Heads of various organisations always face a range of risks and pay a lot of attention to risk management in decision-making process. The problem of risk management is therefore of great importance for IT developers. The need for information that would allow for timely risk management has led to the development of a new sphere - risk management. Experts working worldwide in various spheres of human activity managed to develop an internationally recognised risk management standard [ 1 ] (further referred to as ISO/IEC 31010).

The need to produce quality goods that would meet consumers’ requirements resulted in the introduction of quality management systems (QMS) in organisations. The design and introduction of such systems, in turn, led to the development of quality standards. International standards for quality management systems were elaborated over time to meet the requirements of people. It therefore became necessary to assess and manage risks [ 2 ].

A specific feature of ISO/IEC 31010 is that it takes into account various criteria applicable to risk management. On the one hand, the standard recommends using clear and consistent risk assessment techniques. On the other hand, it also suggests the most effective risk assessment methods for enterprises. The standard provides a unified description of such methods, their specifics, strengths, and limitations. ISO/IEC 31010 also lists the requirements to the risk assessment methods that must be met when designing a risk management system (RMS). According to the standard, RMSs must regard the following parameters: 1) applicability of the methods at various stages of risk assessment and 2) factors influencing the choice of the assessment methods. The applicability of risk assessment methods (Table A) [ 1 ] is strictly determined as “strongly applicable” (SA), “applicable” (A), and “not applicable” (NA). Using this information, developers of a RMS can determine a range of risk assessment methods they should use when designing the system. However, the recommendations provided by the standard also determine a strictly limited set of risk assessment methods that can be employed in specific circumstances. This may result in the ambiguity of the results of the risk assessment process. It also and makes it much more difficult to design a RMS and causes confusion for the developers.

Taking into account the factors determining the selection of risk assessment techniques (Table B) [ 1 ], such as “Resources and Capabilities”, “Uncertainty”, and “Complexity”, allows to evaluate their relevance as “Low”, “Medium”, and “High”. ISO/IEC 31010 also provides information regarding the quantitative output of each technique. The necessity to account for the listed factors when selecting the assessment techniques results in the same ambiguity as the necessity to account for their applicability (Table A) [ 1 ]. This means that there are two overlapping uncertainties in selecting the assessment methods.

Another issue that should be regarded when selecting risk assessment methods is the fact that ISO/IEC 31010 also focuses on the level of expertise in various spheres. It should be noted that the standard is general in nature - it reflects good practices of selecting risk assessment techniques and provides guidance across various industries and types of organisations.

Corollary. In order to develop a functional RMS, the recommendations of ISO/IEC 31010 [ 1 ] should be adapted to the specific parameters of the organisation. In this paper we suggest a methodology and a BI system for risk assessment and management that has the following benefits. • On the development stage it is possible to: – – – select risk assessment methods suggested in ISO/IEC 31010 [ 1 ] regarding the specifics of a certain organisation; create a risks register of a certain type; generate a graphic representation of the risk level, both for individual risks and ranges of risks. • On the production stage it is possible to: – – – evaluate the current values of various parameters of risks; monitor the risks and create graphic representations of their level; take risk prevention measures

When designing a RMS, the developers should take into account the recommendations of ISO/IEC 31010 [ 1 ] as well as the inner parameters of the organisation where the RMS will be employed [ 3 ]. The suggested methodology of selection of risk assessment techniques is based on the analytic hierarchy process (AHP), heuristic logical actions of the experts, and the decisions of the decision maker. The following decision making algorithm is suggested (Fig. 1): Strengths and limitations of every risk assessment technique were analysed. At the first stage of the analysis we divided the assessment techniques into 20 groups based on their strengths and limitations. Each group includes techniques with equal characteristics. As a result we obtained two sets of groups (strengths / limitations) with each group including its own set of techniques. Some techniques can be included into several different groups [ 3 ]. Each group is ranked by the experts of the organisation, using the expert scale.

At the second stage, the criteria relevant for certain activities of the organisation are determined. and ranked by the organisation’s experts. The criteria are universal, i.e. applicable to any group of risk assessment techniques.

As a result, we obtain a hierarchy where the top level is the target (selection of the best group of assessment techniques), the second level contains the criteria for the selection of groups of assessment techniques, and the third level contains the groups of assessment techniques. The third stage includes selecting groups of techniques (alternatives) using the analytic hierarchy process (AHP).

The selection of risk assessment techniques is performed by means of VBA - a programming language used in Microsoft Excel. The selection process is demonstrated in Fig. 2. The selection process is demonstrated in Fig. 3.

The fourth stage includes graphic selection of risk assessment methods. The selection process is based on the relevance of the groups of methods of both sets. The fifth stage includes the analysis of the selected techniques regarding the recommendations of ISO/IEC 31010 (Table A, B) [ 3 ]. If the results are not satisfactory, it is possible to repeat the above listed stages correcting the process of expert ranking, the criteria, and the sets of selected risk assessment methods.

Corollary. Development of a RMS includes the following. • It is necessary and possible to take into account inner and outer parameters of the organisation when selecting risk assessment methods. • Parameter-based selection process allows the developers to broaden or narrow the search area based on the relevance of the groups of methods.

The process of RMS design involves experts working at the organisation. Risk assessment methods help to identify the risk, its category, level, and type, the probability of risk and its consequences.

The suggested programme for selecting risk assessment methods is a subsystem of the BI system “System for Prevention and Management of Process-Related Risks” (SPMR). 3

The development stage starts with “Risk Identification” [ 1 ]. The interface of the programme is demonstrated in Fig. 4. The ranking chart is generated step-by-step, and is thus completed with the data obtained during the “Risk Analysis” (P - probability of risk, I - impact, R - rank of the risk). Each element (P, I, R) of the BI system SPMR has its own graphic representation. The last part of the development stage is the “Comparative Analysis of Risks”. Risks are first analysed separately with regard to the relevant areas. Then they are analysed all together with regard to a specific area (Fig. 5). • Administrators - members of the IT service. They develop the organisational structure of the system's users: lists if employees and their status, passwords, and directories of personal RISK REGISTERs. • Status 1 employees - Managers / Executives who can work with subsystems of the risk assessment process and certain RISK REGISTERs. • Status 2 employees - Managers who can work with subsystem “Risk Assessment METHODS”, subsystems of the risk assessment process, and certain RISK REGISTERs of executives. To assess the dynamics of risks, the following parameters are used that allow for monitoring risk generation (Fig. 4):