Risk Management Principles and Guidelines

Relationships between the risk management principles, framework and process; 31000 (© 2009 ISO)
Relationships between the risk management principles, framework and process; 31000 (© 2009 ISO)

Active Agenda has been developed and refined over many years. The first code for Active Agenda was written in 1995. Many people encountering Active Agenda reflect on the obvious continuity between Active Agenda's design and the "Risk Management - Principles and Guidelines" published by the International Standards Organization (ISO 31000). The following images and section headers have been taken directly from ISO 31000 so that Active Agenda's functionality can be mapped directly to this international standard. Readers are strongly encouraged to secure a copy of ISO 31000(external link) if your organization is interested using Active Agenda to implement this standard.


Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is risk.

All activities of an organization involve risk. Organizations manage risk by identifying it, analyzing it, and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Throughout this process, they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk in order to ensure that no further risk treatment is required. This International Standard describes this systematic and logical process in detail.

While all organizations manage risk to some degree, this International Standard establishes a number of principles that need to be satisfied to make risk management effective. This International Standard recommends that organizations develop, implement, and continuously improve a framework whose purpose is to integrate the process for managing risk into the organization's overall governance, strategy and planning, management, reporting processes, policies, values, and culture.

Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects, and activities.

Although the practice of risk management has been developed over time and within many sectors in order to meet diverse needs, the adoption of consistent processes within a comprehensive framework can help to ensure that risk is managed effectively, efficiently, and coherently across an organization. The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent, and credible manner and within any scope and context.

Each specific sector or application of risk management brings with it individual needs, audiences, perceptions, and criteria. Therefore, a key feature of this International Standard is the inclusion of establishing the context as an activity at the start of this generic risk management process. Establishing the context will capture the objectives of the organization, the environment in which it pursues those objectives, its stakeholders, and the diversity of risk criteria - all of which will help reveal and assess the nature and complexity of its risks.

The relationship between the principles for managing risk, the framework in which it occurs, and the risk management process described in this International Standard are shown in the figure above.

Note: The Introduction section text, section headers, and diagrams were extracted directly from ISO 31000(external link); 2009

3 Principles for Managing Risk

Principles for managing risk (© 2009 ISO)
Principles for managing risk (© 2009 ISO)

a) Creates Value

Active Agenda is an open and collaborative communication framework that represents value across an entire organization. Active Agenda applies risk imperatives to common systems (modules) in order to extend the system's utility across business functions, silos, and geographies. Active Agenda's module generator enables a rapid, highly iterative tool for adapting the system to the operating realities of your organization.

Active Agenda approaches risk from the "bottom up" and focuses management activities on sources of risk. Each source of risk can be associated with organizational aspects and activities. This method allows an organization to quickly assess the sources of risk associated with a given activity of a specified organization. This method also allows risk assessments, hazard analyses and controls, and treatment assignments to be leveraged across an enterprise.

b) Integral part of organizational process

Active Agenda was designed out of frustration with isolated and ineffectual management practices. The original idea behind Active Agenda was to create modules corresponding with risk management practices that were common across business units (functions, silos, regions, etc.) as a means of integrating risk management into the overall operation. The goal was to reduce variability in risk management tools and methodologies across the organization and inspire collaboration. Active Agenda tracks global participation in the risk management processes by assigning individual accountabilities throughout the application and organization level responsibilities where they apply. Most of Active Agenda's modules are not specific to a particular risk silo because they are intended to support all organizational processes, including strategic planning, projects and change management processes.

c) Part of decision making

Active Agenda improves the information-gathering function of decision making and helps decision makers reduce the uncertainty of decision outcomes. It does this by collecting, centralizing, and making organizational knowledge and experience available in real time. The standard user interface, and comprehensive knowledge base, support decision making in a nonlinear, recursive manner. Information captured during continuous and ongoing use of Active Agenda reduces the typical constraints associated with the time and effort needed to gain the information needed to make better decisions.

d) Explicitly addresses uncertainty

Active Agenda requires you to enter a variety of sources of risk (i.e., vehicles, equipment, locations, people, budgets, etc.). Once a source has been entered into Active Agenda, the source of risk can be assessed for the likelihood and severity of potential loss, hazards that may increase the likelihood of loss, potential events to be avoided, preventative and mitigative controls, and possible business consequences. Once a source of risk has been assessed, the assessment can be used to assess similar risks. Every source of risk can be analyzed in a centralized risk index.

e) Systematic, structured and timely

Active Agenda was designed with structure and continuity of interface in mind. Every module of Active Agenda operates the same way. Users familiar with the interface of one module will be able to access data from any other module they have permission to view. Each module has been designed to traverse functional silos so that a single method is used to manage information across the organization. This approach simplifies training requirements and reduces dependency on limited system experts. The system is designed to work in a variety of common browsers so that users can leverage tools they are already familiar with. Risk information sharing and comparing efficiencies are maximized when Active Agenda is deployed in a server environment. Enterprise-wide deployment substantially improves the timeliness of information sharing and the reliability of data benefiting from peer review.

f) Based on the best available information

Active Agenda is a collaborative communication framework. The system is designed to facilitate the rapid collection and sharing of information and best practices across multiple functions, operating units, and geographical locations. The system collects data in a tabular format and enables the customization of a user's dashboard with data charts of greatest interest to each stakeholder using the system. Charts and reports are updated as Active Agenda participants interface with the organization and application in real time. Permissions to data can be limited by organization so that internal and external experts can contribute their unique and timely perspectives. Using Active Agenda to collect and manage information on a day-to-day basis ensures immediate access to the best risk information available.

g) Tailored

Active Agenda is very scalable. This scalability allows you to deploy the Active Agenda framework in a manner conducive to your internal and external culture. Your approach to implementation can be adjusted to accommodate your management environment (e.g., risk contexts). You can implement Active Agenda as a stand alone application within a single risk silo at a single location, or take a more collaborative approach across your enterprise.

h) Takes human and cultural factors into account

Active Agenda allows you to record and revisit assessments of internal and external management environments (also known as risk contexts). The system tracks the roles, qualifications, and experience of internal and external resources.

A variety of modules were specifically designed to enable the continuous assessment of people's ongoing perceptions. Active Agenda can ease the burden of managing an effective suggestion program and help you tap into the organization's knowledge (or idea) base and reinforce a culture of empowerment. The system enables the creation and deployment of perception surveys available to any stakeholder with access credentials to the system. Constructive and reinforcing feedback can be offered between stakeholders, offering cultural insights based on the ratio of constructive to reinforcing comments, by organization, location, department or person. Questions can submitted to the organization in a town hall format so the culture of the organization may benefit from the openness of the dialog. Values threats can be reported by all stakeholders when the organization is considering, or has made, a decision which threatens the organization's mission and values. Incentives are tracked and shared so that participants can share motivational criteria used to reward participation in the organizations' objectives.

Organizational details are captured for each Active Agenda participant so that cultural inferences and conclusions can be drawn from the manner in which people participate in the risk management process. For instance, the number of suggestions submitted, or the number and type of disciplinary actions taken by a supervisor reveals a great deal about management alignment with organizational values and initiatives. Active Agenda allows you to compare and contrast your values with your actual performance so that a positive culture can be monitored and sustained.

i) Transparent and inclusive

Active Agenda has a unique ability to track internal and external stakeholder participation. Participation is categorized as involvement or accountability, depending upon the nature of the role being performed. Participation is typically associated with key dates to ensure timeliness of involvement and relevance of the risks being tracked and managed. Active Agenda allows you to identify roles as accountabilities and transfer accountabilities between stakeholders as turnover occurs. Involvement is open and transparent and can be assessed across a global enterprise.

Active Agenda allows you to assign responsibilities to the risk management process by organizational level. Each person tracked within Active Agenda can be assigned an organizational level. This approach allows you to generate a list of level responsibilities to compliment a person's specific involvement and accountability. Active Agenda allows you to assess involvement in a pie chart by person, organization, function, level, department, and a variety of other parameters. You can use run charts to evaluate involvement over time, or radar charts to analyze the balanced nature of involvement by risk silo.

j) Dynamic, iterative and responsive to change

Active Agenda is highly customizable from a design perspective. The system consists of a rapid, highly iterative, application development platform. This platform allows you to build new modules to accommodate changing needs and modify existing modules very quickly. Each new module will inherit the basic features of Active Agenda (i.e., charts, permissions, reports, search, dashboard, standard user interface, etc.). Active Agenda embraces the practical reality of change and the importance of business continuity. New, and previously identified risks are captured and recorded for prosperity and the educational value they represent. Active Agenda data belongs to your organization and not a third party vendor. As vendor relationships change, the continuity of your data is preserved. Active Agenda also allows you to manage the reality of risk owner turnover. As accountable internal (e.g., employees) and external (e.g., service providers) participants turnover, Active Agenda allows you to transfer their accountabilities to incumbent participants.

k) Facilitates continual improvement and enhancement of the organization

Active Agenda is designed to free risk management knowledge, activities, and practices from the confines of isolated silos, personal spreadsheets and databases, proprietary vendor solutions, and other mechanisms of division and inefficiency. The system is designed to help organizations manage risk (uncertainty) across an enterprise without being limited by the functional source of the risk. Active Agenda achieves its purpose with an open and transparent communication framework relying on Internet technologies. Active Agenda allows widely distributed internal and external stakeholders to continuously improve and refine the risk management process in real time.

4 Framework for Managing Risk

Framework for managing risk (© 2009 ISO)
Framework for managing risk (© 2009 ISO)

4.2 Mandate and commitment

Active Agenda allows organizations to go beyond statements and rhetoric. The system allows you to record organizational objectives and mandates while quantifying and sharing organizational performance against those objectives. Active Agenda allows you to:
  • post and share management policies and local implementation efforts. Each policy and local program tracks key stakeholder responsibilities that can be transferred if roles or people change. Each policy can stipulate expectations which are passed through to each adopting organization. These expectations can be audited and scored at a frequency deemed to be appropriate by the Policy organization. Policies, local partnerships, and implementation performance can be efficiently shared across the enterprise;
  • record organizational mission and values and threats to those values. Each of Active Agenda's modules is a component part of a comprehensive risk management policy. Activity data from these modules can be used to assess alignment with the overall risk management policy;
  • stipulate risk management performance indicators alongside the performance indicators across the enterprise. Centralizing performance indicators allows you to assess alignment across the enterprise and avoid the use of indicators that may be at odds with one another or result in a competitive environment that places culture at risk;
  • record all legal and regulatory mandates imposed on your organization. Once a regulation, standard, or legal mandate is entered into the system, the requirement can be directly associated with the specific sources of risk and the manner in which the organization is affected by the requirement;
  • assign accountabilities to internal and external participants and transfer accountabilities when human resource turnover occurs. People and responsibilities can be assigned to appropriate organization levels so that personal accountabilities and level-based responsibilities can be used to guide involvement;
  • identify and track internal and external resources and monitor human asset allocations. Charts can be generated to identify unbalanced assignments and monitor the likelihood of becoming under resourced;
  • communicate and record communication with internal and external stakeholders. Active Agenda tracks communication associated with specific sources of risk and helps to trigger the need for communication. Each of Active Agenda's module records can be sent as an email notification to key stakeholders. Charts, reports, and data can be "pulled" by interested stakeholders rather than pushed to those on a predicted list of interested persons;
  • distribute risk management roles, responsibilities, and accountabilities amongst internal and external stakeholders so that Active Agenda's database remains current with evolving operations and impervious to revolving participants.

4.3 Design of framework for managing risk

4.3.1 Understanding of the organization and its context

One of Active Agenda's purposes is to help organizations gain a greater understanding of their management environment. Active Agenda modules provide continuous, real time, measurements of risk management activities and insights into internal and external management environments. However, organizations just beginning to implement a risk management process will need to assess their management environments more subjectively.

Active Agenda allows you to assign evaluators to the assessment of management environments (sometimes referred to as "contexts"). All assessments of management environments are saved to a central table where they can be monitored and updated as internal and external environments change. This central view of assessments allows you to share, and learn from observations of a variety of management environments. Comprehensive utilization of Active Agenda can substantially improve your ability to assess internal and external environments.

4.3.2 Establishing risk management policy

Active Agenda will not write your risk management policy, but it will help you document your policy, share ideas between local implementations of policy requirements, and track policy audits. Active Agenda modules also help to track and measure the component elements of a comprehensive risk management policy. Active Agenda's development framework allows you to quickly extend the application to address unique risk management needs.

4.3.3 Accountability

Accountability is a central tenet of Active Agenda. All risk management program participation is assigned to people by name. Participation is categorized as 'involvement' (short term) or 'accountability' (ongoing obligation). All participation can be monitored and assessed in a central view where charts and reports can help you determine the appropriateness of human resource allocations. Accountabilities can be transferred between participants when internal and external stakeholder turnover occurs. Active Agenda facilitates accountability by:

4.3.4 Integration into organizational processes

"Priority is better achieved through the ability to capitalize on similarities than the ability to highlight differences."

~ Founder, Active Agenda LLC

Active Agenda was originally called 'Compliance Integration Tabs' in 1995. The system is designed to work as an integrated system whereby different departments utilize common systems to mange different functional risks. It can also be used by individuals interested in improving their personal job performance. Active Agenda's utility is maximized when people share information and collaborate across an enterprise. An implementation of Active Agenda can be introduced as a pilot project within a single department, as conceptualized in our 1998 article No such attachment on this page, or as an enterprise risk management program.

Active Agenda also allows you to track and share policies across your enterprise, project planning and tracking - irrespective of functional silo, change management processes, and enterprise-wide risk management implementation road maps.

4.3.5 Resources

Active Agenda allows you to track internal and external human resources. Active Agenda also tracks a variety of non-human resources necessary for the management of organization-wide risk. The system facilitates resource tracking and allocations by:
  • tracking people participating in the risk management process, whether they are internal or external to your organization;
  • enabling you to track the qualifications of all participants;
  • establishing a list of participation roles, and assigning people to those roles;
  • allowing you to prevent accountability vacancies following turnover events;
  • building event response procedures by role and listing all people fulfilling each respective role;
  • establishing budgets and expenditures associated with the risk management process, and categorizing costs of risk using generally accepted Total Cost of Risk categories;
  • enabling the tracking and sharing of organization-wide policies and local procedures, while facilitating audits of local performance against stated expectations. Assigning a person to each local procedure allows you to generate a risk process ownership matrix for each facility tracking program management within Active Agenda;
  • providing an integrated risk information, knowledge management, and best practice sharing system;
  • tracking risk management training requirements and delivery by job title?; and
  • establishing job analyses to maximize every stakeholder's ability to improve risk reduction and control at the task level. Active Agenda's job analyses exceed the familiar use of such tools by helping you record task value reviews and track task waste (a.k.a. loss; a.a.k.a. risk).

4.3.6 Establishing internal communication and reporting mechanisms

Active Agenda is first and foremost, a collaborative communication framework. Active Agenda allows you to track and share a wide variety of source-specific communication events. The system also allows you to establish an email contact list on a module-by-module basis so that risk notifications containing record contents can be sent to key stakeholders. Active Agenda's many charts and reports make communication immediate, transparent, and available to all stakeholders based on their level of permission? to access the system. Active Agenda facilitates internal communication and reporting by:
  • making risk information immediately available to internal stakeholders, irrespective of their location;
  • exporting performance charts to public areas to communicate risk management activity and effectiveness in real time with the greatest efficiency and least amount of waste;
  • allowing you to build event-based contact lists? of internal stakeholders and track contact statuses?;
  • generating an audit trail of all data input and modification activity by user and date. The audit trail allows you to "roll back" data to a stipulated date;
  • tracking required documentation and establishing documentation recipient requirements? on a module-by-module basis and tracking the status of document distribution?;
  • automating the population of required forms and enabling the export of data for sharing in a variety of formats (i.e., PDF, XML, CSV, and spreadsheet).
  • tracking posting requirements and enabling regular audits of posting currency; and
  • availing the system to all internal stakeholders for purposes of soliciting feedback, incident reporting, suggestions, open questions, survey participation, and module-specific data input based on assigned participation.
  • enabling the solicitation of anonymous reports via the Internet or company intranet. Anonymous reporting is required by some jurisdictions. Active Agenda makes anonymous reporting possible for any module of the system using any subset of fields you choose to avail (i.e.; anonymous incident report form; anonymous suggestion form; etc.).
Active Agenda manages permissions? by module and organization. Users can be allowed to view and/or edit date, or they can be prohibited from access a module all together. Active Agenda also allows you to establish permission groups? to ease the assignment of user access to the system.

4.3.7 Establishing external communication and reporting mechanisms

Active Agenda's collaborative communication framework extends to external stakeholders. Any information that can be tracked and shared internally can also be shared externally. System notifications can include external stakeholders (e.g., insurance claims administrator) and risk management participants (e.g., carrier loss control consultant). Active Agenda facilitates external communication and reporting by:
  • making risk information immediately available to external stakeholders, irrespective of their organization or location;
  • allowing the addition of external stakeholders to module-specific notification lists;
  • allowing you to build event-based contact lists? of external stakeholders (i.e., insurance claims adjusters, regulatory agencies, etc.) and track contact statuses?;
  • tracking documentation mandates, establishing external documentation recipients? on a module-by-module basis, and tracking the status of document distribution?;
  • automating the population of regulatory required forms and enabling the export of data for import into external stakeholder systems (i.e., XML, CSV, and spreadsheet);
  • availing the system to external stakeholders for purposes of soliciting risk management support; such as: identifying audit items?, reviewing incident reports, reviewing chemical data, recording their work activity and related costs, identifying relevant regulations and standards, reviewing certificates of insurance, providing constructive and/or reinforcing feedback to the organization, and just about any other module-specific data input needs based on assigned participation; and,
  • building external stakeholder confidence in the organization and its ability to manage risk.
Active Agenda manages permissions by module and organization. Users can be allowed to view and/or edit data, or they can be prohibited from accessing a module all together.

4.4 Implementing risk management

4.4.1 Implementing the framework for managing risk

Active Agenda begins with the assignment of accountable process owners and strategic prioritization. Each instance of Active Agenda can consist of multiple implementation road maps. This allows you to track implementation at a variety of levels for a number of disparate locations. Active Agenda facilitates implementation of the risk management framework by:
  • assessing and recording internal and external management environments? at the local, regional, national, and international levels;
  • identifying key internal? and external stakeholders;
  • identifying and recording legal and regulatory requirements, applicable standards, and internal policies and policy implementations;
  • prioritizing the implementation strategy and assigning risk process owners on a module-by-module basis;
  • recruiting and assigning stakeholders to ensure the risk management information remains current; and,
  • tracking information and training sessions? associated with the risk management process.

4.4.2 Implementing the risk management process

Organizational culture is the key to deciding how you will implement Active Agenda. Active Agenda can be introduced as a tool for a sole practitioner to improve personal performance, a pilot project within a single department, or as an enterprise risk management framework. Active Agenda is ideally implemented across all levels and functions of the organization and integrated into existing practices and processes. If your culture is not capable of supporting an enterprise-wide, open, collaborative implementation, you can always start small and scale the implementation as the culture becomes more receptive to collaborative information sharing. Active Agenda allows to to scale from a reactive, to an active information culture.

4.5 Monitoring and review of the framework

Active Agenda is a tool to support a dynamic, ever-changing, risk management process. The system was created to eliminate the dreaded "programs of the month" that are typically reduced to written compliance documents placed in binders on a dusty shelf. Each Active Agenda module can be thought of as a section from the "dusty compliance binder," but with Active Agenda, the activities outlined within the binder can be monitored and reviewed in real time. Active Agenda facilitates monitoring and review by:
  • recording risk management performance indicators and tracking results? in real time;
  • enabling stakeholders to "subscribe" to data charts based on level of interest and area of responsibility;
  • recording implementation road maps and enabling the monitoring of performance against plans;
  • capturing and reviewing feedback, suggestions, module-specific activity, and policy reviews? following reported events to assess the plan's appropriateness for the management environment;
  • facilitating periodic internal audits? of policy performance and tracking improvement over time;
  • enabling the ongoing evaluation of the framework by adding review item and criteria? to audit checklists; and,
  • establishing gap analyses criteria? for initial or ongoing assessments of performance against prescribed standards.

4.6 Continual improvement of the framework

Active Agenda is a dynamic information management system. Collaborative implementation meetings, ongoing use, and regular monitoring of the system will result in suggested improvements to Active Agenda as a framework for managing risk. The rapid, iterative, nature of Active Agenda's module generator allows you to incorporate newly identified risk management processes into the framework quite easily. The Active Agenda team continues to work on ways to improve the framework and accommodate a wider spectrum of organization cultures. Providing regular feedback to the Active Agenda developers is usually the fastest way to incorporate framework improvements.

5 Process for Managing Risk

Process for managing risk (© 2009 ISO)
Process for managing risk (© 2009 ISO)

5.2 Communication and consultation

Active Agenda is a collaborative, communication framework. A team-based, consultative approach is the best method for implementing Active Agenda. The system utilizes Internet technologies to increase the diversity, quantity, and quality of stakeholders participating in an organization's risk management process. Active Agenda facilitates communication and consultation by:
  • helping organizations record, track, and share their internal and external management environments?;
  • ensuring that data can be shared openly and transparently so that the interests of stakeholders can be shared and considered;
  • facilitating risk framework implementation road maps;
  • capturing and sharing the sources of risk with greater levels of specificity (i.e., vehicles, people, equipment, systems, buildings, etc.);
  • enabling all areas and levels of expertise to collaborate on hazard and risk assessments;
  • sharing the assignment and assessment of risk treatments? with internal and external stakeholders; and,
  • enhancing the change management process during the risk management process;
  • generating data export reports capable of eliminating data entry redundancies for internal and external stakeholders;
  • generating charts that facilitate communication of risk information in the simplest possible format; and,
  • enabling the sharing of risk information using automated notifications.

5.3 Establishing the context

Active Agenda refers to the context as internal and external management environments?. Evaluating, understanding, and recording the management environment is an indispensable step when implementing the risk management process. Active Agenda allows you to record assessments of the management environment by nexus (internal or external), by type (i.e., cultural, procedural, structural, etc.), and by encounter level (International, National, Regional, or local). Assessments of the management environment are all displayed within the implementation road map for stakeholder consideration during implementation planning sessions.

5.3.5 Defining risk criteria

Active Agenda cannot determine how you will evaluate and treat risks. Each organization must develop their own criteria for risk evaluation, and this should occur early during the implementation process. Active Agenda facilitates the definition and application of risk criteria by enabling the establishment of risk likelihoods?, risk severities?, and risk index? values; AND, the establishment of return return likelihoods?, return estimates?, and return index? values so they may be assigned to sources of risk and generate a centralized risk matrix for assessment and monitoring. Active Agenda also allows you to establish risk appetites by organization, nature of risk (e.g., modules identified as source of risk), and appetite level (i.e.; averse, minimal, cautious, open, and hungry). Risks appetites are displayed for users when a risk index matches an: appetite index, organization, and nature of risk; if, an appetite has been established for the organization and respective nature of risk.

5.4 Risk assessment

Active Agenda contains a variety of tools to facilitate ongoing risk assessments. The collaborative nature of Active Agenda's communication platform enables brainstorming amongst a distributed network of internal and external stakeholders and subject matter experts. Active Agenda facilitates ongoing risk assessments by:
  • generating record level checklists so that Active Agenda users will be prompted to complete key tasks when sources of risk are entered into the system;
  • enabling the assignment of audit items? to sources of risk. Audit items can be compiled into inspection and audit checklists, so risk owners can be notified of outstanding items. Identified deficiencies and mitigation activities can be tracked and monitored;
  • facilitating periodic program audits? for internal and external compliance;
  • facilitating gap analyses of operational programs and best practices;
  • capturing hazard reports, preventative and mitigative controls?, potential consequences? of unabated hazards, and enabling the generation of bow tie diagrams;
  • collecting reports of incidents and related events and facilitating detailed cause analyses;
  • generating and centralizing probability matrices? based on risk analyses of enterprise wide sources of risk;
  • soliciting risk information from across the organization in the way of feedback, town hall questions, suggestions, and survey participation;
  • enabling broadly defined risk assessments based on a compilation of hazard-based risk analyses performed on existing sources of risk.

5.4.2 Risk identification

Active Agenda tracks many sources of risk (buildings, contracts, chemicals, equipment, tasks, locations, people, systems, vehicles, etc.), and can be easily customized to track sources not considered within the existing application. Every source of risk tracked within Active Agenda can be associated with detailed risk analyses. Active Agenda's open architecture allows you to perform risk analyses for any source of risk entered into the system, irrespective of the organization owning the source or assigned to control its risk. Every source of risk is assigned to a single risk owner by name. Risk owners can be easily reassigned as turnover occurs so the continuity of risk accountability is maintained. Active Agenda's collaborative framework allows you to extend participation in risk identification to subject matter experts and key employees around the globe.

5.4.3 Risk analysis

Every source of risk entered into Active Agenda can be analyzed for existing, or potential, hazards that may increase the likelihood of loss. Active Agenda facilitates risk analysis by allowing you to:
  • track hazards to a source of risk that may increase the likelihood of a loss event;
  • assign the types of events that may emanate from a hazard, and identify the top event? likely to result in loss;
  • associate one or more predictive and/or mitigative controls?, identified by treatment type, to each hazard;
  • identify and assign one or more business consequences? (also known as perils) likely to result from each hazard;
  • establish risk risk likelihoods?, risk severities?, and risk index? values so they may be assigned to sources of risk and generate a centralized risk matrix for assessment and monitoring;
  • establish return return likelihoods?, return estimates?, and return index? values so they may be assigned to sources of risk and generate a centralized risk matrix for assessment and monitoring.
  • associate key information (e.g. images, videos, recordings, etc.) with each hazard identified and enable key stakeholders to access the information in a central location;
  • track risk analysis participants and assign personal accountability for each hazard analyzed;
  • associate every hazard with a specific location so that locations can be identified by the level of hazards present;
  • associate identified hazards with incident reports
Risk analyses from one source of risk can be copied to similar sources of risk without having to reproduce the analysis. Copied analyses can be refined to address exceptions rather than engaging in redundant analyses.

5.4.4 Risk evaluation

Active Agenda collects hazard-based risk analyses in a central repository. This centralized view allows key stakeholders to easily locate and evaluate previous risk analyses for accuracy; currency; appropriateness of identified hazards; anticipated events and consequences; and the statuses of preventative and mitigative controls. Ongoing evaluations of prior risk analyses can benefit from consideration of your organization's changing risk appetite and management environment?.

5.5 Risk treatment

Active Agenda integrates treatments? and controls?. Every hazard associated with a source of risk can be associated with multiple preventative or mitigative controls. Each risk can be assigned multiple treatments by category (i.e., avoidance, acceptance, elimination, prevention, mitigation, sharing, or retaining). Risks can be filtered by treatment category and viewed in a central repository of treatments. Treatments are also displayed on the view screen of the respective risk.

5.6 Monitoring and review

Active Agenda is a communication and risk management framework. It was designed to facilitate the instantaneous sharing of risk information. Active Agenda's design permits ongoing monitoring and review of risk information and management practices across a global enterprise, irrespective of industry or location. Active Agenda facilitates ongoing monitoring and review by:
  • capturing clearly defined responsibilities for monitoring and review based on organization level;
  • simplifying the assignment, and reassignment of risk ownership and other risk management accountabilities;
  • recording audit items? necessitating review and tracking the performance of audit item reviews;
  • capturing program management expectations and tracking the performance of program audits?;
  • recording the results of gap analyses conducted to compare exiting performance with best or standard practices;
  • making risk information available to internal and external stakeholders via automated notifications and the provision of user credentials;
  • generating a myriad of charts displaying risk information on the dashboards of stakeholders in real time;
  • tracking information that is imperative for trend analysis and prevention (i.e.; reported events, change management, best practices, key learning, hazard reports, suggestions, feedback, etc.).
  • increasing the likelihood of system use by integrating risk information tracking across silos, functions, and physical locations;
  • tracking external and internal context? so that risk treatments? can be compared to changing risk criteria;
  • capturing new sources of risk as they are acquired and/or encountered; and,
  • tracking, charting, and sharing key measurements assigned throughout the enterprise.

5.7 Recording the risk management process

Active Agenda can be viewed as an interactive, digital filing cabinet for risk management programs and related information. Active Agenda facilitates recording of the risk management process by:
  • centralizing data to enhance availability, facilitate redundancy, and enhance security;
  • saving risk data to a log file and never actually deleting information from the database;
  • enabling the establishment of organizational record keeping requirements (i.e.; storage methods; retention periods; disposal methods; etc.);
  • tracking the establishment of physical files in accordance with established requirements and associating physical files? with digital records;
  • maintaining continuity of data using a standard user interface, preventing 'data dumps', and facilitating simplified reassignments of accountabilities;
  • limiting access to risk information by user, group, information type, organization, and permission type? (i.e.; view and/or edit access to: all organizations, stipulated organizations, or none); and,
  • logging user access and navigation? throughout the system.

The content on this page is licensed under the terms of the Copyright.