1. External Internal Context Definition

It allows the definition of the internal and external context in which the organization operates, the Vision, the Mission, the Code of Ethics, the needs and expectations of the parties involved. Manages the ISO 9004:2009 Business Strategy Checklist: manage an organization for lasting success.

2. Strategic Plan and Objectives

It allows you to manage the Strategic Plan and the entire management cycle of the objectives, from the definition of the program, to the feasibility analysis of the single objective, to the assignment and management of activities with attendance and related responsibility, the schedule with reporting of notice and alert, the upload of documentation, the closure and the final balance, is input to the Risk assessment process. Enables management of approval and information workflows.

3. Definition of the Risk Model

It allows to select from a library of Risk Models divided by Product Sector and by type of Company (Large Private, SME, Multinational Branch, Listed on the stock exchange) the Risk Model, current and emerging, from which to start the phase of customization. The Model makes it possible to predict events that can compromise the achievement of company objectives or that can create new opportunities.

4. Methodologies and Criteria

It allows to select from a library of methodologies and criteria, the parameters that allow the determination of levels and related classes of Risk, the types of Qualitative and/or Quantitative assessment and the levels of risk acceptance (Risk Tollerance).

5. Identification, Analysis and Evaluation of Risk Events

The Risk Identification phase consists in collecting in a systematic way and through a special risk event sheet all the details of the event and the mitigations currently underway. This phase completes the association with the Risk Owner as well as a strategic objective / project.

The Analysis phase is characterized by the definition of the different impact areas on which the evaluation exercise will have to be carried out (for example the same event in different geographical areas, Business Units, Processes, Customers, Suppliers etc.). There is also the possibility, through the import of the budget / budget, to associate the risk event with one or more balance sheet items, assigning a minimum and maximum impact%.

The Risk Assessment phase consists in defining the probability of occurrence, which can be integrated by the start of a Montecarlo statistical routine, in the choice of the evaluation criteria (qualitative and quantitative), in the insertion of the data for the calculation of the impact on Ebit, Cash Flow, reputational, etc.

6. Treatment

The treatment phase (Residual Risk) allows the Treatment Strategy to be activated (also for insurance purposes) and the related Plans with allocation of responsibilities. It allows the management of both manual and automated controls in order to evaluate their effectiveness and efficiency.

7. Communication 

It allows the targeted management of the communication and information process to both internal and external stakeholders on the management results obtained and the evolutions of the Risk Model. Through the information gathered by the information system, it controls and measures the effects of the application of the adopted strategy.


Enterprise Risk Management

Introducing an Enterprise Risk Management (ERM) system means to provide the Senior Management with a control system that can support strategic decisions through risk assessments about risks that can potentially compromise the achievement of business goals.

The introduction of a ERM process into the enterprise also involves the spread of all resources of a culture and a so-called "risk-based" thinking, which is essential to ensure the functioning of the entire Risk Management system, consolidation and the company's development in line with the requirements of the new standards.

KRC® applies the Risk Management process to the ISO 31000:2018 standard that is powered by the Knowledge Management process that enables you to systemise your business and people knowledge.


Corporate Governance Code, Borsa Italiana, July 2015

7.P.1.Each issuer adopts an internal control and risk management system consisting of a set of rules, procedures and organizational structures aimed at identifying, measuring, managing and monitoring the main risks. This system is integrated into the more general organizational and corporate governance structures adopted by the issuer and takes into due consideration the reference models and the best practices existing at national and international level." (Article 7 - Internal control and management system of Risks)



Integrated Areas and Flows

The processes of Audit, Targets, Operational Controls, Event Management and Non-Conformity and Re-examination are managed in integrated flows for the different Management Systems: Environment, Health and Safety, Quality, Energy, Privacy, Information Security, Anti-corr​uption, Social Responsibility.

Human Resources Area

  • Registry File Management: allows you to manage the integration between the corporate HR Database and the KRC HR Database. It allows the production of personal data sheets: it associates the job, the qualifications and the legal and corporate titles; it composes the training booklet from the training flow, the risk assessment form from the risk assessment flow, the health protocol from the health surveillance flow, the PPE per task and distributed by the PPE flow.
  • Organization charts: allows you to produce the corporate and legal organization chart.
  • Roles and Responsibilities: allows the Job Description to be produced with regard to activities and responsibilities from the Procedures and Instructions Management flow.  

Flow Norms and Laws for the Management of Legal Prescriptions

It allows to produce the regulatory framework, the systematization of the provisions contained in the provisions and to assess the legislative compliance by identifying methods of verification and control and those responsible. It generates the regulatory schedule with the sending of prescription notifications to the managers. The rules and laws and the provisions relating to the risk element will be displayed in the risk and environmental aspects forms.

Norms and Laws update service

KEISDATA provides the supply with a fortnightly update of the rules and laws characterized by Scope, Thematic, Sub-topic, Topic and Element of risk with relative upload of the legislative document. Generates the regulatory schedule with notifications to managers.

Autohorization management flow

It allows you to manage authorization from identification to assigning responsibilities. Create the authorization framework, manage the related activities and create the authorization register. Generates the schedule with notification of notice and registration of the successful completion with upload of the documentation.