1. Risks
The Risk section in QuartzGOV contains a list of all Risks that were created for the business. There are three Risk levels: Top Risk, Key Risk, and Department Risk.
In the following sections, you will learn how to view a Risk, create or modify a Risk and how to perform certifications on Risks.
- Risk section in QuartzGOV
- Viewing a Risk
- Editing a Risk
- Closing a Risk
- Creating a Risk (Top Risk)
- Creating a Risk (Key Risk or Department Risk)
- Risk Certification (RCSA)
  - Creating a new Self-Assessment Campaign
  - Running the Self-Assessment Campaign
  - Sending a Reminder
  - Reviewing the Top and Key Risks
  - Other actions to perform from the user card
- Answering the Self-Assessment as a risk owner
Risk section in QuartzGOV
The Risk module in QuartzGOV contains 3 sections. In order to see a Risk, you must click on the Risks button.
Risk Management Section in QuartzGOV
Viewing a Risk
The Risks section contains the list of all Risks that have been created for the business. Users can search for a specific Risk by using the filters on the left side of the screen. To open and view a Risk, users can click on the Risk details.
Main Risks page and Opening a specific Risk
Once you have opened a Risk, you will see the following details:
- Assessor: User who is the owner of the Risk
- Name: Name of the Risk
- Type: The level of Risk you have selected i.e. Department Risk, Key Risk, or Top Risk.
- Department: The business department where the Risk is located.
- Description: A description of the Risk.
- Last Risk and Control self-assessments: The way the Risk was ranked according to the following factors: Probability, Severity, Mitigation.
:::(Warning) () Please note that the risk level is calculated from three factors: Probability, Severity, and Mitigation. The fourth factor, "Overall", is calculated automatically based on the three factor ratings. In some cases, management can also modify the Overall factor based on their personal analysis. As such, you could sometimes see an Overall level that doesn't match the three factor ratings. :::
Below these items, you should be able to see two sections: summary and history. As mentioned previously, there are three risk levels in the system. The information contained within the summary section will change depending on the risk level you have selected. See summary table below:
| Risk Level | Information in Summary |
|---|---|
| Top Risks | Related Key Risks |
| Key Risks | Related Top Risks and Related Department Risks |
| Department Risks | Related Key Risks and Relating Controls |
The reason for this breakdown relates to the way the Risks are structured. Department Risks are based on Key Risks which are based on Top Risks. The only Risk that can be covered with a Control Activity is a Department Risk. This is why the other two types will not show any relating Control Activities.
You can click on the Risk and Controls shown below if you would like to see more details.
Risk Details
In the History section, you will see a record of the most recent risk assessment levels that have been assigned.
History Section of a Risk
Editing a Risk
From the Risk details page, you can edit or close a Risk. If you want to edit the Risk, you must click on the pen icon that is located on the top right hand side of the screen.
Editing a Risk Button
After clicking this button, you will be taken to a new window called "Update Risk". From this page, you can do multiple things:
- Change the risk name
- Select a new Risk Class / Risk Type
- Change the description
- Make it a suggested risk or recommend closing it
- Add a delegate
Once you are done making your changes, you can click on the update button at the bottom of the page to save.
Editing a Risk
Closing a Risk
From the risk details page, you can edit or close a Risk. If you want to close a Risk, you must click on the close icon that is located on the top right hand side of the screen.
After you do this, a screen will open asking you to confirm your choice. You simply need to click the Close Risk button to close the risk. Please note that in order to do this, one needs to ensure that the Risk is no longer related to other Risks or controls.
Closing a Risk Button
Creating a new Risk (Top Risk)
There are multiple ways one can create a risk. From the main QuartzGOV menu, you will see that there is a create Top Risk button. Top Risks can be created directly from this menu. If you need to create a Key Risk or a Department Risk, you can scroll down to the next section.
To create a Top Risk, click on the Top Risk button.
Top Risk Button
Once you have clicked this button, you will be sent to a new window asking you to fill in all of the Risk information. Once you have completed all fields, you can click on create to create your risk.
Top Risk creation form
Creating a new Risk (Key Risk or Department Risk)
In order to create a lower risk level, users must first select the related Risk in the system. For example, if you want to create a Key Risk, you will first need to find the Top Risk with which your Risk will be associated. If you want to create a Department Risk, you will first need to find the Key Risk with which your Risk will be associated.
In order to do this, open the Risk you have selected, and click on the ( + ) icon that is listed in the Department Risks section below. Please note that if you were creating a Key Risk, the section would be called Key Risks.
The process to create the risk is the same as the one for Top Risks. The only difference is that, in this case, you will need to add an Assessor and a Delegate.
Risk Certification (RCSA)
In line with the RCSA process, each Department Risk that exists in the business must be reviewed and certified on a yearly basis. During this process, all individuals responsible for Department Risks must review them and determine which Risk level must be associated to their Probability, Severity, and Mitigation levels.
Creating a Self-Assessment campaign
In order to create a new Self-Assessment campaign, management must open the settings section of the page, select the Governance Process menu option, and click the Risk Self-Assessment button.
Creating a new Self-Assessment campaign
The following articles also refer to the Governance Processes screen:
- Governance Mandate: 2. Governance mandate action plan process
- Information Security Mandate: 2. Information security mandate action plan governance process
- Master and Key Controls: 2. ARIC process management
- Oversight, Audit and Tracking: 2. Audit action plan governance process; 3. Audit email tracking
After clicking the button, a new window will open. The user can click the new button to create a campaign.
Creating a new Self-Assessment campaign from the Risk Self-Assessment Menu
After clicking the button, a new window will open with a form to create a Self-Assessment campaign. To complete the form, users must select the Type, the Fiscal Year, the Name of the campaign, the Start Date, End Date, and Deadline. After the form is complete, the user can click on the create button to create the campaign.
New Self-Assessment campaign form
Running the Self-Assessment campaign
Once a campaign has been created, every user that is linked to the campaign will receive a notification asking them to complete it within the recommended timeline.
In order to view the campaign, users can go to their personal page in QuartzGOV and click the campaign name below their personal information. See example below.
Viewing a Self-Assessment campaign
After clicking the campaign name, users will be sent to a new page that shows the progress of the selected campaign.
Self-Assessment Campaign Page

From this page, the user can see the list of Risk owners that have been asked to complete the Self-Assessment. The user can use the filters on the left to see individuals based on their response status. If a user wants to see only In progress results, the user simply needs to click the In progress button on the left.
From this page, the user can perform multiple tasks:
- Send Reminders to users that haven't completed their Self-Assessment
- Review the Top or Key Risks
- Perform a series of actions for a specific person
Sending a Reminder
There are two ways a user can send a reminder in this tool. The first is to click the Send Reminder button that is located next to the search bar at the top. After doing this, a user will be given the opportunity to select multiple users to send them a reminder via email.
The second way one can send a reminder is simply by clicking someone's card. After doing this, the card will turn and four buttons will be shown to the user. The user simply needs to click the Send a Reminder Button which looks like an envelope.
Send a Reminder Button
After clicking this button, the user will be asked to provide a deadline and will be able to press send to send the reminder.
Sending a Reminder
Reviewing the Top and Key Risks
This step will only be available after the full Self-Assessment has been performed. It should only be used by the company governance team.
Other actions to perform from user cards
When clicking someone's card in the list, users will be presented with a few action options. For anyone whose analysis is In progress, Not Started, or Completed, users will have four options (see image below). The arrow button allows you to return to the person's card. The envelope button, as mentioned previously, can be used to send a reminder. The hammer button allows users to re-do the assessment. The printer button allows users to print the person's Self-Assessment.
Actions to perform from In progress, Not Started, or Completed users
For Ready to Review users, the options are a little bit different. The umbrella button allows users to review the person's Self-Assessment and the lock button allows the user to unlock the assessment.
Actions to perform from Ready to Review users
Answering the Self-Assessment as a Risk Owner
When a user is a Risk owner, they should receive a notification asking them to review their controls. If they agree to do this, they should reach the following page. Users can click Begin to start the Self-Assessment.
Starting the Self-Assessment
After clicking the button, the user will be asked to answer a few questions. After answering the questions, the user will be asked whether each of their Risks is still applicable and whether its description is still accurate. After answering these two questions, the user will have to select the Risk level for Probability, Severity, and Mitigation. These selections will calculate the Overall Risk.
Self-Assessment Screen
After doing this for all of their Risks, the users will be able to submit their assessment by clicking the Submit Assessment button.
Submitting the Assessment
