Based on the previously created Risk Groups and their risk taxonomy, the next step is to map and link these hierarchies on one or more dimensions. This mapping allows projects with related risks to be placed into the various groups and segments for analysis, and makes it possible to view how a certain risk permeates through the organization as well as how a specific risk element may touch multiple departments, divisions, processes, and so forth.
The previously completed segments can then be mapped in the Risk Mapping section, as shown in Figure 2.4. For example, a Risk Category can be mapped to one or multiple G.O.P.A.D. categories, which can then be mapped to one or more Divisions. Note that all divisions roll up to the corporation. This way, when a risk element is entered in the Risk Register later on, a risk category can be selected, and the remaining connection routes will be automatically determined. Using these mapped connections, the software can slice and dice and look at different Divisions or G.O.P.A.D. categories and see the risk profile from various points of view.
While it is tempting to connect a single risk category to multiple G.O.P.A.D. categories or Divisions, it is recommended that the connections be set as one to one. This one-to-one correspondence allows any risk values and KRIs to be attributed correctly to the relevant risk categories or divisions and prevents any accidental double counting.
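The double counting that a one-to-one mapping prevents, shown as an added illustration that is not code from the ERM software or the original text. The category, G.O.P.A.D., and division names and the risk values are constructed, and the rollup rule (a category's value is attributed along every mapped route) is an assumption.

```python
from collections import defaultdict

def find_fanout(links):
    """Return {source: sorted targets} for every source linked to more than one target."""
    targets = defaultdict(set)
    for src, dst in links:
        targets[src].add(dst)
    return {s: sorted(t) for s, t in targets.items() if len(t) > 1}

def rollup(risk_values, cat_to_gopad, gopad_to_div):
    """Attribute each category's value along every mapped route to a Division (assumed rule)."""
    divs_of = defaultdict(set)
    for gopad, div in gopad_to_div:
        divs_of[gopad].add(div)
    per_division = defaultdict(int)
    for cat, gopad in cat_to_gopad:
        for div in divs_of[gopad]:
            per_division[div] += risk_values[cat]
    return dict(per_division)

def corporate_total(per_division):
    """All divisions roll up to the corporation."""
    return sum(per_division.values())

# Constructed sample data: names and values are placeholders.
RISK_VALUES = {"Cyber": 100, "Credit": 40}
GOPAD_TO_DIV = [("GOPAD-A", "Division-1"), ("GOPAD-B", "Division-2")]
ONE_TO_ONE = [("Cyber", "GOPAD-A"), ("Credit", "GOPAD-B")]
ONE_TO_MANY = ONE_TO_ONE + [("Cyber", "GOPAD-B")]  # Cyber now has two routes

def overcount(cat_to_gopad):
    """Difference between the rolled-up corporate total and the true sum of risk values."""
    total = corporate_total(rollup(RISK_VALUES, cat_to_gopad, GOPAD_TO_DIV))
    return total - sum(RISK_VALUES.values())

if __name__ == "__main__":
    for name, mapping in (("one-to-one", ONE_TO_ONE), ("one-to-many", ONE_TO_MANY)):
        print(name, "fan-out:", find_fanout(mapping), "overcount:", overcount(mapping))
```

Running a fan-out check like `find_fanout` over each mapping level before loading the Risk Register flags the connections that would inflate division and corporate totals.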
Created connections can be seen in the data grid at the bottom. Connections can be edited by clicking on the Edit pencil icons, and changes can then be saved after any modifications. A report can also be created, indicating all the connections.
As a reminder, setting up these three sections, Global Settings, Risk Groups, and Risk Mapping, should be done with great care, as the settings here will flow throughout the entire ERM software. All subsequent reports and analyses will be based on these settings. Sometimes preliminary planning and strategizing are critical to creating a good ERM model.
Figure 2.2: Risk Settings
Figure 2.3: Risk Groupings in an Organization
Figure 2.4: Risk Mapping or Grouped Relationships