BarnOwl

Tip of the Month – 3 step approach to ‘rolling-over’ your risk registers from one year to the next

24 April 2019

Did you know?

Many organisations, especially in the public sector, are required to view and report on what their risk universe looked like at the end of every financial year. Whilst most risks carry over from one year to the next, some risks need to be deleted and new risks added. In addition, the organisational structure changes over time with units coming and going and / or being split up into ‘child’ units or consolidated into a ‘parent’ unit. Risk categories and /or taxonomy also change over time.

BarnOwl’s Data Period and Risk Trend reporting functionality allows you to see which risks have been added and / or deleted as well as the movement (rating changes) of all risks and controls from one period to the next (e.g. monthly, quarterly or annually). While this goes some way to solving the problem, it will not enable you to generate risk reports ‘today’ as they looked at the end of any previous year.

BarnOwl has therefore come up with a solution for you to be able to view your risk universe as it was at the end of every year as well the movement / risk trends within each year by following the steps below:

  1. Setup data periods in BarnOwl

Data Periods allow you to track the movement of every risk. E.g. rating changes as well as which risks have been added and which risks have been deleted from one period to the next (monthly, quarterly, annually etc.). Data periods can be created manually in the Server Management Console or configured to run automatically. E.g. take a ‘snapshot’ of your risk and control registers on the 1st of every month.

Please see section 1 below on how to setup data periods.

  1. Executing the BarnOwl ‘Snapshot Database’ script

This script will make a ‘snapshot’ copy of your ‘live’ (production) database. The ‘snapshot’ database will be renamed showing the date the copy is made (e.g. Production_20190331) and will be available in the BarnOwl login form.  The ‘snapshot’ database will be set to read-only so that no changes can be made to the data, however you will be able to view your registers and generate reports as they were at the time of creating the ‘snapshot’ database. (e.g. year-end). Action plan notifications will be turned off in the ‘snapshot’ database.

You carry on working in your ‘live / production’ database as before to maintain and keep your current risk universe up to date.

Please see section 2 below on how to get assistance to run the ‘Snapshot Database’ script which makes a copy of your ‘live / production’ database.

  1. Viewing your risk universe from one year to the next

You can login to the relevant year’s ‘snapshot’ database/s  to view and generate reports of your risk universe as it was at the time of performing the snapshot e.g. year end (31 March 2019, 31 March 2020, 31 March 2021 etc.)

BarnOwl’s Data Period and Risk Trend reporting functionality will allow you to see which risks were added and / or deleted as well as the rating movement of all risks and controls for each of the snapshot databases as well as your current ‘live / production’ database.

Please see section 3 on how to login to a snapshot database and view risk trends etc.

You can also find more information on what not to do at: http://www.barnowl.co.za/tip-of-the-month/tip-of-the-month-using-barnowls-data-periods-to-roll-over-risks-from-one-year-to-the-next/

1. Setting up data periods in BarnOwl

1.1 Creating Data Periods Manually

You can create data periods manually in the Server Management Console General Setup tab.

image1

As you can see above, this administrator has not created any data periods, so the only data period is labelled “Current”. When you create a data period by entering a data period name (e.g.201901) and clicking on ‘Save’, all current data (risks and controls and their ratings at this point in time) will be saved to the named data period. The ‘current’ data period then continues to track all changes from this point in time onwards until the next data period is saved.

Note: Ideally, you should run data periods monthly and should come up with ‘data period’ naming convention such as 201901, 201902,201903 (monthly) so that it is easy to sort and find your data periods when comparing previous periods to one another and comparing them to the ‘current’ period.

image2

You can also specify which units in the Organisational Structure tree should be included in the Data Period. Click Included Units in the General Setup tree, and select the units you wish to include in the Data Period by selecting the units.

image3

The disadvantage of adding Data Periods manually is that you need to remember to create the new Data Periods when required. The alternative is to create Automatic Data Periods as per instructions below. (section 1.2)

1.2 Creating Automatic Data Periods

BarnOwl makes provision for automatic Data Periods, which must be specified on your BarnOwl Application server directly. You will therefore require assistance from BarnOwl Support (support@barnowl.co.za) or your IT department. The advantage of automatic Data Periods is that you do not have to manually update your Data Periods.

2. Executing the BarnOwl ‘Snapshot Database’ script

This script will make a ‘snapshot’ copy of your ‘live’ (production) database. The ‘snapshot’ database will be renamed showing the date the copy is made (e.g. Production_20190331) and will be available in the BarnOwl login form.  The ‘snapshot’ database will be set to read-only so that no changes can be made to the data, however you will be able to view your registers and generate reports as they were at the time of creating the ‘snapshot’ database. (e.g. year-end). Action plan notifications will be turned off in the ‘snapshot’ database.

The ‘snapshot database’ script must be run on your BarnOwl Application server directly. You will therefore need to log a request with BarnOwl Support (support@barnowl.co.za) for us to assist your IT department to run the script. You will need to log your request with support@barnowl.co.za well in advance of your year-end / period end in order for us to book a timeslot with your IT department on the last day of your specified period
(e.g. 31 March 2019) to guide them on how to run the ‘snapshot’ script.

3. Login to your databases (Live / Snapshot/s)

3.1 Select the relevant database and login

You can choose which database to view by selecting the relevant database in the drop-down box.

image4

3.2 Reporting on Data Periods

Data Periods enable you to report on the movement of your risk and control ratings between periods. The following standard reports show risk and control trends across data periods:

  • Reports > Trend > Control Trend report
  • Reports > Trend > Residual Risk Trend report
  • Reports > Trend>Risk Movement Trend report
  • Reports > Trend > Risk Trend report
  • View > Risks > RR versus RR Risk Movement Heatmap

These Reports and View provide you with a view of how your risk and control ratings have changed from period to period. In addition, these reports show you which risks have come and gone; for example, those risks which were added or deleted, and in which period they were added/ deleted.

This picture shows the Risk Trend report, with ratings per Data Period. The blank ratings for ‘Office working conditions’ in 2010 June and 2010 May indicate that this risk was added subsequent to these periods and now exists in the ‘Current’ period. Should a risk be marked with a “*”, this indicates that the risk has been deleted, however still shows with its ratings in the period when it still existed.

Fig 3.2.1 Reports>Trend>Risk Trend report

image5

You can view a residual risk trend heat-map by navigating to: View>Risks>RR versus RR Risk Movement Heatmap. Enter the periods (RR1 and RR2) you wish to compare. In the example below we are comparing ‘Current’ with ‘2017 March’. The line between each point shows you the risk rating movement from period 1 (RR1) to period 2 (RR2) for each risk.

Fig 3.2.2 View>Risks>RR versus RR Risk Movement Heatmap

image6

You can also export this heat-map to Microsoft Word by clicking on image11

Fig 3.2.3.1 View>Risks>RR versus RR Risk Movement Heatmap

You can also see the movement of your risks by risk category across multiple units by navigating to View>Risks>RR versus RR Risk Movement heat-map and selecting the buttons image7

In the example below we are looking at the average risk rating movement by risk category for the ‘Johannesburg’ unit and all units below ‘Johannesburg’ (toggle Show Local / Show Global):

image8

Fig 3.2.3.2 View>Risks>RR versus RR Risk Movement Heatmap

You can drill down to see the movement by risk sub-category by double clicking on the relevant category in the grid above. In the example below we double clicked on risk category ‘Employee’ in Fig 3.2.3.1 which drills down into the average risk rating movement by sub-category filtered by category ‘Employee’:

image9

Fig 3.2.3.3 View>Risks>RR versus RR Risk Movement Heatmap

You can drill down further to see the movement by risk by double clicking on the relevant sub-category in the grid above. In the example below we double clicked on risk sub-category ‘Recruitment & Retention’ in Fig 3.2.3.2 which drills down into the average risk rating movement by risk filtered by sub-category ‘Recruitment & Retention’:

image10

© 2019 IDI Technology (Pty) Ltd | PAIA | BBEE Certificate | Tax Clearance Certificate