How to describe and assess a risk

What is Risk Management?

Risks affecting organisations can have consequences in terms of economic performance and professional reputation, as well as environmental, safety and societal outcomes. Therefore, managing risk effectively helps organisations to perform well in an environment full of uncertainty.

The LOGIQC Risk register enables organisations to manage and mitigate their risks.

Adding a Risk

  1. Click on registers and select Risk.
  2. Click add.
  3. Complete the required fields (see below for more details).
  4. Click Save as Draft or Save.


How to complete the drafted Risk Details Form

Risk Identification


Identified risk

Select a risk from the menu. Additional risks can be added by the administrator in system setup.

Risk dimension

Select a corresponding dimension. This menu can be edited by the administrator in system setup. 

Context/Additional description

Provide a detailed description of the actual risk including the context in which it can occur. This is important as it brings clarity to the context and parameters of the risk. 

Roles

Selecting a restriction level will mean that only users with those permission levels can see the Risk Details Form on the system.

To see the permission levels assigned to users, go to contacts/staff contacts and click export.

Enabling access supports transparency and accountability in the management of risks.   

Physical location

State the main locations where this risk could occur, e.g. clinic, car park, admin etc., or enter NA.

Potential consequences

Describe the consequences to the organisation, if the risk were to occur.

Cause/contributing factors

Describe the cause or contributing factors that would give rise to the risk occurring.

Existing controls


Description

Describe any existing controls your organisation has in place to manage the risk.

Register items - Documents, Contracts, Audits, Compliance tasks, Training, Licencing, Suppliers, Records

Items in other LOGIQC registers (if activated in your system) can be linked to the risk as evidence of the controls that are in place to manage or mitigate the risk. Click into each field and select any relevant items. 

How to complete the risk assessment


Each risk is given two ratings:

Uncontrolled risk rating

The uncontrolled risk rating is the rating of the risk without controls (e.g. policies, procedures, staff training etc.). The uncontrolled risk rating represents the “inherent” or “residual” risk to the organisation. The uncontrolled risk rating is equivalent to the natural level of the risk inherent in a process or activity without doing anything to reduce the likelihood or mitigate the severity of the risk occurring. Uncontrolled risks which are assessed as “extreme” or “high” should be closely monitored and have rigorous controls in place.

Controlled risk rating

The controlled risk rating is the rating for the risk after controls are put in place. Where the controlled risk rating remains “extreme” or is only downgraded to a “high”, consideration needs to be given as to what further mitigation action/s need to be taken in order for the risk rating to be downgraded to a “medium” or “low”.

How to add risk mitigation actions


If further controls or actions need to be put in place to manage a risk (e.g. strengthening policies or procedures, delegating responsibility for monitoring, formalising systems or processes, increasing the frequency of monitoring or internal audit processes, or providing staff with training), the mitigation actions can be entered here.

All mitigation actions will also be automatically listed on the Risk Mitigation Actions tab on the Risk Register, thereby providing a full list of all mitigation actions across all risks.

If there are items in the Improvement Register that relate to a risk, they can be linked to the risk via this menu. Linking related improvements provides valuable information on what processes or actions have been taken in the past to strengthen the controls that mitigate a risk, enabling the organisation to assess whether these improvements have been effective.

Attach any related records.

How to schedule the Risk for review


Risk review date

Date when the risk is to be reviewed. Reviewing a risk enables the organisation to assess to what extent the controls that are in place to mitigate the risk are effective and to identify if the organisation’s exposure to the risk is escalating.   

ISO 31000 recommends that risks are reviewed within a 12-month timeframe. The frequency of review needs to be determined in consideration of each risk’s “controlled” risk rating, with those rated “extreme” or “high” being reviewed more frequently.

Risk occurrence threshold for current review period

Risks are multifaceted; that is, they can be related to a range of adverse events.

To enable the organisation to monitor its exposure to a risk, adverse events that are likely to be an expression of each risk can be linked to the respective Risk Details Form. For example, needle stick injuries as an incident type can be linked to the risk “infection control mismanagement”.

When setting up the Risk Details Form, all related incident types and feedback categories can be linked to a risk. Further, when a non-conformance is reported through the Improvement Register or a request for a repair is reported through the Repair Register, these events can be linked to an identified risk by the Approving Officer, as part of the “Approve for Action” task.

Each time an event is linked to an identified risk, LOGIQC will add the details to the Risk Management Plan. LOGIQC will also keep a count of the number of events that have been linked. When the number exceeds the Risk Occurrence Threshold that has been set on the Risk Details Form (RDF), LOGIQC will send a task to the risk manager notifying them that the risk needs to be reviewed.

 


Related work area

Select the work area that the risk most relates to. 

Meeting to monitor task

Select the meeting that has responsibility for oversight of the management of the risk. 

Risk Manager

Select the person who has responsibility for managing the risk. The Risk Manager will be notified when the risk is to be reviewed, which could result from the risk review date being reached or when the Risk Occurrence Threshold has been exceeded. 

Approval Officer

Select the person who has the authority to approve that the risk is published to the risk register.  

Comment

Enter any comment relevant to the risk. This field is optional. 

How to save the draft details form


Click “Save as Draft” to save the draft form and continue working on it. Note: You cannot select anyone to manage the risk, enter a review date or add mitigation actions when saving the risk as a draft.

Click “Save” to submit the draft form into the requirements tab and put the details form into the review workflow.

Click “Save and Approve” to submit the draft form into the requirements tab as approved. This form will come up for review based on the review date.
