
Combine information on risks, incidents and BCM plans

The more information you bring together, the more reliable the estimates and the more adequate the reaction to events.

BCMLogic ONE has everything you need for Risk Management:

  • list of resources, people and processes,

  • the ability to describe the causes of the risk,

  • strategy selection,

  • assignment of action plans,

  • reporting and monitoring.

 

However, it offers much more. Integration with incident information, the BIA and the BCP plans makes the risk assessment even better: the probability level can be set based on the number of incidents that have affected a given process or resource.

Wide range of uses

ERM risk management

Risks relating to business processes and services, typically handled at the departmental/divisional level.

BCM risk management

Risks in terms of business continuity, usually covering the following categories: people, IT infrastructure, locations, suppliers. Examined at both the process and resource levels.

IT risk management

Risks relating to systems, applications and key infrastructure. Threats are determined on the one hand using checklists (a survey linked to the vulnerability database) and on the other hand through cooperation with dedicated solutions such as vulnerability scanners. A large number of vulnerabilities can be prioritized for remediation using knowledge of how many business processes (and how critical they are) and how many data sets (and which ones) use a given device.

Managing risks of non-compliance

The module offers a risk library that can be managed from the application level or imported from an external source.

Managing policy exceptions

If a project or other situation requires an exception from the security rules, a deviation form is used. It specifies the rule from which the applicant wants to deviate, records the opinions of the relevant departments (e.g. legal, security, IT), and determines the level of risk associated with the deviation. If the exception is accepted, an expiration date is set.

Register of operational events

A register of events that actually occurred, with the ability to record the expected financial and non-financial losses (in any number of categories).

Categorization and monitoring of vulnerabilities

Prioritization based on knowledge about the connections between processes (and their criticality) and resources. Mechanisms for assigning and monitoring the implementation of tasks.
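The prioritization rule described above (and under IT risk management) can be written down as a small scoring function: the scanner's technical severity is weighted by the business context of the affected device, i.e. the criticality of the processes that depend on it and the sensitivity of the data sets it holds. The following is an added example and not the product's own code; the registers, the 1-4 criticality and 0-3 sensitivity scales, the placeholder vulnerability identifiers and the weighting formula are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """An asset from the resource register with the processes and data sets that use it."""
    name: str
    processes: tuple  # names of business processes that depend on this device
    datasets: tuple   # names of data sets stored or processed on this device


@dataclass(frozen=True)
class Vulnerability:
    """A finding imported from a scanner; 'severity' is the scanner's 0-10 technical score."""
    vuln_id: str
    device: str
    severity: float


# Constructed sample registers (illustrative; the VULN-* identifiers are placeholders, not real CVEs).
# Process criticality 1 (low) .. 4 (critical), as it would come out of the BIA.
PROCESSES = {"payments": 4, "payroll": 3, "intranet-news": 1}
# Data set sensitivity 0 (public) .. 3 (highly sensitive).
DATASETS = {"cardholder-data": 3, "employee-records": 2, "public-web-content": 0}
DEVICES = {
    "db-prod-01": Device("db-prod-01", ("payments", "payroll"), ("cardholder-data", "employee-records")),
    "web-intranet": Device("web-intranet", ("intranet-news",), ("public-web-content",)),
    "jump-host": Device("jump-host", (), ()),
}
VULNS = [
    Vulnerability("VULN-A", "web-intranet", 9.8),
    Vulnerability("VULN-B", "db-prod-01", 7.5),
    Vulnerability("VULN-C", "jump-host", 9.8),
]


def business_weight(device: Device, processes: dict, datasets: dict) -> int:
    """Weight of an asset = 1 + sum of criticality of dependent processes
    + sum of sensitivity of the data sets it holds. The constant 1 keeps
    assets with no registered dependencies from vanishing from the list."""
    weight = 1
    for proc in device.processes:
        if proc not in processes:
            raise ValueError(f"{device.name}: unknown process {proc!r} (fix the register first)")
        weight += processes[proc]
    for ds in device.datasets:
        if ds not in datasets:
            raise ValueError(f"{device.name}: unknown data set {ds!r} (fix the register first)")
        weight += datasets[ds]
    return weight


def prioritize(vulns, devices, processes, datasets):
    """Return [(vuln_id, priority_score)] sorted by descending priority, where
    priority = scanner severity * business weight of the affected device.
    A finding on a device absent from the resource register is an error, not a
    low priority: an unregistered asset must be registered before it is triaged."""
    scored = []
    for v in vulns:
        if v.device not in devices:
            raise ValueError(f"{v.vuln_id}: device {v.device!r} not in the resource register")
        score = v.severity * business_weight(devices[v.device], processes, datasets)
        scored.append((v.vuln_id, round(score, 2)))
    # Sort by score descending, then by id so equal scores come out in a stable order.
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored


if __name__ == "__main__":
    for vuln_id, score in prioritize(VULNS, DEVICES, PROCESSES, DATASETS):
        print(f"{vuln_id}: {score}")
```

With this data the two 9.8 findings on the intranet server and the jump host drop below the 7.5 finding on the production database, because that database carries two critical processes and the most sensitive data sets; a severity-only queue would have ordered them the other way round.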

Control of risk treatment plans

Assignment, acceptance and monitoring.

Risk treatment plans are practically an additional sub-module: integrated with the list of risks on the one hand, and having their own workflow, notifications and reminders on the other, which automates the full life cycle from plan, to implemented safeguard, to performance monitoring.

Module functions and elements

Risk base

A basic repository that, thanks to its flexibility, enables parallel handling of many types of risks. The basic division is the risk category (a definable dictionary), on the basis of which it is determined which application forms (so-called tabs) are to be available for a given category. For each risk you can define:
 

  • Existing safeguards that reduce the level of risk

  • Risk level – determined on the basis of a matrix completed by the analyst (probability and any number of impact types) or on the basis of numerical values assigned to vulnerabilities

  • Strategy of conduct

  • Risk management plans, if required by the adopted strategy

  • Business processes at risk

  • Resources (e.g. IT systems, infrastructure, but also suppliers)

 

The risk database is workflow-based; the workflow is described later.

Authorizations for risks are dynamically granted based on elements such as: risk category, risk assignment to an organizational unit, resource, process and any other attributes available in the extensive database. This enables very precise access control. Two users entering the same list may see a completely different set of risks, depending on their role.
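The attribute-based filtering described above can be illustrated with a deny-by-default policy over the shared risk list: each role grants visibility only to risks whose attributes (category, organizational unit, resource, level) match the user's own attributes, and the same list therefore yields a different subset per user. This is an added example, not the product's authorization model; the sample risks, users, roles and rules are constructed.

```python
# Constructed sample data and policy (illustrative; not the product's own authorization model).
RISKS = [
    {"id": "R-1", "category": "IT", "org_unit": "IT", "resource": "ERP", "level": 4},
    {"id": "R-2", "category": "BCM", "org_unit": "Finance", "resource": "payments-process", "level": 5},
    {"id": "R-3", "category": "Compliance", "org_unit": "Finance", "resource": None, "level": 2},
    {"id": "R-4", "category": "IT", "org_unit": "Finance", "resource": "ERP", "level": 3},
]

USERS = {
    "alice": {"roles": {"it-risk-owner"}, "org_units": set(), "resources": set()},
    "bob": {"roles": {"unit-manager"}, "org_units": {"Finance"}, "resources": set()},
    "carol": {"roles": {"board"}, "org_units": set(), "resources": set()},
    "dave": {"roles": {"resource-owner"}, "org_units": set(), "resources": {"ERP"}},
    "eve": {"roles": set(), "org_units": set(), "resources": set()},
}

# Each rule: role -> predicate(user, risk). A risk is visible if ANY rule the user
# holds grants it; a user with no matching rule sees nothing (deny by default).
POLICY = {
    "it-risk-owner": lambda user, risk: risk["category"] == "IT",
    "unit-manager": lambda user, risk: risk["org_unit"] in user["org_units"],
    "resource-owner": lambda user, risk: risk["resource"] in user["resources"],
    "board": lambda user, risk: risk["level"] >= 4,  # board dashboard: high and critical only
}


def visible_risks(username, users=USERS, risks=RISKS, policy=POLICY):
    """Filter the shared risk list down to the ids this user may see.
    Roles without a rule in the policy grant nothing rather than everything."""
    user = users[username]  # KeyError for an unknown user is deliberate: no anonymous access
    granted = []
    for risk in risks:
        if any(policy[role](user, risk) for role in user["roles"] if role in policy):
            granted.append(risk["id"])
    return granted


if __name__ == "__main__":
    for name in USERS:
        print(name, visible_risks(name))
```

Note that the filter is applied to the list query itself, not to a detail screen after the fact; a user who cannot see a risk in the list should not be able to reach it by guessing its id either, so the same predicate must guard the single-risk view.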

Risk form - identification and assessment

Each risk is described by a risk card, which allows, among other things, defining the goals/requirements that must be met to reach the expected risk level, indicating the effects of risk materialization in terms of impact on a specific area of the organization, and defining the treatment options and a risk treatment plan.

The risk card is divided into tabs containing individual functions. Tabs can be disabled, made available for viewing or editing dynamically, based on the category, current status and role of the user.  Currently, there are several tabs available in the application.

 

In case of specific needs, we first modify the existing tabs, and if the number of changes is large, we create a dedicated tab. From this screen it is possible to change the risk status (workflow context buttons in the upper left) and generate a report using a Word template that is dynamically filled with the current risk data.

Relationship of risk with resources and processes

For each risk, it is possible to define the impact on resources and processes within registers common to the entire platform. At the same time, it is possible to perform a dedicated risk analysis for a specific resource.

Risk analytics

Risk identification and analysis are only the beginning of the process. In our opinion, the most important part of risk management is drawing the right conclusions and supporting current decisions.
This is what the analytical tools are for:

 

  • KRI library with the possibility of combining indicators with data collected within the platform (incidents, failures, etc.) and from other systems

  • KRI values can also be calculated based on information collected from users

  • Analytical reports, data visualization and export to MS Excel

  • Risk dashboards dedicated to the role/group (Management Board, Supervisory Board, area directors)

Database of safeguards and risk treatment plans

Another object used in the module, closely related to risk. The basic division is between existing safeguards and planned/implemented safeguards.

Existing safeguards are simply a catalog of available general measures (e.g. antivirus on a workstation) or measures dedicated to a specific resource (e.g. a fire suppression system in a server room, or an employee motivation program to reduce the risk of key personnel leaving).

Planned/implemented safeguards are risk management plans initiated when a given risk is at an unacceptable level (e.g. purchasing a faster backup system if the current one cannot meet the recovery times specified in the BIA). A completed action plan becomes an active safeguard.

Each safeguard can be assigned a numerical value, which allows the current risk value to be determined numerically after the safeguard is applied or disabled.
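The pieces described on this page (probability derived from the incident count, a matrix of probability against any number of impact types, a numerical value per safeguard, and a plan being required once the level is unacceptable) fit together into one calculation. The block below is an added example of that calculation and not the product's own scoring; the 1-5 scales, the incident bands, the twelve-month window, the risk-appetite threshold, the multiplicative treatment of safeguard effectiveness, and the rule for deriving a probability level from vulnerability values are all constructed assumptions.

```python
# Probability bands (constructed): at least N incidents on the process/resource in the
# observation window (assumed: the last 12 months) -> probability level 1..5.
PROBABILITY_BANDS = [(12, 5), (6, 4), (3, 3), (1, 2), (0, 1)]
SCALE_MAX = 5
ACCEPTABLE_LEVEL = 6  # assumed risk appetite: residual risk above this needs a treatment plan


def probability_from_incidents(incident_count: int) -> int:
    """Map the number of incidents that hit the process/resource to a probability level."""
    if incident_count < 0:
        raise ValueError("incident count cannot be negative")
    for threshold, level in PROBABILITY_BANDS:
        if incident_count >= threshold:
            return level
    return 1


def probability_from_vulnerabilities(vuln_values) -> int:
    """Alternative probability source (assumption): the highest numerical value among the
    risk's vulnerabilities, clamped to the scale; no known vulnerabilities -> lowest level."""
    if not vuln_values:
        return 1
    return max(1, min(SCALE_MAX, max(vuln_values)))


def inherent_risk(probability: int, impacts: dict) -> int:
    """Matrix cell = probability x the worst of any number of impact types."""
    if not 1 <= probability <= SCALE_MAX:
        raise ValueError("probability outside the scale")
    for name, value in impacts.items():
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"impact {name!r} outside the scale")
    return probability * max(impacts.values())


def residual_risk(inherent: float, safeguards) -> float:
    """Each safeguard carries a numerical effectiveness in [0, 1); only active ones count.
    Disabling a safeguard (active=False) immediately shows the risk without it.
    An effectiveness of 1 is rejected: no single control eliminates a risk entirely."""
    factor = 1.0
    for sg in safeguards:
        if not 0 <= sg["effectiveness"] < 1:
            raise ValueError(f"{sg['name']}: effectiveness must be in [0, 1)")
        if sg["active"]:
            factor *= 1 - sg["effectiveness"]
    return round(inherent * factor, 2)


def assess(incident_count, impacts, safeguards, acceptable=ACCEPTABLE_LEVEL):
    """Full path: incidents -> probability -> inherent -> residual -> is a plan needed?"""
    p = probability_from_incidents(incident_count)
    inherent = inherent_risk(p, impacts)
    residual = residual_risk(inherent, safeguards)
    return {"probability": p, "inherent": inherent, "residual": residual,
            "treatment_plan_required": residual > acceptable}


# Constructed example: a backup-dependent process with 4 incidents in the window.
IMPACTS = {"financial": 4, "reputational": 2, "regulatory": 5}
SAFEGUARDS = [
    {"name": "endpoint antivirus", "effectiveness": 0.3, "active": True},
    {"name": "tested backup with 4h restore", "effectiveness": 0.5, "active": True},
]

if __name__ == "__main__":
    print(assess(4, IMPACTS, SAFEGUARDS))
    # The same risk with the backup safeguard disabled crosses the acceptable level:
    without_backup = [dict(SAFEGUARDS[0]), dict(SAFEGUARDS[1], active=False)]
    print(assess(4, IMPACTS, without_backup))
```

Four incidents give probability level 3, the worst impact (regulatory, 5) gives an inherent level of 15, and the two active safeguards bring the residual down to 5.25, inside the assumed appetite. Switching the backup safeguard off raises the residual to 10.5, which is exactly the situation in which a risk management plan is initiated.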

Risk treatment plans

If the adopted risk management strategy requires specific actions, the required number of Risk Management Plans is assigned to the risk in the application.

The risk management plan sets out which safeguards will be used to reduce the identified risk and who is responsible for implementing them, to what extent and by when.

Control mechanisms (safeguards) are elements of the risk management system intended to reduce the probability of the risk occurring or to eliminate its effects.

Logging in to the platform

The main way of logging in to the BCMLogic Platform is SSO, i.e. access to the application based on the authentication already performed when the user's computer logged in to the organization's domain. For the user, this means there is no separate login and password to remember. This is convenient especially for occasional users, e.g. someone who receives a notification about an action to take as part of implementing post-audit recommendations: they click the link in the notification, the application verifies their permissions in the background and, if the check passes, displays the appropriate screen.

Consistent risk management in the organization

From asset assessment to global risks across the organization

BCMLogic provides risk analysis at various levels: from an individual IT system or location, through the various management systems (BCM, Compliance, Information Security, etc.), to operational risks at the level of units, the entire company or an international corporation.

 

The system keeps the individual levels and categories isolated, but does not preclude a coherent flow to higher levels. If the administrator of a key location identifies a serious risk affecting business processes, this information can be propagated further. Depending on the type and level of risk, users work with the most appropriate application forms and screens.

Registers

Dictionaries and registers

The risk module uses built-in dictionaries and registers. Registers are used to build internal data libraries from within the application or can be imported from other sources.

Threats register

An expandable library of threats, with the vulnerabilities assigned to each of them. For each threat, a numerical value can be specified.

Vulnerability register

Each vulnerability has a specific status and a numerical value that can be used to calculate the risk level in a more advanced way.

Registers of risk groups and categories

These allow risk groups to be established for the purposes of the risk library. For each group, a risk category (a dictionary, with the possibility of adding new entries) and a risk type (also a dictionary) are defined.

Protections library

It allows you to define standard Risk Treatment Plans that can be assigned automatically (e.g. to a system or application) after a vulnerability is detected. A default person can be defined to whom the RTP, the risk management strategy, or the safeguard (security measure, control) will be assigned. The use of the library is shown in the next register.

Question mapping for risk self-assessment

For each risk, a survey can be added and answered by the process owner, location administrator, system administrator, HR head, etc., depending on the category and type of risk. Each question has closed-ended answers, each with an assigned numerical value and a code.
A given answer to a given question may mean that a risk needs to be created or edited for the assessed resource/process and that the corresponding vulnerability should be added to it. Optionally, you can specify that, after the vulnerability is created, the RTPs relating to it (0-N RTPs) are immediately assigned to the risk. The application uses these parameters during the automatic risk analysis phase.
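The mapping just described, from an answer code to a vulnerability and its 0-N standard RTPs from the protections library, can be shown end to end with a small question bank. This is an added example, not the product's own implementation or data model; the questions, answer codes, numerical values, vulnerability names and RTP names are constructed for illustration.

```python
# Constructed question bank (illustrative; the product's real schema is not shown on this page).
# Each question has closed-ended answers; each answer carries a code and a numerical value.
QUESTIONS = {
    "Q1": {"text": "Are backup restores tested at least quarterly?",
           "answers": {"Y": ("Yes", 0), "N": ("No", 3)}},
    "Q2": {"text": "Is administrative access to the system protected by MFA?",
           "answers": {"Y": ("Yes", 0), "P": ("Partially", 2), "N": ("No", 4)}},
    "Q3": {"text": "Is there a documented recovery procedure?",
           "answers": {"Y": ("Yes", 0), "N": ("No", 2)}},
}

# (question, answer code) -> vulnerability to add to the risk and the 0..N RTPs from the
# protections library to assign straight away. Answers with no entry trigger nothing.
ANSWER_MAPPING = {
    ("Q1", "N"): {"vulnerability": "backup restores not tested",
                  "rtps": ["RTP: schedule quarterly restore test"]},
    ("Q2", "N"): {"vulnerability": "no MFA on admin access",
                  "rtps": ["RTP: enrol admins in MFA", "RTP: restrict admin logon sources"]},
    ("Q2", "P"): {"vulnerability": "MFA not enforced for all admins",
                  "rtps": ["RTP: enrol admins in MFA"]},
    ("Q3", "N"): {"vulnerability": "no documented recovery procedure", "rtps": []},  # 0 RTPs
}


def analyse_survey(resource, responses, questions=QUESTIONS, mapping=ANSWER_MAPPING, existing=None):
    """Automatic risk analysis step: turn survey answers into (or update) a risk for the
    resource. Returns the risk record. Passing the previous record as `existing` makes a
    repeated survey update the same risk instead of creating a duplicate; the score always
    reflects the latest survey, while vulnerabilities and RTPs accumulate without repeats."""
    risk = existing or {"resource": resource, "score": 0, "vulnerabilities": [], "rtps": []}
    score = 0
    for qid, code in responses.items():
        if qid not in questions:
            raise ValueError(f"unknown question {qid!r}")
        answers = questions[qid]["answers"]
        if code not in answers:
            raise ValueError(f"{qid}: answer code {code!r} is not one of {sorted(answers)}")
        score += answers[code][1]
        hit = mapping.get((qid, code))
        if hit is None:
            continue
        if hit["vulnerability"] not in risk["vulnerabilities"]:
            risk["vulnerabilities"].append(hit["vulnerability"])
        for rtp in hit["rtps"]:
            if rtp not in risk["rtps"]:
                risk["rtps"].append(rtp)
    risk["score"] = score
    return risk


if __name__ == "__main__":
    first = analyse_survey("erp-prod", {"Q1": "N", "Q2": "P", "Q3": "Y"})
    print(first)
    # Re-running the survey later updates the same risk rather than creating a second one.
    print(analyse_survey("erp-prod", {"Q1": "Y", "Q2": "N", "Q3": "N"}, existing=first))
```

Rejecting an answer code that is not in the question's closed list matters: a self-assessment form that silently accepts free text or an unknown code would let a respondent bypass the mapping and produce a risk with no vulnerabilities attached.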


Process automation and consistency
