Risk Shield User Reference Manual Risk Shield Version 5.0 ... - PicNet
Risk Shield User Reference Manual
Risk Shield Version 5.0
5 November 2008
© 2008 PicNet Pty Ltd - All rights reserved www.RiskShield.net
Contents
1 About Risk Shield
2 Risk Shield Concepts and Functions
2.1 Risk Shield Interface
2.2 Risk Shield Hierarchies
2.2.1 About Hierarchical Items in Risk Shield
2.2.2 Company Tiers
2.3 Standard Symbols
2.4 General Functionality
2.4.1 Sorting
2.4.2 Copy/Move
2.4.3 Hierarchy Filtering On/Off
2.4.4 Re-ordering of items
3 Getting Started
3.1 Setting up Risk Shield for your Enterprise
3.2 Setting up Company Structure
3.3 Setting up Risk Shield Users
3.3.1 Adding New Users
3.3.2 Assign Access Levels
4 Administration Module
4.1 System Administration
4.1.1 Alerts Settings
4.1.2 Clean Up Admin Lists
4.1.3 Companies Details
4.1.4 Company Structure
4.1.5 Control Efficiencies
4.1.6 Control Mitigation Strategies
4.1.7 Deleted Entities History
4.1.8 External Users
4.1.9 Home Page
4.1.10 Import Data
4.1.11 On Demand Account Details
4.1.12 User Administration
4.1.13 User Rights
4.1.14 Access Rights
4.1.15 Changing Risk Shield Users Password
4.1.16 Searching for Users
4.1.17 Work Flow States
4.2 Administration – Register
4.2.1 Categories
4.2.2 Controls
4.2.3 Risk Criteria
4.2.4 Risk Matrix Component
4.2.5 Risk Matrix Ratings
4.2.6 Risk Status
4.2.7 Risk Work Flow Settings
4.3 Administration – Hazards
4.3.1 Hazard Categories
4.3.2 Locations
4.4 Administration – Threat Risk Analysis (TRA)
4.4.1 Threat Security Concerns
4.4.2 Threat Matrix Component
4.4.3 Threat Matrix Threat Ratings
4.4.4 Criticalities / Threats / Vulnerabilities & Asset/
4.5 Administration – Emissions
4.5.1 Emissions Types and Factors
4.5.2 Country / State
4.5.3 Thresholds
4.6 Administration – Advanced Risk Analysis (ARA)
4.6.1 Casual Pathways
4.6.2 Categories
4.6.3 Contributing Factors
4.6.4 Controls
4.6.5 Emergency Responses
4.6.6 Measures
4.6.7 Risk Criteria
4.7 Administration – Incidents
4.7.1 Authority Reports
4.7.2 Consequences
4.7.3 Estimates
4.7.4 Incident Severities
4.7.5 Incident Types
4.7.6 Incident Work Flow Settings
4.7.7 Injured Body Parts
4.7.8 Injury Types
4.7.9 Locations
5 Risk Register Module
5.1 Controls Sub Tab
5.2 Analysis Sub Tab
5.3 Actions Sub Tab
5.4 Work Flow Sub Tab
5.5 Attachment Sub Tab
6 Hazard Module
7 Work Plan Module
7.1 Work Plan Sub Tab
8 Threat Risk Analysis Module
8.1 Threats Sub Tab
8.2 Vulnerabilities Sub Tab
8.3 Risks Sub Tab
9 Emissions Management Module
9.1 Actions Sub Tab
9.2 Attachments Sub Tab
9.3 Risks Sub Tab
10 Incidents Module
10.1 Incidents Sub Tab
11 Advanced Risk Analysis Module
11.1 Bow Tie Diagram
12 Actions Module
13 Reporting
13.1 Integrated Analytics Report
13.1.1 Risk Profile Summary (Monte Carlo)
13.1.2 Repetitive Risk Analysis – Summary
13.1.3 Register Risk Summary at a Glance (Weighted)
13.1.4 Register Risk Summary (Weighted)
13.1.5 Register Risk Detail
13.2 Register Reports
13.2.1 Register Summary at a Glance
13.2.2 Register Summary
13.2.3 Register Detail
13.2.4 Register Controls
13.3 Hazards Reports
13.3.1 Hazards Summary
13.3.2 Hazards Details
13.4 Work Plans Reports
13.4.1 Work Plans Summary at a Glance
13.4.2 Work Plans Summary
13.5 TRA Reports
13.5.1 TRA Summary at a Glance
13.5.2 TRA Asset List
13.5.3 TRA Threat / Vulnerability List
13.5.4 TRA Detailed Report
13.6 Emissions Report
13.6.1 Emissions Summary at a Glance
13.6.2 Emissions Summary
13.6.3 Emissions Detailed Report
13.7 Incidents Reports
13.7.1 Incidents Summary Report
13.7.2 Incidents Detailed Report
13.8 ARA Reports
13.8.1 ARA Summary Report
13.8.2 ARA Detailed Report
13.8.3 ARA Actions & Emergency Response Report
13.9 Actions Reports
14 Risk Management Glossary
15 Risk Shield Introductory Videos
16 Risk Shield Pocket
1. About Risk Shield
Risk Shield provides a comprehensive risk management solution for your enterprise. It has been designed to assist risk managers in the assessment of all aspects of risks: their severity, potential impacts and consequences.
Risk managers can access and utilise Risk Shield’s core functionality through a standard web browser. Some functions however require the following applications to make full use of Risk Shield’s functions:
Application        Required For                          Reference
Microsoft Excel    Business Impact Analysis templates    Section 4.7
Microsoft Visio    Bow-Tie diagrams                      Section 11.2
About this manual
This manual is targeted towards helping risk managers to understand and utilise Risk Shield’s features. A general understanding of risk management is assumed.
There are two main components to this manual:
• An overview of Risk Shield’s concepts and functions (Section 2)
• A brief “Getting Started” guide (Section 3)
• Details of Risk Shield’s features (Sections 4 to 14)
In addition, there is an extensive risk management glossary (link) in Section 15.
2. Risk Shield Concepts and Functions
Risk Shield is a modular application. It offers a core suite of functionality, onto which you can add various modules in accordance with your enterprise’s needs. Each major function or module has its own tab in the Risk Shield interface. The image below shows the full collection of Risk Shield tabs, with all optional modules loaded.
2.1. Risk Shield Interface
Function/Tab          Description
Home                  Links to news and key links
Register              Lists all risks
Hazards               Risk associated with particular hazard
Work Plans            Risk associated with projects or processes
TRA                   Threat Risk Analysis
Emissions             Carbon Risk Management
Incidents             Incident Management
Adv. Risk Analysis    Advanced Risk Analysis and Bow Ties
BCP                   Business Continuity Planning
Actions               Action Management
Reports               Reporting
Admin                 Administration
The structure of this document largely follows the sequence of tabs in the interface, except that the Admin module is discussed first.
2.2. Risk Shield Hierarchies
Most enterprises are hierarchical entities and Risk Shield accommodates these structures within its design in various ways. There are general rules for the treatment of hierarchical items within Risk Shield, as well as explicit recognition of company tiers within the interface.
2.2.1. About hierarchical items in Risk Shield
There is one general rule here:
An entity must have a unique name within its parent.
For example, a risk must have a unique name in its company tier or step (if in a work plan). A control must have a unique name in the parent risk.
Illustration: “Shortage of staff” is a risk allocated to the Department of Mathematics in the Faculty of Science. The same risk name (“Shortage of staff”) cannot be repeated in the same Department of Mathematics; however, it can exist under the Department of Physics, also belonging to the Faculty of Science.
Remember:
• A Control must be unique within a risk.
• A Work Plan, like risks, must be unique within the same tier.
• A step name must be unique within a Work Plan.
• A risk must be unique within a step in a Work Plan.
• An Incident name must be unique within the same tier.
2.2.2. Company Tiers
Risk Shield supports the hierarchical aspect of enterprise structures through “company tiers”. Company tiers represent the enterprise’s organisational structure from a risk-management perspective. As a rule this perspective closely corresponds to the enterprise’s standard organisational charts.
Users can enter items to any company tier, subject to their security rights.
Most Risk Shield items allocated to a higher Tier are available to the lower Tiers.
Once the appropriate company tiers have been established for your enterprise, the user adds each risk, Incident, Work Plan, etc. to a specific company tier as the entity is created. The company tier is selected from the top bar, just below the main system tabs, as illustrated below.
Click on the downwards pointing arrow on the left of the drop-down menu to display all the items already entered in the enterprise.
Click on the label (e.g. Select Business Unit) on the right of the drop-down menu to select a specific layer of that tier.
Then, depending on how many tiers are defined for that company, and depending on the user rights, the user can continue selecting the specific tiers and layers to which the items being entered are allocated.
2.3. Standard Symbols
The following symbols are standard across Risk Shield.
Description
Add an item.
Copy or move (clone) items from one company layer to another.
Open in a new browser.
Open/Save to an Excel file.
Saves the information on the screen.
Spell check.
View the changes made to a risk or incident (History or Audit trail).
Print a risk, incident or other major component.
Cancel any changes made / go back to a main page (not necessarily the same as a browser’s back button).
A “red asterisk” indicates that the field is compulsory.
Add new items to a list.
Search for an item.
Set the recurrence schedule of an action.
Turn hierarchy filter on.
Turn hierarchy filter off.
2.4. General Functionality
All Risk Shield pages inherit a number of standard behaviours, as described below.
2.4.1. Sorting
All summary pages will display lists of items, e.g. lists of risks, incidents, etc. All lists can be sorted by pressing the top heading.
A column in a list can be unsorted, sorted ascending or descending.
A list can only be sorted by one column at a time.
When sorting by a certain column containing multiple items containing the same name, these items are not subsequently sorted according to any other column.
2.4.2. Copy/Move
To copy/move items from one layer to another, drag them.
To copy/move multiple items, select the parent to copy or move all the items below that parent.
Control-click to select multiple alternative items, or shift-click to select multiple continuous items.
Make sure that the appropriate radio button (Copy/Move) is selected before performing the action.
2.4.3. Hierarchy Filtering On/Off
To turn the hierarchy filtering on/off within an entity list, simply click on the icon to apply the filtering or click on the icon to remove the filtering.
2.4.4. Re-ordering of items
When re-ordering items on the list, the item is inserted and the numbering of the entire list is re-ordered, rather than just swapping the numbering of the items.
3. Getting Started
3.1. Setting up Risk Shield for your Enterprise
Your Risk Shield consultant will set up an administrator account, which you can then use to set up Risk Shield for your enterprise.
To help you get started, Risk Shield Templates, Default Risk Matrix and Severities, Register Risk Status, BIA Templates, Control Efficiencies and Mitigation Strategies have been set up by default by Risk Shield. These items can still be modified by the Administrator to suit the company’s preferences.
Some items still need to be set up, however. The following items need to be set up initially by the Administrator to be able to start using Risk Shield Enterprise:
• Company Structure
• Users
3.2. Setting up Company Structure
Company Structure allows for the creation of company tiers according to the structure that a company wants to follow. Risk Shield allows for an indefinite number of tiers and layers of tiers.
For example, the first tier could be the company’s divisions, Tier 2 could be the business units within the specified division, Tier 3 could be a functional department, etc. This allows for better management and grouping of the risks and incidents being entered.
A risk or incident can be allocated to any company tier. A company tier can have a “weight” allocated to it. This weight allows increasing or decreasing the relative risk rating of an assessment on the Integrated Analytics “weighted report”.
A tier can also be an activity or a project, whatever the user would like to define as a position or location to store risks, incidents, work plans, etc.
A company tier can also include the number of employees of that tier. This optional value is used in the Advanced Risk Analysis module.
The following figure displays a simple example of a company structure:
3.3. Setting up Risk Shield Users
3.3.1. Add New Users
To add a new user, click on the Admin tab, then Risk Shield Users. In the form that follows, enter the details for the new user, and click on the icon. All fields in this form are mandatory.
3.3.2. Assign Access Levels
You will then assign access levels to the user in the following screen.
The company tiers are displayed on the left of the screen: select the appropriate level for this user. Users should be assigned to the highest possible Company Tier that they will have access to. Unless access is removed, the user automatically gets access rights to all the lower Tiers (children).
• Click on System Administrator to give the user access to the Admin tab.
• Click on Enterprise Access Level to give the user complete access across the enterprise.
These access levels are explained in greater detail in Section 4.1.14.
4. Administration Module
The Administration Module helps the user manage the system. Here the user can manage the appearance of the home page, set users’ access levels, set up the structure of company tiers and much more. The main Administration module screen is depicted below.
4.1. System Administration
4.1.1. Alerts Settings
The Alerts / Notifications section allows users to set notices and alarms in the form of emails on the creation, update, and deletion of items within different modules. Alert settings may be configured for Actions, Risks and Incidents.
On Create/Update/Delete: This user will receive alerts of all Actions, Risks or Incidents created in the specified Company Tier.
Action Alert Settings also include the following configurations:
On Close: This user will receive alerts of all Actions, Risks or Incidents closed in the specified Company Tier.
On Expire: This user will receive alerts of all action expiries (due date reached) in this Module in the specified Company Tier.
The user may also select a set of conditions or controls so that only specific changes within an item will prompt an alert. More than one control may be selected by holding down the control key on the keyboard while selecting.
Risk Shield will also send a Notification in these situations:
• When a User or Notifiable User is assigned to a Risk, Control or Action.
• When an action expires/recurs. The person responsible will always receive a notification.
Click on the icon when finished to save all alert notification settings.
4.1.2. Clean Up Admin Lists
At times, when redundant data has been entered and duplicated between different tiers due to the movement and combining of company tiers, it is necessary to remove this duplicated data. Clean Up Admin Lists will search for such data and automatically remove it. This should only be used when a large amount of data has become disordered.
When clean up is selected, the system will keep the duplicated item in the higher tier, hence the item is available to the lower tiers without being duplicated.
4.1.3. Companies Details
This page allows a user to modify specific company details including:
• Company Name
• Trading Name
• Business Number
• Company Description
• Phone
• Address
• State
• Postcode
• Country
4.1.4. Company Structure
The company structure section allows for the creation of company tiers according to the structure that a company wants to follow. Risk Shield allows for an indefinite number of tiers and layers of tiers. These serve as the options in the drop-down list. The main screen shows a list of Company Tiers available within the system.
4.1.5. Control Efficiencies
Control efficiencies are a way of measuring the efficiency of a control or how good the control is. They define the quality of controls.
Examples: Unsatisfactory, Weak, Moderate, Good and Excellent.
4.1.6. Control Mitigation Strategies
Mitigation strategies are decisions to be taken with a risk, including strategies such as Risk Reduction, Transfer, Avoidance, etc.
4.1.7. Deleted Entities History
Deleted Entities History allows a user to view all items which have been deleted. The search tool allows searching for specific items within a specific module, or within a specific date period.
4.1.8. External Users
External Users (EU) are users that can be notified of pending Actions and control responsibilities. These users do not necessarily need to be registered users of Risk Shield.
EU should be allocated to the ‘highest possible’ level in the organisation layers, i.e. if an EU is allocated to a Division, the child Department will be able to see and use the EU.
However, if an EU is allocated to a lower level, say a Department level, the Division above will not be able to see and use that EU.
4.1.9. Home Page
This page allows you to make changes in the “Home Page” section. For example, users may re-order the appearance of the sections in the home page, or add, delete and make changes to Section names. In addition, you can adjust the required security level to view these sections.
A System Administrator can create new sections to post notes, attach documents or indicate links of interest to users of Risk Shield. Each Section can have many items. The order of each item and each section can be determined by the Administrator by altering the order value on the left.
Once a Section has been created, the Section Type (Post, Attachments, and Links) cannot be changed.
4.1.10. Import Data
This page allows you to import data from an Excel or CSV file into Risk Shield. The CSV Expected Format should be followed when organising data within the file to ensure that all data is imported successfully.
4.1.11. On Demand Account Details
This page allows the user to log in to their Risk Shield On Demand account to modify any account information regarding their company.
4.1.12. User Administration
This page allows for the creation of users in the system and assigning access levels to them. It also allows you to edit, delete and clone a user.
A Search function is also available to users to save time in locating a particular user. Users can be searched by their first name, last name and email.
4.1.13. User Rights
System Administrator
System Administrator can add, modify and delete Company Tiers, Users, User Rights, Alert Settings, Assets, Corporate Objectives, Control Efficiencies, Control Mitigation Strategies, the Home Page layout and its content, the Risk Matrix and Incident Severities.
Enterprise Access Level
Enterprise Access Level provides Manager Rights in Risk Shield across all Company Tiers.
4.1.14. Access Rights
Security Level
None: Access to corresponding section is disallowed.
View: User may only view items and entries made in the corresponding section.
Edit: User may add, edit, delete, etc. any items within the corresponding section but may not add new list items (e.g. adding a new control) while entering information.
Manager: User may add, edit, delete, etc. any items within the corresponding section, including list items.
Reporting
Reporting Security is set by using the Reporting Checkbox beside each module.
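
The tier inheritance described in Sections 3.3.2 and 4.1.14, as an added illustrative model in Python (not Risk Shield's own code): it resolves a user's effective security level at each company tier and which list items are usable there. The class and function names are hypothetical, a single module's security level is modelled, and it assumes that the nearest explicit assignment wins, with an explicit None standing for removed access.

```python
from enum import IntEnum


class Level(IntEnum):
    """Security levels from section 4.1.14, ordered weakest to strongest."""
    NONE = 0     # access to the section is disallowed
    VIEW = 1     # may only view items
    EDIT = 2     # may add/edit/delete items, but not add new list items
    MANAGER = 3  # may add/edit/delete items, including list items


class Tier:
    """One node of the company structure (hypothetical helper class)."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def chain_up(self):
        """Yield this tier, then each ancestor up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def walk(self):
        """Yield this tier and every descendant, parents first."""
        yield self
        for child in self.children:
            yield from child.walk()


class User:
    def __init__(self, name, enterprise_access=False):
        self.name = name
        self.enterprise_access = enterprise_access  # "Enterprise Access Level"
        self.grants = {}  # Tier -> Level; explicit assignments only


def effective_level(user, tier):
    """Level a user holds at a tier.

    Assumption: the nearest explicit assignment on the path to the root wins,
    so an explicit NONE on a child models "access is removed".
    """
    if user.enterprise_access:
        return Level.MANAGER  # Manager rights across all company tiers
    for node in tier.chain_up():
        if node in user.grants:
            return user.grants[node]
    return Level.NONE  # nothing assigned at or above this tier


def usable_items(tier, allocations):
    """Names of list items (controls, risk criteria, external users) usable
    at a tier: those allocated to the tier itself or to one of its ancestors."""
    chain = set(tier.chain_up())
    return sorted(name for name, home in allocations.items() if home in chain)


def access_report(user, root):
    """Map every tier name to the user's effective level, for access reviews."""
    return {t.name: effective_level(user, t).name for t in root.walk()}


# Constructed sample data, using the tier names from the manual's illustration.
science = Tier("Faculty of Science")
maths = Tier("Department of Mathematics", parent=science)
physics = Tier("Department of Physics", parent=science)

alice = User("alice")
alice.grants[science] = Level.EDIT   # assigned at the highest tier she needs
alice.grants[physics] = Level.NONE   # access explicitly removed on one child

bob = User("bob")
bob.grants[maths] = Level.VIEW       # assigned low: nothing flows upward

carol = User("carol", enterprise_access=True)

# Constructed control names, each mapped to the tier it is allocated to.
controls = {"Staff rotation": science, "Exam moderation": maths}

if __name__ == "__main__":
    for u in (alice, bob, carol):
        print(u.name, access_report(u, science))
    print("usable at maths:", usable_items(maths, controls))
    print("usable at science:", usable_items(science, controls))
```

Running a report like this per user makes over-broad assignments visible: a single grant at a high tier, or the Enterprise Access Level flag, silently covers every child tier.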
4.1.15. Changing Risk Shield Users Password
To change a user’s password, click on the Username right next to the “Logoff” button as shown below.
Enter the new password and confirm it, then click on the icon when ready to save the changes made.
4.1.16. Searching for Users
By default, Risk Shield displays all the users in the Enterprise.
To search the lists of users saved in the system, simply enter the First Name, Last Name or Email in the search boxes as shown below.
Click on the icon to begin the search.
4.1.17. Work Flow States
This page allows a user to add, edit or delete work flow states when a notification of a specific event has occurred.
4.2. Administration – Register
4.2.1. Categories
A risk may be labelled as being a part of a certain category, and the category list may be defined in this section.
4.2.2. Controls
Define lists of controls that may be applied to any risk. Controls are the mitigation strategies defined to reduce the risk.
Risk Shield Templates are preloaded with many Controls and other items that can save the user many hours of data entry. Below is a list of controls available.
Controls should be allocated to the ‘highest possible’ level in the organisation layers, i.e. if a Control is allocated to a Country, the child State level will be able to see and use that Control.
However, if a Control is allocated to a lower level, say a State level, the Country level above will not be able to see and use that Control.
4.2.3. Risk Criteria
Allows the user to add new Risk Criteria that can be applied to any risk. It also allows changes to the Risk Criteria that can be associated with each risk. You can also change the order of the risk criteria for viewing purposes.
Risk Criteria are also known as Assessment Types, i.e. the dimensions under which each risk is assessed. For instance, REPUTATION could be one Risk Criteria. SAFETY could be another.
A risk assessed for Reputation could have a HIGH rating but a LOW rating from a Safety perspective.
Risk Criteria should be allocated to the ‘highest possible’ level in the organisation layers, i.e. if a Risk Criteria is allocated to a Division, the child Department will be able to see and use that Risk Criteria.
However, if a Risk Criteria is allocated to a lower level, say a Department level, the Division above will not be able to see and use that Risk Criteria.
Care should be taken not to create duplication of Risk Criteria between tiers. The safest mechanism is to allocate the criteria to the highest possible Tier.
The menu label “Risk Criteria” can be customized according to user preference.
4.2.4. Risk Matrix Component
This allows the user to make changes to the Risk Matrix, defining their own Probabilities, Consequences and Ratings. Each item can be defined as a word and a numeric value. The numeric values are used for the semi-quantitative analysis. Ratings can also have a colour associated with them.
To start editing the risk matrix, click on the Admin tab, then Risk Matrix Axis.
The drop-down menu near the top of this screen has three options:
• Likelihood
• Impact
• Risk Rating
4.2.5. Risk Matrix Ratings
This allows the user to make changes to the Risk Matrix Ratings assigned to each risk, overriding the value entered in the axis.
Now we need to apply ratings to the matrix values. To do this, click on the Admin tab, then Risk Matrix Ratings. The matrix values you entered will now display in a matrix.
4.2.6. Risk Status
This allows the user to make changes to the risk statuses that can be assigned to each Risk entered in the system. It also allows the user to edit and delete existing risk statuses in the system.
4.2.7. Risk Work Flow Settings
This allows a user to specify certain settings to notify a user when a specific condition has occurred with regard to a risk.
When adding a new Risk Work Flow Setting, there must be an existing user from the User Administration list in order for the External User list to populate.
4.3. Administration – Hazards<br />
4.3.1. Hazard Categories<br />
This allows the user to create new categories which hazards may be assigned to.<br />
4.3.2. Locations<br />
This allows the user to create new hazard locations and input specific details<br />
concerning them, such as the region and contact person(s) for a specific<br />
hazard location.<br />
4.4. Administration – Threat <strong>Risk</strong> Analysis (TRA)<br />
4.4.1. Threat Security Concerns<br />
This allows flexibility for the user to edit default threat security concerns in the<br />
system or make additions to the list.<br />
4.4.2. Threat Matrix Component<br />
The threat matrix component allows the user to customise the contents and order of<br />
the listings under each component – Capability / Intent / Threat Rating (Labels).<br />
However, users are not allowed to amend the labels.<br />
Amendments made here will be reflected in the following section, 4.4.3.<br />
4.4.3. Threat Matrix Threat Ratings<br />
<strong>User</strong>s are able to customise the threat ratings in each dropdown list as shown<br />
above.<br />
4.4.4. Criticalities / Threats / Vulnerabilities & Asset/Threat/Threat Sub<br />
Types<br />
<strong>User</strong>s are able to populate data under individual sections which will be reflected<br />
in the TRA module for selection.<br />
4.5. Administration – Emissions<br />
4.5.1. Emissions Types and Factors<br />
<strong>User</strong>s are able to customise the Emissions Names, Descriptions, Order of the<br />
tables, Factors values and Input Units.<br />
Screenshot callouts:<br />
• Edit name of table and description<br />
• Change order of the table<br />
• Edit Emissions Factor Value/Input Unit/Factor Unit, or add additional Emissions Factor<br />
4.5.2. Country / State<br />
<strong>User</strong>s are able to add or edit Country and (or) State.<br />
4.5.3. Thresholds<br />
<strong>User</strong>s are able to edit the values of Facility Emission Threshold and Company<br />
Emission Threshold.<br />
4.6. Administration – Advanced <strong>Risk</strong> Analysis (ARA)<br />
4.6.1. Causal Pathways<br />
These are pathways leading to a risk.<br />
In Admin, this item should be allocated at the highest possible tier so it<br />
can be used by the lower tiers.<br />
4.6.2. Categories<br />
A risk may be labelled as being a part of a certain category, and the category list<br />
may be defined in this section.<br />
4.6.3. Contributing Factors<br />
Contributing factors are the influencing factors that may take you to a particular<br />
pathway. This section allows the user to add, edit and delete contributing factors that may<br />
lead to risks happening.<br />
In Admin, this item should be allocated at the highest possible tier so it<br />
can be used by the lower tiers.<br />
4.6.4. Controls<br />
This section is exactly the same as the Administration - <strong>Risk</strong> Register – Controls.<br />
Please refer to Section 4.2 (ii) for more details.<br />
In Admin, this item should be allocated at the highest possible tier so it<br />
can be used by the lower tiers.<br />
4.6.5. Emergency Responses<br />
Allows the user to add new emergency responses which can then be actioned<br />
when a particular risk occurs. It also allows the user to edit and delete existing<br />
emergency responses in the system.<br />
In Admin, this item should be allocated at the highest possible tier so it<br />
can be used by the lower tiers.<br />
4.6.6. Measures<br />
Allows the user to manage a risk by assigning a measure to it.<br />
In Admin, this item should be allocated at the highest possible tier so it<br />
can be used by the lower tiers.<br />
4.6.7. <strong>Risk</strong> Criteria<br />
This section is exactly the same as the Administration - <strong>Risk</strong> Register – <strong>Risk</strong><br />
Criteria. Please refer to Section 4.2 (iii) for more details.<br />
In Admin, this item should be allocated at the highest possible tier so it<br />
can be used by the lower tiers.<br />
4.7. Administration – Incidents<br />
4.7.1. Authority Reports<br />
Provides a list of external authority reports where different fields within that report<br />
may be defined. When an incident is reported and recorded and an authority<br />
report is required, the defined fields within that report are automatically filled.<br />
4.7.2. Consequences<br />
Provide lists of possible outcomes when an incident occurs.<br />
Examples: Customer loss, Death, Downtime, Financial loss, etc.<br />
4.7.3. Estimates<br />
Allows the user to determine the estimated cost and time, or any impact, when an<br />
incident occurs.<br />
Examples: Annual Operating Cost, or Recurring Cost ($), Time lost due to injury<br />
(days), Time required to repair (days), etc.<br />
4.7.4. Incident Severities<br />
Allows the user to define severity levels that are used to determine the severity of<br />
an incident.<br />
Examples: Insignificant, Minor, Moderate, Major and Catastrophic<br />
4.7.5. Incident Types<br />
Provides a list of different incident types that can be used to classify<br />
incidents.<br />
Examples: Environmental, Equipment failure, Illness, Injury, etc.<br />
4.7.6. Incident Work Flow Settings<br />
This allows a user to specify certain settings to notify a user when a specific<br />
condition has occurred with regards to an incident.<br />
4.7.7. Injured Body Parts<br />
Provide a list of all the possible body parts that can be associated with injuries as<br />
a result of an incident occurring.<br />
Examples: Ankle (L, R, Both), Arm (Upper, or Entire L, R, Both), etc.<br />
4.7.8. Injury Types<br />
Provide a list of different injury types that may occur. This list covers both<br />
possible physical and mental injuries that can be associated to the outcome of a<br />
risk.<br />
Examples: Back, External Effects, Multiple Injuries, Open Wounds, etc.<br />
4.7.9. Locations<br />
Defines a list of locations where incidents could occur.<br />
Example: Head Office Building, Street, Information Management Branch, etc.<br />
4.7.10. Root Contributing Factors<br />
Provide a list of contributing factors that may lead to an incident happening.<br />
This helps the company prevent future incidents from occurring if these<br />
factors are taken into consideration in the future.<br />
Example: Careless, Fire Allowed, Gas Available, etc.<br />
4.7.11. Signatories<br />
Provide a list of all the users who are authorized to sign off the investigation.<br />
Example: Manager, Supervisor, etc.<br />
4.7.12. Treatment Providers<br />
Provide a list of treatment providers available for the company to use in case an<br />
incident occurs.<br />
Example: Ambulance, Cardiac Rehabilitation, Dialysis Centre, etc.<br />
4.8. Administration – Business Continuity Plan<br />
4.8.1. BIA Templates<br />
This page allows an administrator to upload a selection of templates that will then<br />
be used by users to create their Business Impact Analysis. This helps the company<br />
obtain all the necessary information when creating a Business Impact Analysis.<br />
<strong>Risk</strong> <strong>Shield</strong> templates provide at least three templates that a company<br />
could use, one for IT, one for a Service Unit of any company and one for<br />
Manufacturing.<br />
The Administrator may customize and reload these templates or add new ones.<br />
To create new BIA templates, use Excel and save the template in XML<br />
format, before uploading it to <strong>Risk</strong> <strong>Shield</strong>.<br />
5. <strong>Risk</strong> Register Module<br />
<strong>Risk</strong> Register is the base module in <strong>Risk</strong> <strong>Shield</strong>. At first it displays all the risks saved in<br />
the system as shown below. The user can add new risks to the system. <strong>Risk</strong> name and<br />
the person who identified it are mandatory fields. The rest, such as <strong>Risk</strong> Description, Person(s)<br />
Responsible and other fields, are optional. It also allows the user to edit and delete any<br />
risks saved.<br />
5.1. Controls Sub Tab<br />
This tab provides a list of controls that could be applied to the risk. Controls are the<br />
mitigation strategies defined to reduce the risk.<br />
<strong>Risk</strong> <strong>Shield</strong> Templates are preloaded with many Controls and other items<br />
that can save the user many hours of data entry.<br />
5.2. Analysis Sub Tab<br />
This section is used to analyse a risk within its “analysis context”. The context of the<br />
analysis is entered and the probability and consequence for each of the risk criteria are<br />
selected, resulting in the risk rating as per the risk matrix. This analysis should be<br />
done for the inherent risk (current) and for the residual risk (after applying the<br />
controls).<br />
5.3. Actions Sub Tab<br />
This tab provides a list of Actions or tasks that need to be done. Each action can be associated with<br />
any user, and its status, priority and due date can be set accordingly.<br />
5.4. Work Flow Sub Tab<br />
This section lists any previous and current work flow notifications for the current risk.<br />
Notifications may be accessed, edited and accepted or rejected here. All work flow<br />
notifications for the specific risk are retained even when completed.<br />
5.5. Attachment Sub Tab<br />
<strong>Risk</strong> <strong>Shield</strong> uses its own technique to attach files or URLs to its system.[1] The<br />
maximum size allowed by the standard <strong>Risk</strong> <strong>Shield</strong> configuration is 8 MB; the file can<br />
be of any type.<br />
URLs can be of any format addressable by your web browser. For example, a URL can be<br />
an internal URL pointing to your intranet or an external URL of the format<br />
www.picnet.com.au. The URL is not validated by <strong>Risk</strong> <strong>Shield</strong>. It<br />
is the user’s responsibility to check the validity of the URL loaded.<br />
[1] This technique is known as DocFlex®, another trademark of <strong>PicNet</strong> Pty Ltd (<strong>Risk</strong> <strong>Shield</strong>’s<br />
parent company).<br />
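Because the URL is not validated and any file type is accepted, a check can be run on entries before they are attached. The following is an added example, not part of Risk Shield or of this manual; the allowed schemes, the default of http:// for a bare www.picnet.com.au style entry, and the reading of 8 MB as 8 × 1024 × 1024 bytes are assumptions.<br />

```python
import re
from urllib.parse import urlsplit

MAX_ATTACHMENT_BYTES = 8 * 1024 * 1024  # 8 MB limit from the manual (binary MB assumed)
ALLOWED_SCHEMES = {"http", "https"}      # assumption: only web links are wanted

_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$", re.DOTALL)


def check_url(raw):
    """Return (True, normalised_url) or (False, reason)."""
    url = raw.strip()
    if not url or re.search(r"[\s\x00-\x1f\x7f]", url):
        return False, "empty or contains whitespace/control characters"
    m = _SCHEME.match(url)
    # "host:8080/path" looks like "scheme:rest"; digits after ':' mean a port.
    has_scheme = bool(m) and not re.match(r"\d+([/?#]|$)", m.group(2))
    if not has_scheme:
        url = "http://" + url            # bare "www.picnet.com.au" style entry
    try:
        parts = urlsplit(url)
        host, _port = parts.hostname, parts.port   # .port raises if invalid
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + parts.scheme
    if not host:
        return False, "no host name"
    if parts.username is not None or parts.password is not None:
        return False, "embedded credentials"
    return True, url


def check_size(n_bytes):
    """True when a file fits the standard attachment limit."""
    return 0 < n_bytes <= MAX_ATTACHMENT_BYTES


def triage(entries):
    """Split candidate URLs into accepted (normalised) and rejected (with reason)."""
    result = {"accepted": [], "rejected": []}
    for entry in entries:
        ok, detail = check_url(entry)
        if ok:
            result["accepted"].append(detail)
        else:
            result["rejected"].append((entry, detail))
    return result


# Constructed sample entries, not taken from any real system.
SAMPLE = [
    "www.picnet.com.au",
    "http://intranet/policies/risk.doc",
    "intranet:8080/docs",
    "ftp://files.example.com/a.doc",
    "mailto:someone@example.com",
    "https://user:pw@host.example/x",
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for url in report["accepted"]:
        print("ok      ", url)
    for entry, reason in report["rejected"]:
        print("rejected", entry, "->", reason)
```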
6. Hazard Module<br />
The Hazard Module allows the definition of all hazards and the risks associated with a<br />
particular hazard.<br />
7. Work Plan Module<br />
A Work Plan can be used for a Project, a Job Safety Statement, etc. It describes a<br />
number of steps. Each step has risks (that can be analysed) and controls for each risk. It<br />
needs the <strong>Risk</strong> Register Module to operate.<br />
The risks are automatically loaded into the register. At first it displays all the work<br />
plans saved in the system as shown below. It allows the user to add new work plans to the<br />
system. Work Plan (Activity) name is a mandatory field. The rest, such as Work Plan<br />
(Activity) Description, <strong>Version</strong> and other fields, are optional. It also allows the user to edit<br />
and delete any work plan saved.<br />
7.1. Work Plan Sub Tab<br />
Here the user may enter specific details concerning a work plan.<br />
After saving the work plan, a new screen will be displayed as shown below, with<br />
additional tabs.<br />
8. Threat <strong>Risk</strong> Analysis Module<br />
Threat <strong>Risk</strong> Analysis is vital to ensure corporations identify and manage risk. The<br />
methodology of threat risk analysis begins with identifying your asset.<br />
8.1. Threats Sub Tab<br />
Once your asset has been recorded, <strong>Risk</strong> <strong>Shield</strong> allows you to assign threats to the<br />
asset, and classify them under threat types and subtypes of your choosing.<br />
8.2. Vulnerabilities Sub Tab<br />
Once the threats to the asset have been identified, <strong>Risk</strong> <strong>Shield</strong> allows you to identify<br />
and record the vulnerabilities to your asset with relation to the identified threat.<br />
8.3. <strong>Risk</strong>s Sub Tab<br />
After the asset, threats, and vulnerabilities have been recorded, <strong>Risk</strong> <strong>Shield</strong> then<br />
allows you to identify the risks that will emerge from the threats and vulnerabilities<br />
previously entered.<br />
9. Emissions Management Module<br />
With a greater focus in today's world on reducing CO2 emissions, companies are now<br />
required to monitor and report their own CO2 emissions. Having high emission levels<br />
may increase the risk of polluting the environment as well as of a loss of company<br />
reputation and penalties.<br />
Screenshot callout: Tick the emissions types relevant to this facility so as to reduce the tabs shown above.<br />
Under each Emissions Factor tab, users are able to enter a value and the system will<br />
calculate the Full Fuel Cycle.<br />
In the main Facility tab, users are able to select, by ticking the boxes, the Emissions<br />
Type which is relevant to this facility so the irrelevant ones will not appear in the tabs<br />
above.<br />
9.1. Actions Sub Tab<br />
<strong>User</strong>s can create actions and delegate an external user to follow up on each action.<br />
9.2. Attachments Sub Tab<br />
Allows the user to attach additional documents that are relevant to the facility.<br />
9.3. <strong>Risk</strong>s Sub Tab<br />
This section allows you to enter additional risks associated with the incident, and is<br />
exactly the same as the <strong>Risk</strong> Register – Section 5.<br />
10. Incidents Module<br />
As part of a risk management process, <strong>Risk</strong> <strong>Shield</strong> also helps organisations to track and<br />
manage incidents. At first it displays all the Incidents saved under the division,<br />
business unit and department the user is working in, as shown below.<br />
<strong>User</strong>s with the right access can record incidents, their witnesses, contributing factors, and<br />
actions taken and requested, as well as assess their financial/non-financial implications.<br />
Effective incident management ensures appropriate preventive and corrective actions<br />
are adopted to minimise potential risks.<br />
10.1. Incidents Sub Tab<br />
This will bring the user to a new screen as shown below. Here the user can enter<br />
details about the incident. Name, severity, date/time occurred, date/time reported are<br />
mandatory fields and the rest are optional.<br />
After saving the incident, a new screen will be displayed as shown below, with<br />
additional tabs.<br />
11. Advanced <strong>Risk</strong> Analysis Module<br />
ARA (Advanced <strong>Risk</strong> Analysis) is suitable for users who require an advanced risk<br />
assessment tool and for the creation of Business Continuity Plans. Incorporated into<br />
Advanced <strong>Risk</strong> Analysis is the Bow Tie Diagram generator, which allows risk managers<br />
to draw up complicated risks and their causal pathways, contributing factors, controls,<br />
outcome, emergency responses, etc. in a diagram in just seconds.<br />
The ARA is most suitable for low probability/high consequence risks.<br />
At first it displays all the risks saved in the system (as shown below). The user can add<br />
new risks to the system. <strong>Risk</strong> name is a mandatory field. The rest, such as <strong>Risk</strong> Description,<br />
Asset(s) and other fields, are optional. It also allows the user to edit and delete any risks<br />
saved.<br />
This will bring the user to a new screen as shown below. Here the user may enter<br />
specific details concerning a risk. After which, the user may continue to enter other<br />
details in the other sub tabs.<br />
11.1. Bow Tie Diagram<br />
To generate a Bow Tie Diagram, simply click on the<br />
button as shown below.<br />
Below is a sample Bow-Tie Diagram that can be generated through <strong>Risk</strong> <strong>Shield</strong>.<br />
You will need Microsoft Visio Professional 2003 or higher, and <strong>Risk</strong> <strong>Shield</strong><br />
Add-on to Visio to generate the Bow-Tie Diagram.<br />
12. Actions Module<br />
Action Management is a search feature that lets you search through all the actions<br />
saved in the system. At first it displays all the actions saved in the system as shown<br />
below. It also allows the user to edit and delete any actions saved.<br />
Actions are entered for each risk, incident or BIA. The Action Management<br />
module is available to all users with rights to enter those actions.<br />
13. Reporting<br />
This module helps you to generate reports and graphs for the other modules. The report<br />
engine is created dynamically using the user-defined metrics created under the<br />
Administration module. These reports can be generated in Excel format for<br />
download or simply displayed in your web browser for better interactivity.<br />
At first it displays lists of all the possible reports that can be generated through the<br />
system as shown below.<br />
In order to print the background colours and heat charts properly on the reports<br />
generated, make sure the “Print background colors and images” is ticked under Printing<br />
settings in Internet Explorer.<br />
To check this in Internet Explorer 6: Click on Tools –> Internet Options –> Advanced<br />
(tab) –> Printing.<br />
To check this in Internet Explorer 7: Click on Tools –> Internet Options –> Advanced<br />
(tab) –> Printing.<br />
The Target List<br />
The Target List allows you to select what part of the <strong>Risk</strong> or Incident you want to search.<br />
This may give options such as the name and description of the <strong>Risk</strong> or Incident. When<br />
the target list has many items it will always include the 'Any' choice. This means that the<br />
search is applied to any of the targets in the list.<br />
The Search Terms<br />
The Search Terms allowed in the <strong>Risk</strong> <strong>Shield</strong> Reporting Engine are quite flexible whilst<br />
being easy to use. These are:<br />
Phrase Search<br />
You can search for a phrase by using quotes ("). For example, searching <strong>Risk</strong><br />
Names for the terms [Rope Burn] will match any risk with the word Rope or Burn<br />
or both in its name. However, searching for the term ["Rope Burn"] will match only<br />
risks with the phrase 'Rope Burn' in their name.<br />
Must Match<br />
To include a term that must be matched use the plus (+) symbol prior to the word<br />
or phrase. For Example: Searching for [+Rope +Burn] will match all risks that<br />
have both the words Rope and Burn in their name.<br />
Excluding Words<br />
To exclude a word or a phrase from the results you can use the minus (-)<br />
symbol. For Example: Searching for [Rope -Burn] will match all risks that include<br />
the word 'Rope' but not the word 'Burn'.<br />
Capitalisation<br />
Capitalisation is always ignored in reporting searches.<br />
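The search rules above, written out as a small matcher so that the four query forms can be compared on the same data. This is an added example, not Risk Shield's own code; whole-word matching, the handling of plain terms alongside + terms, the reading of 'Any' as "at least one target field satisfies the query", and the sample risks are assumptions.<br />

```python
import re

# A term is an optional + or - prefix followed by a "quoted phrase" or a bare word.
TERM = re.compile(r'([+-]?)(?:"([^"]*)"|([^\s"]+))')


def parse_query(query):
    """Split a search string into must-match, excluded and plain ("any") terms."""
    parsed = {"must": [], "exclude": [], "any": []}
    for prefix, phrase, word in TERM.findall(query):
        term = " ".join((phrase or word).split())
        if term:
            parsed[{"+": "must", "-": "exclude"}.get(prefix, "any")].append(term)
    return parsed


def contains(text, term):
    """Case-insensitive whole-word (or whole-phrase) test."""
    body = r"\s+".join(re.escape(w) for w in term.split())
    return re.search(r"(?<!\w)" + body + r"(?!\w)", text, re.IGNORECASE) is not None


def matches(query, text):
    q = parse_query(query)
    if any(contains(text, t) for t in q["exclude"]):
        return False                      # [-Burn]: excluded word present
    if not all(contains(text, t) for t in q["must"]):
        return False                      # [+Rope +Burn]: every + term required
    if q["any"] and not q["must"]:
        # [Rope Burn]: at least one plain term must appear
        return any(contains(text, t) for t in q["any"])
    return True


def search(records, query, target="Any"):
    """Return the names of records whose target field(s) satisfy the query."""
    hits = []
    for record in records:
        fields = list(record.values()) if target == "Any" else [record[target]]
        if any(matches(query, value) for value in fields):
            hits.append(record["name"])
    return hits


# Constructed sample risks for illustration.
RISKS = [
    {"name": "Rope burn during abseiling", "description": "Friction injury to hands"},
    {"name": "Frayed rope on hoist", "description": "Load may drop"},
    {"name": "Burn from steam line", "description": "Uninsulated pipe near walkway"},
    {"name": "Burn caused by rope friction", "description": "Rope handling without gloves"},
]

if __name__ == "__main__":
    for q in ['Rope Burn', '"Rope Burn"', '+Rope +Burn', 'Rope -Burn']:
        print(q, "->", search(RISKS, q, target="name"))
```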
13.1. Integrated Analytics Reports<br />
This module allows the reporting and analysis of risk profile, repetitive risks and risk<br />
register by weighting.<br />
13.1.1. <strong>Risk</strong> Profile Summary (Monte Carlo)<br />
This report aims to present results to the analyst/manager in a clear and concise<br />
fashion by using graphical output wherever possible and keeping the statistical<br />
output to a minimum. This report can give the analyst/manager a profile of the<br />
consequence, probability and overall risk rating of the enterprise/organisation.<br />
This table shows the different statistical results from the simulation just run,<br />
contrasting results for profiling of existing controls vs new controls.<br />
Mean:<br />
This is the arithmetic mean / average of the sample population.<br />
Mode:<br />
This is the value that occurred most frequently in the sampling.<br />
Measure of Spread: Standard Deviation<br />
This represents the deviation of the values from the mean; the greater the value,<br />
the more spread out the values are from the mean. Minimum, Maximum & Range are<br />
also measures of spread.<br />
Skewness<br />
Describes the asymmetry of the distribution relative to the mean. A positive<br />
skewness indicates that the distribution has a longer right-hand tail (skewed<br />
towards more positive values). A negative skewness indicates that the<br />
distribution is skewed to the left.<br />
Contour Charts:<br />
The contour chart shows on the Y-axis the number of times (Frequency Count) a<br />
single outcome was of a particular value, while the X-axis shows the estimated<br />
overall probability of a particular risk materialising. This probability rating is taken<br />
from your particular risk matrix. In this example min is 1 and max is 5. As an<br />
example, when the simulation is run for this risk, with the new controls, the value<br />
3.1 (representing the probability) was sampled 80 times.<br />
What is this chart telling me?<br />
• Most values returned from the simulation run with the existing controls are<br />
well above "3.5", thus indicating a high overall probability of an undesired event<br />
happening.<br />
• The modal inherent probability is ~3.8 while the modal residual probability<br />
is around 3.65. Also, the residual probability graph is shifted to the left of the<br />
inherent one, so the overall probability of a risk occurring is decreased after the<br />
implementation of the new controls.<br />
• The simulation tells me that implementing the new controls gives a slight<br />
decrease in the probability of a risk materialising. The sampled distribution does<br />
not appear to follow that of a Normal Distribution.<br />
• The contour chart shows on the Y-axis the number of times (Frequency<br />
Count) a single outcome was of a particular value, while the X-axis shows the<br />
estimated overall probability of a particular risk materialising. This probability<br />
rating is taken from your particular risk matrix. In this example min is 1 and max<br />
is 5.<br />
As an example, when the simulation is run for this risk, with the new controls, the<br />
value 3.1 (representing the probability) was the output of the simulation on 60<br />
occasions.<br />
CDF: Cumulative Distribution Function:<br />
From the above graph we can say that inherently, 80% of risks have a probability<br />
of 3.9 or lower. After applying controls, 80% of the risks have a probability of<br />
3.7 or lower, so there is a slight improvement (lowering of probabilities).<br />
The cumulative distribution function (CDF) gives, on the Y-axis (percentage), the<br />
probability that an outcome takes the corresponding value from the X-axis or<br />
lower.<br />
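How the statistics, frequency counts and CDF reading in this report relate to one another, shown on a small simulation. This is an added example, not Risk Shield's simulation engine; the triangular sampling, the averaging of one draw per risk into an overall probability, the trial count and the (low, most likely, high) ratings are constructed assumptions.<br />

```python
import random
from collections import Counter
from math import sqrt

SCALE_MIN, SCALE_MAX = 1.0, 5.0   # matrix scale used in the manual's example
TRIALS = 5000                     # constructed; the manual gives no trial count

# Constructed (low, most likely, high) probability ratings per risk.
INHERENT = [(3.0, 4.0, 5.0), (2.5, 3.8, 4.8), (3.2, 3.9, 4.6)]   # existing controls
RESIDUAL = [(2.7, 3.7, 4.7), (2.2, 3.5, 4.5), (2.9, 3.6, 4.3)]   # new controls


def simulate(risks, trials=TRIALS, seed=1):
    """One overall probability per trial: the mean of one draw per risk."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        draws = [rng.triangular(low, high, likely) for low, likely, high in risks]
        samples.append(sum(draws) / len(draws))
    return samples


def percentile(samples, percent):
    """Smallest sampled value x such that at least percent% of samples are <= x."""
    ordered = sorted(samples)
    rank = -(-percent * len(ordered) // 100)   # ceiling division on integers
    return ordered[max(rank, 1) - 1]


def cdf_at(samples, x):
    """Empirical CDF: fraction of samples that are x or lower."""
    return sum(1 for s in samples if s <= x) / len(samples)


def summarise(samples):
    """The report's statistics for one simulation run."""
    n = len(samples)
    mean = sum(samples) / n
    m2 = sum((s - mean) ** 2 for s in samples) / n   # population variance
    m3 = sum((s - mean) ** 3 for s in samples) / n   # third central moment
    frequency = Counter(round(s, 1) for s in samples)  # chart's frequency count
    return {
        "mean": mean,
        "mode": frequency.most_common(1)[0][0],
        "stdev": sqrt(m2),
        "min": min(samples),
        "max": max(samples),
        "range": max(samples) - min(samples),
        "skewness": m3 / m2 ** 1.5 if m2 else 0.0,   # > 0: longer right-hand tail
        "p80": percentile(samples, 80),              # "80% are this value or lower"
        "frequency": frequency,
    }


def profile(seed=1):
    """Inherent vs residual summaries, as contrasted in the report."""
    inherent = summarise(simulate(INHERENT, seed=seed))
    residual = summarise(simulate(RESIDUAL, seed=seed))
    return inherent, residual


if __name__ == "__main__":
    for label, stats in zip(("inherent", "residual"), profile()):
        row = {k: round(v, 2) for k, v in stats.items() if k != "frequency"}
        print(label, row)
```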
13.1.2. Repetitive <strong>Risk</strong>s Analysis – Summary<br />
This report shows risks that occur more than once for the given selection. By<br />
default the report is sorted by the number of occurrences in descending order.<br />
The concept of this report is to inform management of the potentially higher<br />
exposure of a risk identified by many within the organisation, whatever its rating.<br />
13.1.3. Register <strong>Risk</strong> Summary at a Glance (Weighted)<br />
Weighted reports are identical to the normal risk register reports; however, the<br />
weight defined for each company tier is applied in the rating calculation for those<br />
tiers.<br />
13.1.4. Register <strong>Risk</strong> Summary (Weighted)<br />
Weighted reports are identical to the normal risk register reports; however, the<br />
weight defined for each company tier is applied in the rating calculation for those<br />
tiers.<br />
13.1.5. Register <strong>Risk</strong> Detail<br />
Weighted reports are identical to the normal risk register reports; however, the<br />
weight defined for each company tier is applied in the rating calculation for those<br />
tiers.<br />
13.2. Register Reports<br />
<strong>User</strong>s can generate a summary or detailed report on <strong>Risk</strong>s recorded under the<br />
Company Tiers to which the user has access in the <strong>Risk</strong> Register module.<br />
The <strong>Risk</strong> Register can also be analysed using the optional External Analytics<br />
module. This gives OLAP (Online Analytical Processing) capabilities to the <strong>Risk</strong><br />
Register. Below is the criteria screen used to generate Register <strong>Risk</strong> Summary at a<br />
Glance, Register <strong>Risk</strong> Summary and Register <strong>Risk</strong> Detailed reports.<br />
13.2.1. Register Summary at a Glance<br />
Allows the user to generate an overview report on <strong>Risk</strong>s recorded under the<br />
Company Tiers to which the user has access in the <strong>Risk</strong> Register module.<br />
13.2.2. Register Summary<br />
Allows the user to generate a summary report on <strong>Risk</strong>s recorded under the<br />
Company Tiers to which the user has access in the <strong>Risk</strong> Register module.<br />
13.2.3. Register Detail<br />
Allows the user to generate a detailed report on <strong>Risk</strong>s recorded under the<br />
Company Tiers to which the user has access in the <strong>Risk</strong> Register module.<br />
13.2.4. Register Controls<br />
Allows the user to generate a report on Register <strong>Risk</strong>s Controls recorded under the<br />
Company Tiers to which the user has access in the <strong>Risk</strong> Register module.<br />
Below is the criteria screen used to generate the Register <strong>Risk</strong> Controls report.<br />
13.3. Hazards Reports<br />
13.3.1. Hazards Summary<br />
Allows the user to generate a summary report on Hazards recorded under the<br />
Company Tiers to which the user has access in the Hazards module.<br />
13.3.2. Hazards Details<br />
Allows the user to generate a detailed report on Hazards recorded under the<br />
Company Tiers to which the user has access in the Hazards module.<br />
13.4. Work Plans Reports<br />
13.4.1. Work Plans Summary at a Glance<br />
Allows the user to generate an overview report of the risks entered under a work<br />
plan format.<br />
13.4.2. Work Plans Summary<br />
Allows the user to generate a summary report of the risks entered under a work<br />
plan format.<br />
13.5. TRA Reports<br />
13.5.1. TRA Summary at a Glance<br />
Allows the user to generate an overview report of the threats and vulnerabilities<br />
involving the Asset.<br />
13.5.2. TRA Asset List<br />
Allows the user to generate an overview report of the Assets.<br />
13.5.3. TRA Threat / Vulnerability List<br />
Allows the user to generate a list of Threats / Vulnerabilities with options to filter<br />
fields such as Threat Type, Capability, Threat Rating, etc.<br />
13.5.4. TRA Detailed Report<br />
Allows the user to generate a detailed report on the TRA module.<br />
13.6. Emissions Reports<br />
13.6.1. Emissions Summary at a Glance<br />
Allows the user to generate an overview report of Facilities and their Full Fuel<br />
Cycle recorded under the Company Tier. The report shows the amount of Facility<br />
Emission Threshold against Company Emission Threshold.<br />
13.6.2. Emissions Summary<br />
Allows the user to generate a summary report of the Emission Types within the<br />
Facilities recorded under Company Tier.<br />
13.6.3. Emissions Detailed Report<br />
Allows the user to generate a detailed report of the Emission Types within the<br />
Facilities recorded under Company Tier, including the breakdown of Scopes.<br />
13.7. Incidents Reports<br />
Users can generate a summary or detailed report on Incidents recorded under the<br />
Company Tiers to which the user has access in the Incident Management module.
The Incident Management Module can also be analyzed using the optional External<br />
Analytics module. This gives OLAP capabilities to the Incident Management Module.<br />
13.7.1. Incidents Summary Report<br />
Allows the user to generate a summary report on Incidents recorded under the<br />
Company Tiers to which the user has access in the Incident Management module.
13.7.2. Incidents Detailed Report<br />
Allows the user to generate a detailed report on Incidents recorded under the<br />
Company Tiers to which the user has access in the Incident Management module.
13.8. ARA Reports<br />
Users can generate a consolidated report on Actions Taken and Requested under<br />
the Company Tiers to which the user has access, across the Risk Register,<br />
Advanced Risk Analysis, Incident Management and Business Continuity Planning<br />
modules.
13.8.1. ARA Summary Report<br />
Allows the user to generate a summary report on Actions Taken and Requested<br />
under the Company Tiers to which the user has access, across the Risk<br />
Register, Advanced Risk Analysis, Incident Management and Business<br />
Continuity Planning modules.
13.8.2. ARA Detailed Report<br />
Allows the user to generate a detailed consolidated report on Actions Taken and<br />
Requested under the Company Tiers to which the user has access, across the<br />
Risk Register, Advanced Risk Analysis, Incident Management and Business<br />
Continuity Planning modules.
The Action Management reports are available to all users with rights to<br />
enter those actions.<br />
13.8.3. ARA Actions & Emergency Response Report<br />
Allows the user to generate an Actions and Emergency Response report for each ARA.
13.9. Actions Reports<br />
Users can generate a consolidated report on Actions Taken and Requested under<br />
the Company Tiers to which the user has access, across the Risk Register,<br />
Advanced Risk Analysis, Incident Management and Business Continuity Planning<br />
modules.
13.9.1. Actions Summary Report<br />
Allows the user to generate a summary report on Actions Taken and Requested<br />
under the Company Tiers to which the user has access, across the Risk<br />
Register, Advanced Risk Analysis, Incident Management and Business<br />
Continuity Planning modules.
13.9.2. Actions Management Detailed Report<br />
Allows the user to generate a summary report on Actions Taken and Requested<br />
under the Company Tiers to which the user has access, across the Risk<br />
Register, Advanced Risk Analysis, Incident Management and Business<br />
Continuity Planning modules.
The Action Management reports are available to all users with rights to<br />
enter those actions.<br />
14. Risk Management Glossary<br />
Available online at:<br />
http://www.riskshield.com.au/Portals/1/Glossary/GlossaryA.htm<br />
15. Risk Shield Introductory Videos<br />
High-quality introductory videos of Risk Shield are available online at:<br />
http://www.riskshield.com.au/Resources/RiskShieldVideos/tabid/85/Default.aspx<br />
16. Risk Shield Pocket<br />
A basic version of the Risk Shield Risk Register for Pocket PC (Windows Mobile PDA) is<br />
available via:<br />
http://www.riskshield.com.au/Products/RiskShieldPocket/tabid/63/Default.aspx<br />