Risk Approval

1. Overview

This provides you the ability to have a Risk Approval process for all risks when they are created, to be approved upon submission before they are added to the main registers. This is enabled via the setting 'Enable Risk Creation Approvals)' accessed via Menu > Risk Settings > Approvals.

Figure 1.1

This will enable the organisation to have all risks being entered in the system sent through an approval workflow before they are shown in the application as open and active records. 

Two kinds of approval workflows; Sequential and Concurrent can be setup. There is an option for the administrator to either enable one of the two or both for your organisation via the setting below accessed from the Settings area under Camms.Risk > Risk Settings> Approvals. Defaults to 'Select All' and would have both workflows enabled.

2. Static Hierarchy Permissions

For users in the Static Hierarchy, the Risk Submitter/Preparer and/or a Risk Approver permissions need to be given, to create and submit risks for approvals and have it approved. These are two standard permissions available under Camms.Risk > Administration > Manage Users area.

Figure 2.1

3. Flex Hierarchy Permissions

For users in the Flex Hierarchy, the Risk Preparer and/or Risk Approver permissions need to be given, to create and submit risks for approvals and have it approved. These two flex permissions are available under Camms.Risk Menu > Role Management > [Product = 'CAMMSRISK'] > [Permission = 'Risk Preparer' / 'Risk Approver'].

4. Risk Preparing and Approving

To submit a Risk for approval by a Risk Preparer:

  • STEP 1: In the Risk Assessment page, select the Approval Process from sequential or concurrent (see below for details on each of these processes).

  • STEP 2: Select the Approval Authority from the Risk Approver staff dropdown.

    • For Static Users: All users with the Risk Approver permission will be listed in the staff dropdown.

    • For Flex Users: The staff dropdown will only list users if their Register View permissions permit it.

Example for Flex Users
If under Role Management > [Product = 'CAMMSRISK'] > [Permission = 'Register > View Node Only'] is selected for staff member Tom, Tom's name will be listed under the 'Approval Authority' staff dropdown, only if this Risk is listed under a node (organisation hierarchy), Tom is part of. 
If 'View All' is selected as the 'Register' permission, then Tom's name will be listed regardless of the linked hierarchy he is part of.

  • STEP 3: Click the Submit for Approval button at the bottom to submit the risk for approval to the Approver(s).

  • Risk Preparer: Risk Preparers/Submitters would be able to create risks and submit for approvals. Once submitted, the submitter will not be able to make any changes to the risk and it will be un-editable. The created and submitted risks will be saved as 'Draft' in the Draft status until approved upon which the status changes from draft to 'Approved'. Till the risk is approved, it will only be shown to the Submitter user in their registers. If the risk is not approved, the status will be 'Rejected' and the submitter will then able to edit and resubmit for approval or discard the record. If it is resubmitted, the status will be changed to 'Resubmitted'.

Notes for Static Hierarchy Users:

  • This permission should NOT be given with any other permission other than the Operational User or Strategic Viewer permissions. (I.e. should not be associated with Editor, Risk Manager, Administrator or higher permissions, as these users can create risks on their own.)

  • If an Administrator has been given the Risk Preparer permission as well, the risks that are created by these users, are created as 'Open' risks, surpassing the approval process.

  • Risk Approver: Risk Approvers would be able to approve the risks submitted for their approvals upon which the risks are made active and will show in your registers. When risks are received for an approvers approval, they will be shown under his/her Quick Update area under 'Approvals' section where they can either Approve/Reject the risks. Once approved/rejected, the risk will be removed from their Quick update and unless they are assigned to the risks, they will not be able to view the records again. Only once the records are approved, they will be shown for all other users in the application. 

The items to be approved will be shown in the approver's 'My Quick Update' page under the 'My Approvals' section. Approvers can both approve from the quick update as well as within the risk created itself after making changes to the risk if required during approval.

The approval process can either be set up as Concurrent or Sequential. For each risk, a choice of whether it should be concurrent or sequential can selected. This can be done via the approvals area within the risk via the 'Approval Process' dropdown which will be the two options below to choose from. The 'Approval Authority' dropdown will list all users with the permission provided and the submitter can select one/many from the list and send for their approval.

  • Concurrent: Concurrent approval workflow would allow the preparer to select multiple approval authorities and submit. The new risk created would be approved and made active when either one of the selected approvers approve. The approvals will be pending till all of the approvers either reject the risk or at least one of them approves. 

  • Sequential: Sequential approval workflow would allow the preparer to select multiple approval authorities and submit, The new risk created would be approved and made active only when all of the approvers approve. The order in which the approval authority staff were picked for the risk via the 'Approval Authority' dropdown for the risk will determine the order in which the risk is sent for approvals between the approver list. The risk will first be sent to the first approver staff and be shown only in their quick update. If this is approved by the first approver, then this will be sent to the second approver and subsequently to all approvers in that order in the list. If any of the approvers end up rejecting the risk, it will change the status to 'Rejected' and will be available for the submitter again to resubmit/discard.

Note: Once the first approver submits their approval, an email will be triggered to the next approver. And once the next approver submits their approval, an email will be triggered to the next approver, till all approvers have approved the risk record. This will occur if emails have been configured under Menu > Risk Administration > Email. See article Administration – Risk Administration under title 'Email' for more details.

A summary of the signoff process status will be available within each risk showing the date/time, user name, status and comment for any approval/rejection within the workflow.

See article Risk Assessment under title 'Creating a Risk as a Draft for Approval' for details on how this will be displayed in a Risk Assessment and within the Risk Register.

There are associated email notifications for the risk approvals. Please refer the article on email mortifications under Risk Administration for more details.