ICM Risk Management App[edit]


= ICM Risk Management App =

== Overview ==

The Icertis (ICM) platform introduces the Risk Management application to make it easier for professionals to carry out their tasks related to Risk Management such as assessment, due diligence, remediation, monitoring and reassessment. Risk Management is the process of identifying the potential risk, assessing the magnitude of the risk based on business objectives and devising strategies to mitigate them and tracking the performance until they are completely mitigated.&nbsp;<br/> It enables secure communication with different parties involved in the process of Risk Management that is more effective than the traditional ways of communication such as email. Its user-friendly interface makes it possible for anyone in the enterprise, from the risk management personnel to the supply analytics team, to be able to use the platform with ease.&nbsp;<br/> ICM Risk Management consists of:&nbsp;

*Risk assessment (with survey) 
*Auto instantiation of risk area 
*Configurable contract types risk assessment and risk area with its workflow based on risk management process 
*Masterdata that captures risk library, risk taxonomy and risk score matrix to effectively govern the risk management process 

screen 1

ICM Risk Management application is based on the ICM platform that supports the following business scenarios:

*Contractual Risk Management 
*Counter Party Risk Management (for example managing risks relevant to suppliers or vendors) 
*Business Operations Level Risk Management 

== The Prerequisites ==

The user must have:&nbsp;

*Completed ICM Product Training 
*Risk Management App must be enabled on customer environment  

== Configuration setup overview ==

ICM offers the ability to determine the application type (Contracting, Sourcing, Obligation Management and Risk Management application) when creating a contract type. This is possible with the inclusion of two new choice type attributes, Business Application Type and Business Application Category at the contract type level. This feature helps effortlessly drive business applications on ICM platform.<br/> These attributes are enabled through technical configuration and &nbsp;applicable for agreements and associated document contract types. The access privileges for business applications (such as Risk Management) are managed through security groups.&nbsp;<br/> screen2

The Risk Management Application provides some seeded entities that are necessary for the flow of the Risk Management. Some of the entities are:&nbsp;

*Masterdata:&nbsp; 
**Risk Taxonomy 
**Risk Remediation 
**Risk Area Master 
**Likelihood Rating 
**Likelihood & Consequence Rating 
**Risk Score Matrix   
*Contract types: 
**Risk Assessment as agreement contract type with business application type as risk management and business application category as risk assessment defined at contract type level 
**Risk Area as associated document contract type with business application type as risk management and business application category as risk area defined at contract type level   
*Rules: 
**Instantiate the risk areas after completing the risk assessment 
**Copy attribute values from risk assessment to the risk area 
**Add risk area owner to the team 
**Add Approver 
**Add Team members 
**Select the Template   
*Notifications for events: 
**Risk area is created 
**Risk area due diligence is initiated 
**Risk area remediation is initiated 
**Risk area monitoring is initiated 
**Risk area is deactivated   

Please refer to the Risk Management Configuration guide for details.<br/> &nbsp;

== Setting up masterdata values ==

Risk Management Application provides some seeded masterdata that are necessary for the flow of the Risk Management. Users can create masterdata instances with desired values.<br/> To create masterdata instance:

#'''Click '''''Configuration ''> ''Masterdata ''> ''Create Masterdata ''on the ''Home ''page. The ''Create Masterdata ''page opens. 

Screen 3
<ol start="2">
<li>'''Select '''the ''Masterdata Contract Type''. For example, ''Risk Area Master''.</li>
</ol>

Screen 4
<ol start="3">
<li>'''Click '''''Next''. The ''Attributes ''page opens.</li>
<li>'''Enter '''or '''select '''the details in the fields.</li>
<li>'''Click '''''Save''. The masterdata instance is created.</li>
</ol>

screen 5

Similarly, setup masterdata for ''Risk Taxonomy, Risk Remediation action, Risk Area, Likelihood Rating, Likelihood & Consequence Rating and Risk Score Matrix Masters''.

== Working with Risk Assessment ==

The Icertis Risk Management app enables users to manage risks by creating risk assessment. Risk Assessment deals with the process of identifying and evaluating the magnitude of potential risk areas. For example, buyers can use the ICM Risk Management application that allows configuring a questionnaire to perform supplier risk assessment. The risk areas can be identified based on the responses received for the questionnaire as the outcome of the risk assessment process.<br/> Risk assessment workflow performed by risk assessment owners typically involves the following:

*Initiating Risk Assessment: The risk assessment owners can instantiate the risk assessment workflow to identify the risks. For example, the risk assessment can be a questionnaire where the users respond to the questions by submitting the risk assessment. This initiates the risk assessment in Draft state. 
*Risk Assessment approval: Based on the complexity of risk assessment, ICM administrators can configure the rules to add approvers to the assessment team. If there are approvers added to the assessment team, the risk assessment is sent to the approvers for approval. The risk assessment is approved automatically if no approvers are added to the assessment team. 
*Risk Assessment Complete: The status of the risk assessment changes to Assessment Complete when the risk assessment is approved. The risk area can be identified and auto instantiated based on the configured rules. 

<br/> Here is the Risk Assessment workflow at a glance:

image 6

== Creating a Risk Assessment ==

#'''Click '''the ''Risk Management'' tile on the ''Home ''page. The drop-down opens with options: 
<ul style="margin-left: 40px;">
<li>''Risk Assessment''</li>
<li>''Create Risk Assessment''</li>
</ul>

screen 7

#'''Click '''''Create Risk Assessment''. The ''Attributes ''page for ''Create Risk Assessment ''opens. The ''Attributes ''page includes questions to capture the responses based on which the risk areas can be generated. These questions are non-seeded attributes and users can add them to the ''Risk Assessment'' contract type as per their business needs. 

The sections on the attributes page can be:
<ul style="margin-left: 40px;">
<li>''Identification''</li>
<li>''Risk Assessment Timeline''</li>
<li>''Supplier Perspective''</li>
<li>''Risk Assessment and Treatment''</li>
<li>''Security Policy''</li>
<li>''Organization Security''</li>
<li>''Asset and Information''</li>
<li>''Human Resource Security''</li>
<li>''Physical and Environmental''</li>
<li>''Ops Management''</li>
<li>''Access Control''</li>
<li>''Application Security''</li>
<li>''Incident Management''</li>
<li>''Business Resilience''</li>
<li>''Compliance''</li>
</ul>
<ol start="3">
<li>'''Enter '''the details in fields in the ''Identification ''section:</li>
</ol>
<ul style="margin-left: 40px;">
<li>''Risk Assessment Name'': Enter the risk assessment name. To make it easier for the users of your organization to find the risk assessment, the name should include some basic information about the risk assessment. For example, purpose of the risk assessment. For example, enter a name as Risk_Assessment_May2020.</li>
<li>''Risk Assessment Description:'' Enter the description of the risk assessment you are creating. This should include information that will help in finding the risk assessment based on the information you entered. For example, this is created to assess the probable risks due to the COVID-19 pandemic.&nbsp;</li>
<li>''Risk Assessment Entity: ''Select the entity for which you are creating the risk assessment. This includes entities which might be at risk. For example, select Business Operations.</li>
</ul>

&nbsp;screen 8
<ol start="4">
<li>'''Enter '''the details in fields in the ''Risk Assessment Timeline section''.</li>
</ol>
<ul style="margin-left: 40px;">
<li>''Assessment Start Date: ''Select the start date of the assessment. This is the date from which you want to assess the probable risks to business due to specific reasons. For example May 31, 2020.</li>
<li>''Assessment End Date: ''Select the end date of the assessment. This is the date till which the probable risks to business will be assessed. For example, June 1, 2020.</li>
</ul>

screen 9
<ol start="5">
<li>'''Enter '''the details in fields in all the sections on the ''Attributes ''page.</li>
<li>'''Click '''''Next''. The ''Verify ''page opens.</li>
</ol>

Note: The template to create the risk assessment is seeded and selected through the configured ''Template Selection'' rule.
<ol start="7">
<li>'''Click '''''Create''. The risk assessment is created in ''Draft ''state.&nbsp;</li>
</ol>

&nbsp;screen 10

Once created, users can ''Edit, Delete, Cancel ''or ''Submit ''the ''Risk Assessment''.&nbsp;

=== Searching and viewing the Risk Assessment ===

#'''Click '''the ''Risk Management ''> ''Risk Assessment ''on the ''Home ''page. 

screen 11

The saved search result page opens with all ''Risk Assessment ''records.

screen 12
<ol start="2">
<li>'''Click '''the ''View Record ''icon next to the ''Risk Assessment ''record you want to open. For example, ''Risk_Assessment_May2020''. The ''Risk Assessment Details ''page opens.</li>
</ol>

screen 13

=== Editing the Risk Assessment ===
<ol start="3">
<li>'''Click '''Edit on the Risk Assessment Details page. The Edit Agreement page opens.</li>
</ol>

screen 14
<ol start="4">
<li>'''Make '''the required changes and click Next. The Verify page opens.</li>
<li>'''Verify '''the details and click Update. The risk assessment is updated and remains in Draft state.</li>
</ol>

=== Canceling the Risk Assessment ===
<ol start="6">
<li>'''Click '''Cancel on the Risk Assessment Details page.</li>
</ol>

screen 15

The confirmation window opens.

screen 16
<ol start="7">
<li>'''Click '''Yes. The Add Note window opens.</li>
</ol>

screen 17
<ol start="8">
<li>'''Add '''note text and select the Reason Code.</li>
<li>'''Click '''Add. The Risk Assessment status changes to Cancelled.</li>
</ol>

screen 18

=== Deleting the Risk Assessment ===
<ol start="10">
<li>'''Click '''Delete on the Risk Assessment Details page. The risk assessment will be deleted.</li>
</ol>

screen 19

=== Submitting the Risk Assessment ===
<ol start="11">
<li>'''Click '''Submit on the Risk Assessment Details page. The risk assessment is sent for approval and its status changes to Waiting for Approval.&nbsp;</li>
</ol>

screen 20

Approvers can Approve or Reject the Risk Assessment from the risk assessment Details page.&nbsp;

'''To reject:'''
<ol start="12">
<li>'''Click '''Reject. The Add note window opens.</li>
</ol>

screen 21
<ol start="13">
<li>'''Add '''note text and select the Reason Code.</li>
<li>'''Click '''Add. The Risk Assessment goes back to Draft state.</li>
</ol>

'''To approve:'''
<ol start="15">
<li>'''Click '''Approve. The Add Note window opens.&nbsp;</li>
<li>'''Add '''note text and select the Reason Code.</li>
<li>'''Click '''Add. The Risk Assessment state changes to Assessment Complete.</li>
</ol>

If there are no Approvers added to the Risk Assessment Team, the record will be approved directly and move to the Assessment Complete state.<br/> &nbsp;

screen 22

Note: The Assessment Complete state is the final state for Risk Assessment, and users cannot take further actions.

=== Auditing Risk Assessment ===

Changes made to the Risk Assessment record during various ICM risk management workflows are captured and can be viewed under History tab. For example, changes in Risk_Assessment_May2020 throughout its lifecycle are captured.

screen 23

&nbsp;

== Working with Risk Area ==

Managing Risk Area includes:&nbsp;

*Ensuring the validity of the identified risk area 
*Devising strategies to mitigate risks 
*Tracking the performance until risks are completely mitigated 

The risk area can be generated automatically by seeded rules based on the risk assessment responses. Users can also add the risk area manually to the risk assessment.

=== <br/> Creating Risk Area automatically using rules ===

=== Creating Risk Area manually ===

To create a risk area for risk assessment:&nbsp;

#'''Click '''Risk Management > Risk Assessment on the Home page. The search results page with all risk assessment records opens. 
#'''Click '''the View Record icon next to the Risk Assessment for which you want to create Risk Area. The Risk Assessment Details page opens. 
#'''Click '''Create Association action icon (plus sign) next to Risk Area under the Associations. The Create Association for Risk Area page opens. 

screen 1

The Create Association Risk Area page has sections:

*Reference Risk Assessment 
*Risk Area Details&nbsp; 
*Inherent Risk Rating&nbsp; 
*Risk Remediation Plan&nbsp; 
*Residual Risk Rating&nbsp; 
<ol start="4">
<li>'''Select '''or enter the details in the attributes in all the sections. The attributes can be mandatory, lookup type, cascading, conditional, multi-select and so on.</li>
</ol>

'''Reference Risk Assessment'''

This section contains the attributes:

*Risk Assessment Name: This field is populated automatically based on the information entered when creating the risk assessment.&nbsp; 
*Risk Assessment Description: This field is populated automatically based on the information entered when creating the risk assessment.&nbsp; 

screen 2

'''Risk Area Details&nbsp;'''

This section contains the attributes:&nbsp;

*Risk Area Instance ID: This is generated automatically after the risk area is created. 
*Risk Area Name: Select the risk area name from the drop-down list. This populates the information for the following attributes.&nbsp; 
**Risk Area Master ID&nbsp; 
**Short Description 
**Category 
**Sub Category   
*Origin: Enter the description that contains information about the probable source of risk area.&nbsp; 
*Effect: Enter the description about the probable effects of the risks foreseen based on the risk assessment created. 
*Risk Area Owner: Select the user from the risk assessment team as the risk area owner who can validate whether the created risk is valid and the probable level of risk.&nbsp; 
*Additional Risk Area Owners: You can add additional risk area owners to whom the risk assessment task can be delegated as required. 

screen 3

Note: The values in the risk area details section can be auto-populated from Risk Area Master. The Risk Owner can be added to the risk area through configured rules.

'''Inherent Risk Rating&nbsp;'''

Inherent risk rating is the risk rating applicable to the risk when it was determined for the first time.<br/> This section contains the attributes:

*Inherent Risk Trigger Date: Select the date and time on which the inherent risk record is created. 
*Inherent Likelihood Rating: This comprises of the level of impact of the probable risk. Select the appropriate level from this list.&nbsp; 
*Inherent Consequence Rating: This comprises of the effects of the foreseen risks happening in reality.&nbsp; 
*Inherent Risk Level: This comprises of the risk posed by the errors made by factors other than a failure of internal control. Select the level of inherent risks based on the risk assessment created. 
*Inherent Risk score: This comprises the amount of impact a foreseen risk might have on the business operations and so on. 

Note: The Inherent risk level and score is determined from the values in inherent likelihood rating and consequences rating and can be entered manually or by configuring rules.

*Comments: This includes any additional information that you might want to provide regarding the risk assessment created. 

screen 4

'''Risk Remediation Plan&nbsp;'''

This section includes the informaton related to the remediation stategies and actions that can be taken to mitigate the risk areas.<br/> This section contains the attributes:&nbsp;

*Remediation Action: Enter the remediation action that is planned to be taken to minimize the probable risks.&nbsp; 
*Control Effectiveness: Select the level from the drop-down list that defines the level of effectiveness of measures that will be applied to minimize the risks. 
*Remediation Action Details: Enter the remediation action details that describe the remediation actions that will be taken to minimize the risk.&nbsp; 

&nbsp;screen 5

'''Residual Risk Rating'''<br/> This section includes the information related to the residual risk left after the remediation actions are taken.<br/> This section contains the attributes:

*Residual Risk Update Date: This date is populated automatically based on the remaining risk after the mitigation actions are implemented.&nbsp; 
*Residual Likelihood Rating: This indicates the score that depicts the likelihood of the remaining risk.&nbsp; 
*Residual Consequence Rating: This indicates the level of consequences of the remaining risks happening after the mitigations actions are implemented. 
*Residual Risk Level: This indicates the level of remaining risk after the mitigation actions are implemented.&nbsp; 
*Residual Risk Score: It is the score that depicts the remaining risk after the mitigation actions are implemented.&nbsp; 

screen 6

*File Path: Select and upload any document that provides more information about the risk assessment.&nbsp; 
*Business Status: Select the business status of the risk area that you are creating. For example, Assessment.&nbsp; 

screen 7
<ol start="5">
<li>'''Click '''Create. The Risk Area is created in Assessment state.&nbsp;</li>
</ol>

screen 8

=== Searching Risk Area records ===

Risk Area records can be searched from:

*Associations index page 
*Risk Assessments search result page 

To search risk area from association index page:

#'''Click '''Associations Management > Associations on the Home page. The Associations index page opens. 
#'''Filter '''the records for Risk Area entity using Categories facet search. All available Risk Area records are displayed. 

&nbsp;screen 9

To search risk area from Risk Assessments search result page:

#'''Click '''Risk Management > Risk Assessment on the Home page. The search page with all risk assessment records opens. 
#'''Select '''Risk Area in the Please select Entities to search field. 
#'''Click '''search icon. All available Risk Area records are displayed. 

screen 10

=== Taking actions on the Risk Area ===

The Risk owner can be added to the risk area through configured rules. Risk owner then can take certain actions from the risk area Details page when the risk area is in Assessment state. &nbsp;<br/> The actions can be:

*Initiate Due Diligence - action taken to capture more information related to the risk and validate the identified risk area.&nbsp; 
*Remediate - action taken to mitigate the valid risk 
*Deactivate - action taken for risks identified as invalid. Users can not take further &nbsp;actions once the risk area is deactivated. 
*Monitor - action taken to track the performance based on remediation actions until risks are completely mitigated 

Users can repeat the workflow Due Diligence – Remediate – Monitor until the risk is completely mitigated.<br/> Users can also automate the workflows to initiate due diligence, remediate and monitor risk areas by configuring rules.<br/> &nbsp;

==== Editing Risk Area ====

#'''Click '''Risk Management > Risk Assessments on the Home page. The list of all available risk assessments opens. 
#'''Click '''View Record icon next to the Risk Assessment you want to opens. The Risk Assessment Details page opens. 
#'''Click '''Risk Area tab in the left navigation. The risk area grid opens. 
#'''Click '''View Record icon next to the risk area you want to open. The risk area Details page opens. 
#'''Click '''Edit. The Edit Associated Document for Risk Area page opens. 

screen 11
<ol start="6">
<li>'''Make '''the required changes and click Update. The Risk Area is updated and the Risk Area Details page opens again.</li>
</ol>

==== Initiating Due Diligence ====

'''Click '''Initiate Due Diligence. The Risk Area Details page opens again.&nbsp;

screen 12

The status of the risk area changes to Due Diligence.

screen 13

==== Remediating the risk area ====

'''Click '''Remediate on the risk area Details page. The Risk Area Details page opens again.&nbsp;

screen 14

The status of the risk area changes to Remediation.

screen 15

==== Monitoring the risk area ====

Users can monitor the risk areas based on the remediation actions taken to check whether the risks are reduced.&nbsp;<br/> To monitor a risk area:&nbsp;<br/> Click Monitor on the risk area Details page. The Risk Area Details page opens.&nbsp;

screen 16

The status of the risk area changes to Monitoring.

screen 17

==== Reassessing the risk area ====

Users can repeat the actions taken on the risk areas until the risks are completely mitigated.

#'''Click '''Initiate Due Diligence or Remediate on the risk area Details page for the risk area in the Monitoring state. For example, select Initiate Due Diligence. The Association Initiate Due Diligence note window opens to add a note. 
#'''Add '''a note text and select a Reason code. 

screen 18
<ol start="3">
<li>'''Click '''Add. The status of the risk area changes back to Due Diligence.</li>
</ol>

screen 19

==== Deactivating the risk area ====

Risk owners can deactivate the invalid risk area. Once deactivated, no further actions are allowed on the risk area.

#'''Click '''Deactivate on the risk area Details page. The Association Deactivate note window opens to add a note. 

screen 20
<ol start="2">
<li>'''Add '''a note text and select a Reason code.</li>
<li>'''Click '''Add. The status of the risk area changes to Deactivated.</li>
</ol>

screen 21

==== Auditing Risk Area ====

Changes made to the Risk Area record during various ICM risk management workflows are captured and can be viewed under History tab. The History tab for Risk Area has All, Draft, Approval and Post-Approval tabs. For example, changes in ICMRiskArea_372 throughout its lifecycle are captured.

screen 22

==== Automation of Risk Area workflow ====

The Risk Area action workflows can also be managed automatically by configuring rules. Users can set the value in the script type attribute Target ICM to move the Risk Area workflow automatically from Assessment state to Due Diligence, Remediation or Monitoring state.

== Creating and managing tasks for Risk workflow ==

Users can create remediation tasks for managing risks using commitments, obligations or any third party system. ICM Risk management app currently supports managing Risk Assessments using ICM Commitment functionaity.<br/> To create a task using commitment:

#'''Click '''the Risk Management > Risk Assessment on the Home page. The saved search result page opens with all Risk Assessment records. 
#'''Click '''the View Record icon next to the Risk Assessment record you want to open. For example, Risk_Assessment_May2020. The Risk Assessment Details page opens. 
#'''Click '''the Commitments tab in the left navigation. The existing commitments are displayed if any. 
#'''Click '''Select Action (3 dots) icon next to the Commitment text. The actions available for the selected commitment will be displayed in the drop-down. 
#'''Edit '''or '''delete '''the existing Commitment using the Edit Commitment or Delete Commitment options. 
#'''Click '''Add Commitment action icon. The Add Commitment window opens.&nbsp; 

screen 1
<ol start="7">
<li>'''Enter '''the details for the commitment.</li>
</ol>

screen 2
<ol start="8">
<li>'''Click '''Add Commitment. The commitment is created and added to the risk assessment.</li>
</ol>

screen 3

To view and take action on the commitment tasks:
<ol start="9">
<li>'''Click '''the icon Take action on commitment. The Add Action window opens.</li>
<li>'''Add '''the action details.</li>
<li>'''Click '''Save. The Commitment status is updated according to the action taken.</li>
</ol>

screen 4

== Accessing the Risk Area actions Notifications&nbsp; ==

The ICM Risk Management app sends the notifications when certain actions are taken on the Risk Area. These notifications are seeded.<br/> The notifications are sent when events occurs:

*Risk area is created 
*Risk area due diligence is initiated 
*Risk area remediation is initiated 
*Risk area monitoring is initiated 
*Risk area is deactivated 

The recipients can access the notifications from Notification Dashboard:

#'''Click '''Notifications tab on the Home page. The Notifications Dashboard opens. 
#'''Click '''Risk Management Notifications. The list of notification events opens. 
#'''Expand '''the notification event. The notifications belonging to the selected event are displayed.&nbsp; 
#'''Select '''the Notification you want to view. The selected Notification opens in the right pane. 

screen 5

&nbsp;

&nbsp;

&nbsp;