Risk Approval

1. Risk Creation Approvals Tab

This provides you the ability to have a Risk Approval process for all risks when they are created, to be approved upon submission before they are added to the main registers. This is enabled via the setting 'Enable Risk Creation Approvals)' accessed via Menu > Risk Settings > Approvals.

image-20240723-092904.png
Figure 1.1

This will enable the organisation to have all risks being entered in the system sent through an approval workflow before they are shown in the application as open and active records. 

Two kinds of approval workflows; Sequential and Concurrent can be setup. There is an option for the administrator to either enable one of the two or both for your organisation via the setting below accessed from the Settings area under Camms.Risk > Risk Settings> Approvals. Defaults to 'Select All' and would have both workflows enabled.

2. Risk Action Creation Approvals Tab

2. Risk Action Creation Approvals Tab

This provides the user with the ability to have a Risk Actions Approval process for all risk actions when they are created, to be approved upon submission before they are added to a risk record. This is enabled via the setting 'Enable Risk Action Creation Approvals' accessed via Menu > Risk Settings > Approvals > Risk Action Creation Approvals.

image-20240723-100654.png
Figure 2.1

To Set Up a Risk Action Creation Approvals:

  • STEP 1: Navigate to Menu > Risk Settings > Approvals > Risk Action Creation Approvals.

  • STEP 2: Click the Enable Risk Action Creation Approvals toggle.

Note: If any risk action has an approval status of ‘Draft’, ‘Submitted’, ‘Resubmitted’, or ‘Rejected’, the Enable Risk Action Creation Approvals toggle will be disabled.

  • If the ‘Enable Risk Action Creation Approval’ toggle within Risk Settings > Approvals > Risk Action Creation Approvals has been enabled, the following permissions should appear within the ‘Risk Solutions/Actions’ node in all risk type nodes:

    • Super Action Approver: Anyone with this permission will be able to approve/reject unapproved actions within this risk type.

    • Show Actions Prior to the Approved Stage: With this permission users are allowed to see any pending actions from anyone in their respective risks which they are managing so they are aware of the actions pending for their risk mitigation plan.

Note: These permissions should be placed as the last three nodes below the ‘History’ permission node within the ‘Risk Solution’ permission node. They will be unticked by default when enabling risk action creation approvals, and an Admin user must assign the relevant permissions.

  • STEP 3: Once the toggle is switched ON, the following fields will be displayed to configure the risk action creation approval process:

  • Enable Information Description: When enabled, the information description detailing the phase of approval will be shown to the users as an information ribbon.

Note: When enabled, the indicator provides users with 'View' permission with contextual details about the approval process, adapting based on the current approval stage. If the toggle is disabled, the information indicator will not be shown.

  • Enable Approvals Tab: When enabled, the approval summary grid will be shown to the users in the 'Approvals' tab. This tab displays details such as date/time stamps, usernames, approval statuses, and comments. It is visible only if the approvals process has been configured and is applicable to actions that have been saved as a draft or submitted for approval for the first time. If disabled, the approval summary grid will be displayed in the 'Details' tab instead.

  • Approval Process: A mandatory field with the following processes
    1. Sequential: Approval must be obtained from each approver in a defined sequence.
    2. Concurrent: Approval can be obtained from multiple approvers simultaneously.

The approval process selected will dictate the workflow followed for risk action approvals and cannot be changed for actions already in the ‘Submitted’ or ‘Resubmitted’ states.

  • STEP 4: Click the Save button to apply your configuration changes.

3. Static Hierarchy Permissions

For users in the Static Hierarchy, the Risk Submitter/Preparer and/or a Risk Approver permissions need to be given, to create and submit risks for approvals and have it approved. These are two standard permissions available under Camms.Risk > Administration > Manage Users area.

4. Flex Hierarchy Permissions

For users in the Flex Hierarchy, the Risk Preparer and/or Risk Approver permissions need to be given, to create and submit risks for approvals and have it approved. These two flex permissions are available under Camms.Risk Menu > Role Management > [Product = 'CAMMSRISK'] > [Permission = 'Risk Preparer' / 'Risk Approver'].

5. Risk Preparing and Approving

To submit a Risk for approval by a Risk Preparer:

  • STEP 1: In the Risk Assessment page, select the Approval Process from sequential or concurrent (see below for details on each of these processes).

  • STEP 2: Select the Approval Authority from the Risk Approver staff dropdown.

    • For Static Users: All users with the Risk Approver permission will be listed in the staff dropdown.

    • For Flex Users: The staff dropdown will only list users if their Register View permissions permit it.

  • STEP 3: Click the Submit for Approval button at the bottom to submit the risk for approval to the Approver(s).

  • Risk Preparer: Risk Preparers/Submitters would be able to create risks and submit for approvals. Once submitted, the submitter will not be able to make any changes to the risk and it will be un-editable. The created and submitted risks will be saved as 'Draft' in the Draft status until approved upon which the status changes from draft to 'Approved'. Till the risk is approved, it will only be shown to the Submitter user in their registers. If the risk is not approved, the status will be 'Rejected' and the submitter will then able to edit and resubmit for approval or discard the record. If it is resubmitted, the status will be changed to 'Resubmitted'.

  • Risk Approver: Risk Approvers would be able to approve the risks submitted for their approvals upon which the risks are made active and will show in your registers. When risks are received for an approvers approval, they will be shown under his/her Quick Update area under 'Approvals' section where they can either Approve/Reject the risks. Once approved/rejected, the risk will be removed from their Quick update and unless they are assigned to the risks, they will not be able to view the records again. Only once the records are approved, they will be shown for all other users in the application. 

The items to be approved will be shown in the approver's 'My Quick Update' page under the 'My Approvals' section. Approvers can both approve from the quick update as well as within the risk created itself after making changes to the risk if required during approval.

The approval process can either be set up as Concurrent or Sequential. For each risk, a choice of whether it should be concurrent or sequential can selected. This can be done via the approvals area within the risk via the 'Approval Process' dropdown which will be the two options below to choose from. The 'Approval Authority' dropdown will list all users with the permission provided and the submitter can select one/many from the list and send for their approval.

  • Concurrent: Concurrent approval workflow would allow the preparer to select multiple approval authorities and submit. The new risk created would be approved and made active when either one of the selected approvers approve. The approvals will be pending till all of the approvers either reject the risk or at least one of them approves. 

  • Sequential: Sequential approval workflow would allow the preparer to select multiple approval authorities and submit, the new risk created would be approved and made active only when all of the approvers approve. The order in which the approval authority staff were picked for the risk via the 'Approval Authority' dropdown for the risk will determine the order in which the risk is sent for approvals between the approver list. The risk will first be sent to the first approver staff and be shown only in their quick update. If this is approved by the first approver, then this will be sent to the second approver and subsequently to all approvers in that order in the list. If any of the approvers end up rejecting the risk, it will change the status to 'Rejected' and will be available for the submitter again to resubmit/discard.

A summary of the signoff process status will be available within each risk showing the date/time, user name, status and comment for any approval/rejection within the workflow.

See article Risk Assessment under title 'Creating a Risk as a Draft for Approval' for details on how this will be displayed in a Risk Assessment and within the Risk Register.

There are associated email notifications for the risk approvals. Please refer the article on email mortifications under Risk Administration for more details.