Tip of the Month: Using Unit Impact Values to Rate Risk

January 23, 2019

Did you know?

BarnOwl enables you to rate your risk in two ways:

  • Qualitatively – by using a risk rating matrix based on impact rating x likelihood rating
  • Quantitatively – by using a currency amount based on the financial impact or loss that the organisation would suffer if the risk is realised

Impact values can now be specified in each unit for each risk category. This means that you can specify currency amounts in the Quantitative tab in the Risk form, and the qualitative rating (impact x likelihood) will automatically be updated based on the Impact values specified for the unit.

Setting the System Impact Values

Before you can specify the Unit impact values, you need to specify the system defaults in the Server Management Console.
Server Management Console > Risk Management > Parameters > Risks > System Impact Value Matrix Setup
If you will be using the Unit Risk Impact function, you must select the “Risk Impact Rating based on the Risk Impact Value” checkbox.
You can now set the System Impact values per risk category. BarnOwl will use these impact values as the system default if no other Impact values have been specified at the Unit level.
Each risk category can have a different value. If a category is shaded grey, it means that it is inheriting the System default (specified at the top of the matrix and shown in italics). If you specify different values for certain categories (for example, the Regulatory Risk category may have different values per impact rating), these will be displayed with a white background.
If you have made changes to the Impact values, click the Update Risk Impact Ratings button. This will update the system defaults for each category in the units.
For more information, see System Impact Value Matrix Setup.

Setting Impact Values for a Unit

After you have specified your system impact values, you can go and make changes as required for your units. This is done in the BarnOwl Risk Management client.
You can specify these settings for new and existing units.
Risk Management > Organisational Structure > Right-click Unit > Edit Unit
In the Unit Edit form, click the Unit Impact Value Matrix tab on the right side of the form.
This matrix works in the same way as the System Impact Value matrix, except that it applies only to the select unit.
The Unit default is displayed in italics, and is used when the category value is not specified or changed.
Categories which are inheriting values from the unit default display a grey background.
If you want to change the ratings for the selected category in the selected unit, Click in a cell in the matrix to change the Impact value for each Impact rating per category. Where values have been changed (and are no longer inherited) the row displays white. In this example, the Regulatory Risk category has been changed.
Remember that the impact values must be in ascending order (lowest to highest). Therefore, values corresponding to rating 1 (very low impact) must be lower than values corresponding to rating 2 (low impact). Note that the impact matrix is specified according to your organisation’s Impact matrix, so your intervals may be differently labelled. (For more information see Risk Impact Settings)
Save the unit details by clicking the Save button.
To update all the impact ratings for risks in the specified unit, click the Update Risk Impact Ratings button.

Rating Risk Impact using Quantitative Values

In the Risk form, you can now rate the risk on the Inherent Quantitative or Residual Quantitative risk tab.
You can either specify an amount (in the Impact Value field) and the Inherent / Residual Impact will automatically be set to the Inherent Impact rating which corresponds to the Impact value. In this example, the amount of R400 000 was specified, which makes the Impact rating 3 – Medium Impact.
You can also set the Impact value based on the Impact rating by checking the “Set Impact Value based on Impact Rating” check box. Select the Impact rating from the Impact rating drop-down list, and the corresponding Impact Value is selected.
The Qualitative ratings are updated based on the quantitative values.
For additional information, see Setting Risk Impact Values per Unit.