Initial (Inherent) Risk Assessment

Once you have clicked on the ‘New’ button to create a new risk assessment (either Strategic, Operational, or Corporate), the initial risk assessment can be carried out simultaneously.

Note: Project Risks go through an extra step when creating a new risk. Refer to Step 2 for more details.

  • STEP 1: Select the relevant risk register tab accessed via Menu > Risk Management > [e.g. Strategic Risk Register], and click the 'New' button at the top-right corner of the page. Or click on the + 'Add New' icon from the left-hand navigation panel > Risk > [click on the Register].  

The screen will refresh and the new risk template will be displayed for you to start entering details in the first Initial/Inherent Risk Assessment tab.

All mandatory fields (as set up by your administrator) will be flagged with a red indicator at the left corner of the field.

Note: The visibility of some fields can be controlled by the Risk Manager from the Framework > Risk Settings > Field Configuration area.
  • STEP 2: When creating a project risk assessment, you must first select the project to which the risk directly links. Creating project risks therefore involves an extra step compared to the other risk registers.

Once you have clicked on the 'New' option to create a new project risk, a window will pop up allowing you to search for your project using several filters (Business Unit, Service Profile, and/or Responsible Person). Based on these filters, the Project dropdown will reduce to show the projects that have been entered in your Administration area.

Note: For organisations that do not have Camms.Strategy integration, the projects are created and filtered through this section under the Administration section of the Navigation Menu. Please refer to the Administration > Projects section for more information on creating projects if you don’t use our Camms.Strategy software.

For those who do use Camms.Strategy, the actions/projects will come directly from your business planning area.

Once a project has been selected, the fields will display for you to create a new project risk. Fill out the Risk title and Responsible person and then click on the 'Add' button. You may add as many risks as you like under the one project from this pop up window.

Once you have added your risks, close the window by clicking on the close icon. From here you will be taken back to the Project Risk Register, where you should now see your risks that you have just entered against your project. Click on the title (hyperlinked) to enter the risk assessment details and complete the initial risk assessment.

  • STEP 3: Specify the following details.
Note: The Risk Manager/Administrator can activate/deactivate these fields or make these fields mandatory/optional from within Risk Settings. If deactivated, these fields will not show.

Field | Description/Instructions | Mandatory/Optional | Strategic | Operational | Project | Corporate

Risk Details

Active

Sets the Risk as Active or Inactive. Defaults to Active.

Once this is saved, if you need to make this Inactive, a user with edit permissions will be able to make this change.

N/A
Note: If an internal setting has been set by Camms Support for editing this risk, only Admins and Risk Managers will be allowed to edit.
Note: If you are on the flexible permission structure, this will be governed by a separate permission configuration.
Risk Code

Enter a code to identify the risk. The risk code along with the risk title will be displayed in the header section of a risk record when accessed.

Note: The Risk Manager can set automatic numbering for this field via Risk Settings and therefore if this is done, it will appear as greyed out.

Mandatory

Apply Template*

*If Applicable

Allows users to select and apply a Risk Template which auto-populates several fields within the assessment which enables speedy addition of similar risks.

Note: Templates are defined and maintained by the Risk Manager from within the Risk Settings area.

Optional

Confidential

Tick box to define the risk as being confidential.
Note: Once this tick box is checked, a dropdown will display to select which users you wish to mark this risk as confidential.

Optional

Risk Description

Enter a short title to identify the Risk by. This title along with the risk code will be displayed in the header section of a risk record when accessed.

Mandatory

Responsibility Centre

Select a Service Profile added by an admin here. This field must be enabled for Strategic/Operational/Project/Corporate Risks to show the Service Profiles linked with the relevant Business Units.
Note: This field can be enabled by Camms Support via an internal setting once it has been requested. 

Optional

Responsible Officer

Assign a Responsible Person who will be responsible for monitoring and reporting on the status of the risk. This will enable a link to this Risk Assessment to display on the designated person’s homepage.
Dropdown shows staff list for selection.

Mandatory

Secondary Responsible Officers

Select a Secondary Responsible Person and click ‘Add’ to add him/her to the list of Secondary Responsible Officers. Multiple staff members can be selected.
Dropdown shows staff list for selection.

Optional

The Risk Manager can activate this area from within Risk Settings. If deactivated, this grid will not show.

Primary Risk Category

Select one category as the primary risk category.
Note: Categories are defined by a Risk Manager within the Risk Settings page.

Mandatory

Primary Risk Sub Categories

Select risk sub categories (based on the primary category).
See title Primary Risk Sub Categories below for more details.

Optional

Secondary Risk Categories

Select secondary risk categories here.
See title Secondary Risk Categories below for more details.

Optional

Causes

Any Causes that contribute to this risk can be noted here. A Risk Manager can toggle the visibility of this field to make it appear in the Initial, Current, and/or Future Risk Assessments via Risk Settings.
Note: Causes will be ordered chronologically in an ascending order (i.e. oldest item first and recent item last).

The Risk Manager can decide if this field is mandatory or optional based on the configurations in the Field Configuration area.

This can be set to be either a grid or a text field. Please contact CAMMS to change the current setup if required.

Consequences

Any Impact/ Consequences that arise from this risk can be noted here. A Risk Manager can toggle the visibility of this field to make it appear in the Initial, Current, and/or Future Risk Assessments via Risk Settings.
Note: Consequences will be ordered chronologically in an ascending order (i.e. oldest item first and recent item last).

 
Consequences criteria selection

Select a consequence rating by clicking the ‘Select’ button. This opens a pop-up window in which you select the consequences based on the category description. This is the consequence table, which helps you identify the ‘consequence of the risk’.
Users can simply click the relevant cell to select a consequence. This grid is defined and maintained by the Risk Manager from within Risk Settings.

Mandatory

Likelihood criteria selection

Select a Likelihood by clicking on the ‘Select’ button. This opens a pop-up window in which you select a likelihood based on a description that helps you identify it.
Note: The Likelihood list is defined by the Risk Manager within Risk Settings.
Users can simply click the relevant cell to select a Likelihood. This grid is defined and maintained by the Risk Manager from within Risk Settings.

Mandatory

Organisation Links

Create linkages for the risk with hierarchies (Organisation hierarchy only).

Optional

The Risk Manager can decide if this field is visible or not and mandatory or optional based on the configurations in the Field Configuration area.

Add/Edit Links

Create linkages for the risk with other entities (risks, hierarchies, incidents, audits, findings, recommendations, KPI/KRIs, compliance requirements, authority documents and policies). This list will be based on the modules enabled for you in the database.

Optional

The Risk Manager can decide if this field is visible or not and mandatory or optional based on the configurations in the Field Configuration area.

Add to Business/Strategic Plan

Create linkages between the risks and the organisation and planning hierarchies, and create new actions in Camms.Strategy via risk. This will be activated via a setting.

Optional

The button 'Add to Business/Strategic Plan' will be shown to all users with access.
  • Strategic: Can only link to the Planning hierarchy
  • Operational: Can link to both Organisation and Planning hierarchies
  • Project: Can only link to the Organisation hierarchy
  • Corporate: Can only link to the Planning hierarchy

Heatmap within Assessment Tabs

A heatmap will be displayed within all three assessment tabs based on the criteria selection.

  • The bubbles within the heatmap will denote the assessment ratings (black: Future, white: Residual/Current, grey: Inherent/Initial).
  • When you hover over a square, the likelihood, consequence, and rating it represents will be displayed as tooltip text.
Note: The X and Y coordinates displayed in the heatmap will not be editable and will not be considered from the sort order in the Risk Settings > Criteria page as of now. 

Primary Risk Sub Categories

This multi-select dropdown will let you select sub risk categories of the selected primary risk category in the risk assessment tab.

This dropdown can be made visible with the below configuration:

  • For all risk types, set as 'Visible' in the Field Configuration page (accessed via Menu > Framework > Risk Settings > Field Configuration > Sub Categories and Secondary Categories).
  • If the field is made visible for the Revised/Current and Future assessment tabs, the categories will display as an un-editable label.

Secondary Risk Categories

This multi-select dropdown will let you select secondary risk categories in the risk assessment tab.


Controls

Controls can be accessed within a Risk record in the Risk Assessment tab. Click the ‘Add New’ button under the section where Controls are listed. This will direct you to the 'Controls Record Detail' page in a popup window.

Note: See article Control Management under title 'Control Record Details' for more information on this area.

  • STEP 4: Click the ‘Save’ button to save the initial risk assessment.

Every risk created will automatically default to ‘Active’. You can deselect this if required. After saving, an image will appear which shows the Calculated Risk Rating.

Note: The highlighted Risk Rating is auto generated once you have saved the initial/inherent risk assessment. The rating is calculated based on the calculations set by your administrator.


Creating a Risk as a Draft for Approval

You can configure a risk to be created as a draft and submitted for approval to the responsible person, prior to it being active. To do so:

  • STEP 1: The setting 'Enable Risk SignOff process (Risk Approvals)' must be enabled via Administration > Configuration > Enable Risk SignOff process (Risk Approvals).
  • STEP 2: In the risk assessment tab, once you have finished filling in the risk details, click on the 'Under Review' button at the top of the page.
  • STEP 3: Once the risk is created, it will be in a 'Draft' approval status. Once a 'Draft' risk is submitted, it will display a 'Submitted' approval status and will be assigned to the Responsible Person in the Risk Register.
  • STEP 4: If the submitted risk is rejected by the responsible person, the approval status will be 'Rejected' and will go back to a 'Draft' state when edited.
  • STEP 5: If the submitted risk is approved by the responsible person, the approval status will be 'Approved'.

Note: See article Risk Approval for more details on the administrative side and workflow of an approval process.


Add to Business/Strategic Plan

This allows a risk to be linked to either the planning or the organisation hierarchy. The hierarchies available for linking depend on the risk type. For strategic and corporate risks, only the planning (strategic) hierarchy will be available for linking, whereas for operational risks both planning and organisation hierarchies are available. Only the organisation hierarchy will be available for project risks.

The list of hierarchies will be shown on the left-hand side, with a list of all risks, risk treatment actions and control solutions on the right-hand side. Control solutions will be marked by a red superscript 'c' against the solution title for easy identification. To make a linkage, drag the risk, risk treatment action or control solution you wish to link from the list onto the name of the hierarchy node. Once a linkage is made successfully, clicking on either the node or the linked item will show all linkages in the area in the middle of the screen. Linkages can also be deleted by a user with edit permissions to the area.

You can also expand the hierarchy tree up to the action/task level and link a risk treatment action with a Camms.Strategy action/task as well from here. If there is no existing planning action, you can add the risk treatment action as a new action/task as well.

When this is done, a new action/task with the same details as the treatment action will be created in the Camms.Strategy product. The two actions will behave independently despite the linkage, but the progress information can be made to synchronise if required. The latter is enabled via a setting. Please contact Camms support if you wish to enable this feature.

When you have completed entering and saved all the information for your Initial Assessment you can go on to assess the Current Risk by clicking on 'Next'. Or click the 'Current/Residual Risk Assessment' tab on top. Note that these buttons will only be active once you have saved the Initial/Inherent Risk Assessment.


Initial Assessments for all four types of risks are conducted in the same way.

Note: If you have set up all your criteria for the Initial Risk Assessment to be non-mandatory, you can navigate and carry out the next risk assessments even without filling out and completing the initial risk assessment. This applies to all risk assessments.


Current/Residual Risk Assessment

Current Assessments for all four types of risks are conducted in the same way. The Current Strategic Risk Assessment process is shown below, whereby selections of Current Likelihood, Consequence and Effectiveness of Controls generate a Current Risk Rating. However, before completing the Assessment, the Risk Controls are defined so that you can confirm their Effectiveness in their current form.

Please refer to the ‘Risk Controls’ section for more information on creating and managing your Risk Controls.

  • STEP 1: Specify the following details when completing a Current Risk Assessment.

Note: The visibility of some fields can be controlled by the Risk Manager from Risk Framework > Risk Settings > Field Configuration area.


Field | Description/Instructions | Mandatory/Optional | Strategic | Operational | Project | Corporate

Risk Details

Effectiveness of Controls

Select the Effectiveness of Controls Rating from the dropdown list provided.
Note: Effectiveness of Controls Ratings are defined by the Risk Manager within Risk Settings.

Mandatory

Note: The Risk Manager can activate this area from within Risk Settings. If deactivated, this field will not show.

 
Consequence

Select a consequence rating by clicking the ‘Select’ button. This opens a pop-up window in which you select the consequences based on the category description. This is the consequence table, which helps you identify the ‘consequence of the risk’.

Users can simply click the relevant cell to select a consequence. This grid is defined and maintained by the Risk Manager from within Risk Settings.

Likelihood

Select a Likelihood by clicking on the ‘Select’ button. This opens a pop-up window in which you select a likelihood based on a description that helps you identify it.

Note: The Likelihood list is defined by the Risk Manager within Risk Settings.

Users can simply click the relevant cell to select a Likelihood. This grid is defined and maintained by the Risk Manager from within Risk Settings.


Mandatory

Risk Treatment and Solutions
Risk Treatment Plan Options

Select whether you want to Accept, tolerate the risk. You can also select if the risk exceeds Tolerance limit.

Optional

Risk Actions

Add risk actions by simply typing the Risk Action title, linking it to a responsible officer, Business Unit, Start and End Date, and Review Frequency, and giving it an Action Status and % complete. To save and add this to the table, click on the adjacent add icon.

See below for further details.

Optional

Risk Actions

Risk actions are entered against a risk if you are required to put other actions in place to mitigate the risk further (in addition to the current controls that you may have in place). If the effectiveness of the current controls is weak, risk actions should be identified to reduce the risk, or they may feed into creating a new control. Adding risk actions is, however, optional when completing a current risk assessment.

Ensure you fill out the mandatory fields, which are highlighted with a red asterisk.

  • STEP 1: Click on the ‘Add’ button to add your risk action to the table before you save.

See article Risk Actions for more details on this section.

  • STEP 2: Click on the 'Save' button once you have completed all required fields on the page.

After saving, an image will appear which shows the Calculated ‘Current’ Risk Rating.

Note: After the Current Risk Assessment is saved, the Impact and Likelihood fields in the Initial Risk Assessment are locked and cannot be edited, unless changed within the Framework > System Settings. However, to alter the Impact and Likelihood fields in the risk assessment, further Current Risk Assessments can be conducted. Modifications to these assessments can be traced using the History icon.


Future Risk Assessment

The Future Assessment functionality enables the recording of a projected risk rating. If it is a part of your organisation’s risk management process, you may use this area to calculate a Future risk rating similar to the Initial and Current ratings.

  • STEP 1: Select the 'Future Risk Assessment' tab.
  • STEP 2: Specify the following details.

Note: The visibility of some fields can be controlled by the Risk Manager from Framework > Risk Settings > Field Configuration area.


Field | Description/Instructions | Mandatory/Optional | Strategic | Operational | Project | Corporate

Future Assessment

Consequence

Select a consequence rating by clicking the ‘Select’ button. This opens a pop-up window in which you select the consequences based on the category description. This is the consequence table, which helps you identify the ‘consequence of the risk’.

Users can simply click the relevant cell to select a consequence. This grid is defined and maintained by the Risk Manager from within Risk Settings.

Mandatory

Likelihood

Select a Likelihood by clicking on the ‘Select’ button. This opens a pop-up window in which you select a likelihood based on a description that helps you identify it.

Note: The Likelihood list is defined by the Risk Manager within Risk Settings.

Users can simply click the relevant cell to select a Likelihood. This grid is defined and maintained by the Risk Manager from within Risk Settings.

Mandatory

  • STEP 3: Click on the 'Save' button once you have completed all required fields on the page.

After saving, an image will appear which shows the Calculated ‘Future’ Risk Rating.


Quantitative Risk Analysis (Monte Carlo Analysis)

The financial impact tied to the risk can be captured and the predicted impact can be calculated using the Monte Carlo analysis feature. The related configurations to enable this feature in any/all of the three assessment tabs can be found in the 'Risk Settings' article.

Based on the configurations set up by your administrator, the Monte Carlo analysis area will be displayed as below:

The information available for input and shown here is as follows:

Field | Description

Best Case Scenario ($)

Used to capture the best case scenario of any financial impact linked with the risk.
This is a numeric field where you can add details and save.

Most Likely Scenario ($)

Used to capture the most likely scenario of any financial impact linked with the risk.
This is a numeric field where you can add details and save.

Worst Case Scenario ($)

Used to capture the worst case scenario of any financial impact linked with the risk.
This is a numeric field where you can add details and save.

Show Quantitative Range Assumptions

Used to show the quantitative range assumption values for the risk. This is a text field where the end user can input details on the assumptions made for entering the figures for best/most likely and worst case scenarios.

Likelihood (%)

Used to capture the likelihood percentage for the above best/most likely and worst case scenario predictions.
This is a numeric data field which will allow the end users to enter a likelihood value between 0-100 as a percentage.

Information icon

An information icon is available against a field if the 'Description' for the field has been entered by your administrator via the 'Risk Settings' area. If so, clicking on it will show a pop-up with the instructional text as entered via settings.


Based on the data inputs for the risk from the above fields, the 'Estimated Monetary value' for the risks as P10, P50 and P90 will be calculated and displayed. 

An 'S curve' based on these P10, P50 and P90 projections will also be drawn, with Probability on the Y axis and the estimated monetary value ($) for each risk as well. The graph will display the P value at any level when you hover along the lines and points on the line graph, indicating the projects with correspondence to the monetary value and the probability.

The standard calculations below are used when determining the Estimated Monetary value for the P10, P50 and P90 values for each risk.

P10:

(Best Case + SQRT(Intended probability of achieving project objectives * (Worst Case – Best Case) * (Most Likely – Best Case))) * Likelihood

Note: Intended probability of achieving project objectives = 10

P50:

(Worst Case – SQRT(Intended probability of achieving project objectives * (Worst Case – Best Case) * (Worst Case – Most Likely))) * Likelihood

If the difference of Worst Case and Most Likely is less than the difference of Most Likely and Best Case:

(Best Case + SQRT(Intended probability of achieving project objectives * (Worst Case – Best Case) * (Most Likely – Best Case))) * Likelihood

Note: Intended probability of achieving project objectives = 50

P90:

(Worst Case – SQRT(Intended probability of achieving project objectives * (Worst Case – Best Case) * (Worst Case – Most Likely))) * Likelihood

Note: Intended probability of achieving project objectives = 100 - 90 = 10
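
The three formulas above have the shape of the quantile function of a triangular distribution over Best/Most Likely/Worst Case. The following is an added example, not Camms code: it evaluates the formulas and cross-checks them against a seeded simulation. It assumes that the values 10 and 50 and the Likelihood (%) are applied as fractions (0.10, 0.50, likelihood/100), which the page does not state; all function names and sample figures are constructed.

```python
import math
import random


def p_values(best, most_likely, worst, likelihood_pct):
    """Return (P10, P50, P90) from the three formulas on this page.

    Assumption: the 'intended probability' values 10 and 50 and the
    Likelihood (%) input are used as fractions (0.10, 0.50, pct / 100).
    """
    if not best <= most_likely <= worst:
        raise ValueError("expected best <= most likely <= worst")
    if not 0 <= likelihood_pct <= 100:
        raise ValueError("likelihood must be between 0 and 100")

    spread = worst - best            # Worst Case - Best Case
    to_mode = most_likely - best     # Most Likely - Best Case
    from_mode = worst - most_likely  # Worst Case - Most Likely
    weight = likelihood_pct / 100.0

    def from_best(p):
        # Best Case + SQRT(p * (Worst - Best) * (Most Likely - Best))
        return best + math.sqrt(p * spread * to_mode)

    def from_worst(p):
        # Worst Case - SQRT(p * (Worst - Best) * (Worst - Most Likely))
        return worst - math.sqrt(p * spread * from_mode)

    p10 = from_best(0.10)
    # P50 switches to the Best Case form when Worst - Most Likely is the
    # smaller of the two differences, as the page describes.
    p50 = from_best(0.50) if from_mode < to_mode else from_worst(0.50)
    p90 = from_worst(0.10)  # 100 - 90 = 10
    return tuple(round(v * weight, 2) for v in (p10, p50, p90))


def mode_within_p10_p90(best, most_likely, worst):
    """True when Most Likely sits between the 10th and 90th percentile.

    In that range the fixed Best Case form for P10 and the fixed
    Worst Case form for P90 equal the triangular distribution's quantiles.
    """
    if worst == best:
        return True
    position = (most_likely - best) / (worst - best)
    return 0.10 <= position <= 0.90


def simulated_quantiles(best, most_likely, worst, draws=200_000, seed=7):
    """Empirical P10/P50/P90 from seeded triangular draws (cross-check)."""
    rng = random.Random(seed)
    samples = sorted(rng.triangular(best, worst, most_likely)
                     for _ in range(draws))
    return tuple(samples[int(q * draws)] for q in (0.10, 0.50, 0.90))


if __name__ == "__main__":
    # Constructed sample figures, not taken from the page.
    best, likely, worst = 10_000, 40_000, 100_000
    print("closed form, 100%:", p_values(best, likely, worst, 100))
    print("simulated        :", simulated_quantiles(best, likely, worst))
    print("closed form, 50% :", p_values(best, likely, worst, 50))
    print("mode in P10..P90 :", mode_within_p10_p90(best, likely, worst))
```
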

When any of these fields are enabled in the risk registers via Camms.Risk > Framework > Risk Settings > Register Configurations, the same will be displayed in the registers as a project summary where each P value per each risk under a project is aggregated and summed up and show in a summary.


Risk Review

You can set up regular risk reviews, which are scheduled frequencies at which you will review Current assessment ratings. This ensures they are up to date as per the progress made on risk solutions.

  • STEP 1: Click the 'Risk Review' tab from within the risk you want to set up a review for.

  • STEP 2: The Review Frequency will be based on the latest risk rating saved within the Current Risk Assessment (see below to see which rating will default to which frequency). However, you may edit this from the Risk Review page if you have the permission to do so.
    This can be defaulted to update frequency from rating via Menu > Administration > Configuration > Settings > [enable setting Update Frequency From Rating].
    A Risk Rating can be mapped to a Review Frequency via Menu > Risk Settings > Rating Type.

The Next Review Date will automatically pick up the next available date as per your specified frequency and next review date calculation logic, when it is next reviewed. However, you can modify the date using the calendar control.

Note: There is a system setting that you can switch on in order to lock this next review date for all users except Risk Managers and Administrators. This would be used if you do not want your risk owners to be able to edit the next risk review date, pushing out dates that they need to complete a review. 

The setting is located within the Administration > Configuration > Settings > Enable next review date field within risk area only to the administrations and risk managers

There are two logics that can be configured via Menu > Risk Settings > Review Frequency (see article Framework – Risk Settings under section 'Review Frequency' for setting this up), when determining the Next Review Date.

Next Review Date (NRD) calculation logic based on:
  • Review Due Date (default): This option will calculate the NRD as [Previous NRD + Review Frequency].
  • Actual Review Completion Date: This option will calculate the NRD as [Current Date + Review Frequency].
Example: The Previous NRD is populated as 20-May-2021 and Review Frequency is Monthly. You do the review on 05-Jul-21 and click 'Complete'.
  • Review Due Date logic: The new NRD will populate as 20-May-21 + 1 month = 20-Jun-21.
  • Actual Review Completion Date logic: The new NRD will populate as 05-Jul-21 + 1 month = 05-Aug-21.
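
The two calculation options, worked through in code as an added example (not Camms code). The function names, the representation of a Review Frequency as a number of months, and the end-of-month clamping rule are assumptions made for illustration; the dates are the ones from the example above.

```python
import calendar
from datetime import date

LOGICS = ("review_due_date", "actual_completion_date")  # hypothetical labels


def add_months(start, months):
    """Add calendar months to a date.

    Assumed rule: when the target month is shorter, clamp to its last day
    (31-Jan + 1 month = 28-Feb or 29-Feb).
    """
    index = start.year * 12 + (start.month - 1) + months
    year, month = divmod(index, 12)
    month += 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_review_date(previous_nrd, completed_on, frequency_months, logic):
    """Compute the new Next Review Date (NRD) under one of the two options."""
    if logic == "review_due_date":
        # Previous NRD + Review Frequency
        return add_months(previous_nrd, frequency_months)
    if logic == "actual_completion_date":
        # Current Date (day 'Complete' is clicked) + Review Frequency
        return add_months(completed_on, frequency_months)
    raise ValueError(f"unknown logic: {logic}")


def compare_logics(previous_nrd, completed_on, frequency_months):
    """Return both results plus the gap, in days, to the completion date.

    A negative gap means the computed NRD falls before the day the review
    was completed, which is what happens under the due-date option when a
    review is completed more than one frequency period late.
    """
    result = {}
    for logic in LOGICS:
        nrd = next_review_date(previous_nrd, completed_on,
                               frequency_months, logic)
        result[logic] = {
            "next_review_date": nrd,
            "days_after_completion": (nrd - completed_on).days,
        }
    return result


if __name__ == "__main__":
    # Values from the example on this page: Monthly frequency (1 month),
    # previous NRD 20-May-2021, review completed on 05-Jul-2021.
    rows = compare_logics(date(2021, 5, 20), date(2021, 7, 5), 1)
    for logic, row in rows.items():
        print(f"{logic:24} {row['next_review_date']:%d-%b-%Y} "
              f"({row['days_after_completion']:+d} days from completion)")
```
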

A review is confirmed and completed by clicking on the 'Complete' button. You can still perform interim changes to your risk review tab and click the 'Save' button in the Review tab to update details. Only once a risk is reviewed, the below details for the risk will be updated.

  • Last Reviewed By: The staff by whom the risk was reviewed last along with the position. This will be a label field shown for reference purposes only.
  • Last Reviewed Date: The date on which the risk was last reviewed.
  • Next Reviewed Date: The next review date set forth for the risk based on the last review details as above.
Note: A 'risk review' is an update made on the 'risk review' tab or through the ‘My Quick Update’ page. When you are reviewing your risks from the quick update page, you can review the current risk assessment and enter in the comments which will synch across into the Risk review tab.

  • STEP 3: Click the 'Complete' button at the bottom of the page to apply any changes made within the 'Risk Review' tab and for the review cycle to be considered as completed. This will then update the 'Last Reviewed By', 'Last Reviewed Date', and 'Next Review Date' automatically.
    Please note that clicking the 'Save' button at the top of the page will not update these values automatically, and is used to only save the latest comments added by the user or to manually change the 'Next Review Date'.
Note: Next review date for your risks will be visible in My Quick Update page. Overdue reviews will show up with an 'Overdue' indication next to the review date.

You will receive an e-mail reminder for all overdue reviews of active risks for which you are the responsible person. The reminder is triggered when the ‘Next Update Required’ date as per the Review Frequency specified by you in your last review has passed. The setup, frequency and content of your notifications are determined by your in-house Risk Administrator.


Attach Documents

In this area, documents and hyperlinks can be added so users are able to view documents associated with the risk.

  • STEP 1: Click on the Documents tab where you have two options for associating documents with the risk.

  • STEP 2: Click 'Browse' to select a document you wish to upload, and then once selected, click the 'Add' button to add it to the risk.

OR

  • STEP 3: To associate a URL with this Risk, simply type it in the textbox provided and click the 'Add' button.
  • STEP 4: Click the 'Save' button.
Notes: 
  • Please note the document to be uploaded must not be greater than 10MB.
  • File types permitted to be uploaded: .png, .jpg, .jpeg, .gif, .bmp, .pdf, .doc, .docx, .ppt, .pptx, .xls, .xlsx, .xlsm, .epub, .odt, .ods, .txt, .msg, .csv, .mpp, .vsd, .vsdx, .eml, .pub, .ecd, .tr5, .obr, .rar, .zip, .7z, .mp4, .mov, .avi, .wav, .mp3, .mpeg
  • File types not permitted to be uploaded: .exe, .bat, .cmd


Create Linkages 

In this area, linkages can be added that are associated with the risk.

Click on the Links tab where you have an option to add new linkages of these types. The types of linkages you can make here are based on the modules activated for the database.

To create a link, click on the 'New' button and select the linkage from the 'Create a New Linkage' dropdown.

Note: When deleting a Risk that has linkages created for it, all linkages attached with the Risk record will be deleted with it too. The linked entity record will not be deleted, only the linkage will be deleted.
  • KPIs – The list of Key Performance/Risk Indicators available in the system will be available to select and link with the risk. If the Camms.Strategy product is not activated for the database, the list will be taken from the KRIs added from the Administration > Key Risk Indicators. Else, if Camms.Strategy is in use, the list will be taken from the KPI/KRI list added in there. Once linked, a grid will display all linked KRIs with the risk as below. 

The filters available atop the grid will allow further filtering of linked KRI/KPIs here. 

Period: Two views, YTD and Period, are available here. If YTD is selected, the month and the financial year can be selected. If Period is selected, a date range can be selected. The data (Actuals and Performance) for the KPIs will be filtered and shown in the grid based on the period view selected here. The logic for showing the data is similar to how KPI/KRI data is shown in the EIS area.

Show Inactive KPIs: Unticked by default, the linkage grid will not show inactive KRIs that are linked to the risk.

For the linked KPI/KRIs, the title, unit, reporting period, actual, targets and the performance for the period the KPI is viewed for will be shown in the grid. The grid can be further searched based on these properties as well.


  • Incidents – The list of Open Incidents available in the system will be available to select and link with the risk. The list will be searchable by the Incident title to select the ones you want to link to your risk. Multiple incidents can be linked in one go and saved by clicking the 'Save' button at the top of the page. Once linked, a grid will display all linked Incidents with the risk as below.

For the linked Incidents, the title, type, description, reported date, responsible officer, status and investigation due date will be shown in the grid. The grid can be further searched based on these properties as well.


  • Risks – The list of active risks available in the system will be available to select and link with the risk. The list will be searchable by the risk type first and then by risk title to select the ones you want to link to your risk. Multiple risks can be linked in one go and saved by clicking the 'Save' button at the top of the page. Once linked, a grid will display all linked risks with the risk as below.

For the linked risks, the code, title, organisational links, risk type, risk officer, reporting period (review frequency), next review date and the current risk rating will be shown in the grid. The grid can be further searched based on these properties as well.

Notes: An Organisational Links column will be displayed to provide insight into the organisational nodes that are associated with the linked risks.
  • The 'Organisational Links' column is currently applicable only for customers using the new 'Flexible Security' feature.
  • The 'Organisational Links' column will give you insight into the organisational nodes that are associated with the linked risks.
  • If a linked risk is linked to multiple hierarchy nodes, then the ‘Organisational Links’ column will display all nodes in a comma-separated view. In the event there are no linkages, this column will display N/A.


  • Audits – The list of audits available in the system will be available to select and link with the risk. The list will be searchable by the audit type, code, title and audit year to select the ones you want to link to your risk. Multiple audits can be linked in one go and saved by clicking the 'Save' button at the top of the page. Once linked, a grid will display all linked audits with the risk as below.

For the linked audits, the status, code, title, type, responsible officer, audit year and audit risk rating will be shown in the grid. The grid can be further searched based on these properties as well.

Notes: An Organisational Links column will be displayed to provide insight into the organisational nodes that are associated with the linked risks.
  • The 'Organisational Links' column is currently applicable only for customers using the new 'Flexible Security' feature.
  • The 'Organisational Links' column will give you insight into the organisational nodes that are associated with the linked risks.
  • If a linked risk is linked to multiple hierarchy nodes, then the ‘Organisational Links’ column will display all nodes in a comma-separated view. In the event there are no linkages, this column will display N/A.


  • Audit Findings – The list of findings available in the system will be available to select and link with the risk. The list will be searchable by the linked audit number, finding code and title to select the ones you want to link to your risk. Multiple audit findings can be linked in one go and saved by clicking the 'Save' button at the top of the page. Once linked, a grid will display all linked audit findings with the risk as below.

For the linked audit findings, the linked audits' status, audit year, audit code, title, finding number, title and the finding risk rating will be shown in the grid. The grid can be further searched based on these properties as well.

Notes: An Organisational Links column will be displayed to provide insight into the organisational nodes that are associated with the linked risks.
  • The 'Organisational Links' column is currently applicable only for customers using the new 'Flexible Security' feature.
  • The 'Organisational Links' column will give you insight into the organisational nodes that are associated with the linked risks.
  • If a linked risk is linked to multiple hierarchy nodes, then the ‘Organisational Links’ column will display all nodes in a comma-separated view. In the event there are no linkages, this column will display N/A.


  • Recommendation – The list of recommendations available in the system will be available to select and link with the risk. The list will be searchable by the recommendation code and title to select the ones you want to link to your risk. Multiple audit recommendations can be linked in one go and saved by clicking the 'Save' button at the top of the page. Once linked, a grid will display all linked audit recommendations with the risk as below.

For the linked audit recommendations, the linked audits' year, audit code, linked findings' code and title, recommendation code and title, responsible officer, recommendation risk rating and recommendation action status will be shown in the grid. The grid can be further searched based on these properties as well.

Notes: An Organisational Links column will be displayed to provide insight into the organisational nodes that are associated with the linked risks.
  • The 'Organisational Links' column is currently applicable only for customers using the new 'Flexible Security' feature.
  • The 'Organisational Links' column will give you insight into the organisational nodes that are associated with the linked risks.
  • If a linked risk is linked to multiple hierarchy nodes, then the ‘Organisational Links’ column will display all nodes in a comma-separated view. In the event there are no linkages, this column will display N/A.


  • Hierarchy – Risks can be linked to any hierarchy from here. Organisation, Planning and other custom hierarchies available in the system will be shown here. Upon selecting one, a tree view of the hierarchy with multi-select check boxes against the nodes will be displayed.

'Expand All' will expand the full hierarchy in one go and 'Collapse All' will collapse the full hierarchy in one go in a similar manner. Multiple nodes can be linked in one go and saved by clicking on the 'Link' button on the page. Once linked, a grid will display all linked hierarchy nodes with the risk as below.

For the linked nodes, the structure showing the breadcrumb of the linkage from the root node and the direct node to which the risk is linked will be shown in the grid.


  • Obligations – The list of obligations available in the system will be available to select and link with the risk. The list will be searchable by the obligation code and title to select the ones you want to link to your risk. Multiple records can be linked in one go and saved by clicking the 'Save' button at the top of the page. Once linked, a grid will display all linked obligations with the risk as below.

For the linked obligations, the code and title, responsible officer, next review date, priority and status will be shown in the grid. The grid can be further searched based on these properties as well.


  • Authority Document – The list of authority document records available in the system will be available to select and link with the risk. The list will be searchable by the authority document code and title to select the ones you want to link to your risk. Multiple records can be linked in one go and saved by clicking the 'Save' button at the top of the page. Once linked, a grid will display all linked authority documents with the risk as below.

For the linked authority documents, the code and title, responsible officer and priority will be shown in the grid. The grid can be further searched based on these properties as well.


  • Policy – The list of policy records available in the system will be available to select and link with the risk. The list will be searchable by the policy code and title to select the ones you want to link to your risk. Multiple records can be linked in one go and saved by clicking the 'Save' button at the top of the page. Once linked, a grid will display all linked policies with the risk as below.

For the linked policies, the code, title and responsible officer will be shown in the grid. The grid can be further searched based on these properties as well.


  • Controls – The list of controls available in the system will be available to select and link with the risk. The list will be searchable by the control title, control owner, control owner rating, control authoriser and control authoriser rating to select the ones you want to link to your risk. Multiple records can be linked in one go and saved by clicking the 'Save' button at the top of the page. Once linked, a grid will display all linked controls with the risk as below.


For the linked controls, the control title, control owner, control owner rating, control authoriser, and control authoriser rating will be shown in the grid. The grid can be further searched based on these properties as well.