Open

Camms is pleased to bring you the Quarterly Product Update Notification for the Camms.Risk

This quarter we've got exciting enhancements to improve your user experience within the system, which will be available in your Test environment on 29 April 2024 and will be available in your Live environment on 20th May 2024.

Open

This feature introduces an approval process for Risk Reviews. When enabled, Risk Owners and Risk Creators can send Risk Reviews to Risk Managers for approval upon completion. Phase 2 expands the flexibility of configuration and introduces a concurrent approval process for risk reviews. 

• A new setting has been introduced in the Administration > Configuration area. 

• To turn on the Risk Review Approval process, the System Administrator should tick the setting for 'Enable the Risk Review Approval process'. Please note that the user should have Administrator permission to turn on this setting.

• The Risk Review Approval can then be turned on via Risk Settings > Approvals > Risk Review Approvals > Enable Risk Review Approvals. Toggle the setting in ON position to activate the Risk Review Approval.

• Upon toggling ON the above setting, you now have the flexibility to configure the risk review approval process per risk type.

• Per Risk Type you will now have the flexibility to configure by clicking on the 'Edit' button against the required risk type. And the following configuration pop up will appear to configure as required.

1. Select the Approval Processes that needs to be present for the risk owner/risk creator to submit the risk for review.

2. Configure the 'Editable Objects' where the approval authorities will be able to make the changes as required.

3. Status must be turned ON for the risk review approval process to take place.

How does this work?

• This enhancement facilitates a new 'Concurrent' approval process along with Sequential for this quarter for all risk types which is configurable for your liking. Users now have the capability to designate risk review approval authorities for the comprehensive risk review approval process and subsequent approval or rejection of the risk reviews. Risk Review Approvers can conveniently approve/reject the risk reviews assigned to them either from their MQU page or on the Risk Review tab from within the risk workflow. 

This allows you to assess the risk rating by taking the average of all the selected consequences. It distributes all possible outcomes of the consequence values, rather than relying solely on the highest selected consequence value for the overall risk rating of the risk.

This will be a new setting page introduced in the Risk settings called Multiple Consequence setting allowing the system to take either Highest or Average value of the multiple consequences selected by the end user, and this consequence can be used to calculate the Risk rating.

How do you configure this? 

• A new setting has been introduced in the Framework > Risk Settings > Multiple Consequences Settings area.  

• For organisations who are already using Multiple Consequences (Highest Consequence Value): 

  • This setting will be already turned on and “Max” will be selected by default. Hence the existing configurations will already be preset without any impacts to the system.
    
    

• For organizations who wants to turn on this Multiple Consequences feature newly:

• Step 1: To turn on the Multiple Consequence Setting, its toggle button should be turned on and then from the dropdown, the preferred consequence type can be selected which can be Max or Average.

• Step 2: If you select ‘Max’ from the above dropdown.

  • The system will consider the highest consequence value from the multiple consequences selected by the user.
    
    

• Step 3: If you select ‘Average’ from the above dropdown.

  • The system will consider the average consequence value from the multiple consequences selected by the user.

  • Within Risk Settings > Criteria > Criteria Configuration you should be able to see two new columns as, Min range and Max range. This is a mandatory configuration that MUST be configured properly for your Average consequence to be reflected as expected.

How does this work?

• This enhancement facilitates the system to take the max/average consequence value to derive the Risk rating score if the system uses the Consequence value (Impact value) for their Risk rating calculation formulas.

• If this setting is configured to be Average Consequence, the multiple consequence values that are selected will be summed and divided by the selected consequences to get the average consequence value. And it will be rounded up/down to the nearest whole number.

• Example: Selected consequence values will be Consequence Value 1 = 2, Consequence Value 2 = 4 and Consequence Value 3 = 5.

  • Total Consequence Value = 2+4+5 = 11

  • Average Consequence Value = 11/3 = 3.66 ≈ 4 (Rounded)

• The risk rating derived from the above average consequence & selected likelihood will be plotted accordingly on the heatmap as a result for your visualization. 

Important Points/Disclaimers 

• If you need to shift from max to average, or from average to max, this requirement must be logged as a service request to Camms so they will do the needful as requested.

  • Please take a look at the below example where the User X has their Camms.risk environment setup to use Maximum Consequence value for the risk ratings. And now this user expects to switch to Average Consequence for their risk rating with this enhancement. This user will be experiencing the below phases during this change.

    1. Turning on the Multiple consequence setting and switching from max to average along with the administration of Camms.

    2. As the next step, setting up the Criteria configuration of Consequence tab, and setting up consequence min-max values.

    3. Upon the above configuration change, all the existing risks will be recalculated automatically considering the average consequence, which resulting all the risk ratings to be changed by default. 

    4. Then from here onwards, the user will be seeing the updated new risk rating scores in the Camms.risk system.

• Apart from the above configuration change, if any change is made to Consequence values or Likelihood values in Criteria configurations, the existing risks will be recalculated automatically as well.

• Disclaimer: As per the current design of the system, when there is any change made to this setting configuration, criteria values, criteria ranges (such as Consequence/Likelihood etc.) it won’t be captured in the history of the risk. Therefore, that’s why we have made this setting to be a onetime configuration explicitly for organisations. So, Changes are not recommended to be done from time to time to switch between the consequence type.

This feature introduces an approval process for risk actions at the point of creation, ensuring that they are reviewed before being added to the risk mitigation plan. In Phase 2, additional flexibility is provided in configuration, including a super action approver permission. General users also gain the ability to view pending actions for approvals, and a concurrent approval process for risk actions is introduced.

How do you configure this?  

• A new section has been introduced in Risk Settings > Approvals > Risk Action Creation Approvals.

1. You need to 'Enable Risk Action Creation Approvals' first and foremost.
   
   

2. 'Enable Information Description' is optional if you want to see the information as a ribbon on top of the risk action details pop up always to be aware of the status at a glance.
   
   

3. 'Enable Approvals Tab' will present the audit summary grid in a new 'Approvals' tab. If this is OFF, it will show underneath the Submission/Approval section of the action details page by default.
   
   

4. You now have the option to configure any approval process such as 'Concurrent' and 'Sequential' both or either of them to be picked by default.
   
   

    

• We have further introduced two new permissions within role management of the risk product under the risk solution node.

1. Super Action Approver - Any user who has been granted with the super action approver permission has superseding permissions in terms of approval. This user will be able to approve/reject an action fully with this permission by resolving any obstacles in terms of approving/rejecting risk actions for the risks. 

2. Show Actions Prior to the Approved Stage - With this permission users are allowed to see any pending actions from anyone in their respective risks which they are managing so they are aware of the actions pending for their risk mitigation plan.

Approval Process: Sequential and Concurrent

How does this work?

• This enhancement facilitates a new 'Concurrent' approval process along with Sequential for this quarter for all risk actions which is configurable for your liking. Users now have the capability to designate risk action approval authorities for your risk action approval process and subsequent approval or rejection of the risk actions. Risk Action Approvers can conveniently approve/reject the risk actions assigned to them either from their MQU page or on the risk details within the risk workflow.

This modification will mimic the behavior of the Risk application, capturing only 'Open' and 'Approved' Actions within the following Standard Reports. However, it will not include any changes to the Report content or Filters.

• Risk Heatmap Report

• Executive Risk report

• Bow Tie Report

• Risk Register Report

• Risk Management Report

• Risk Attention Report

• Control Summary Report

• Action Summary Report

This enhancement will replace the existing single-select filter available within the standard Bow Tie and Risk Register Reports with a new a multi-select hierarchy filter which will enable the cross-filtering capability cross multiple hierarchy level.

How does this work? 

• If two or more hierarchy nodes are selected from the same hierarchy structure, a union (OR) of selections within the hierarchy will be considered. 

• If hierarchy nodes belonging to more than one hierarchy structure are selected, an intersection (AND) between the hierarchy node selections will be considered. 

• If a user wishes to filter only based on the selected hierarchy node (without rollup), they can do so by ticking the 'Show risks of the selected hierarchy only' tick box. 

• By default, all nodes will be 'unticked', meaning the report will run for the 'Show all' scenario. Consequently, all records will be retrieved for the report regardless of their Hierarchy linkage, subject to other applied filters and user permissions.