Self-Assessment
The benefit of the Risk Analysis System to the user organization is that all levels of management have a much better understanding and control of the risks facing their organization.
For each process included in the pre-defined scope, a campaign should provide an assessment of residual risks, taking into consideration standard or alternative controls that may have been implemented by assessed entities. Users will have to choose the rating of each residual risk from the following: High (represented by the color red), Significant (orange), Medium (yellow) and Low (green). If a risk is not applicable, users will be allowed to leave a comment in a dedicated area.
The system provides for standard and alternative controls; that is, users won’t have to describe each situation and will instead be able to answer the following “yes/no” questions:
- Is the control applicable?
- Is the control implemented?
- Is the control documented?
- Is the related procedure formalized?
- Is the related procedure communicated to relevant staff?
The self-assessment questionnaires (i.e. lists of risks and related controls organized by process) will be submitted via the Internet and the results will be consolidated and presented according to pre-defined formats.
The main functions allow for the administration of a risk analysis campaign; the review, consolidation and presentation of the campaign's results; and a comparison with prior-year campaigns.