group will continue with the next question.

If mobile voting is not being used, participants will discuss each question and will decide on a response and confidence level as a group.

Once all questions have been discussed and answered, the facilitator will introduce the next scenario or conclude the workshop.


User’s Guide - Risk Evaluation 25

Risk Evaluation

Risk Evaluation is the process of determining how to prioritize the risks your organization faces, given its objectives and the impact and likelihood of a risk. The objective of the process is to determine a control strategy for each risk. That is, to determine whether the risk will be accepted, avoided, shared with another organization or treated. This process is typically performed by the Risk Officer and the Operational Manager, in collaboration with the risk owner and the organization’s senior management.

Control strategies:

Accept: the organization chooses to accept the risk, rather than taking steps to treat it.

Avoid: the organization will change one or more of its activities in order to avoid the risk.

Reduce Impact: the organization will take steps to reduce the severity of the impacts of the risk.

Reduce Likelihood: the organization will take steps to reduce the likelihood of an event in order to lower the risk.

Share/Transfer: the organization will reduce the severity of a risk by sharing it with another organization, or by transferring one or more of its activities to another organization.

With the exception of “Accept”, each of these control strategies means that the organization plans to take action to treat the risk. In the next section, you’ll learn how mitigations are used to define risk treatment strategies.

1. Select the assessment, and click the Evaluation tab on the left.

2. The page will display a list of scored risks (risks for which at least one scenario has been scored and finalized).

3. Use the checkboxes to select one or more risks, then select a control strategy and click Save.

Reviewing and Updating Risks

Because strategies, priorities and resources often change over time, an organization should review and monitor the risks it has identified to ensure that they continue to provide an accurate and complete picture of the threats to the organization’s objectives.

Watch a tutorial on reviewing and updating risks

Find and view a risk. Click Risks on the toolbar. A list of risks will be displayed based on the settings on your user account. Click on a risk to view a summary of the risk, including the scenarios used to score it.


User’s Guide - Reviewing and Updating Risks 26

Click the Details tab on the left to view the organizational objectives the risk affects, the controls currently in place to manage the risk, and to view or add risk stakeholders.

View scenarios developed for the risk. Click Risks on the toolbar, then click on a risk. Click the Scenarios tab on the left for a list of scenarios developed for the risk. If a scenario has been scored, click Print to print a summary of the analysis.

View mitigations associated with the risk. Click Risks on the toolbar, then click on a risk. Click the Mitigations tab on the left to view mitigations developed for the risk.

Edit a risk. Click Risks on the toolbar, click on a risk, and then click Edit Risk. Whether a risk can be edited depends on your user role and on the risk status:

The risk owner can edit the risk if its status is Active.

If your role is Risk Officer you can edit Active risks in your organization and in organizational units below, with the exception of Ministerial Advice Access risks.

If your role is Corporate Risk Office or System Administrator you can edit Active risks throughout the organization, including Ministerial Advice Access risks.

Risks with the status Closed can’t be edited.

Change the control strategy for a risk. If the decision on how to manage a risk is changed, you can update the control strategy. If mitigations have already been entered for the risk, selecting Accept will cause incomplete mitigations to be removed, and you will not be able to enter more mitigations. Selecting any option other than Accept means that the organization plans to take action to reduce the adverse effects of the risk.

Print a summary of the risk information as a PDF. Click Risks on the toolbar, click on a risk, then click Risk Summary.

Close a risk. If a risk is no longer considered to have an effect on the organization’s ability to achieve its objectives, the risk owner or another user with the appropriate permissions can close the risk. Edit the risk, and under Risk Status, select Closed. Once a risk has been closed further changes can’t be made to it, and it can’t be reset to Active.

How is Degree of Risk determined? If scenarios for the risk have been developed and analysed, the Summary tab displays the scores, and indicates which scenario was used to score the risk. If the Scoring Method for the risk is “Highest”, ERM uses the scenario with the highest combination of impact severity and likelihood as the risk score. If the Scoring Method is “Manual”, the risk owner or another user with permission to edit the risk can select a scenario to be used to score the risk.


User’s Guide - Reviewing and Updating Risks 27

Watch a tutorial on using the risks list

If there are many risks in the risk list, you can sort and filter the list to make it easier to find what you are looking for:

To sort the list, click a column header, and then click the arrows to sort alphabetically in ascending or descending order.

To filter the list, click a column header. Type the text to filter by, or click a value. For example, to display only risks with a Risk Degree of High, click the Risk Degree column header, then click High.

To clear the filter, clear the checkbox beside the text “Risk Degree = ‘High’”.


User’s Guide - Managing Mitigations 29

Watch a tutorial on risk treatment plans

Creating mitigations

1. Select the risk to add a mitigation for, and then click the Mitigations tab on the left.

2. Click Add Mitigation.

3. Enter a title and description in the spaces provided.

4. Under Mitigation Owner, select the name of the person responsible for managing the mitigation.

5. Optionally, enter a due date to indicate when the action or measure is expected to be complete.

6. Use the Status option to indicate whether the mitigation is proposed, approved, rejected, in progress or complete.

7. Optionally, use the Status Comments field to enter details on the mitigation status.

Managing mitigations

Because strategies, priorities and resources often change over time, your organization should develop a cycle for monitoring the effectiveness of its risk treatment plans, and updating them when needed.


User’s Guide - Viewing Risks and Mitigations where you are a Stakeholder 31

Viewing Risks and Mitigations where you are a Stakeholder

If you are the stakeholder on a risk or mitigation, the risk or mitigation will display on your dashboard, giving you an overview of the risk-related information that is important to you.

If you are the stakeholder on a risk, click the risk to display the Risk Details page. This page shows the scenario scoring summary, the control measures in place to handle the risk, the objectives that the risk affects and other risk details.

If you are the stakeholder on a mitigation, click the mitigation to display the Mitigation Details page, where you can review details including the description of the mitigation, performance indicators that have been put in place and funding requests.

The dashboard link displays risks with a status of Active, and mitigations with statuses of Proposed, In Progress and Approved.

My Recent Notifications

The My Recent Notifications area on the dashboard displays notifications of events that may require your attention.

A notification will be created when the following events occur:

You are assigned or removed as the owner on a risk

You are assigned or removed as the owner on a mitigation

You are assigned or removed as a risk stakeholder

You are assigned or removed as a mitigation stakeholder

Scenario scoring is finalized for a risk you own

If you are assigned to a risk or mitigation as the owner or stakeholder, click the notification to view the risk or mitigation. If scenario scoring is finalized for a risk you own, click the notification to view the scenario and print the Scenario Assessment report. Notifications are displayed for one month.

Receiving notifications by e-mail

To receive an e-mail with your notifications in addition to viewing them on the dashboard, modify your profile to select a notification frequency.

1. Click the arrow beside your name in the top right corner of the page, and select Edit Profile.


User’s Guide - Capabilities 32

2. Under Notification Frequency, select Weekly or Monthly to determine the frequency you’d like to receive e-mail notifications. Select No Emails if you don’t want to receive notifications.

3. Click Save.

Capabilities

ERM's Capabilities module assists your organization in identifying the degree to which it has attained capabilities considered essential to achieving its objectives, and in identifying and prioritizing areas in which its capabilities differ from the state it wishes to achieve.

During the risk assessment process, referring to the organization's capability assessments and maturity models gives a broader understanding of the potential impact of the risks it faces. If your organization has well-established procedures for preventing, responding to and recovering from a specific threat, the risk posed by the threat would be expected to be less severe than one for which the organization lacks the required procedures, other factors being equal.

Managing an organization's capabilities involves two steps:

Enter an inventory of capabilities. An ERM System Administrator enters the inventory, adding new capabilities for each risk type the organization assesses.

Complete the capabilities questionnaire. Once the inventory has been entered, ERM will display a notification on the dashboard, with a link to each pending questionnaire. The notification displays only for people whose user account includes the role “Complete Capabilities Questionnaire”.

Let's take a closer look at what is involved in assessing capabilities.

Capabilities

A capability is a specific factor contributing to an organization’s ability to achieve its objectives. Information Governance is a capability. Organizations depend on information to develop products and services, to make decisions, to protect property rights and to generate revenue. Leadership is another capability. Prioritizing leadership development processes and skills training assists organizations in delivering predictable and sustainable results.

Activities

Watch a tutorial on Capabilities


User’s Guide - Capabilities 33

Activities are broad actions an organization takes to achieve its capabilities, and can be thought of as high level groupings of tasks. Activities to achieve an Information Governance capability may include Disposition, Retention, Availability and Accountability. Activities to achieve a Leadership capability may include Financial Results, Skills Development and Change Management.

Each activity is broken down into tasks, and includes one or more performance measures.

Measures

Measures are qualitative or quantitative descriptions of how an organization rates its performance for each activity related to a capability. Each activity may have one or more measures. Using Information Governance as an example again, the Accountability activity may have performance measures “Information management practices are periodically evaluated” and “Manager is aware of IM policies and resources”. These factors rate how well the organization manages its information.

Tasks

Tasks define the specific steps the organization takes to accomplish activities. They are steps considered essential for achieving the desired outcome of the capability, or the actions taken to prevent, protect against, respond to or recover from an event. Breaking activities down into measurable tasks helps an organization identify areas for improvement in its processes.

Maturity Ratings

Capability maturity models consist of a set of levels, or ratings, that describe how well an organization’s processes can reliably produce specific outcomes. As you enter your capability inventories you should define these ratings, ensuring that they relate to progress towards achieving the tasks and activities for the capability.

For example, an Information Governance capability may have maturity ratings ranging from Level 1 through Level 5, with Level 1 representing an environment in which record-keeping concerns are sub-standard, and Level 5 representing an environment in which information governance has been effectively integrated into corporate infrastructure and business processes.

Managing a Capabilities Inventory

ERM enables you to manage an inventory of capabilities related to each type of risk the organization assesses. For example, if your organization assesses operational and disaster risks, you can enter an inventory of operational capabilities and an inventory of disaster capabilities. For each capability you can enter one or more activities, measures and tasks, and you’ll define a maturity model to summarize the organization’s performance for each capability.


User’s Guide - Capabilities 34

If your organization is at an early stage in describing its capabilities, it may be helpful to begin by identifying the individual tasks needed to achieve each capability. Once you’ve identified the tasks, group them under common headings to form activities. Then define the performance indicators that should be used to assess the achievement of each task.

1. Click Admin on the toolbar, and under Lookup Tables, click Capability Inventory.

2. Click Add Capability.

3. Select the Risk Type the capability relates to. The risk type determines which questionnaire the capability displays on, and the type of risks the capability relates to.

4. Enter a name or short description of the capability.

5. Enter a detailed description or definition of the capability. Enter enough information to allow the person completing the questionnaire to accurately rate the organization’s performance and maturity level with regard to the capability.

6. Under Outcome, describe the expected results to be achieved by obtaining mature capabilities in the area assessed.

7. Under Active, select Yes if you want the capability to be displayed on the questionnaire. Otherwise, select No. This option is useful if you want to record a capability but don’t want it to appear on the questionnaire yet, or if you want to temporarily or permanently remove a capability from the questionnaire.

8. Click Create to save the capability, or click Cancel.

Add an activity. Click the capability to display it, then click Add Activity. Enter a name and description. Under Active, select Yes if you want the activity to be displayed on the questionnaire, then click Create.

Add a measure. Click a capability, then click the activity to add measures for. On the right of the activity's gray bar, click Add. Enter a description that describes the standard to which your organization’s achievement should be measured for the activity. For example, describe how much, how well or how quickly the activity should be performed. Click Create to save the measure.

Add a task. Click a capability, then click the activity and measure to add tasks for. On the right of the measure's gray bar, click Add. Enter a description, then click Create.

Add a maturity rating. Click a capability, then click the Maturity Ratings tab. Click Add Maturity Rating, and enter a title and description. Ensure that the title indicates how the rating fits into the set of ratings to be entered for the capability. Under Sort Order, enter a numeric value to indicate where the maturity rating should display in the list of maturity ratings for the capability. Enter 1 to indicate that the rating should sort first, enter 2 to indicate that the rating should sort second, and so on. Click Create to save the maturity rating.


User’s Guide - Capabilities 35

Completing Capability Questionnaires

If a capability assessment is pending for your organization, a link will display on the dashboard. If multiple questionnaires are pending a link will be displayed for each, and you’ll complete them separately.

1. Click the dashboard link to display the questionnaire.

2. Each capability will display on a separate row. Click a capability to expand it and read the related activities.

3. Click each activity to display the related measures, and click each measure to display the related tasks.

4. For each task, select Yes or No to indicate whether your organization has achieved the task. Select All Yes if your organization has achieved all tasks for the measure, or All No if none of the tasks have been achieved. A measure is considered achieved once all its tasks have been achieved, an activity is considered achieved once all its measures have been achieved and a capability is considered achieved once all its activities have been achieved.

5. Click Select Maturity to choose the maturity rating that most accurately describes the organization’s performance for the capability. Your decision should be supported by your responses for each task. As your organization matures in its capabilities, update the maturity rating.

6. Click Save, or click Cancel to discard your changes.

Updating Capabilities

Resources, strategies and priorities may change over time. To ensure your capabilities inventory remains relevant and complete, your organization should establish a schedule for reviewing and updating it. If you update the inventory, notify the person responsible for completing the questionnaire, so that they can review it. If you add a new task to the inventory after a questionnaire has been completed, a notification will display on the dashboard indicating that the questionnaire is pending.

It is not necessary to complete an entire questionnaire at once. You can save your changes and return to it later.

The dashboard link for the questionnaire will display until you have selected Yes or No for each task.

Consider completing capability questionnaires in collaboration with other people in your organization. Particularly in larger organizations, detailed knowledge of the various areas of your organization's capabilities may be distributed among multiple people.

If a task is added to the capability inventory for a completed questionnaire, the dashboard link will be redisplayed. Click the link to open the questionnaire, and view the Activities Achieved scores to locate the updated capability.

To review or update a completed questionnaire, click Capability on the toolbar and select the questionnaire.

Strategic and operational capabilities are typically reviewed annually. Disaster capabilities may require review every three to five years. However, these are guidelines only, and you should adopt the schedule that best meets the needs of your organization.

Reports

Capability Assessment

The Capability Assessment report lists responses to your organization's Capabilities Questionnaire for a selected risk type. After the questionnaire has been completed, use this report to save the questionnaire responses as a PDF.

1. Click Reports on the toolbar, and select Capability Assessment.

2. Choose a risk type.

3. Indicate whether to include tasks marked as Achieved on the questionnaire, tasks marked as Not Achieved, or tasks for which a response was not selected (multiple options can be selected).

4. Click Run Report to open or save the report as a PDF file.

Organizational Risk Summary

Use this report to summarize risk information for an organization based on degree of risk and risk type. The report displays the following:

Cumulative impact scores for the selected risks. This enables the organization to view at a glance the type of impacts its risks may result in, if left unmanaged.

Top ten risks by risk degree, for each risk category, for risks that resulted in a risk degree above a threshold that you enter.

Top ten risks for each impact category by scenario score, for risks that resulted in a risk degree above the threshold.

This is a useful report to send to an organization's senior management or to other stakeholders who require an overview of the organization's risks.

1. Click Reports on the toolbar, and select Organizational Risk Summary.

2. Select the organization to generate the report for.

3. Select the threshold for the degree of risks to include on the report. For example, select Medium to include risks with a degree of Medium or higher.

4. Select one or more types of risks to include.

5. Click Run Report to open or save the report as a PDF file.

Disaster Scenario and Strategic/Operational Scenario

The Disaster Scenario and Strategic/Operational Scenario reports list the details of scenarios that have been scored for the selected risk type. These reports enable you to obtain statistics on scores by impact category (when scenarios are scored, the resulting risk degree is displayed, not a numerical score). The reports exclude scenarios for risks that have been archived, and display scenarios only for risks visible based on your user account security settings.

1. Click Reports on the toolbar, and select Disaster Scenarios or Strategic/Operational Scenarios.


User Accounts and Permissions

You'll need to create a user account for each person who requires access to ERM. As part of creating user accounts, you'll select one or more user roles for each person. The user roles you choose determine the features the person will have access to. This section describes how to set up user accounts, how to modify and deactivate accounts and how to select appropriate user roles.

Adding user accounts

1. Click the Admin button on the toolbar, and select Users.

2. Click Add User.

3. Enter a user name that the person will use when signing in to ERM. Consider defining standard user names which will be easy to remember, such as the person's first initial followed by their last name. Alternatively, consider adopting standards which already exist in your organization for sign-in credentials.

4. Enter the person’s first and last name in the spaces provided.

5. Enter the person's e-mail address in the space provided. E-mail notifications will be sent to the address entered here.

6. Optionally, enter the person's job title. The job title is displayed in selection lists to help ensure the correct name is chosen.

7. Select an organization level to determine the risks and related information the person requires access to. For example, if the person requires access to risks only for their branch, select their branch from the list. If they require access to risks for all branches in their department, select their department from the list. If they require access to all risks for the organization, select the top-level organization from the list.

8. Under Active, choose No if you want to create the user account but do not want the person to have access to ERM at present. Otherwise, choose Yes. Inactive user accounts remain in the system so that they can be re-activated, but attempts to sign in to the system will be blocked.

9. In the Assign Role section, select one or more roles based on the features the person requires access to. When you assign a role, the associated actions the person will have access to will be indicated.

User Role: When to select this role

Auditor: The person requires read-only access to all risks, mitigations and assessments throughout the organization, with the exception of risks with the security level Ministerial Advice Access. The person does not require the ability to edit information, and does not require access to Administrative features.

Capability Assessment: The person will be responsible for completing the Capability questionnaire for their organization.

Corporate Risk Office: The person requires the ability to view and edit all risks, mitigations and assessments throughout the organization, including risks with the security level Ministerial Advice Access. The person does not require access to Administrative features.

Ministerial Advice Access: The person requires read-only access to risks with the security level Ministerial Advice Access and associated mitigations, within their organization and organizational units below. Most ERM roles don't allow access to Ministerial Advice Access risks. Add this role to a person's account when you need to allow them to access these risks.

Org Level Access: The person requires read-only access to risks, mitigations and assessments in their organization and organizational units below, with the exception of Ministerial Advice Access risks. The person does not require the ability to edit information, and does not require access to Administrative features.

Risk Officer: The person requires the ability to view and edit risks, mitigations and assessments in their organization and organizational units below, with the exception of Ministerial Advice Access risks. The person does not require access to Administrative features.

Sign In Only: ERM automatically gives this role to people assigned as external documenters and assessment leads. The person will be able to sign into ERM, but can access only the assessment(s) they are assigned to.

System Administrator: The person requires full access to the system, including access to Administrative features such as managing user accounts and updating configuration information.

10. Click Create to save the user account, or click Cancel. When an account is created ERM will send an e-mail to the address on the account with a link to ERM and a temporary password.

An important point to understand about roles in ERM is that they are cumulative. That is, a user account may have multiple roles assigned to it, and the person will have access to the actions granted by all of their roles. Here is an example:

Marie has the role Risk Officer. This means that she can view and edit risks, mitigations and assessments in her organization and in organizational units below, with the exception of Ministerial Advice Access risks.
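To make the cumulative rule concrete, here is an added illustration (not ERM's own code) that models the role descriptions in the table above as a single access decision. The organization hierarchy, the User and Risk records and the effective_access function are assumptions; the role names and their scoping rules come from the guide.

```python
# Constructed model of the cumulative role rules above (not ERM's own code):
# role names and scoping come from the guide; everything else is assumed.
from dataclasses import dataclass

# Constructed org hierarchy: child unit -> parent unit (None at the top).
ORG_PARENT = {
    "Government": None,
    "Health Dept": "Government",
    "Clinics Branch": "Health Dept",
    "Finance Dept": "Government",
}
RANK = {None: 0, "view": 1, "edit": 2}  # strength of a grant


def is_within(unit, scope):
    """True when `unit` is `scope` itself or an organizational unit below it."""
    while unit is not None:
        if unit == scope:
            return True
        unit = ORG_PARENT[unit]
    return False


@dataclass(frozen=True)
class User:
    name: str
    org_unit: str        # organization level selected on the account
    roles: frozenset     # one or more role names; roles are cumulative
    active: bool = True  # Active = No blocks sign-in entirely


@dataclass(frozen=True)
class Risk:
    title: str
    org_unit: str
    ministerial_advice: bool = False  # security level Ministerial Advice Access


def effective_access(user, risk):
    """Return 'edit', 'view' or None for this user on this risk.

    Every assigned role contributes a grant and the strongest one wins, so
    adding a role can only widen access, never narrow it.
    """
    if not user.active:
        return None
    r, grants = user.roles, [None]
    # Organization-wide roles. System Administrator's "full access" is
    # read here as edit on every risk (assumption).
    if "System Administrator" in r or "Corporate Risk Office" in r:
        grants.append("edit")
    if "Auditor" in r and not risk.ministerial_advice:
        grants.append("view")
    # Roles limited to the user's organization and the units below it.
    if is_within(risk.org_unit, user.org_unit):
        if "Risk Officer" in r and not risk.ministerial_advice:
            grants.append("edit")
        if "Org Level Access" in r and not risk.ministerial_advice:
            grants.append("view")
        if "Ministerial Advice Access" in r and risk.ministerial_advice:
            grants.append("view")
    return max(grants, key=RANK.__getitem__)
```

Because the strongest grant wins, reviewing an account means reviewing the union of its roles, not the most restrictive one.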


Deactivate a user account. To deactivate an account so that sign-in attempts by the user will be blocked, set the Active option to No. Inactive user accounts remain in the system so that they can be re-activated. User accounts can't be deleted.

Categories

Risk categories are used when risk statements are added to ERM. By selecting the relevant category for each risk, you can perform reporting on the nature and severity of risks the organization faces. For example, the Organizational Summary report lists the top ten risks by risk degree, for each risk category. Categories are grouped by the risk types Strategic, Operational and Disaster.

1. Click Admin on the toolbar, and under Lookup Tables, click Categories.

2. To add a new risk category, click Add Category.

3. Enter a name for the category. You must enter a name that has not already been used for a category within the risk type.

4. Optionally, enter a description.

5. Select one or more risk types that the category applies to.

6. Optionally, enter a numeric Sort Order to indicate where the category should display in lists of categories for the risk type. Enter 1 to indicate that the category should sort first, enter 2 to indicate that the category should sort second, and so on. By default, categories will sort from the lowest number to the highest.

7. Under Active, select Yes if you want the category to be displayed when adding and updating risk statements. Otherwise, select No. This option is useful if you want to enter a category but don't want it to be used yet, or if you want to temporarily or permanently remove a category from category lists without affecting existing risks.

8. Click Create to save the category, or click Cancel.

Add a subcategory. Within each risk category you can specify sub-categories. For example, you may have a category called Public Health, and sub-categories within it called Large-Scale Contamination and Pandemics. Click the "parent" category, and then click Add Sub-Category.

Edit or delete a category. Click the category or sub-category, then click Edit Category (or Edit Sub-Category). To delete a category or sub-category, edit it and then click Delete. You can't delete a category if it is in use on a risk, or if it has sub-categories.

Geography Structure

When a risk statement is added in ERM, you must specify the geographic location it applies to so that the organization's risks can be analyzed based on location. ERM enables you to add the following levels of regions:

Province/Territory

Regions within the province/territory

Cities within each region

Subdivisions within each city

1. Click Admin on the toolbar, and under Lookup Tables, select Geography Structure. ERM will display a list of regions for your organization.

2. To add a new region click the “parent” region to add it to, and then click the Add icon.

3. Enter a name for the region, and optionally, enter a short form, or abbreviation, of the region name under Code.

4. Under Active, select Yes if you want the region to be displayed when adding and updating risk statements. Otherwise, select No. This option is useful if you want to enter a region but don't want it to be used yet, or if you want to temporarily or permanently remove a region from region lists without affecting existing risks.

5. Click Create to save the region, or click Cancel.

Edit or delete a region. Click the region, then click Edit. To delete a region, edit it and then click Delete. You can't delete a region if it is in use on a risk, or if it has regions within it.

Organizational Structure

Because risk assessments apply to specific organizational units, you must select the applicable organization when you begin an assessment. Before you begin using ERM to perform risk assessments, ensure that the hierarchy and structure of your organization has been properly defined.

1. Click Admin on the toolbar, and under Lookup Tables, select Organizational Structure.

2. To add an organizational level, click the “parent” organization to add a level to, and then click Add.

3. Enter the name of the organization, and optionally, enter a short form, or abbreviation, of the organization’s name under Code.

4. Optionally, enable one or more risk types for the organization. When you begin an assessment for an organization, you must select the risk type that the assessment will pertain to.


5. Under Active, select Yes if you want the organization to be displayed in ERM. Otherwise, select No.

6. Click Create to save the organizational level, or click Cancel.

Edit or delete an organizational level. Click the organization, then click Edit. To delete an organization, edit it and then click Delete. You can't delete an organization if it is in use, or if it has organizations within it.

For a hierarchical view showing the relation between organizational levels, click Tree View. For a flat list showing all organizational levels, click Report View. The Report View also indicates the risk type modules enabled for each organizational level.

More Resources

This section contains links to information useful for risk managers and other assessment leaders, as well as information that can be provided to workshop participants, organizations' senior management and to other stakeholders.

ERM Tutorials

This site contains links to a variety of short tutorials on ERM and the risk management process. These tutorials are useful for anyone who is responsible for using ERM to manage risk assessments, as well as for participants in the process.

ISO 31000 – Risk Management

The processes described in this guide are based on the ISO 31000 standards for risk management. Visit this site for more information on the standards, and for articles on risk management.

Public Safety Canada - All Hazards Risk Assessment

Includes a link to Public Safety Canada's All Hazards Risk Assessment guidelines. You will also find a variety of articles relating to risk management and emergency preparedness, and many other resources useful for risk managers.

Global Association of Risk Professionals (GARP)

A not-for-profit independent organization that helps to create a culture of risk awareness within organizations, and promotes best practices in risk management.

Implementing Risk Management – Risk Manager’s Guide

This document is intended for the risk manager or risk officer responsible for assisting an organization in its adoption of a risk management process. View it by clicking the arrow in the top right corner beside your name in ERM, and select Help/User Guides.