Risk Assessment – Initial (Inherent) Risk Assessment

1. Initial (Inherent) Risk Assessment

Once you have clicked on the New button to create a new risk assessment (either Strategic, Operational, or Corporate), the initial risk assessment can be carried out simultaneously.

Note: Project Risks go through an extra step when creating a new risk. Refer to Step 2 for more details.

  • STEP 1: Select the relevant risk register tab accessed via Menu > Risk Management > [e.g. Strategic Risk Register], and click the New button at the top-right corner of the page. Or click on the + new icon from the left-hand Navigation Panel > Risk > [Click on the Register].

Figure 1.1

The screen will refresh, and the new risk template will be displayed for you to start entering the details to the first Initial/Inherent Risk Assessment tab.

All mandatory fields (as set up by your administrator) will be flagged with a red indicator at the left corner of the field.

Figure 1.2

Note: The visibility of some fields can be controlled by the Risk Manager from the Framework > Risk Settings > Field Configuration area.

  • STEP 2: When creating a project risk assessment, you must first select the project that the risk directly links to. Project risks therefore require an extra step compared to the other risk registers.

Once you have clicked on the New option to create a new project risk, a window will pop up allowing you to search for your project using several filters (Business Unit, Service Profile, and/or Responsible Person). Based on these filters, the Project dropdown will reduce to show the projects that have been entered in your Administration area.

Note: For organisations that do not have Camms.Strategy integration, the projects are created and filtered through this section under the Administration section of the Navigation Menu. Please refer to the Administration > Projects section for more information on creating projects if you don’t use our Camms.Strategy software.

For those who do use Camms.Strategy, the actions/projects will come directly from your business planning area.

Once a project has been selected, the fields will display for you to create a new project risk. Fill out the Risk Title and Responsible Person and then click on the Add button. You may add as many risks as you like under the one project from this pop up window.

Once you have added your risks, close the window by clicking on the close icon. From here you will be taken back to the Project Risk Register, where you should now see your risks that you have just entered against your project. Click on the Title (hyperlinked) to enter the risk assessment details and complete the initial risk assessment.

  • STEP 3: Specify the following details.

| Field | Description/Instructions | Mandatory/Optional | Strategic | Operational | Project | Corporate |
| --- | --- | --- | --- | --- | --- | --- |
| Risk Details | | | | | | |
| Active | Sets the Risk as Active or Inactive. Defaults to Active. Once this is saved, a user with edit permissions can change it to Inactive if required. | N/A | | | | |
| Risk Code | Enter a code to identify the risk. The risk code along with the risk title will be displayed in the header section of a risk record when accessed. | Mandatory | | | | |
| Apply Template* (*If Applicable) | Allows users to select and apply a Risk Template, which auto-populates several fields within the assessment and enables speedy addition of similar risks. | Optional | | | | |
| Confidential | Tick box to define the risk as being confidential. | Optional | | | | |
| Risk Description | Enter a short title to identify the risk by. This title along with the risk code will be displayed in the header section of a risk record when accessed. | Mandatory | | | | |
| Responsibility Centre | Select a Service Profile added by an admin here. This field must be enabled for Strategic/Operational/Project/Corporate Risks to show the Service Profiles linked with the relevant Business Units. | Optional | | | | |
| Responsible Officer | Assign a Responsible Person who will be responsible for monitoring and reporting on the status of the risk. This will enable a link to this Risk Assessment to display on the designated person’s homepage. Dropdown shows staff list for selection. | Mandatory | | | | |
| Secondary Responsible Officers | Select a Secondary Responsible Person and click Add to add him/her to the list of Secondary Responsible Officers. Multiple staff members can be selected. Dropdown shows staff list for selection. | Optional. The Risk Manager can activate this area from within Risk Settings. If deactivated, this grid will not show. | | | | |
| Primary Risk Category | Select one category as the Primary Risk Category. | Mandatory | | | | |
| Primary Risk Sub Categories | Select Risk Sub Categories (based on the primary category). See the Primary Risk Sub Categories section below for more details. | Optional | | | | |
| Secondary Risk Categories | Select Secondary Risk Categories here. See the Secondary Risk Categories section below for more details. | Optional | | | | |
| Causes | Any Causes that contribute to this risk can be noted here. A Risk Manager can toggle the visibility of this field to make it appear in the Initial, Current, and/or Future Risk Assessments via Risk Settings. | The Risk Manager can decide if this field is mandatory or optional based on the configurations in the Field Configuration area. This can be set to be either a grid or a text field. Please contact CAMMS to change the current setup if required. | | | | |
| Consequences | Any Impact/Consequences that arise from this risk can be noted here. A Risk Manager can toggle the visibility of this field to make it appear in the Initial, Current, and/or Future Risk Assessments via Risk Settings. | | | | | |
| Consequences Criteria Selection | Select a consequence rating by clicking the Select button. A pop-up window will open in which you can select the consequences based on the category description. This is called the consequence table, and it helps you identify the ‘consequence of the risk’. Users can simply click the relevant cell to select a consequence. This grid is defined and maintained by the Risk Manager from within Risk Settings. | Mandatory | | | | |
| Likelihood Criteria Selection | Select a Likelihood by clicking on the Select button. A pop-up window will open in which you can select a likelihood based on a description that helps you identify it. | Mandatory | | | | |
| Organisation Links | Create linkages for the risk with hierarchies (Organisation hierarchy only). | Optional. The Risk Manager can decide if this field is visible or not and mandatory or optional based on the configurations in the Field Configuration area. | | | | |
| Add/Edit Links | Create linkages for the risk with other entities (risks, hierarchies, incidents, audits, findings, recommendations, KPI/KRIs, compliance requirements, authority documents and policies). This list will be based on the modules enabled for you in the database. | Optional. The Risk Manager can decide if this field is visible or not and mandatory or optional based on the configurations in the Field Configuration area. | | | | |
| Add to Business/Strategic Plan | Create linkages between the risks and the organisation and planning hierarchies, and create new actions in Camms.Strategy via the risk. This will be activated via a setting. | Optional. The button Add to Business/Strategic Plan will be shown to all users with access | | | | |

1.1 Heatmap within Assessment Tabs

A heatmap will be displayed within all three assessment tabs based on the criteria selection.

  • The bubbles within the heatmap will denote the assessment ratings (Black: Future, White: Residual/Current, Grey: Inherent/Initial).

  • When you hover over a square, the likelihood, consequence, and rating it represents will be displayed as tooltip text.

1.2 Primary Risk Sub Categories

This multi-select dropdown will let you select sub risk categories of the selected primary risk category in the risk assessment tab.

This dropdown can be made visible with the below configuration:

  • For all risk types, set as 'Visible' in the Field Configuration page (accessed via Menu > Framework > Risk Settings > Field Configuration > Sub Categories and Secondary Categories).

  • If the field is made visible for the Revised/Current and Future assessment tabs, the categories will display as an un-editable label.

1.3 Secondary Risk Categories

This multi-select dropdown will let you select secondary risk categories in the risk assessment tab.

1.4 Controls

Controls can be accessed within a Risk record in the Risk Assessment tab. Click the Add New button under the section where Controls are listed. This will direct you to the 'Controls Record Detail' page in a popup window.

  • STEP 4: Click the Save button to save the initial risk assessment.

Every risk created will automatically default to ‘Active’. You can deselect this if required. After saving, an image will appear which shows the Calculated Risk Rating.

1.5 Copy & Move

When Risk Aggregation is enabled in Risk Settings, this button allows users to efficiently duplicate or relocate risk-related information.

Choose the Risk Type and Category for the copied risk. The selected Categories and hierarchy nodes will populate in the copied risk. You can select multiple hierarchy nodes, resulting in a copy of the risk for each selected node. Additionally, an automated linkage will be established, visible within the 'Links' tab of the copied risk.

1.6 Creating a Risk as a Draft for Approval

You can configure a risk to be created as a draft and submitted for approval to the responsible person, prior to it being active. To do so:

  • STEP 1: The setting 'Enable Risk SignOff process (Risk Approvals)' must be enabled via Administration > Configuration > Enable Risk SignOff process (Risk Approvals).

  • STEP 2: In the risk assessment tab, once you have finished filling in the risk details, click on the Under Review button at the top of the page.

  • STEP 3: Once the risk is created, it will be in a 'Draft' approval status. Once a 'Draft' risk is submitted, it will display a 'Submitted' approval status and will be assigned to the Responsible Person in the Risk Register.

  • STEP 4: If the submitted risk is rejected by the responsible person, the approval status will be 'Rejected' and go back to a 'Draft' state when edited.

  • STEP 5: If the submitted risk was approved by the responsible person, the approval status will be 'Approved'.

1.7 Add to Business/Strategic Plan

This allows a risk to be linked to either the planning or the organisation hierarchy. The hierarchies available for linking depend on the risk type. For strategic and corporate risks, only the planning (strategic) hierarchy will be available for linking, whereas for operational risks both planning and organisation hierarchies are available. Only the organisation hierarchy will be available for project risks.

The list of hierarchies will be shown on the left-hand side, with a list of all risks, risk treatment actions and control solutions on the right-hand side. Control solutions will be marked by a red superscripted 'c' against the solution title for easy identification. A linkage can be made simply by dragging the risk, risk treatment action or control solution you wish to link with a hierarchy node from the list onto the node name. Once a linkage is made successfully, clicking on either the node or the linked item will show all linkages in the area in the middle of the screen. The linkages can also be deleted by a user with edit permissions to the area.

You can also expand the hierarchy tree up to the action/task level and link a risk treatment action with a Camms.Strategy action/task as well from here. If there is no existing planning action, you can add the risk treatment action as a new action/task as well.

When this is done, a new action/task with the same details as the treatment action will be created in the Camms.Strategy product. The two actions will behave independently despite the linkage, but the progress information can be made to synchronise if required. The latter is enabled via a setting. Please contact Camms support if you wish to enable this feature.

When you have completed entering and saved all the information for your Initial Assessment you can go on to assess the Current Risk by clicking on Next. Or click the Current/Residual Risk Assessment tab on top. Note that these buttons will only be active once you have saved the Initial/Inherent Risk Assessment.

Initial Assessments for all four types of risks are conducted in the same way.
