GRC Risk Scoring & Reporting

Right. So hi, everyone, and welcome. We are so glad you could join us for today’s webinar on risk scoring and reporting. I’m Reina Hawthorne, product marketing manager for all things GRC here at Origami Risk, and I’m joined by Brandon. Hi, everyone. I’m Brandon Thompson. I’m the GRC practice lead here at Origami. GRC, of course, standing for governance risk and compliance. And I’ve prerecorded today’s demonstrations showing you how risk scoring and reporting works in the Origami risk platform. Awesome. But before we jump in, a couple of house keeping notes. First, we are going to have some time at the end of the presentation today to answer a few questions. So as those pop into your mind, please be sure to drop them into the Q and A box. And we are also recording today’s session, and we will be sending that to you all who are here today as well as anyone who wasn’t able to join us. Okay. With that out of the way, Brandon, let’s start with the basement basics. Yeah. So risk management has really changed a lot over the years. It used to be about checking boxes and reacting to risks as they popped up. But today, expect risk professionals to be a bit more proactive to identify potential risks before they escalate and to provide data backed recommendations. Exactly. Exactly. But the challenge is, the challenge is that many teams are still relying on spreadsheets or disconnected systems. I know you talk to these folks every day, Brandon, which really makes it hard for them to get a full picture of their risk, which is where technology like ours, Origami’s, can really change the game for them. And we’re gonna jump into our solution in just a couple minutes to show you a a few ways that it does. But first, I wanna dive into some of the best practice advice for identifying, assessing, and prioritizing risk. Absolutely. So we know that a strong risk management program starts with a structured approach to risk identification, assessment, and prioritization. We can’t deep dive into all the best practices that we would love to recommend in the time that we have today, but here are three key ones to keep in mind. Yep. So first, we want to aim for comprehensive risk identification. So using multiple sources, such as incident reports, employee feedback, expert guidance, to ensure that no risks are are being overlooked, and and then to track the identified risks in a centralized risk register to capture everything consistently, in one place. Yeah. Super important. Second, we would recommend that you standardize your risk assessment criteria. Establish clear scoring metrics and definitions for the metrics that you’re measuring, whether that’s impact, likelihood, velocity, to ensure that you’re comparing risks accurately and consistently across the board. And third, we wanna remember that not all risks are created equal. So we wanna focus on the ones that pose the biggest threat to, you know, your organization’s strategic goals and objectives. And the best way to the best way to identify those risks is to align them with your strategic goals, assess your risk register regular regularly, excuse me, regularly, and diligently review the results so you can adjust priorities appropriately. Awesome. So with those best practices in mind, we’re gonna jump into how Origami Risk can support connecting business objectives and empowering consistent assessments. Absolutely. Let’s, let’s jump in. Okay. So we’re gonna start off on a risk page. So you can see here I’m I’m currently on, my example risk around cyber and IT security. Now at the top of the page, we can see basic details about this risk. Things like a unique number in the background, a short name, the category for this particular risk, a brief description, all common details you’d expect to find about any risk record in your risk register. Now what we wanna do first is we wanna connect this risk to different objects, and we’re gonna we’re gonna use business objectives as an example. Now if I scroll to the bottom of this page, I’ve got a number of different collapsible tables, including one here for objectives, where I can see the objectives that are already associated to this particular risk. And if I want to make changes to this current list, I can just go ahead and click on the manage associated objectives button. But let’s assume that we hadn’t connected this risk to objectives already, and I was starting from scratch. In this example, what I wanna do is click on the more button. And here under the associated, I’m going to look for objectives. And from here, brings me to the same place. I can choose, which objectives I’d like linked to this, particular risk. Now for the sake of example, I’m just gonna go ahead and select an objective here. Let’s say number seven, we wanna become the number one online retailer. That’s our overall strategic goal. And once I’m done selecting, I go ahead and say done. And now, after the page refreshes, I can see my changes have now taken effect. Let me just scroll back down. And now I can see that that objective is now associated with this particular risk. So that’s how easy it is to make those, relationships and connections. And, of course, in Origami, these are bidirectional. So I’m starting at risk and linking out to objectives. I could also start at the objectives library and tie back to risks. And while I’m here, let’s go ahead and initiate a risk assessment. A couple different opportunities here. Number one, if your company is doing risk assessments on a regular cadence such as quarterly or annually, for example, we can go ahead and schedule that as part of an ongoing plan. Or at any point in time, I can come to a risk such as this one, click on the score risk button, and this is going to launch my risk assessment form right here on the screen. Now by default, Origami breaks our risk assessments up between the inherent and the residual. Inherent, you’ll remember, is the way that we measure risk before we factor in any controls or or mitigating activities, and then the residual score takes a look at those same risks after we take into account the controls and mitigations that we have in place. Now by default, we’re measuring, our scores on two dimensions. What is the impact this risk would have on the organization, And how likely is it that that how likely is it that this risk actually occurs? Now measuring this inherently is in the absence of control. So what would the impact be of a cyber attack considering that we have no mitigations or protections in place? Well, as you can see here, that would be considered catastrophic. And by definition, what we mean is a financial risk, or financial impact greater than twenty million dollars. And in terms of likelihood, well, also, probably very likely, maybe even almost certain with the absence of controls. And so you can see here, likely is deemed as a chance between fifty fifty to ninety percent, rate of occurrence. Now everything that you see here on the screen is configurable, so you’ll have the, the chance to define your own labels, your own definitions. You can even expand on these, to include, other areas such as velocity or how well is management prepared for this particular risk. You’ll also notice, the score that I’ve got selected is is being displayed right here real time as well as the previous score, the last time that that this risk was assessed. Those are also configurable settings. You can choose to hide the previous score. You can even choose to hide the current score, if you don’t want your users knowing exactly where, certain thresholds exist. Maybe this is something you only display in reports or in or in dashboards. Again, completely configurable, entirely up to you and your organization. Now let’s say that we’re gonna leave our inherent score alone, and I’m gonna scroll down here to look and focus on the residual score. Now because the residual score takes into account the controls and mitigations, any controls that you’ve mapped to this risk record will automatically show up here on the screen when you’re performing your risk assessment. And if you’re using Origami to test the effectiveness of those controls, even if it’s a different team altogether that’s doing the evaluation of the those controls, you’ll be able to see that latest testing result here. So you’ll be able to factor that information in for how well are my controls currently performing in terms of mitigating this overall risk. The same thing can also be true for any indicators, Any key risk indicators, any key performance indicators that you’ve mapped, those will also automatically show up when you’re performing the risk assessment. And as you can see here, not only do I see what target values we’re after, I can see the current values. And if those are exceeding, intended thresholds, I’ll also be able to quickly identify those as well. Now let’s say in this example, the fact that, you know, one of my controls is ineffective, one’s only partially effective, my KRIs are all signaling warnings and and, critical thresholds being breached. This makes me wanna increase my residual score just a little bit. So I can come up here and make a new selection. And what you’ll see is as I’m making my selections, the numerical score is then changing real time. And then anytime I cross a threshold is when the color is gonna change, the label is gonna change. And, again, these are all things that your organization will have the ability to define. Finally, I have the ability to capture additional details on my risk assessment, maybe that don’t contribute to the overall score for this particular risk. In this example, I’ve got a comment box. Maybe I wanna capture something like, what’s the rationale? Why did I score this particular risk the way that I did? And now I’ve got that, captured here in the comments in case anybody questions my my scores later. When I’m done, I can click on the complete button, and that will submit my my risk assessment, either, finalize it or in the case of workflow, submit this, for the next step in the workflow. So as you can see, it’s not just a static risk register. You can dynamically update, risk factors, easily apply your scoring methodology, and then instantly see how your results compare to, to previous sessions. Yeah. Absolutely. A a step up from spreadsheets for sure. And what we think this means is that risk professionals can focus their efforts where it matters the most, rather than getting bogged down. Now that you’ve got all of your scores risk or your risks scored and aligned, the next step is to make sure that leadership has the right insights. So let’s jump to talk about reporting. Of course. We know that having the data is one thing, but knowing what to do with it is a completely different story. And leadership doesn’t have the time to to, you know, sift through all the the raw data. They need clear visual insights, and that’s where, some of this reporting, can really come into play. Exactly. And that’s why reporting and dashboards are so critical. Instead of spending hours building reports manually, Risk teams need access to automated dashboards that present key risk key results and risk indicators. And this seems like a perfect time to look at how that works in Origami, so let’s jump into the software again. So now let’s take a look at the dashboards in Origami. Dashboards are considered landing pages for users. So when you first log in, this is the kind of information you could be presented with depending on your role and and level of access. Dashboards tend to be very informative. Lots of different styles of charts and graphs, tables displaying the data in a variety of meaningful ways. And these can be configured either for a group of users to share a common dashboard or even each individual user customizing and using a dashboard that’s been personalized for their own use. Dashboards also tend to be very interactive. So you’ll notice here at the top, I’ve got some KPI cards with highlights of information. Here, for example, I can see which risks are currently, identified as above tolerance level. If I go ahead and click on that number, it’s gonna open up a new page that takes me right out to that list of thirty nine risks that are above, risk tolerance. I can also zoom in on information. So here, for example, if I were to click on one of the numbers in the pie chart that I’m sorry. In the heat map, that’s gonna let me know what risks exist in that particular cell in the heat map where I can then click on the risk name to be taking more information about that particular risk, but I can also expand this to full screen mode. And then what I’ll see is a listing of all the risks that have been assessed in the order that they’ve been risk ranked. Individual sections of a dashboard such as this can be shared by clicking on the more button and maybe exporting to PDF, but I also have the ability to share the entire dashboard also as a PDF document. I can even add a schedule to this if this is something I wanna routinely send out to, let’s say, folks in leadership positions. Maybe once a month, I just want them to see, a dashboard that they can review without having to ever log in or or be users of the system. There’s different styles of dashboards. So let’s say this one for the risk champion, this is more of an oversight view of all the related activities that I have ongoing, whereas an individual risk owner within maybe has a dashboard more like this, bit more focused just on the tasks that they have on their plate to perform. Making changes to dashboard is easy. I can click on the edit dashboard button here at the top, and that will take me into an editable mode where I can then make changes. I can move things around. I can change the overall look and feel of the page. I can get rid of different widget widgets. Really easy to make changes to the dashboard and configure it to meet your specific needs. Dashboards can also be used for a variety of different information. So, where I was just looking at, enterprise risk data, now I’m looking at a particular type of compliance data. I can jump into a dashboard specific to key risk indicator metrics. So the possibilities really are endless for the different types of data that you can display on dashboards. You can also have a mix of information. Maybe I want claim data mixed together with risk data, together with safety information. It’s really up to you. In addition to dashboards, we also have standard style reports. So Origami comes preconfigured with a number of different templates that you can use. You can also create your own reports ad hoc from scratch, and reports can either be run directly in Origami or we can export into different formats like PDF, Word, and Excel. If I go ahead and click on this report name, and I’m just gonna say run report, I’m gonna run this report directly in the system. This just takes a moment to load. But as soon as this report comes back, what this report is gonna show me is for each risk in my risk register, how is that risk doing, and how are the associated controls for that particular risk doing as well. So let’s just scroll down a little bit here. So here we can see one of my risks is around anti money laundering. I can see who’s responsible for that risk, how it’s been categorized. Here, how is it doing from an inherent score perspective, a residual score perspective. And then for this risk, I can see there’s a number of different controls. And for each of those controls, who owns them and when were they last evaluated and then how are they doing. Now the nice thing about running these reports directly in Origami is these then become clickable links. So if I wanna learn more about a particular record, I can simply click on it, and I’m taken right out to that, particular risk in the risk register. Yeah. So I I think you could see it’s it’s really powerful with just a few clicks. You can filter the data, generate reports, and then share those insights back with your leaders. Yeah. And that not only saves risk teams time, but it also ensures decision makers are getting the most up to date insights into your programs. And that reminds me of something you said the other day, Reina. Do we have a few minutes to dive into your favorite part of the solution? I think we do. My favorite part of our solution is the automation that we can build into tracking KRIs and KPIs, and I think that’d be a perfect thing to show today. Perfect. Then let’s jump in. So now let’s take a look at KRIs or key risk indicators, those early warning metrics, that can be associated directly with our risks and our risk register. Now so I’m back on that cyber risk example. And if I go ahead and scroll down towards the bottom, you’ll see I’ve got a section here on indicators, and let’s expand that. And because this is a cyber related risk, I’ve got a number of different IT related indicators that I’m curious about. And let’s use this bottom one as an example. We wanna know what percentage of our employees are able to pass an internal email phishing test. You know, the one where IT sends you a link in an email. You’re not supposed to click the link. You click it anyways, and then you get dinged. Probably have to take additional training. Well, that’s an important measure for us because the more, of our employees that can’t pass that test, the more exposed we are to a potential cyber event. Our target value is eighty five, so we expect at least eighty five percent of our employees to be able to pass that test without clicking the link. We are currently only at seventy four percent, which is why this is showing up as yellow in the warning. And if I go ahead and click on this, we’re gonna be able to see a bit more details about this particular, key risk indicator. At the top, we have a brief description about why this measurement is important to us in in the first place. We can track who is an owner or responsible for this particular metric, and this example may be somebody from IT. Here’s where we can set what our, identified target value is. And then down below is where we can set increasing and decreasing thresholds. Well, it wouldn’t make sense to have an increasing threshold in this in case because the higher that number is, the closer to a hundred percent we get, the better. So we don’t care how high it goes. We really only care when it starts to dip. And down here for decreasing thresholds, we’ve set a couple of them. Number one, at seventy five percent, once we drop below that number, this metric will be flagged in yellow with a warning rating. The system will also email us a notification letting us know, hey. This, KRI has dropped below this initial threshold. And then we’ve got a second decreasing threshold set at sixty five percent that will mark this in red and a warning label of critical. And in addition to sending that email, Origami will also create an issue so that there’s an open record in the system that remains open until we explain how we got there and and closed it out. Now in terms of getting these values into the system, there’s a a couple different ways we can go about that. Number one, this can be manual data entry. So maybe once a month, for example, the system can send an email link reminder out to somebody, say, hey. What are the current metrics? And those can get populated, manually. We could also, via integration, pull this information in from another system. Let’s say, for example, this is being maintained somewhere in, say, ServiceNow, and we wanted to pull that information from ServiceNow into Origami, we could automate that, via integration, and then we would only be notified, when a threshold has been breached. So a great way to use, to track this information and also to, like I said, have an early warning system for risks that maybe we’re more concerned about. Awesome. I absolutely love that part of origami. So to recap what we’ve talked about today, modern risk professionals need tools that go beyond just tracking their risk. They need standardized scoring, executive ready reporting, and streamlined workflows and automation. Exactly. And we’re just about to open it up for questions. So make sure you’ve got those into the q and a box. I I seen a couple, and in fact, another one just popped up. So if you’d like to see more or explore how Origami could support your risk management goals, there’s gonna be a short quiz after this webinar. Just fill that out, and and someone will reach out to you to schedule a a more personalized demo. Yes. We would absolutely love to chat with you. But let’s jump into the questions. The first one I see is let’s see. When compared to other GRC platforms, what are the unique offerings that Origami provides? Brandon, you wanna take that one? Yeah. And great question. Love getting this one. So I think when you just compare, you know, kind of features against features, you’re gonna notice there’s a lot of similarities across the the different GRC platforms that are out there. But what really makes Origami unique is we really cover the full breadth of of risk management. So in addition to just our GRC platform, we also have our Rimus platform where you can capture your your incidents, your claims, your insurance policies, so all of the insurable side of risk. We also have an environmental health and safety platform for capturing safety related incidents and hazards and lockout tagout and that kind of thing. So being able to to see that full picture all in one software platform with every user kinda coming in from their own perspective, but then seeing the impact that their data has across the whole organization. I I think that’s the the the really powerful part of of Origami. It allows you to do analytics in a way that, other vendors simply can’t do because they don’t have that same information, captured in their system. Yeah. Absolutely. We say we cover the entire scope of true enterprise risk because you’re looking at all of your insurable stuff, all your enterprise stuff, and even all of your safety stuff. And it really lives in one data center. So like Brandon pointed out in the first demo, think, you can compare your claims data directly to your enterprise data in one place because it’s all in the same same back end. Alright. I see, another question. This one’s from John. He’s asking how customizable is the risk scoring model? Like, can we adjust the weighting of different risk factors to fit our program? Yeah. Absolutely, John. It’s it’s completely, configurable. You can define, your own unique, scoring methodology and approach. In regards to the weighting, there’s a a few different options that you have there. So for example, let’s say we took something like impact and we wanted to break impact out across what’s the financial impact of the organization, the reputational impact, the legal impact. You could do something like, say, I wanna take the average of those three different impacts and make that my overall impact score. You could say, I wanna take the high watermark. So any one of those, whether it’s financial, reputational, I think I said legal, whichever one of those is the highest, make that my impact score. Or to your question specifically about weightings, we could even do something that where, like, financial impact is worth thirty percent of the overall score, reputational impact is worth forty percent, and then legal is worth, you know, the remaining thirty percent there. So really entirely up to you. And the nice thing too is the the methodology is flexible and adaptable over time. So as your program grows and evolves, as new best practices come out, we’ll be able to to keep up with those as well. Awesome. Yes. Origami risk, I think we’re we’re pretty well known for being very configurable. Our goal is really to match your program with our software, not make your program adjust to fit our software. If I said that correctly, I think. Okay. So we have another question. Let’s see. Can you schedule or automate, the leadership reports? I guess sending those out on a KEDEX. Absolutely. You you can. Both the the dashboards can be scheduled, to be sent out, as well as the reports. Now, the dashboards, because they’re very drillable and you can, you know, click into different charts and and be brought to other things, you lose that ability to drill down if you send the dashboard out as a PDF document. It really just looks like exactly how it looked on the page. So you miss some of that that drill down capabilities, but you can absolutely schedule those and send those out on a regular cadence. Doesn’t even have to be users. You can send that to any email address or or distribution list. And for the reports, you can also schedule those to be sent out automatically, and those can also be bundled. So let’s say, for example, I’m sending, you know, a director five reports every month for his or her area of the of the business. I can either send that as five unique, emails and and reports get attached, or I can just bundle all that together in one, so that they’re not getting a a a bunch of email address or a bunch of emails every, every month. Sounds very helpful. Great question. It looks like we have time for maybe just one final question, and here’s a good one. We had a question. So we mentioned the IRM capabilities, and we have an attendee who’s asking, how does the platform support EHS, and is this solution showcase exclusive to So, yes, this is a solution webinar focused on our solution. But, Brandon, do you wanna talk a little bit maybe about the connection between and EHS? Yeah. In fact, we we see a number of, kind of connection points, and I I think the most common one is, enterprise risk management is all about capturing risks that are gonna have an impact on strategic goals at an enterprise level. You know, supply chain disruption, cyber attacks, you know, natural disasters, pandemics, the really, you know, big kind of risks. Whereas, environmental health and safety tends to focus on a much more kind of granular hazard based level. You know, somebody can, you know, trip over that that cord in the middle of the floor or, you know, there’s a you know, there’s wet there’s wet floors where people just mopped in the lobby, something along those lines. But the idea behind it is very similar. I want to understand what can go wrong. I want to understand how impactful that hazard, that risk can be, and I wanna track what are my mitigations. What are the controls or the action plans or the treatment plans that I’ve put in place to address those? So a lot of similarities between enterprise risk and and environmental health and safety. And like I said before, the nice thing is being able to map all of that together. So I may even be able to take a collection of those safety hazards, you know, people injuring themselves, getting hurt in the workplace, that kind of thing, maybe I roll all that up to an enterprise risk around employee safety. And that ties back to one of my strategic objectives of not having any, you know, workplace accidents or or something along those lines. So that ability to connect all that together in the system, like I said before, is one of the the the main aspects of of, how powerful the platform is, and that’s one of the differentiators for Origami. Yeah. Awesome. I love that example, Brandon. And on a more technical side of things, we have a full suite of EHS solutions that you can pick what you need for your organization and a full suite of GRC solutions. And it’s like we talked about in the IRM, the integrated risk management being IRM, section of the conversation earlier. Those are built on the same platform of code, so they talk to each other as Brandon shared kind of very seamlessly. So we would love to show you both of those if you want to reach out and answer our survey that and sharing that you’re interested in that. Okay. So that’s that’s all the time we have today. You so much for joining us, and thank you for all of your really great questions. Remember that if we didn’t get to your questions today, we will be following up by email, So look out for that. And if you’re interested in connecting with our team, with a for a personalized demo, please fill out the short for short survey, following the webinar, and we will be sure to reach out. Thank you so much.