DEFINITION OF THE RISK MODEL

The Risk Model can be defined flexibly and according to a tree structure (family, macro-area, area and risk). The risk, already in the definition phase, can be associated with several attributes including that of being classifiable as ESG.

DEFINITION AND ANALYSIS OF THE CONTEXT

It allows the configuration of the internal context, the external context and the specific context related to the ERM-ESG risk management system.

With reference to the internal context, it is possible to configure elements of corporate governance (Legal Entity, Processes, Roles, procedural system, stakeholders), business elements (mission, values, objectives, sector of activity, business model, types of products offered and markets served) and organizational elements (organization chart, number of employees, type of contract for macro classes).

With reference to the external context, it is possible to configure corporate partners and companies belonging to the value chain, as well as any other company directly connected to business operations. Specifically, for each of them it is possible to define, among other information, the type of relationship (e.g. suppliers, joint ventures), the type of activities performed (e.g. manufacturing, packaging) and the geographical areas in which the activities are carried out.

With reference to the specific ERM-ESG context, through the platform it is possible to manage the reference legislation on the subject (ISO 31000 guidelines, COSO Framework, Self-Regulatory Code, Business Crisis Code, Legislative Decree 254/2016), the of ERM-ESG risks (see specific paragraph for details), and any other element useful for managing the entire risk management process. For the management of the indicators and the risk assessment criteria, please refer to the specific paragraphs.

BUSINESS AND SUSTAINABILITY TARGETS

It allows you to manage the entire management cycle of business and sustainability objectives: the definition of the program, the feasibility analysis of each individual objective, the assignment and management of activities with their frequency and related responsibilities, the schedule with notice and alert notifications, the upload of the documentation, and the closure and final balance. This cycle is an input to the risk assessment process. It also allows you to manage approval and information workflows.

METHODOLOGIES AND CRITERIA

It allows you to select, from a library of methodologies and criteria, the parameters that determine the levels and related classes of risk, the types of qualitative and/or quantitative evaluation and the levels of risk acceptability (Risk Tolerance). As regards risks classified as ESG, the platform proposes an ad hoc methodology.

RISK IDENTIFICATION, ANALYSIS AND ASSESSMENT

The Risk Identification phase consists of collecting all the details of the event and the mitigations currently in progress in a systematic way, through a specific risk form. This phase is completed by associating the risk with the Risk Owner as well as with a strategic objective/project or certain processes.

The Analysis phase is characterized by the definition of the different areas of impact (actual/potential and positive/negative) on which the evaluation exercise will have to be carried out (for example the same event in different geographical areas, Business Units, Processes, Customers, Suppliers etc.). There is also the possibility of using specific checklists for risk analysis, some of which are provided in the platform's library. The analysis, with reference to ESG risks, is accompanied by further elements such as, for example, the assessment of the impacts on components falling within the following areas: social, personnel, respect for human rights, the environment and corruption.

The Risk Assessment phase allows you to carry out qualitative and quantitative "scenario analyses" (Monte Carlo method), comparing the results obtained with the company's risk appetite. KRC® uses the R library (statistical programming language) for the analyses, which allows ample possibilities in terms of choice of distributions (normal, lognormal, exponential) and statistical models. The assessment can be carried out at the level of inherent risk and residual risk, taking into account the controls and mitigation measures in place.

DATA PROCESSING

The Treatment phase allows you to activate the Treatment Strategy (also for insurance purposes) and the related Plans with allocation of responsibilities.

The Risk Manager will be able to follow all the progress of the planned actions through specific dashboards on his home page.

Upon completion of the activities envisaged in the action plan, the "to be" mitigation automatically becomes "as is" and the Risk Manager will be invited, through specific system notifications, to re-assess the risks impacted by the new mitigation.

INDICATORS

In KRC® it is possible to configure and manage indicators to be used in the monitoring phase.

These indicators can be:

  • defined with maximum possibility of customization (type, unit of measure, target, tolerance, frequency, ownership)
  • associated with the corporate risk appetite framework, with the possibility of associating them with strategic, operational or sustainability objectives
  • consulted online through special dashboards or made available in specific reports

COMMUNICATION AND REPORTING

In KRC® it is possible to generate and manage reports containing the most significant information (which can be defined in advance) following the risk assessment. The various reports generated over time can be consulted by accessing a special control panel.

The platform provides dashboards and interactive heat maps that respond dynamically to special filters that query the entire database.

For example, it is possible to have specific heat maps for ESG risks or heat maps that compare the results of the assessments between two different dates.