Risk, Risk Instance
The iGrafx Platform has two types of risk objects: Risk and Risk Instance.
A Risk object is usually the abstract "catalog item", whereas the Risk Instance is the actual manifestation of a Risk in your enterprise architecture. You can map top-down by building the catalog of Risks and then relating them to the actual Risk Instances, which are used to measure the actual risk on an actual object. Or you can start bottom-up by identifying the risk on an actual object (i.e. a process or activity) and then assigning it to a Risk in your risk management system or catalog.
A Risk object can be created only within the Risk Catalog folder and can be decomposed by creating a Risk under an existing Risk. A Risk Instance object can be created almost anywhere in the repository tree, but it can't be decomposed further or have any other objects below it.
A Risk can have relations to multiple Risk Instances and can be a risk for multiple objects (i.e. processes).
A Risk Instance can only be an instance of one Risk and only be a Risk for one object (i.e. process).
Create Risk and Risk Instances
Add a Risk
To add a Risk to the Risk Catalog, do the following:
- Navigate the Risk Catalog folder to the object to which you want to add a Risk
- Click the text of an enterprise object to highlight the object
- Click the ADD OBJECT button at the top of the repository tree
- Click the Select drop-down and choose Risk
- Define the Details as desired
- Click FINISH
Add a Risk Instance
- Navigate the repository tree to the object to which you want to add a Risk Instance
- Click the text of an enterprise object to highlight the object
- Click the ADD OBJECT button at the top of the repository tree
- Click the Select drop-down and choose Risk Instance
- Define the Details as desired
- If you create a Risk Instance as a child of a Risk, then an Instance of Risk relationship is automatically created to the Risk you created the Risk Instance under. The relation can be changed during object creation or afterwards in the RELATIONSHIPS tab. You can add a relationship to any other repository object while creating the Risk Instance.
- If you create a Risk Instance as a child of a non-Risk repository object, then a Risk For relationship is automatically created to the object you created the Risk Instance under. The relation can be changed during object creation or afterwards in the RELATIONSHIPS tab. You can add a relationship to a Risk from the Risk Catalog while creating the Risk Instance.
- Click FINISH
Configure Risk and Risk Instance settings
Both Risk and Risk Instance objects have the settings discussed below.
Risk Instance Type
Risk and Risk Instance objects must have a type. The available options can be defined by your administrator.
Data Type
The Standard data type is the most frequently used data type and derives the initial risk value through a matrix of Impact and Likelihood values.
The Value data type is less frequently used and can contain any value without the ability to derive it from a matrix.
Risk Categories
A Risk or Risk Instance can have multiple categories. The available options are the same for Risk, Risk Instance, Control and Control Instance objects. The purpose of this categorization is to make sure that mitigating controls overlap all categories a risk is assigned to. If they don't match, a warning indicator is displayed on the object's main tab or on the risk summary of the object the risk is assigned to.
Financial Impact Unit
The unit of the values entered on the Data tab for the financial risk of a risk assessment.
Risk Data
All risk data information provided here assumes that the Standard data type is selected in the risk settings.
Data entry and history
You can add current and historical risk values. The values selected for impact and likelihood will derive the initial risk value, which is displayed on the same page. For more information on initial / inherent / residual risk values, see Residual Risk Calculation.
Current Risk Value
On the main tab of a Risk or Risk Instance, click the down arrow of the Risk section to display current risk values.
Risk Data Points with Date values later than the current date are not displayed on this tab. Only the most recent historical data is displayed. The basic math on this page is:
[Current Inherent Risk Value] - [Combined Controls] = [Current Residual Risk]
See Residual Risk Calculation for detailed information on how the values are calculated.
The above screenshot also shows a warning icon next to the Residual Risk Value. Click the icon for an explanation of the Risk categories that are not addressed by the associated Controls. For example, if you categorized the Risk as Financial and Operational, then the assigned controls should cover all of those categories and not only a subset.
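The display rule, the subtraction and the category warning described above can be modeled in a few lines. This is an added illustration, not iGrafx code: the class and function names, the sample data, and the use of a plain sum for [Combined Controls] are assumptions (the product's own combination method is documented under Residual Risk Calculation), and the inherent value is taken as already derived from the Impact/Likelihood matrix.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class DataPoint:
    when: date
    inherent: float  # inherent value, assumed already derived from the matrix

@dataclass(frozen=True)
class Control:
    name: str
    categories: frozenset
    rating: Optional[float] = None  # None: no control rating defined

def current_point(points, today):
    """Most recent data point that is not dated after `today`."""
    shown = [p for p in points if p.when <= today]
    return max(shown, key=lambda p: p.when) if shown else None

def uncovered_categories(risk_categories, controls):
    """Risk categories that none of the assigned controls addresses."""
    covered = set()
    for c in controls:
        covered |= c.categories
    return set(risk_categories) - covered

def assess(risk_categories, points, controls, today, combine=sum):
    """Return (residual, uncovered). `combine` is an assumed stand-in for
    the product's own way of combining control ratings."""
    gaps = uncovered_categories(risk_categories, controls)
    point = current_point(points, today)
    if point is None:
        return None, gaps  # nothing to display yet
    # Only controls with a defined rating reduce the risk value.
    combined = combine(c.rating for c in controls if c.rating is not None)
    return point.inherent - combined, gaps

# Constructed sample data (not taken from the product).
TODAY = date(2024, 6, 1)
POINTS = [DataPoint(date(2023, 1, 10), 12),
          DataPoint(date(2024, 3, 5), 16),
          DataPoint(date(2025, 1, 1), 20)]  # future-dated: not displayed
CONTROLS = [Control("Invoice review", frozenset({"Financial"}), 5),
            Control("Vendor policy", frozenset({"Financial"}))]

if __name__ == "__main__":
    residual, gaps = assess({"Financial", "Operational"}, POINTS, CONTROLS, TODAY)
    print("residual:", residual, "uncovered:", sorted(gaps))
```
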
The expanded Risk section also displays details of how the Residual risk is calculated:
Relationships
Risk and Risk Instance objects have relationships unique to their object types.
Risk for
In the screenshot example below, the Risk Instance "Defective Goods Produced", has a "Risk For" relationship to the "Manufacture Good" Process which documents the risk of defective goods being produced by the "Manufacture Good" process:
From this page, follow these steps:
- Click "Manufacture Good" link
- Choose the main page of the "Manufacture Good" Process
- Expand the Risk section of the main page
This displays Risk Values on the "Manufacture Good" process main page:
In this example, the Risk Instance object is a child of the Process object. This hierarchy, however, is not a requirement and the Risk Instance could be defined elsewhere in the repository if desired.
In the above screenshot, the link icon indicates that the "Defective Goods Produced" Risk Instance has a relationship to an object in the Risk Catalog. This icon indicates a Risk Instance without a Risk Catalog relationship.
Instance of Risk
As mentioned at the top of this page, a Risk object is usually the abstract "catalog item", whereas the Risk Instance is the actual manifestation of a Risk in your enterprise architecture. An organization can start modeling top-down by building the catalog of Risks and then relating them to the actual Risk Instances, which are used to measure the actual risk on an object (i.e. a process or activity). Or an organization can start bottom-up by identifying the risk on an object with a Risk Instance and then assigning it to a Risk in its risk management system or catalog.
Use the Instance of Risk relationship to associate a Risk Instance with its related Risk. From the perspective of the Risk, this is called a Has Risk Instance relationship.
Controlled By
For the Residual Risk Calculation, relationships of this type are the most important. Controls and Control Instances that mitigate risks reduce their risk rating if a control rating is defined.