1. External and Internal Context Definition
It allows the definition of the internal and external context in which the organization operates, the Vision, the Mission, the Code of Ethics, and the needs and expectations of the parties involved. It manages the ISO 9004:2009 Business Strategy Checklist: manage an organization for lasting success.
2. Strategic Plan and Objectives
It allows you to manage the Strategic Plan and the entire management cycle of the objectives: from the definition of the program, to the feasibility analysis of each objective, to the assignment and management of activities with attendance and related responsibility, the schedule with notice and alert reporting, the upload of documentation, and the closure and final balance. This is input to the Risk Assessment process. It also enables management of approval and information workflows.
3. Definition of the Risk Model
It allows you to select, from a library of Risk Models divided by Product Sector and by type of Company (Large Private, SME, Multinational Branch, Listed on the stock exchange), the Risk Model, current and emerging, from which to start the customization phase. The Model makes it possible to predict events that can compromise the achievement of company objectives or that can create new opportunities.
4. Methodologies and Criteria
It allows you to select, from a library of methodologies and criteria, the parameters that determine the levels and related classes of Risk, the types of Qualitative and/or Quantitative assessment, and the levels of risk acceptance (Risk Tolerance).
5. Identification, Analysis and Evaluation of Risk Events
The Risk Identification phase consists of systematically collecting, through a special risk event sheet, all the details of the event and the mitigations currently underway. This phase completes the association with the Risk Owner as well as with a strategic objective / project.
The Analysis phase is characterized by the definition of the different impact areas on which the evaluation exercise will have to be carried out (for example, the same event in different geographical areas, Business Units, Processes, Customers, Suppliers, etc.). It is also possible, through the import of the budget, to associate the risk event with one or more balance sheet items, assigning a minimum and maximum impact %.
The Risk Assessment phase consists of defining the probability of occurrence, which can be supplemented by running a Monte Carlo statistical routine, choosing the evaluation criteria (qualitative and quantitative), and entering the data for the calculation of the impact on EBIT, Cash Flow, reputation, etc.
The treatment phase (Residual Risk) allows the Treatment Strategy to be activated (also for insurance purposes) and the related Plans with allocation of responsibilities. It allows the management of both manual and automated controls in order to evaluate their effectiveness and efficiency.
It allows the targeted management of the communication and information process to both internal and external stakeholders on the management results obtained and the evolutions of the Risk Model. Through the information gathered by the information system, it controls and measures the effects of the application of the adopted strategy.
Introducing an Enterprise Risk Management (ERM) system means providing Senior Management with a control system that can support strategic decisions through assessments of the risks that can potentially compromise the achievement of business goals.
The introduction of an ERM process into the enterprise also involves spreading, across all resources, a culture of so-called "risk-based" thinking, which is essential to ensure the functioning of the entire Risk Management system, the consolidation and the development of the company in line with the requirements of the new standards.
KRC® applies the Risk Management process according to the ISO 31000:2018 standard, powered by the Knowledge Management process, which enables you to systemise your business and people knowledge.
Corporate Governance Code, Borsa Italiana, July 2015
7.P.1. “Each issuer adopts an internal control and risk management system consisting of a set of rules, procedures and organizational structures aimed at identifying, measuring, managing and monitoring the main risks. This system is integrated into the more general organizational and corporate governance structures adopted by the issuer and takes into due consideration the reference models and the best practices existing at national and international level.” (Article 7 - Internal control and management system of Risks)