Working with the risk register

Add a risk

The Risk register aligns with the processes outlined in the ISO 31000 Risk Management guidelines. After a risk is added, it moves to the Manage stage for review prior to approval and publishing to the register.

Quick steps to adding a risk:

  1. Go to the Risk register and click on the FAB and select Risk
  2. Complete the Risk details form
  3. Click Submit

Form components

  • Risk details - Describes and categorises the risk.
  • Risk controls - Enables you to link the controls in the QMS to the identified risk.
  • Risk assessment - Where you can make an assessment of the risks to the organisation.
  • Risk treatment - Where you delegate action to mitigate the risk.
  • Related adverse events - Where you can set the organisation's alert threshold for related adverse events.
  • Assign - Where you can set the risk manager and owner.
  • Attach records - Where you can upload associated records to the risk.
  • System event history - A chronological list maintained by the system of most entries, changes, and linkages made in the system in relation to this risk.

Workflow

The Stage Navigation Bar displays the workflow stages that the risk will follow once added (subject to the decisions made along the way).


Risk details

This component allows you to categorise and describe the risk in terms of the contributing factors and potential consequences to the organisation if the risk occurred. 


  • Risk dimension - select the dimension the risk relates to. 

  • Risk category - select the category the risk relates to.

  • Risk name - add the risk name. Note: When you submit the Risk Details form, the Risk name will link automatically to the Risk category.

If your platform has been set up with example risks, these will be in the Draft tab of the Risk register.

  • Contributing factors - describe the factors that are likely to contribute to the risk occurring.
  • Description of the risk - provide a description of the risk. 
  • Potential consequences - describe the outcome or impact if the risk occurred. 
  • Risk review date - select the date the risk is to be next reviewed.
  • Record physical location (optional) - select the location of the risk, if applicable.
  • Additional comments (optional) - use this text field to add further comments. Note: all comments are recorded in the Action history of the risk.

Risk Controls

The Risk controls component describes and displays the current risk controls your organisation has in place to manage the identified risk.

  • Description of existing controls - describe the existing controls in place to manage the risk.
  • Related controls - for each register activated in the QMS, a dropdown menu will appear enabling you to link the relevant controls from all other registers, e.g. documents, contracts, records, assets, audits, compliances, maintenance, training, licensing, and suppliers. From each dropdown, select the related control/s in place to manage the identified risk.


Risk assessment

The risk assessment matrix enables the risk to be assessed from three perspectives: as an uncontrolled (inherent) risk to the organisation; as a controlled (actual) risk; and as the target risk rating, which is the level of risk that would be acceptable to the organisation.

The risk assessment matrix lists 3 risk ratings:

  • Uncontrolled/Inherent risk - refers to the initial assessment of the impact and likelihood of a risk prior to considering existing controls, i.e. in the absence of controls; sometimes referred to as the inherent risk.
  • Controlled/Residual risk - refers to the assessment of the impact and likelihood of a risk taking into account existing controls; sometimes referred to as residual risk. Treatment might include avoiding, modifying, sharing or retaining the risk.
  • Target risk rating - refers to the level of risk the organisation would accept.

The Uncontrolled, Controlled and Target ratings are required values, so they must be completed before saving the form.

If controls are in place to manage a risk, it is expected that the controlled risk rating would be lower than the uncontrolled risk rating.


Risk treatment (optional)

The risk treatment component enables you to link current or past improvements that have been taken to mitigate the risk, as well as delegate new risk mitigation actions. This component is optional. Risk mitigation actions can be added at any time.


Related improvements (optional) - add past or current improvements that have or are being undertaken to mitigate the risk.

Mitigation actions (optional) - click the Add icon to add actions to mitigate the risk.

  • Action - describe the action to be taken.
  • Action type - select the option that best describes the intended outcome of the action, e.g. Change the consequences or Change the likelihood.
  • Assigned to - select the person responsible for taking the action.
  • Due date - select the date the action is to be completed by.
  • Status - select Action open (the default when initially assigning the mitigation action task) or Action ongoing. Action complete can be selected if you are recording historical items. Otherwise this will be selected when the action is done.
  • Click OK to save.

Each mitigation action task will appear in the Risk mitigation actions tab on the Risk register. They will also appear in My Tasks of the staff member assigned the risk mitigation action. 


Risk review

This component tracks the number of adverse events that have been linked to the identified risk. Adverse events can be set to automatically link to a risk or they can be linked when the adverse event is reported.

The review of a risk will be activated either by a nominated review date or when the value in the Number of adverse events that can occur before the risk is automatically brought under review field has been exceeded, whichever occurs first.

  • Incident types linked to the risk (optional) - select the incident types that are to be linked to the risk.  Each time the incident type is reported, the count on the Risk appetite will increase by 1. 
  • Feedback categories related to the risk (optional) - select the Feedback categories that are to be linked to the risk.  Each time the Feedback category is reported, the count on the Risk appetite will increase by 1. 
  • Number of adverse events that can occur before the risk is automatically brought under review - 'the amount and type of risk an organisation is willing to accept in pursuit of its business objectives' (ISO 31000). This component tracks the number of reported adverse events (incidents, complaints, non-conformances, repairs) that have been linked to the risk. When the number of reported events linked to the risk exceeds the set value, the risk will come under review.
  • Number of adverse events to date - This is the number of incidents, feedback, repairs, improvements that have been linked to the risk for all time.
  • Number of adverse events since the risk was last reviewed - This is the number of incidents, feedback, repairs, improvements that have been linked to the risk since the risk was last reviewed.

Assign

This component is where you will assign the Risk manager and the Risk owner to ensure delegations and communication relating to the management of the risk aligns with organisational requirements. 

  • Related business area - select the business area the Risk relates to.
  • Related meeting - select the meeting that has responsibility for oversight of the risk.
  • Risk manager - select the person who is responsible for managing the risk. 
  • Risk owner - select the person who is accountable for the risk.
  • Notify other users by email (optional) -  You can use this function to notify relevant personnel that the risk has been added to the QMS, thereby providing them with a link to the risk.  Note: users sent notifications relating to the risk will need to be included in Access control to see the risk.

Access control

The Access control component is where you define which users have access to view the item. You can grant access to a team or individual users, or both.

  • All users can access - Select this option if you would like all users to be able to view the item.
  • Specify who can access - Select this option to control which users can view this item.
  • Teams - Select the team/s who need to view the item.
  • Individual users - Select specific users (if they are not included in the selected team/s) who need to view the item.

Who can view?

Click this button to see a list of users who can see the item based on your selection. The list will also include those users assigned to the item in the workflow.

Note: Users with system level permissions to see all items will also be included.


Attach records

This component enables you to upload or link related records.

  • Record name - When naming the record, ensure the description is meaningful and easily found when searching. For instance, 'Risk assessment report - March 2022'.
  • File/Link - click on Choose file and navigate to the record on your computer. If you have links enabled, toggle to change the control to add a URL to the record. The URL must be in a web (http://) or Microsoft SharePoint format (https://<company>.sharepoint.com/...).

Submit/save the form

The green Submit button will save the form and in most cases progress the item to the next stage of the workflow. The button label, however, will change depending on certain conditions to make it quicker to complete tasks. For example, if you assign the item to yourself to manage, the button label will change to 'Next', allowing you to manage the item without having to click through to another stage in the workflow.

  • Create a related item - If you want to create a related/linked item after you submit the risk form, you can select the relevant register in the Create a related item component. When you press Submit, the platform will launch a new item in the register you selected. The platform will display a link between the two items in the System event history.
  • Save as draft - you can choose to save as a draft and continue working on the risk until you are ready to publish it.  The risk will remain in the Draft tab until it is published.
  • Quick publish - If you are the Risk owner, you can skip the Manage and Approve stages by selecting Quick publish.  The Quick publish option will immediately approve the risk and publish it to the Risk register.
  • Submit/Next - The green Submit button will save the form, upload the risk and move it to the Manage stage.