From ICIHelp8.2
Revision as of 05:06, 16 September 2020 by WikiSysop (Talk | contribs)


ICI Risk Management App

Overview

The Icertis Contract Intelligence (ICI) platform introduces the Risk Management Application to make it easier for professionals to carry out risk management tasks such as assessment, due diligence, remediation, monitoring and reassessment. Risk management is the process of identifying potential risks, assessing their magnitude based on the business objectives, devising strategies to eliminate them and tracking performance until they are completely mitigated.

The platform’s modern, scalable and integration-friendly cloud architecture can model even the most complex risk management scenarios. The App uses ICI’s access control functionalities so that only authorized users can access the App entities and data. The user-friendly interface lets anyone in the enterprise who has access use the platform with ease.

Icertis uses a standard framework of discovery, assessment, remediation, monitoring and optimization to manage enterprise risk.

The Risk Management process has the following stages:

1. Configure and Setup: 

  • Configure objects for risk assessment and the risk area (with its workflow). 
  • Configure the masterdata that captures risk area, risk taxonomy and risk score matrix to effectively govern the risk management process. 

2. Discover: 

  • The rules engine can be used to discover potential risk areas, along with their risk scores and risk levels, based on responses to risk assessment questions.

3. Assess: 

  • Check whether the identified risk areas are valid. If valid, check whether any further information is needed as part of due diligence.
  • Prioritize risks based on the risk category prioritization and risk tolerance.

4. Remediation: 

  • Create tasks to mitigate risks based on risk area, and its risk score and risk level.

5. Monitor and Optimize: 

  • Track the performance of risk and measure risk remediation effectiveness. 
  • Track residual risk against the inherent risk to continuously monitor and optimize performance by devising other remediation strategies.
     

ICI Risk Management supports the following risk management business scenarios:  

  • Business Operations Risk: For example, the impact of a pandemic on the business operations of an organization.
  • Contractual Risk: For example, managing risks that arise from non-standard agreement terms, clauses, and so on. 
  • Counter-Party Risk: For example, managing risks relevant to suppliers and vendors.

The Prerequisites

Before using the app:

  • The user must have completed ICI Product Training.
  • The Risk Management App must be enabled on the customer environment.

Configuration setup overview

ICI offers the ability to determine the application type (Contracting, Sourcing, Obligation Management and Risk Management application) when creating a contract type. This is possible with the inclusion of two new choice type attributes, Business Application Type and Business Application Category, at the contract type level. This feature helps effortlessly drive business applications on the ICI platform.
These attributes are enabled through technical configuration and are applicable for agreements and associated document contract types. The access privileges for business applications (such as Risk Management) are managed through security groups.
 

Seeded Configuration and setup

The ICI Risk Management application provides some seeded entities, attributes, workflows, rules and notifications that are necessary for the risk management flow. Some of the entities are:

  • Masterdata: 
    • Risk Taxonomy
    • Risk Remediation
    • Risk Area Master
    • Likelihood Rating
    • Risk Score Matrix
  • Contract types:
    • Risk Assessment: as agreement contract type with Business Application Type as Risk Management and Business Application Category as Risk Assessment defined at contract type level.
    • Risk Area: as associated document contract type with Business Application Type as Risk Management and Business Application Category as Risk Area defined at contract type level.
  • Rules:
    • Instantiate the risk areas after completing the risk assessment
    • Copy attribute values from risk assessment to the risk area
    • Add Team members to the risk area
  • Notifications for events:
    • Risk area is created
    • Risk area due diligence is initiated
    • Risk area remediation is initiated
    • Risk area monitoring is initiated
    • Risk area is deactivated

Refer to the Risk Management Configuration guide for details.
 

Prerequisite set-up 

The ICI Risk Management application provides some seeded masterdata that are necessary for the flow of the risk management. Users can create masterdata instances with desired values.
To create a masterdata instance:

1. Click Configuration > Masterdata > Create Masterdata on the Home page. The Create Masterdata page opens.


2. Select the Masterdata Contract Type. For example, Risk Area Master.


3. Click Next. The Attributes page opens.

4. Enter or select the details in the fields. For example, enter Risk Area Name as Anti-Bribery Corruption. 

5. Click Save. The masterdata instance is created.


Similarly, set up masterdata for Risk Taxonomy, Risk Remediation action, Likelihood Rating and Risk Score Matrix Masters.

Working with Risk Assessment

The ICI Risk Management application enables users to manage risks by creating risk assessments. Risk Assessment deals with the process of identifying and evaluating the magnitude of potential risk areas. For example, buyers can use the ICI Risk Management application to configure a questionnaire to perform supplier risk assessment. The risk areas can be identified based on the responses received for the questionnaire as the outcome of the risk assessment process.
Risk assessment workflow performed by risk assessment owners typically involves the following:

  • Initiating Risk Assessment: The risk assessment owners can initiate the risk assessment workflow to identify the risks. For example, the risk assessment can be a questionnaire where the users respond to the questions by submitting it. This initiates the risk assessment in Draft state.
  • Approving Risk Assessment: Based on the complexity of risk assessment, ICI administrators can configure the rules to add approvers to the assessment team. If there are approvers added to the team, the risk assessment is sent to the approvers for approval. The risk assessment is approved automatically if no approvers are added to the team.
  • Completing Risk Assessment: The status of the risk assessment changes to Assessment Complete when the risk assessment is approved. The risk area can be identified and auto-instantiated based on the configured rules.


Here is the Risk Assessment workflow at a glance:

7.12-RiskManagementWorkflow.png

Creating a Risk Assessment

1. Click the Risk Management tile on the Home page. The drop-down opens with options:

  • Risk Assessment
  • Create Risk Assessment
 

2. Click Create Risk Assessment. The Attributes page for Create Risk Assessment opens. The Attributes page includes questions to capture the responses based on which the risk areas can be generated. These questions are non-seeded attributes, and users can configure them on the Risk Assessment contract type as per their business needs.

The Attributes page has the following seeded sections:

  • Identification
  • Risk Assessment Timeline

3. Enter the details in fields in the Identification section:

  • Risk Assessment Name
  • Risk Assessment Description 
  • Risk Assessment Entity: The context for which the risk assessment is being created. For example, Business Operations, Contractual or Counter Party.

4. Enter the details in fields in the Risk Assessment Timeline section.

  • Assessment Start Date: The date that you start the risk assessment of entity. For example, May 31, 2020.
  • Assessment End Date: The date by which risk assessment of entity should be completed. The assessment end date should be later than the start date; otherwise, a validation message is displayed.

5. Enter the details in fields in all the sections on the Attributes page.

6. Click Next. The Verify page opens.

7. Verify the details and click Create. The risk assessment is created in Draft state. 

Once created, users can Edit, Delete, Cancel or Submit the Risk Assessment.

Searching and viewing the Risk Assessment

1. Click Risk Management > Risk Assessment on the Home page.

The saved search result page opens with all Risk Assessment records. Users can refine the search result by applying filters, options and keywords.
 

2. Click the View Record icon next to the Risk Assessment record you want to open. For example, Risk_Assessment_May2020. The Risk Assessment Details page opens.

 

 

Editing the Risk Assessment

1. Click Edit on the Risk Assessment Details page. The Edit Agreement page opens.

 
2. Make the required changes and click Next. The Verify page opens. 

3. Verify the details and click Update. The risk assessment is updated and remains in Draft state.


 

Canceling the Risk Assessment

1. Click Cancel on the Risk Assessment Details page.

The confirmation window opens.


2. Click Yes. The Add Note window opens.


3. Add note text and select the Reason Code.

4. Click Add. The Risk Assessment status changes to Cancelled.


 

Deleting the Risk Assessment

1. Click Delete on the Risk Assessment Details page. 

 
The Add Note window opens. 
 

2. Add note text and select the Reason Code.

3. Click Add. The risk assessment is deleted and the agreement index page opens.

 

Submitting the Risk Assessment

Click Submit on the Risk Assessment Details page. The risk assessment is sent for approval and its status changes to Waiting for Approval.

Approvers can Approve or Reject the Risk Assessment from the risk assessment Details page. 

Rejecting the risk assessment

To reject:

1. Click Reject.

2. Add note text and select the Reason Code.


3. Click Add. The Risk Assessment is rejected and goes back to Draft state.

Approving the risk assessment

To approve:

1. Click Approve. The Add Note window opens. 


2. Add note text.


3. Click Add. The Risk Assessment state changes to Assessment Complete.

If there are no Approvers added to the Risk Assessment Team, the record will be approved directly and move to the Assessment Complete state.



 

Note: The Assessment Complete state is the final state for Risk Assessment, and users cannot take further actions.
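The Risk Assessment workflow described above (Draft, Waiting for Approval, Assessment Complete, Cancelled) can be modeled as a small state machine; the helper at the end lists records that reached Assessment Complete without an Approve event, which is what happens when no approvers are on the team. This is an added Python example, not ICI code: the class, function and user names are hypothetical. It assumes that Cancel is available only in Draft and that note text and reason codes are mandatory wherever the steps ask for them.

```python
from dataclasses import dataclass, field

# States named on this page for a Risk Assessment record.
DRAFT, WAITING = "Draft", "Waiting for Approval"
COMPLETE, CANCELLED = "Assessment Complete", "Cancelled"


class WorkflowError(Exception):
    """Action not permitted for this actor or in the current state."""


@dataclass
class RiskAssessment:  # hypothetical model, not an ICI class
    name: str
    approvers: set = field(default_factory=set)
    status: str = DRAFT
    history: list = field(default_factory=list)  # stands in for the History tab

    def _apply(self, action, actor, allowed_from, target, note="", reason=""):
        if self.status not in allowed_from:
            raise WorkflowError(f"{action} is not allowed in state {self.status!r}")
        self.history.append({"action": action, "actor": actor, "from": self.status,
                             "to": target, "note": note, "reason": reason})
        self.status = target

    @staticmethod
    def _require(**fields):
        # Assumption: note text and reason code are mandatory where the steps ask for them.
        missing = [k for k, v in fields.items() if not (v or "").strip()]
        if missing:
            raise WorkflowError("missing " + ", ".join(missing))

    def _require_approver(self, actor):
        if actor not in self.approvers:
            raise WorkflowError(f"{actor} is not an approver on the team")

    def submit(self, actor):
        # With approvers on the team the record waits for approval;
        # with none it is approved directly and becomes Assessment Complete.
        target = WAITING if self.approvers else COMPLETE
        self._apply("Submit", actor, {DRAFT}, target)

    def approve(self, actor, note):
        self._require_approver(actor)
        self._require(note=note)
        self._apply("Approve", actor, {WAITING}, COMPLETE, note)

    def reject(self, actor, note, reason):
        self._require_approver(actor)
        self._require(note=note, reason=reason)
        self._apply("Reject", actor, {WAITING}, DRAFT, note, reason)  # back to Draft

    def cancel(self, actor, note, reason):
        # Assumption: Cancel is offered only while the record is in Draft.
        self._require(note=note, reason=reason)
        self._apply("Cancel", actor, {DRAFT}, CANCELLED, note, reason)


def completed_without_approver(assessments):
    """Names of records that are Assessment Complete with no Approve event in history."""
    return [a.name for a in assessments
            if a.status == COMPLETE
            and not any(h["action"] == "Approve" for h in a.history)]


def demo():
    # Constructed sample data: user names and the second record are made up.
    reviewed = RiskAssessment("Risk_Assessment_May2020", approvers={"approver1"})
    reviewed.submit("owner1")
    reviewed.reject("approver1", "Responses incomplete", "Incomplete")
    reviewed.submit("owner1")
    reviewed.approve("approver1", "Reviewed")
    direct = RiskAssessment("Constructed_No_Approver")
    direct.submit("owner1")  # no approvers: goes straight to Assessment Complete
    return reviewed, direct


if __name__ == "__main__":
    reviewed, direct = demo()
    for h in reviewed.history:
        print(h["action"], h["from"], "->", h["to"])
    print("Completed without an approver:", completed_without_approver([reviewed, direct]))
```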

 

Auditing Risk Assessment

Changes made to the Risk Assessment record during various ICI risk management workflows are captured and can be viewed under the History tab. For example, changes in Risk_Assessment_May2020 throughout its lifecycle are captured.

Click Show All Changes to view the details of the particular event of the risk assessment instance.

 

 

Working with Risk Area

Managing Risk Area includes: 

  • Ensuring the validity of the identified risk area
  • Devising strategies to mitigate risks
  • Tracking the performance until risks are completely mitigated

The risk area can be generated automatically by seeded rules based on the risk assessment responses. Users can also add the risk area manually to the risk assessment.


Creating Risk Area automatically using rules

The ICI Risk Management application provides a set of rules to generate Risk Areas automatically based on the responses gathered from the risk assessment. Refer to the ICI Risk Management Configuration Guide for details on rules used in the ICI Risk Management application.

The workflow for generating risk areas automatically is as follows:

1. A recommended rule Identify Risk Areas on the event Risk Assessment Created identifies applicable risk areas based on the specific attribute values from the Risk Assessment record.

For example, the sample Identify Risk Areas rule uses the attribute Risk Assessment Description: when this attribute has the response Assessment for Supplier, the Applicable Risk Area is identified and set as Anti Bribery & Corruption.
 
2. Once the Risk Areas are identified, the seeded rule Auto instantiate applicable risk area generates those identified risk areas.
3. Another seeded rule Copy attribute values then copies values specified in the rule from Risk Assessment record to the Risk Areas.
For example, when the Risk_Assessment_May2020 is approved, the risk area is automatically created as Anti Bribery & Corruption.
 

Creating Risk Area manually 

To create a risk area for risk assessment: 

1. Click Risk Management > Risk Assessment on the Home page. The search results page with all risk assessment records opens.

2. Click the View Record icon next to the Risk Assessment for which you want to create Risk Area. The Risk Assessment Details page opens.

3. Click the Create Association action icon (plus sign) next to Risk Area under Associations. The Create Association for Risk Area page opens.

The Create Association for Risk Area page has the following sections:

  • Reference Risk Assessment
  • Risk Area Details 
  • Inherent Risk Rating 
  • Risk Remediation Plan 
  • Residual Risk Rating 

4. Select or enter the details in the attributes in all the sections. The attributes can be mandatory, lookup type, cascading, conditional, multi-select and so on.

Reference Risk Assessment

This section contains the attributes:

  • Risk Assessment Name: This field is populated automatically based on the information entered when creating the risk assessment. 
  • Risk Assessment Description: This field is populated automatically based on the information entered when creating the risk assessment. 

Risk Area Details 

This section contains the attributes: 

  • Risk Area Instance ID: This is generated automatically after the risk area is created.
  • Risk Area Name: Select the risk area name from the drop-down list. This populates the information for the following attributes from the masterdata. 
    • Risk Area Master ID 
    • Short Description
    • Category
    • Sub Category
    • Risk Area Owner
  • Origin: Enter the description that contains information about the probable source of risk area. 
  • Effect: Enter the description about the probable effects of the risks foreseen based on the risk assessment created.
  • Additional Risk Area Owners: If risk area owner is not available in master, then user can add additional risk area owners. 
     

Risk Area owners are Subject Matter Experts who can look into a risk area end to end: validating the risk, planning risk remediation, and monitoring the progress and performance of risk remediation actions.

 

Note: Certain values in the Risk Area Details section can be auto-populated from the Risk Area Master. The Risk Owner and Additional Risk Area Owners can be added to the risk area team through configured rules.

 

Inherent Risk Rating 

Inherent risk rating is the risk rating applicable to the risk when it was determined for the first time.
This section contains the attributes:

  • Inherent Risk Trigger Date: The date and time on which the inherent risk record is created.
  • Inherent Likelihood Rating: The probability of occurrence of risk.
  • Inherent Consequence Rating: The impact or consequence of risk occurrence. 
  • Inherent Risk Level: Qualitative scoring based on likelihood of risk occurrence and consequence if risk occurred.
  • Inherent Risk Score: Quantitative scoring based on likelihood of risk occurrence and consequence if risk occurred.
    Note: The inherent risk level and score are determined from the values in inherent likelihood rating and consequence rating and can be entered manually or by configuring rules.
  • Comments: This includes any additional information that you might want to provide regarding the risk assessment created.

Risk Remediation Plan 

This section includes the information related to the remediation strategies and actions that can be taken to mitigate the risk areas.
This section contains the attributes: 

  • Remediation Action: Enter the remediation action that is planned to be taken to minimize the probable risks. 
  • Control Effectiveness: Select the level from the drop-down list that defines the level of effectiveness of measures that will be applied to minimize the risks.
  • Remediation Action Details: Enter the remediation action details that describe the remediation actions that will be taken to minimize the risk. 

Residual Risk Rating
This section includes the information related to the residual risk left after the remediation actions are taken.
This section contains the attributes:

  • Residual Risk Update Date: The date on which the residual risk record is updated.
  • Residual Likelihood Rating: This indicates the likelihood of occurrence of the remaining risk. 
  • Residual Consequence Rating: This indicates the impact of the remaining risks occurring after the mitigation actions are implemented.
  • Residual Risk Level: Qualitative scoring based on likelihood and consequence if residual risk occurred.  
  • Residual Risk Score: Quantitative scoring based on likelihood and consequence if residual risk occurred. 
  • Comments for Residual Risk: This includes any additional information that you might want to provide regarding the risk area.

5. Click Create. The Risk Area is created in Assessment state. 

 

 

Searching Risk Area records

Risk Area records can be searched from:

  • Advanced Search page
  • Global Search
  • Associations index page

To search risk area from Advanced Search page:

1. Click Search tile on the ICI UI. The Advanced Search page opens.
2. Select Risk Area in the Please select Entities to search field.
3. Click the search icon. All available Risk Area records are displayed.


 

To search risk area using Global Search 

Enter the relevant search criteria in the Enter search here… search bar on the ICI UI. For example, Risk Area. All available Risk Area records are displayed in a drop-down.

 

To search risk area from association index page:

1. Click Associations Management > Associations on the Home page. The Associations index page opens.

2. Filter the records for Risk Area entity using Categories facet search. All available Risk Area records are displayed.


 

Working of existing ICI actions for Risk Area

Risk area owners can take existing ICI actions for associations on a risk area.

  • View Document: Opens the preview of the risk area if available, in the Document Viewer window.
  • View Smart Link: Opens the smart links if available, in a Smart Links window. 
  • Dissociate: Displays the error message "Oops something went wrong, please try again. : You do not have necessary access privileges for this functionality".
  • Copy: Copies risk area instance.
  • Edit: Opens the Edit Associated Document - Risk Area page to modify the details of the risk area instance.

 

Taking actions on the Risk Area

The Risk owner can be added to the risk area through configured rules. Risk owner can then take certain actions from the risk area Details page.  
The actions can be:

  • Initiate Due Diligence - action taken to capture more information related to the risk and validate the identified risk area. 
  • Remediate - action taken to mitigate the valid risk area.
  • Deactivate - action taken for risk area identified as invalid. Users cannot take further actions once the risk area is deactivated.
  • Monitor - action taken to track the performance based on remediation actions until risks are completely mitigated.

Users can repeat the workflow Due Diligence – Remediate – Monitor until the risk is completely mitigated.
Users can also automate the workflows to initiate due diligence, remediate and monitor risk areas by configuring rules.
 

Editing Risk Area

1. Click Risk Management > Risk Assessments on the Home page. The list of all available risk assessments opens.

2. Click the View Record icon next to the Risk Assessment you want to open. The Risk Assessment Details page opens.

3. Click Risk Area tab in the left navigation. The risk area grid opens.

4. Click View Record icon next to the risk area you want to open. The risk area Details page opens.

5. Click Edit. The Edit Associated Document for Risk Area page opens.


6. Make the required changes and click Update. The Risk Area is updated and the Risk Area Details page opens again.


 

Users can edit the risk area from risk area details page as well.

 

 

Initiating Due Diligence

Click Initiate Due Diligence. The Risk Area Details page opens again. 


The status of the risk area changes to Due Diligence.

 
 

Remediating the risk area

Click Remediate on the risk area Details page. The Risk Area Details page opens again. 

The status of the risk area changes to Remediation.

 

 

Monitoring the risk area

Users can monitor the risk areas based on the remediation actions taken to check whether the risks are reduced. 

To monitor a risk area: 

Click Monitor on the risk area Details page. The risk area Details page opens again.

The status of the risk area changes to Monitoring.

 

 

Iterating workflow for risk area

Users can repeat the actions taken on the risk areas until the risks are completely mitigated.

1. Click Initiate Due Diligence or Remediate on the risk area Details page for the risk area in the Monitoring state. For example, select Initiate Due Diligence. The Association Initiate Due Diligence note window opens to add a note.

2. Add note text and select a Reason code.

3. Click Add. The status of the risk area changes back to Due Diligence.


 

 

Deactivating the risk area

Risk owners can deactivate the invalid risk area. Once deactivated, no further actions are allowed on the risk area.

1. Click Deactivate on the risk area Details page. The Association Deactivate note window opens to add a note.


2. Add a note text and select a Reason code.


3. Click Add. The status of the risk area changes to Deactivated.


 

Auditing Risk Area

Changes made to the Risk Area record during various ICI risk management workflows are captured and can be viewed under the History tab. For example, changes in ICIRiskArea_372 throughout its lifecycle are captured.
 

Click Show All Changes to view the details of the particular event of the risk area instance.


 

Moving Risk Area workflow automatically

Users can manage the Risk Assessment and Risk Area action workflows using the script attribute Target ICM Status. Users can set the value in Target ICM Status to a specific status and move records to that particular state during the risk management workflow. For example, a risk area record can be moved from the Draft state to either the Due Diligence, Remediation or Monitoring state using the attribute Target ICM Status.

Risk assessment and risk area records can be uploaded in ICI directly in specific status by setting the state value in the Target ICM Status attribute using ICI’s Legacy Upload functionality. The business status would then be set accordingly.

For example, when users want to upload a large number of historical risk assessment records using Legacy Upload, they can directly upload in the Approved state by setting it in the Target ICM Status attribute and the business state would be set as Assessment Complete.

Refer to the ICI Risk Management Configuration Guide for details on Managing Risk Workflows using attribute Target ICM Status.

 

Creating and managing tasks for Risk workflow

Users can create remediation tasks for managing risks using commitments, obligations or any third-party system. The ICI Risk Management app currently supports managing Risk Assessment and Risk Area using ICI Commitment functionality.


To create a task using commitment:

1. Click Risk Management > Risk Assessment on the Home page. The saved search result page opens with all Risk Assessment records.

2. Click the View Record icon next to the Risk Assessment record you want to open. For example, Risk_Assessment_May2020. The Risk Assessment Details page opens.

3. Click the Commitments tab in the left navigation. The existing commitments are displayed if any.

4. Click the Add Commitment action icon. The Add Commitment window opens.

5. Enter the details for the commitment.


6. Click Add Commitment. The commitment is created and added to risk assessment. 


To view and take action on the commitment tasks:

1. Click the Take action on commitment icon. The Add Action window opens.

2. Add the action details.

3. Click Save. The Commitment status is updated according to the action taken.


Refer to Compliance Management for more details on working with commitments.

Accessing the Risk Area actions Notifications 

The ICI Risk Management app sends notifications when certain actions are taken on the Risk Area. These notifications are seeded.
The notifications are sent when the following events occur:

  • Risk area is created
  • Risk area due diligence is initiated
  • Risk area remediation is initiated
  • Risk area monitoring is initiated
  • Risk area is deactivated

The recipients can access the notifications from the Notifications Dashboard:

  1. Click the Notifications tab on the Home page. The Notifications Dashboard opens.
  2. Click Risk Management Notifications. The list of notification events opens.
  3. Expand the notification event. The notifications belonging to the selected event are displayed. 
  4. Select the Notification you want to view. The selected Notification opens in the right pane.