Enterprise Risk Management - User Manual

Introduction

The Enterprise Risk Management module provides a comprehensive solution for organisations to identify, assess, treat and monitor risks in accordance with the ISO 31000:2018 standard. This manual guides you through the module's features and functionality so that you can manage your organisation's risk landscape effectively.

Getting Started

After installing the module, a new "Risk Management" menu will appear in your Odoo navigation. This menu provides access to all risk management functions.

User Roles

The module includes three levels of access:

  • Viewer: Can view risks and related data
  • User: Can create and edit risks, controls, treatments and reviews
  • Manager: Has full access including configuration options

Core Concepts

Risk Register

The risk register is the central repository for all identified risks. Each risk includes:

  • Basic information (title, owner, category)
  • Detailed description, causes and consequences
  • Risk assessment (inherent, residual and target risk levels)
  • Controls, treatments and review history

Risk Assessment Process

Risk assessment follows a structured approach:

  1. Identify the Risk: Create a new risk entry with basic details
  2. Assess the Risk: Evaluate likelihood and impact using the assessment matrix
  3. Treat the Risk: Define treatment strategy and actions
  4. Monitor the Risk: Regular reviews and reassessments

Risk Matrix

The risk matrix provides a framework for consistent risk assessment across the organisation. The standard matrix includes:

  • 5 levels of likelihood (Rare to Almost Certain)
  • 5 levels of impact (Insignificant to Catastrophic)
  • Calculated risk scores and corresponding risk levels (Low, Medium, High, Very High)

Managing Risks

Creating a New Risk

  1. Navigate to Risk Management > Risk Register
  2. Click "Create" to open a new form
  3. Fill in the required information:
    • Risk title
    • Category
    • Risk owner
    • Description, causes and consequences
  4. Save the form to create the risk in "Draft" status

Assessing a Risk

  1. Open the risk record
  2. Go to the "Risk Assessment" tab
  3. Select an assessment matrix
  4. Enter likelihood and impact values for:
    • Inherent risk (before controls)
    • Residual risk (current state with existing controls)
    • Target risk (desired future state)
  5. Click "Assess" to move the risk to "Assessed" status

Adding Controls

  1. Open the risk record
  2. Go to the "Controls" tab
  3. Click "Add a line" to create a new control
  4. Fill in the control details:
    • Title
    • Type (Preventive, Detective, Corrective, Directive)
    • Owner
    • Description
    • Implementation details
  5. Save the form

Controls follow their own lifecycle:

  • Draft > Implemented > Effective/Ineffective

Creating Treatment Actions

  1. Open the risk record
  2. Go to the "Treatment Plan" tab
  3. Click "Add a line" to create a new treatment action
  4. Fill in the action details:
    • Title
    • Priority
    • Owner
    • Due date
    • Description and expected outcomes
  5. Save the form

Treatment actions follow their own lifecycle:

  • Draft > In Progress > Completed/Cancelled

Scheduling Reviews

  1. Open the risk record
  2. Click the "Schedule Review" button
  3. Fill in the review details:
    • Review date
    • Reviewer
    • Next review date
    • Assessment changes (if applicable)
  4. Save the form

Dashboard and Reporting

The risk register provides various views to analyse your risk landscape:

  • Kanban View: Visual representation of risks by status
  • List View: Table of risks with colour coding by risk level
  • Search Filters: Find risks by criteria such as level, category and owner

Configuration

Risk Categories

Define categories to organise risks by type:

  1. Navigate to Risk Management > Configuration > Risk Categories
  2. Create categories relevant to your organisation (e.g., Strategic, Operational, Financial)

Assessment Matrices

Customise risk assessment matrices:

  1. Navigate to Risk Management > Configuration > Assessment Matrices
  2. Define likelihood levels, impact levels and scoring rules

Control Types

Define the types of controls used in your organisation:

  1. Navigate to Risk Management > Configuration > Control Types
  2. Create new types or modify existing ones

Impact Types

Specify different impact dimensions for risk assessment:

  1. Navigate to Risk Management > Configuration > Impact Types
  2. Define impact areas relevant to your organisation (e.g., Financial, Reputation, Safety)

Best Practices

  • Regularly review and update the risk register
  • Ensure risk owners are responsible for monitoring their assigned risks
  • Conduct formal risk reviews according to the schedule determined by risk level
  • Document the effectiveness of controls to support risk assessment
  • Track treatment actions to completion
  • Use risk categories and tags to enable effective filtering and reporting

Support

For additional support with the Enterprise Risk Management module, please contact Cyder Solutions at info@cyder.com.au.