Getting started with assurance for risk

Gather basic knowledge about how assurance works.

How it works

Assurance is a calculation-based process in Projects, with the final result that is represented by a value (a percentage).

Assurance allows you to benchmark how well an organization is doing in mitigating risk so that resources can be allocated appropriately.

Starting a new project or framework

When you start a new project or framework with assurance enabled, assurance is 0%, meaning that none of the organization's controls are effectively mitigating risk.

The lowest level of assurance is 0%.

Calculating assurance in real-time

As you execute procedures, or perform walkthroughs and tests, Projects automatically aggregates testing results and issues from active projects only, and calculates assurance in real-time.

As procedures or walkthroughs and tests pass, assurance increases. Any procedures, or walkthroughs and tests that fail are considered "failed", and decrease the assurance score.

The breakdown of assurance percentages and corresponding colors is as follows:

  • 0-50%
  • 51-75%
  • 76 - 100%

Assurance for risk

Scenario

You have one risk associated with two controls in a project. The project contains one walkthrough per control. You specify that each control has a weighting of 100%. When you test the controls, you note that Control 1 is operating effectively and Control 2 is not operating effectively.

Risk Control Control weight Walkthrough: Operating effectively?
Risk 1 Control 1 100% Yes
Control 2 100% No

Result

Overall assurance for the project is 0% because if any one walkthrough or testing round for a control fails, the control is marked as "failed". The control is taken into account as part of the residual risk score, and it is subtracted from the overall assurance score.

  • If Control 2 was not tested, overall assurance for the project still remains at 0% because a walkthrough must pass, OR at least one of the applicable testing rounds must pass while the other testing rounds have not been tested, to mark the control as "passed".
  • If Control 2 was marked as "operating effectively", overall assurance for the project becomes 100% because all walkthroughs have passed.
Tip

There are no partially effective controls in Projects — controls are either effective or ineffective. If you identify a low impact issue that, in your judgment, does not affect the effectiveness of the control, you can mark the control as still "effective", and log a minor issue.

Why should I display assurance?

Displaying assurance allows you to quantitatively assess risk for reporting purposes. Assurance scores are an important part of compliance review scoring, audit scoring, and risk assessments.

By displaying assurance, you can:

  • define a risk tolerance for your organization
  • make data-driven decisions and prioritize issues
  • assess inherent risk, residual risk, and overall assurance for an objective, a project, or a framework

Where assurance displays

Display assurance... Where it displays
per objective within a single project
  • Progress project management tab in Projects
  • Assurance tab within Strategy
for a single project
  • Results tab within a project in Projects
  • Assurance tab within Strategy
across all projects associated with a framework Assurance tab within a framework in Projects

Integrations of assurance and testing results

If your organization uses Strategy to manage enterprise-level risks, you can also visualize the impact of assurance scores and testing results across all projects and frameworks.

For more information, see Defining risk treatment.

Terms

Learn about the terms associated with assurance in Projects.

Notes

  • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
  • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.
Term Definition Remarks
Risk Scoring Factor Attributes that have an impact on the achievement of objectives within an organization Each risk scoring factor can have one name and assigned weight, and be associated with one scale.
Inherent Risk

The risk that an activity would pose if no controls or other mitigating factors were in place

Inherent Risk can also be referred to as the gross risk, or risks before controls, and can act as the baseline for your organization's risk tolerance or appetite.

Control Weight Expresses the percentage of the risk that is mitigated by the control.

 

Residual Risk

The risk that remains after controls are taken into account

Residual Risk can also be referred to as the net risk or risk after controls.

Assurance The level of assurance that the controls in place effectively mitigate risk to the business  

Next steps