Camms.Risk | December 2021

Camms is pleased to bring you the Quarterly Product Release Note for Camms.Risk.

This quarter we've got a number of exciting new features and enhancements to improve your user experience within the system, which will be available in your Test environment on 4th December 2021 and will be available in your Live instance on 18th December 2021.

1. Aggregating risks across the enterprise

This feature will enable organisations to identify and aggregate risks of individual business units across the enterprise. This will simplify the process for the same risk to be assessed in different departments and will be rolled up to parent organisation units. Additionally you will be able to copy risks to a different risk register and display the aggregated risk rating for the parent risks, based on the linked child’s risk rating.

1.1 Risk aggregation capability

How do you configure this?

  • A new setting is introduced within Risk Settings called ‘Aggregation Settings’ containing a toggle ‘Enable Risk Aggregation’, enabling you to either enable or disable the functionality (accessed via Camms.Risk Menu > Framework > Risk Settings > Aggregation Settings). 

Figure 1.1.1: Aggregation settings
  • The following dropdown values will let you select the appropriate aggregation calculation method. The aggregation rating in Risk Assessment details will be based on the following options:

    • Average of all linked risk ratings (you can include the risk rating of the parent within the aggregation risk calculation)

    • Highest rating amongst all linked risks

    • Count based, most common rating amongst all linked risks

  • To enable the risk aggregate rating to be visible in the registers, under the Register Configuration page (accessed via Camms.Risk Menu > Framework > Register Configuration), select the risk type register (Strategic, Project, Operational, Corporate, or EIS) via the 'Register Type dropdown you wish to display the aggregate risk rating, and select the below three fields as ‘Visible’ to display the aggregate risk rating in the configured risk register. To be searchable as a register filter, select the ‘Searchable’ option for these three fields.

    • Initial Aggregate Risk Rating

    • Revised Aggregate Risk Rating

    • Future Aggregate Risk Rating

Note: These fields currently cannot be configured within the Risk Dashboard popup and will be introduced in a future sprint.

  • The risk’s ‘Aggregate Risk Rating’ and the ‘Parent’s Risk Rating’ will be visible within the Risk Details page of each Risk Assessment, based on the Field Configuration setup of the ‘Risk Assessment’ field (accessed via Camms.Risk Menu > Framework > Field Configuration). The 'Risk Assessment' field under the required Risk Type and Risk Assessment tab (e.g. Strategic Risk type > Initial risk assessment tab) must be ticked as ‘Visible’. To be displayed under the My Quick Update page, the 'Risk Assessment' field under the same area must be ticked as ‘Quick Update’. If unticked, both the 'Aggregated Risk Rating' and the 'Risk Rating' will not be displayed.

How will this work?

  • Enabling this setting will include the Risk Aggregation Rating within risk details of a parent risk (for which child risk linkages are available). Within the risk, the aggregation rating will be an additional component to the parent risk’s own risk rating.

  • If the parent risk is also a child risk to another parent risk, then that parent’s risk rating will be visible too.

  • You will be able to view the breakdown of the risk rating of each child risk, within risk assessment details.

  • The risk assessment details will additionally contain a horizontal heatmap bar based on the risk ratings of the child risks as per the colours configured for risk rating types under Risk Settings > Risk Rating, in a descending order (highest to lowest).

Note: This will not be visible within the My Quick Update expand view section.

  • The Aggregated Risk Rating will appear as a column in all of the risk registers as well as under the EIS, based on the configurations mentioned above. The rating will display only for risks which are parent risks. The column will display 'N/A' for risks which do not have an aggregate risk rating.

  • The risk registers and the EIS can be filtered by the aggregate risk rating, based on the configurations mentioned above.

Note: The Dashboard widgets and the Risk Analysis widgets will not depict risks based on the aggregate risk rating.

1.2 Cascading risk between different risk registers

How do you configure this?

  • The risk aggregation must be enabled within Risk Settings to access this feature (accessed via Camms.Risk Menu > Framework > Risk Settings > Risk Aggregation). 

  • You will require to have permission to ‘Add’/’Edit’ a risk for each risk type in the parent risk (source risk) and ‘Add’ permission in the child risk (destination risk) in order to move risks.

a. For Static Hierarchy users: Any user permission other than ‘Operational User’ or ‘Viewer’ (accessed via Camms.Risk Menu > Administration > Manager Users).

b. For Flexible Hierarchy users: Any user with 'Add' permission for each risk type or ‘Edit’ permission for each assessment for each risk type in the parent risk (assessed via Camms.Risk Menu > Administration > Role Management > Risk Type > Details).

How will this work?

  • A new button Copy & Move will be visible in Risk Assessment Details for users with the above access. Selecting the button will display a popup, and via the copy tab, you can select the relevant Risk Register to copy the risk.

  • A risk can be copied between one risk type register to another risk type register or within the same risk type register.

  • When copying a risk to the Operational Risk Register, the selection of an organisation hierarchy node is  mandatory.

  • When copying a risk to the Project Risk Register, an 'Action or Project' along with a Risk Owner requires to be selected.

  • When copying the risk, you can copy additional information from the source risk such as: Controls, Actions, Documents, and Links.
    To copy these components, the ‘Add’ or ‘Edit’ permissions will be required for each of these components in the destination risk type settings (assessed via Camms.Risk Menu > Administration > Role Management for Flexible Hierarchy users OR Camms.Risk Menu > Administration > Manage Users for Static Hierarchy users). The tick boxes will be disabled if the required permission is not available.

  • Additionally, you will be able to link the original risk as the parent when performing the copying functionality, by selecting the ‘Link to Parent’ option. This is ticked by default and once the risk is copied it will create parent-child relationships visible in the ‘Links’ tab of both parent and child risks. If you want to copy the risk without any parent linkages, then this must be left unticked.

  • By selecting ‘Copy Risk without rating’ within the Copy popup window, the risk rating will not get copied and the Risk Owner will need to go to the copied risk and complete a risk assessment. If it is unticked, then the source risk’s risk rating will get copied to the child risk.

  • You can copy a risk to a particular organisation node, by selecting it from the organisation hierarchy tree. Each node selection will create a copy of the source risk. The nodes visible here would be based on the permission given to you.

  • You will be prompted at the time of copy, if the destination risk type register does not have all of the fields configured as per the source risk. If you wish to continue to copy the risk, that information will be lost.

  • The copied risk will take the next sequence number within the destination risk type register as per the configurations setup within the ‘Sequence’ under the Risk Settings (accessed via Camms.Risk Menu > Framework > Risk Settings).

  • The copied risk will not include the history of the source risk. But the risk history popup will display an information icon stating the source risk ID and risk title.

  • When risk approvals is turned on, the copy feature will not be available until after a risk is ‘Saved as Draft’ or ‘Saved’. You are able to select and save the copy details, but the copy will occur only after the risk has been approved. The copied risk will get created as a draft, and the risk owner of the copied risk will need to submit the risk for approval.

  • If the source risk is confidential, then the copied risks will also be confidential.

  • When a risk is copied, the Risk Creation and Risk Assignment emails will be triggered.

  • A parent risk can be deleted, however, this will then remove all parent-child linkages.

  • An inactive risk cannot be copied.

1.3 Creating parent-child relationships for existing risks

How do you configure this?

  • The Risk Aggregation is required to be enabled within Risk Settings to access this feature (accessed via Camms.Risk  Menu > Framework > Risk Settings > Risk Aggregation).

  • You will require to have ‘Editor’ or higher permission for the respective risk for Static Hierarchy permissions (accessed via Camms.Risk Menu > Administration > Manage Users) or ‘Links’ tab permission for the respective risk type for Flexible Hierarchy permissions (accessed via Camms.Risk Menu > Administration > Role Management).

How will this work?

  • In the ‘Links’ tab, when a new risk linkage is created, the grid which depicts all risks for the selected risk type, will now have an additional column ‘Link as Child’.

  • When you select the risk to Link, the tick box for ‘Link as Child’ will be enabled, and upon selection and clicking Save, the linked risk will become a child risk of the source risk.

  • This tick box will remain disabled if the risk is inactive or if the risk already has a parent risk.

  • Once the risk is linked as child, it will display within the Linked Grid. A new column is introduced as ‘Linked Type’.

a. If the linked risk is a child risk, then the link icon will display the tree icon, where the child nodes are blue in colour and the root node is colourless. 

b. In the linked risk grid of the child risk, the parent risk will display the tree icon, where the child nodes are colourless, but the root node is in blue colour. 

c. If the risk is an independent linkage, then the link icon will display as below. 

d. When a risk is copied with parent-child linkages, then this grid will denote the parent icon within the child risk, and the child icon within the parent risk. In the event a risk is a parent and a child, then both linkage types will display with the respective icons. The independent linkages are for those risks which are linked without any parent-child linkages.

2. Moving risks between different risk register types

With the introduction of this feature, you will now be able to transfer a risk to the organisation from one risk type register to another, based on the impact of the risk within the organisation. For example, an Operational Risk can be moved as a Strategic Risk if it was to cause an impact to the entire organisation.

How do you configure this?

  • The risk aggregation setting must be enabled within Risk Settings to access this feature (accessed via Camms.Risk Menu > Framework > Risk Settings > Aggregation Settings). 

  • You must have permission to ‘Add/Edit’ a risk for each risk type in the parent risk (source risk) and ‘Add’ permission in the child risk (destination risk), to move a risk.

a. For Static Hierarchy users: Any user permission other than ‘Operational User’ or ‘Viewer’ (accessed via Camms.Risk > Administration > Manager Users).

b. For Flexible Hierarchy users: Any user with 'Add' permission for each risk type or ‘Edit’ permission for each assessment for each risk type in the parent risk (assessed via Camms.Risk Menu > Administration > Role Management > Risk Type > Details).

How will this work?

  • A new button with the label Copy & Move will be visible under Risk Assessment details for users with the above access. Selecting the button will display a two tab popup with the Move tab in which you will be able to move risks between different risk registers. You will be able to move the risk from one register to another type, but not within the same risk register type.

  • When moving a risk, the ‘Primary Risk Category’ must be selected for the destination risk register type. This is mandatory.

  • When moving a risk into a Project Risk Register, an ‘Action or Project’  must be selected along with a Risk Owner.

  • By selecting on ‘Move Risk without rating’ within the Move popup window, the risk rating will not get copied and the risk owner will need to go into the moved risk and complete a risk assessment. If it is unticked, the source risk’s risk rating will get copied to the moved risk.

  • You can select multiple hierarchy nodes to move a risk. Hierarchy linkages will automatically be created for each of the selected hierarchy nodes, which will display within the 'Links' tab of the moved risk. The nodes visible within the organisation hierarchy tree would be based on the permission given to you.

  • You will be prompted at the time of moving a risk, if the destination risk type register does not have all of the fields configured as per the source risk. If you continue to move the risk, that information will be lost.

  • Once a risk is moved, the risk will be inactive within the source register and will be active in the new register with a new ID in a draft status. The inactive risk cannot be made active again.

  • All linkages, controls, and actions of the source risk will automatically move to the moved risk and will not exist within the inactive source risk.

  • The moved risk will take the next sequence number within the destination risk type register as per the configuration’s setup within ‘Sequence’ under Risk Settings (accessed via Camms.Risk Menu > Framework > Risk Settings).

  • The moved risk will not include the history of the source risk. But the risk history popup will display an information icon stating the source risk ID and risk title.

  • When Risk Approvals is turned ON, only the approved risks can be moved.

  • The My Quick Update page will change to reflect the moved risk under the moved risk type grouping.

  • An inactive risk cannot be moved.

3. Populating consequence descriptors based on hierarchy linkages

With this enhancement, you will now be able to link risk categories to hierarchy nodes; thereby providing unique descriptors for each consequence against a hierarchy node. This will allow the risk user to filter the consequence popup based on hierarchy linkages and view unique descriptors for each impact scale.

How do you configure this?

  • Enable the external setting ‘Enable unique consequence descriptors based on hierarchy linkages’ (accessed via Camms.Risk Menu  > Administration > Configurations).

  • Upon enabling this setting, the ‘Category’ settings page within Risk Settings will display a new column as ‘Hierarchy Links’. This will depict a Links button which will allow you to link a category to an organisation hierarchy node. You can then select one or more hierarchy nodes.

  • If you wish to have unique descriptors for a risk category for different hierarchy nodes, then the category must be duplicated with unique organisation linkages being made for each duplicated category.

  • Once the category is linked to organisational hierarchy nodes, you must provide unique descriptors for the consequence scales against each category within the ‘Consequence Table’ in Risk Settings, where a new 3-tier hierarchy filter is introduced.

  • By default, the ‘Consequence Table’ will list all categories. You will be able to filter the categories based on the linked hierarchy node from the hierarchy filter. Once an organisation node is selected, the categories linked to that node for that risk type will be displayed.

  • In the event there are no linked categories for the filtered hierarchy node, a message ‘No records available’ will be displayed.

  • You will be able to add consequence descriptions against the filtered hierarchy nodes and click ‘Save’.

How will this work?

  • A risk should be linked to an organisation hierarchy node via the ‘Organisational hierarchy’ fields, the ‘Links’ tab, or the ‘Links’ field.

  • The Consequence popup window will then automatically filter the categories with its unique descriptors, based on the risk’s organisational hierarchy linkages for the first time.

  • The Consequence popup can be filtered by different organisation hierarchy linkages. To do so, you must click the ‘Change Filter’ button, which will open a 3-tier hierarchy filter.

  • The Consequence popup must filter the categories and display the description, based on at least one or more linkages.

Example:
Category A – Finance & Marketing
Category  B – Marketing
Category  C – Finance
Category D – Technology
If the risk is linked to Finance, then show Category A and Category C.
If the risk is linked to Finance and Marketing, then show Category A, Category B, and Category C.
If the risk is linked to Finance and Technology then show Category A, Category C, and Category D.

  • You are able to unselect the risk’s linkages and select a different linkage from the ‘Change Filter’ dropdown. If the consequence selection is based on this different linkage filters and you click Select, this would then confirm your changed filter criteria and selection.

  • The consequence popup will display the filters for which the consequence value was selected as a breadcrumb path.

  • If you select different hierarchy nodes from the filter or you clear filters but do not select a value, and close the popup, then the popup will retain the previously saved value against its  hierarchy filter selections.

  • If the organisation nodes linked to a category has been changed by an admin user, then the filter criteria within the consequence popup will not be valid. You will then need to refresh the selection.

4. Permitting any staff member to be the primary responsible person for project risks

You will now have the option to set any staff member in your organisation to be the Primary Risk Owner for Project Risks. Previously, the primary risk owner was limited to the project board and team members.

How do you configure this?

  • As an administrator, navigate to the Project Settings > System Settings page and switch OFF the 'Restrict the primary responsible person of project risks to the project board and team', to let any staff member (who is not a part of the project board and team), to be the Primary Risk Owner for project risks.

How will this work?

  • When this setting is turned OFF, the Responsible Person dropdown in the below mentioned areas, will show all staff members in the organisation, allowing users to select a person outside the project board as the Primary Risk Owner, if required.

    • When creating a new project risk

    • Within the Initial assessment details page of a project risk

    • Within the Copy/Move popup when copying a risk and/or moving a risk

5. Introducing a new Executive Risk Report

This new Executive Risk Report will provide key details around Risks, Controls, and Treatment Actions. It will further provide a summary view of Risks by Hierarchy Structure (e.g. view risks by Business Unit or Department) and by Risk Category, along with a detailed view of each individual Risk captured in the report.

This report consists of the below filters which will enable you to filter and display the required content. In addition, controls are available to specify the visibility of certain report sections and fields.

  • The first page of the report consists of a summary page which will include the following details:

    • A heatmap depicting the count of Risks against each Residual Risk Rating

    • A column chart to display the count of Overdue Actions during the past 12 months, segregated based on the Residual Risk Rating of the Risk associated with the Action

    • A donut chart to display Risk Actions by Action Status

    • A donut chart to display Controls by Control Effectiveness

  • The next page of the report will display the breakdown of Risks based on the Hierarchy structure. For each selected Hierarchy node, a separate chart will be generated, displaying a count of Risks against the underlying nodes. By default, the report will display the count of Risks per Business Unit, for each Directorate in the Organisation.

  • In the next section, the report will display a detailed breakdown of the Risks included in each Organisational unit. This section will display the breakdown of Risks based on five (5) different criteria in a tabular view, as shown below. Moreover, the count of Controls and Actions associated with the Risks linked to each Organisational unit, will be displayed in the last two columns, segregated based on Control Effectiveness and Action Status respectively.

  • The next section of the report will display the breakdown of Risks based on the Risk Categories. A bar chart on top will display the breakdown of Risks per Primary Category, followed by individual bar charts for each Primary Category, displaying the count of Risks per Sub Category. 

  • The report will display a detailed breakdown of the Risks included in each Primary/Sub Category in the next section. This section will display the breakdown of Risks based on five (5) different criteria in a tabular view, as shown below. Moreover, the count of Controls and Actions associated with the Risks of each Primary/Sub Category, will be displayed in the last two columns, segregated based on Control Effectiveness and Action Status respectively. 

  • The last part of the report will display a detailed view of each individual Risk captured in the report in a grid as shown below. This section will display the basic details of the Risk along with the trend of Residual Risk Rating, compared to the previous period.

6. Incorporating Risk Aggregate Rating fields in the Risk Heatmap report

The Risk Heatmap Report will be enhanced to display the Aggregated Risk Rating under all three Risk Assessments (Inherent, Residual, Future) for each Risk within the Risk Overview section. All linked risks will now depict a Link icon under the Link Type column. Additionally, the Aggregated Risk Rating will be shown for each linked risk.

6.1 Aggregated Rating grid in the Risk Overview section

  • This new grid will indicate the Aggregated Risk Rating associated with the Risk for each Assessment Level (Inherent, Residual, and Future).

  • It will be positioned underneath the legend of the Individual Risk Heatmap.

6.2 Aggregated Residual and Link Type columns in the Linked Risks grid

  • Two new columns ‘Aggregated Residual' and ‘Link Type’ have been introduced to the Linked Risk grid within the Risk Overview section.

  • The Link Type column will be positioned at the end of the Linked Risks Grid and will assist in identifying the Child Risks.

a. If the Linked Risk is a Child Risk, then the link icon will display the tree icon, where the Child Nodes are blue in colour and Root Node is colourless.

b. If the Linked Risk is a Parent Risk, the link icon will display the tree icon where the Child Nodes are colourless, but the Root Node is in blue colour.

c. If the Risk is an Independent Linkage, then the link icon will display as below.

7. Incorporating Risk Aggregate Rating fields in the Risk Register report

With this enhancement, the Risk Register Report will display the Aggregated Risk Rating Score and Aggregated Risk Rating for all three risk assessments (Inherent, Residual, and Future).

  • In an instance when there is no Risk Rating available for a Risk Assessment pertaining to a Risk, it will be displayed as blank.

  • These Aggregated Risk Ratings are controlled via the new filters 'Aggregated Risk Rating' and 'Aggregated Risk Rating Type Name' under each assessment level, within the Assessments Detail filter grouping, in the ‘Show Fields’ filter.

8. Viewing the number of days since last log in

This enhancement will let users with Administrator permission view the number of days since the last log in of each user.

How does this work?

  • Two new columns called 'Last Login Date/Time' and ‘Days since Last Login’ will be introduced in a grid in the ‘User List’ page (accessed via Camms.Risk Menu > Administration > Users > User List).

  • The ‘Last Login Date/Time’ column will display the last logged in date and time of each user.

  • The ‘Days since Last Login’ column will display the number of days that has passed since each user’s last log in attempt. The number of days will be counted from the ‘Last login date’ of each user, to the current date. 

  • If you have not logged in even once, the value will be displayed as ‘N/A’ and you log in, this value will be changed to 0.

Â