Camms.Risk | December 2021

Camms is pleased to bring you the Quarterly Product Release Note for Camms.Risk.

This quarter we've got a number of exciting new features and enhancements to improve your user experience within the system, which will be available in your Test environment on 4th December 2021 and will be available in your Live instance on 18th December 2021.

1. Aggregating risks across the enterprise

This feature will enable organisations to identify and aggregate risks of individual business units across the enterprise. This will simplify the process of assessing the same risk in different departments and rolling it up to parent organisation units. Additionally, you will be able to copy risks to a different risk register and display the aggregated risk rating for the parent risks, based on the linked child’s risk rating.

1.1 Risk aggregation capability

How do you configure this?

  • A new setting is introduced within Risk Settings called ‘Aggregation Settings’ containing a toggle ‘Enable Risk Aggregation’, enabling you to either enable or disable the functionality (accessed via Camms.Risk Menu > Framework > Risk Settings > Aggregation Settings). 

Figure 1.1.1: Aggregation settings
  • The following dropdown values will let you select the appropriate aggregation calculation method. The aggregation rating in Risk Assessment details will be based on the following options:

    • Average of all linked risk ratings (you can include the risk rating of the parent within the aggregation risk calculation)

    • Highest rating amongst all linked risks

    • Count based, most common rating amongst all linked risks

  • To make the aggregate risk rating visible in the registers, go to the Register Configuration page (accessed via Camms.Risk Menu > Framework > Register Configuration), select the risk type register (Strategic, Project, Operational, Corporate, or EIS) for which you wish to display the aggregate risk rating via the ‘Register Type’ dropdown, and mark the three fields below as ‘Visible’ to display the aggregate risk rating in the configured risk register. To make them searchable as a register filter, select the ‘Searchable’ option for these three fields.

    • Initial Aggregate Risk Rating

    • Revised Aggregate Risk Rating

    • Future Aggregate Risk Rating

Note: These fields currently cannot be configured within the Risk Dashboard popup and will be introduced in a future sprint.

  • The risk’s ‘Aggregate Risk Rating’ and the ‘Parent’s Risk Rating’ will be visible within the Risk Details page of each Risk Assessment, based on the Field Configuration setup of the ‘Risk Assessment’ field (accessed via Camms.Risk Menu > Framework > Field Configuration). The 'Risk Assessment' field under the required Risk Type and Risk Assessment tab (e.g. Strategic Risk type > Initial risk assessment tab) must be ticked as ‘Visible’. To be displayed under the My Quick Update page, the 'Risk Assessment' field under the same area must be ticked as ‘Quick Update’. If unticked, neither the 'Aggregated Risk Rating' nor the 'Risk Rating' will be displayed.

How will this work?

  • Enabling this setting will include the Risk Aggregation Rating within risk details of a parent risk (for which child risk linkages are available). Within the risk, the aggregation rating will be an additional component to the parent risk’s own risk rating.

  • If the parent risk is also a child risk to another parent risk, then that parent’s risk rating will be visible too.

  • You will be able to view the breakdown of the risk rating of each child risk, within risk assessment details.

  • The risk assessment details will additionally contain a horizontal heatmap bar based on the risk ratings of the child risks as per the colours configured for risk rating types under Risk Settings > Risk Rating, in a descending order (highest to lowest).

Note: This will not be visible within the My Quick Update expand view section.

  • The Aggregated Risk Rating will appear as a column in all of the risk registers as well as under the EIS, based on the configurations mentioned above. The rating will display only for risks which are parent risks. The column will display 'N/A' for risks which do not have an aggregate risk rating.

  • The risk registers and the EIS can be filtered by the aggregate risk rating, based on the configurations mentioned above.

Note: The Dashboard widgets and the Risk Analysis widgets will not depict risks based on the aggregate risk rating.
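The three aggregation methods and the register column behaviour described in section 1.1, as an added sketch (not Camms code). The four-level scale, the risk IDs, rounding the average half up and breaking a count tie towards the higher rating are all assumptions made for illustration; the release note does not specify them.

```python
from collections import Counter
from statistics import mean

# Assumed four-level scale; the product reads its scale from Risk Settings > Risk Rating.
SCALE = ["Low", "Medium", "High", "Extreme"]
SCORE = {label: i + 1 for i, label in enumerate(SCALE)}

# Constructed sample register: risk id -> (own rating, parent risk id or None).
RISKS = {
    "STR-1": ("Extreme", None),
    "OPS-1": ("High", "STR-1"),
    "OPS-2": ("Low", "STR-1"),
    "OPS-3": ("High", "STR-1"),
    "PRJ-1": ("Extreme", "OPS-1"),  # OPS-1 is both a child and a parent
}

def child_ratings(risk_id):
    """Own ratings of the directly linked child risks."""
    return [rating for rating, parent in RISKS.values() if parent == risk_id]

def aggregate(risk_id, method, include_parent=False):
    """Aggregate rating for one risk; 'N/A' when it has no child risks."""
    children = child_ratings(risk_id)
    if not children:
        return "N/A"
    if method == "average":
        ratings = children + ([RISKS[risk_id][0]] if include_parent else [])
        avg = mean(SCORE[r] for r in ratings)
        return SCALE[int(avg + 0.5) - 1]  # assumption: round half up
    if method == "highest":
        return max(children, key=SCORE.__getitem__)
    if method == "count":
        counts = Counter(children)
        top = max(counts.values())
        # assumption: a tie goes to the more severe rating
        return max((r for r, n in counts.items() if n == top), key=SCORE.__getitem__)
    raise ValueError(f"unknown aggregation method: {method}")

def register_column(method, include_parent=False):
    """The aggregate rating column as a register would list it."""
    return {rid: aggregate(rid, method, include_parent) for rid in RISKS}

def heatmap_order(risk_id):
    """Child ratings from highest to lowest, as in the heatmap bar."""
    return sorted(child_ratings(risk_id), key=SCORE.__getitem__, reverse=True)
```

With this sample, including the parent's own rating in the average moves STR-1 from Medium to High, which is worth checking before choosing that option for a register that feeds reporting.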

1.2 Cascading risk between different risk registers

How do you configure this?

  • The risk aggregation must be enabled within Risk Settings to access this feature (accessed via Camms.Risk Menu > Framework > Risk Settings > Risk Aggregation). 

  • You will need permission to ‘Add’/‘Edit’ a risk for each risk type in the parent risk (source risk) and ‘Add’ permission in the child risk (destination risk) in order to move risks.

a. For Static Hierarchy users: Any user permission other than ‘Operational User’ or ‘Viewer’ (accessed via Camms.Risk Menu > Administration > Manage Users).

b. For Flexible Hierarchy users: Any user with 'Add' permission for each risk type or ‘Edit’ permission for each assessment for each risk type in the parent risk (accessed via Camms.Risk Menu > Administration > Role Management > Risk Type > Details).

How will this work?

  • A new button Copy & Move will be visible in Risk Assessment Details for users with the above access. Selecting the button will display a popup, and via the copy tab, you can select the relevant Risk Register to copy the risk.

  • A risk can be copied between one risk type register to another risk type register or within the same risk type register.

  • When copying a risk to the Operational Risk Register, the selection of an organisation hierarchy node is mandatory.

  • When copying a risk to the Project Risk Register, an 'Action or Project' must be selected along with a Risk Owner.

  • When copying the risk, you can copy additional information from the source risk such as: Controls, Actions, Documents, and Links.
    To copy these components, the ‘Add’ or ‘Edit’ permissions will be required for each of these components in the destination risk type settings (accessed via Camms.Risk Menu > Administration > Role Management for Flexible Hierarchy users OR Camms.Risk Menu > Administration > Manage Users for Static Hierarchy users). The tick boxes will be disabled if the required permission is not available.

  • Additionally, you will be able to link the original risk as the parent when performing the copying functionality, by selecting the ‘Link to Parent’ option. This is ticked by default and once the risk is copied it will create parent-child relationships visible in the ‘Links’ tab of both parent and child risks. If you want to copy the risk without any parent linkages, then this must be left unticked.

  • By selecting ‘Copy Risk without rating’ within the Copy popup window, the risk rating will not get copied and the Risk Owner will need to go to the copied risk and complete a risk assessment. If it is unticked, then the source risk’s risk rating will get copied to the child risk.

  • You can copy a risk to a particular organisation node, by selecting it from the organisation hierarchy tree. Each node selection will create a copy of the source risk. The nodes visible here would be based on the permission given to you.

  • You will be prompted at the time of copy, if the destination risk type register does not have all of the fields configured as per the source risk. If you wish to continue to copy the risk, that information will be lost.

  • The copied risk will take the next sequence number within the destination risk type register, as per the configuration set up within ‘Sequence’ under Risk Settings (accessed via Camms.Risk Menu > Framework > Risk Settings).

  • The copied risk will not include the history of the source risk. But the risk history popup will display an information icon stating the source risk ID and risk title.

  • When risk approvals is turned on, the copy feature will not be available until after a risk is ‘Saved as Draft’ or ‘Saved’. You are able to select and save the copy details, but the copy will occur only after the risk has been approved. The copied risk will get created as a draft, and the risk owner of the copied risk will need to submit the risk for approval.

  • If the source risk is confidential, then the copied risks will also be confidential.

  • When a risk is copied, the Risk Creation and Risk Assignment emails will be triggered.

  • A parent risk can be deleted, however, this will then remove all parent-child linkages.

  • An inactive risk cannot be copied.

1.3 Creating parent-child relationships for existing risks

How do you configure this?

  • Risk Aggregation must be enabled within Risk Settings to access this feature (accessed via Camms.Risk Menu > Framework > Risk Settings > Risk Aggregation).

  • You will need ‘Editor’ or higher permission for the respective risk for Static Hierarchy permissions (accessed via Camms.Risk Menu > Administration > Manage Users) or ‘Links’ tab permission for the respective risk type for Flexible Hierarchy permissions (accessed via Camms.Risk Menu > Administration > Role Management).

How will this work?

  • In the ‘Links’ tab, when a new risk linkage is created, the grid which depicts all risks for the selected risk type will now have an additional column, ‘Link as Child’.

  • When you select the risk to Link, the tick box for ‘Link as Child’ will be enabled, and upon selection and clicking Save, the linked risk will become a child risk of the source risk.

  • This tick box will remain disabled if the risk is inactive or if the risk already has a parent risk.

  • Once the risk is linked as child, it will display within the Linked Grid. A new column is introduced as ‘Linked Type’.

a. If the linked risk is a child risk, then the link icon will display the tree icon, where the child nodes are blue in colour and the root node is colourless. 

b. In the linked risk grid of the child risk, the parent risk will display the tree icon, where the child nodes are colourless, but the root node is in blue colour. 

c. If the risk is an independent linkage, then the link icon will display as below. 

d. When a risk is copied with parent-child linkages, then this grid will denote the parent icon within the child risk, and the child icon within the parent risk. In the event a risk is a parent and a child, then both linkage types will display with the respective icons. The independent linkages are for those risks which are linked without any parent-child linkages.

2. Moving risks between different risk register types

With the introduction of this feature, you will now be able to transfer a risk to the organisation from one risk type register to another, based on the impact of the risk within the organisation. For example, an Operational Risk can be moved as a Strategic Risk if it was to cause an impact to the entire organisation.

How do you configure this?

  • The risk aggregation setting must be enabled within Risk Settings to access this feature (accessed via Camms.Risk Menu > Framework > Risk Settings > Aggregation Settings). 

  • You must have permission to ‘Add/Edit’ a risk for each risk type in the parent risk (source risk) and ‘Add’ permission in the child risk (destination risk), to move a risk.

a. For Static Hierarchy users: Any user permission other than ‘Operational User’ or ‘Viewer’ (accessed via Camms.Risk > Administration > Manage Users).

b. For Flexible Hierarchy users: Any user with 'Add' permission for each risk type or ‘Edit’ permission for each assessment for each risk type in the parent risk (accessed via Camms.Risk Menu > Administration > Role Management > Risk Type > Details).

How will this work?

  • A new button with the label Copy & Move will be visible under Risk Assessment details for users with the above access. Selecting the button will display a two-tab popup; in the Move tab you will be able to move risks between different risk registers. You will be able to move the risk from one register type to another, but not within the same risk register type.

  • When moving a risk, the ‘Primary Risk Category’ must be selected for the destination risk register type. This is mandatory.

  • When moving a risk into a Project Risk Register, an ‘Action or Project’ must be selected along with a Risk Owner.

  • By selecting ‘Move Risk without rating’ within the Move popup window, the risk rating will not get copied and the risk owner will need to go into the moved risk and complete a risk assessment. If it is unticked, the source risk’s risk rating will get copied to the moved risk.

  • You can select multiple hierarchy nodes to move a risk. Hierarchy linkages will automatically be created for each of the selected hierarchy nodes, which will display within the 'Links' tab of the moved risk. The nodes visible within the organisation hierarchy tree would be based on the permission given to you.

  • You will be prompted at the time of moving a risk, if the destination risk type register does not have all of the fields configured as per the source risk. If you continue to move the risk, that information will be lost.

  • Once a risk is moved, the risk will be inactive within the source register and will be active in the new register with a new ID in a draft status. The inactive risk cannot be made active again.

  • All linkages, controls, and actions of the source risk will automatically move to the moved risk and will not exist within the inactive source risk.

  • The moved risk will take the next sequence number within the destination risk type register, as per the configuration set up within ‘Sequence’ under Risk Settings (accessed via Camms.Risk Menu > Framework > Risk Settings).

  • The moved risk will not include the history of the source risk. But the risk history popup will display an information icon stating the source risk ID and risk title.

  • When Risk Approvals is turned ON, only the approved risks can be moved.

  • The My Quick Update page will change to reflect the moved risk under the moved risk type grouping.

  • An inactive risk cannot be moved.

3. Populating consequence descriptors based on hierarchy linkages