This feature lets you run a Risk Approval process for all risks when they are created, so that each risk is approved upon submission before it is added to the main registers. It is enabled via the setting 'Enable Risk SignOff process (Risk Approvals)', accessed via Menu > Administration > Configurations > Settings.
Once enabled, every risk entered in the system is sent through an approval workflow before it is shown in the application as an open and active record.
Two kinds of approval workflow, Sequential and Concurrent, can be set up. The administrator can enable either one of the two or both for your organisation via the setting below, accessed from the Settings area under Camms.Risk > Administration > Configuration. It defaults to 'Select All', which has both workflows enabled.
Users need to be given the Risk Submitter/Preparer and/or Risk Approver permissions to create and submit risks for approval and to have them approved. These are two standard permissions available under Camms.Risk > Administration > Manage Users.
- Risk Preparer: Risk Preparers/Submitters can create risks and submit them for approval. Once a risk is submitted, the submitter cannot make any changes to it and it is un-editable. Created and submitted risks are saved with the 'Draft' status until approved, at which point the status changes from 'Draft' to 'Approved'. Until the risk is approved, it is shown only to the submitter in their registers. If the risk is not approved, the status will be 'Rejected' and the submitter will then be able to edit and resubmit it for approval or discard the record. If it is resubmitted, the status will be changed to 'Resubmitted'.
  Notes:
  - This permission should NOT be given with any permission other than the Operational User or Strategic Viewer permissions (i.e. it should not be associated with Editor, Risk Manager, Administrator or higher permissions, as these users can create risks on their own).
  - When a user with both the Risk Manager and Risk Preparer permissions submits a risk for approval, it will remain as 'Draft' until approved. Only risks which are 'Saved' without being submitted for approval will be 'Open'.
  - If an Administrator has been given the Risk Preparer permission as well, the risks created by that user are created as 'Open' risks, bypassing the approval process.
- Risk Approver: Risk Approvers can approve the risks submitted for their approval, upon which the risks are made active and will show in your registers. When risks are received for an approver's approval, they are shown in the approver's Quick Update area under the 'Approvals' section, where the approver can either approve or reject them. Once a risk is approved or rejected, it is removed from the approver's Quick Update and, unless they are assigned to the risk, they will not be able to view the record again. Records are shown to all other users in the application only once they are approved.
Note: These two permissions are applicable only if the static security structure is enabled for you. If the flexible permission structure is enabled, please refer to the Permissions and Staff Management article for what the permissions are and how to enable them. The feature and permissions function in the same way as outlined here.
The items to be approved will be shown in the approver's 'My Quick Update' page under the 'My Approvals' section. Approvers can approve either from the quick update or from within the risk itself, after making changes to the risk if required during approval.
The approval process can be set up as either Concurrent or Sequential. For each risk, a choice of whether it should be concurrent or sequential can be selected. This is done in the approvals area within the risk via the 'Approval Process' dropdown, which offers the two options below. The 'Approval Authority' dropdown lists all users with the permission provided, and the submitter can select one or many from the list and send the risk for their approval.
- Concurrent: The Concurrent approval workflow allows the preparer to select multiple approval authorities and submit. The new risk is approved and made active when any one of the selected approvers approves. The approval remains pending until either all of the approvers reject the risk or at least one of them approves.
- Sequential: The Sequential approval workflow allows the preparer to select multiple approval authorities and submit. The new risk is approved and made active only when all of the approvers approve. The order in which the approval authority staff were picked via the 'Approval Authority' dropdown for the risk determines the order in which the risk is sent to the approvers. The risk is first sent to the first approver and shown only in their quick update. If the first approver approves it, it is sent to the second approver, and subsequently to all approvers in the order of the list. If any of the approvers rejects the risk, the status changes to 'Rejected' and the risk becomes available to the submitter again to resubmit or discard.
Note: Once the first approver submits their approval, an email will be triggered to the next approver. Once that approver submits their approval, an email will be triggered to the approver after them, and so on until all approvers have approved the risk record. This will occur if emails have been configured under Menu > Risk Administration > Email. See article Administration – Risk Administration under title 'Email' for more details.
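The two decision rules above, modelled as an added Python example (this is not Camms.Risk code). The `Risk` class, the `replay` helper and the approver names are hypothetical, and resubmission and email notifications are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Risk:
    process: str            # 'Concurrent' or 'Sequential' ('Approval Process' dropdown)
    approvers: list         # order as picked in the 'Approval Authority' dropdown
    status: str = "Draft"   # a submitted risk stays 'Draft' until it is decided
    decisions: dict = field(default_factory=dict)  # approver -> decision

    def __post_init__(self):
        if self.process not in ("Concurrent", "Sequential"):
            raise ValueError("process must be 'Concurrent' or 'Sequential'")

    def pending_with(self):
        """Approvers whose quick update currently shows the risk."""
        if self.status != "Draft":
            return []
        waiting = [a for a in self.approvers if a not in self.decisions]
        # Sequential: only the next approver in the picked order sees the risk.
        return waiting[:1] if self.process == "Sequential" else waiting

    def decide(self, approver, approve):
        """Record one approver's decision and return the resulting status."""
        if approver not in self.pending_with():
            raise PermissionError(f"{approver} cannot act on this risk now")
        self.decisions[approver] = "Approved" if approve else "Rejected"
        everyone_decided = len(self.decisions) == len(self.approvers)
        if self.process == "Concurrent":
            if approve:                  # a single approval makes the risk active
                self.status = "Approved"
            elif everyone_decided:       # rejected only once every approver rejects
                self.status = "Rejected"
        else:
            if not approve:              # any rejection ends the chain
                self.status = "Rejected"
            elif everyone_decided:       # active only after the last approver
                self.status = "Approved"
        return self.status

def replay(process, approvers, votes):
    """Apply (approver, approve) votes in order; return the status after each."""
    risk = Risk(process, list(approvers))
    return [risk.decide(who, ok) for who, ok in votes]

if __name__ == "__main__":
    team = ["alice", "bob", "carol"]  # constructed sample approvers
    print(replay("Concurrent", team, [("bob", False), ("carol", True)]))
    print(replay("Sequential", team, [("alice", True), ("bob", True), ("carol", True)]))
```

In this model a Concurrent risk needs only one approval however many approvers are selected, while a Sequential risk needs every selected approver to approve in turn.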
A summary of the signoff process status will be available within each risk showing the date/time, user name, status and comment for any approval/rejection within the workflow.
See article Risk Assessment under title 'Creating a Risk as a Draft for Approval' for details on how this will be displayed in a Risk Assessment and within the Risk Register.
Note: If this setting is enabled, it is important to make sure that all users who are expected to create/add a risk are given the adequate submitter permissions, so that this feature works as expected.
There are associated email notifications for the risk approvals. Please refer to the article on email notifications under Risk Administration for more details.