1. Manage Risks
1.1. Create Risks
1.1.1. Request Risk Identification
1.1.1.1. Send Risk Identification Questionnaire
1.1.1.1.1. Notify Risk Identification Questionnaire Participants
1.1.1.1.2. Send Risk Identification Questionnaire Directly
1.1.1.1.3. Plan Risk Identification Survey
1.1.1.2. Complete Risk identification Survey
1.1.2. Create Risks Directly
1.1.2.1. Create Unique Risk
1.1.2.2. Avoid Duplicate Naming
1.1.2.2.1. Offer Preview of Duplicate
1.1.2.3. Validate Risks
1.1.2.3.1. Submit Risk for Validation
1.1.2.3.2. Notify Risk Submitter of Validation
1.1.2.3.3. Notify Risk Submitter of Rejection
1.1.2.3.4. Notify Risk Validator of New Risk
1.2. Describe Risks
1.2.1. Search Risks
1.2.1.1. Search Risk by List Filters
1.2.1.2. Search Risk by Search bar
1.2.2. Specify Risk Strategic Importance
1.2.2.1. Specify Key Risks
1.2.2.2. Specify Objectives affected by Risk
1.2.2.3. Specify regulatory Requirements affected by Risks
1.2.3. Taxonomize Risks
1.2.3.1. Create Risk Typology
1.2.3.1.1. Import Risk Typology
1.2.3.1.2. Create Risk Typology Manually
1.2.3.2. Specify Risk Types for Risk
1.3. Contextualize Risks
1.3.1. Assign Risk Ownership Directly
1.3.1.1. Specify Responsible for whole Risk
1.3.2. Assign Risk Ownership Via Context
1.3.2.1. Specify Multiple Risk Context
1.3.2.2. Specify Unique Risk Context
1.3.2.3. Specify Responsible for Risk Context
1.4. Assess Risks
1.4.1. Assess Risks Directly
1.4.1.1. Assess Overall Risk Level Directly
1.4.1.2. Assess Risk Level for a Specific Context
1.4.2. Request Risk Assessment
1.4.2.1. Send Risk Assessment Questionnaire
1.4.2.1.1. Send Risk Assessment Questionnare Directly
1.4.2.1.2. Notify Risk Identification Questionnaire Participants
1.4.2.1.3. Plan Risk Assessment
1.4.3. Define Risk assessment conditions & criterias
1.4.3.1. Define Risk Assessment values
1.4.3.2. Define Information to present during Risk Assessment
1.4.3.2.1. Define which context description to display
1.4.3.2.2. Define which mitigation information to display
1.4.3.2.3. Prepopulate risk assessment with previous assessment values
1.4.3.3. Define if Risk assesment can be delegated
1.4.3.4. Define if risk assessment is overall or contextual
1.5. Treat Risks
1.5.1. Define Risk Treatment Method
1.5.1.1. Define Risk Mitigating Controls
1.5.1.1.1. Define Control Criticality In Risk Control System
1.5.1.2. Define Risk Reducing Action Plans
1.5.2. Set Risk Apetite
1.6. Analyze Risks
1.6.1. Analyze Risk Assessments
1.6.1.1. Analyze Overall Risk Assessment
1.6.1.1.1. Analyze Risk trend
1.6.1.1.2. Aggregate Risk Rating for multiple context
1.6.1.1.3. Risk Heatmap (based on aggregation or overall rating)
1.6.1.2. Analyze Contextual Risk Assessment
1.6.1.2.1. Aggregate Risk level by Context
1.6.1.3. Choose Risk Assessment criteria for analysis
1.6.2. Ensure Risks Are Under Control
1.6.3. Prioritize Risks
1.6.3.1. Analyze Root Cause
1.6.3.1.1. Specify Risk Causality
1.6.3.1.2. Specify Incident Materializing Risk
1.6.3.1.3. Analyze Root Cause mitigation efficiency
1.6.3.2. Analyze Risk Taxonomy
1.6.3.2.1. Analyze Risk Mitigation effectiveness by risk types
1.6.3.2.2. Analyze Incident distribution by risk types
1.6.3.3. Analyze Risk Strategic Importance
2. Manage Controls
2.1. Create Control
3. Manage Incidents
4. Perform Internal Audit
5. Achieve Regulatory Compliance
6. Manage IT Risks
7. IRM Audit Desktop Review
8. BPA Light
9. IRM Contributor Review
10. IRM offline
10.1. Audit offline
10.1.1. Workpapers
11. Assessment Aggregation Engine
11.1. ERM Risk level Indicator calculation
11.2. User level questionnaire builder
11.3. Metamodel inconsistencies
11.3.1. Risk Direct assessment
11.3.2. Control Direct assessment
11.3.3. Controls to Rsiks
11.3.4. Control level and criticality
11.3.5. Aggregation caculation of risk level
11.3.6. macro for calculation and storage of risk level values
11.3.7. calculation upon scheduler (log out) or upon closure of assessment campaign/direct assessment?