ISO 31000:2009 and ISO Guide 73:2002 define risk as the 'effect of uncertainty on objectives'. Risk therefore carries the potential of gaining or losing something of value. There is normally an initial (inherent) risk before controls are applied; after controls are applied, the risk should be reduced to, or remain at, an acceptable (residual) level.
Risk can also be defined as the intentional interaction with uncertainty. Uncertainty is a potential, unpredictable, and uncontrollable outcome; risk is a consequence of action taken in spite of uncertainty.
In proper risk management a prioritization process is followed: the risks with the greatest possible loss (impact) and the greatest probability of occurring are handled first, and risks with lower probability and lower loss are dealt with later. In practice, assessing risk can be difficult, as can balancing the resources spent on a risk with a high probability of occurrence but lower loss against a risk with high loss but lower probability of occurrence.
Risk management also faces difficulties in allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending (or manpower or other resources) and also minimizes the negative effects of risks.
Intangible risk management identifies a type of risk that has a 100% probability of occurring but is ignored by the organization because it lacks the ability to identify it. For example, when deficient knowledge is applied to a situation, a knowledge risk materializes, and relationship risk appears when collaboration is ineffective. These are among the risks managed inside Dynamics 365 ERP.
Operational risk is the uncertainty or hazard associated with the delivery of specific project, program, job or operational objectives, and includes risks inherent in the day-to-day operation of an enterprise. It can include internal sources, such as the risks recorded in a risk method statement, as well as external events such as an incident.
The settings for the heat map on the Risk page will display in the Risk register form and on all relevant forms where “risk assessments” are done from:
Go to: GRC > Setup > Governance, Risk and Compliance parameters and open the Risk tab
The scale of risk is proposed to categorize risks along a multidimensional ranking, based on a comparative evaluation of the consequences, probability, and source of a given risk. A risk is ranked higher on the scale the larger the consequences, the greater the probability, and the more morally culpable the source.
In the Maximum value field, enter the maximum value on the scale (Total = Severity × Frequency × Exposure)
By moving the slider for a risk class to Yes, risk assessments for that class will be done using a scale instead of the risk matrix set up under the Matrix setup Fast tab
Below is an example of what the scale will look like:
A risk matrix is a tool that is normally used to assess the level of risk and assist the decision-making process. It takes into consideration the category of probability, or likelihood, against the category of consequence severity.
Under the Size Field group:
Select the size of the matrix by selecting the relevant values in the Likelihood and Impact fields
Under the Level of color Field group:
Select the relevant color for each level
Under the Heat map Field group:
Assign a color to each cell of the matrix, considering the Likelihood and Impact values selected under the Size field group
It is imperative that a default hazard, as well as an aspect value is selected under the Risk lines Fast tab
To view the result of the Risk matrix setup:
Go to: GRC > Risk > Operational risk assessments
Users can also set up a second risk matrix for Level of investigation under the Investigation tab on the Parameters form.
Likelihood is the chance that something might happen. Likelihood can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).
Click on the Likelihood tab
Click New
Select the Score from the dropdown list and enter a brief Description
Enter the lower percentage value of the score range
Enter the upper percentage value of the score range
Mitigation is the action and effort undertaken to reduce loss of life and property by lessening the impact of a risk. These actions and efforts must be assessed for effectiveness, so users must define effectiveness factors, each with a percentage rating. These setups are used by the Control measures, which then have the Effectiveness factors and Rating % defined here available for selection.
Click on the Mitigation effectiveness tab
Click New
Select the Effectiveness factor from the dropdown list
Enter a brief description of the Qualification criteria
Enter the Rating percentage
Select the relevant Color rating for the effectiveness factor
Click Save and refresh the screen to apply the selected colors
The above setup is used on the Risk register, Mitigation Fast tab
Risk exposure is the quantified potential loss from business activities currently underway or planned. The level of exposure is usually calculated by multiplying the probability of a risk incident occurring by the amount of its potential losses.
Click on the Exposure tab
Click New
Enter the Exposure ID
Enter a brief Description for the exposure
In the Multiplier field, enter the relevant frequency value
A Risk register is a collection of risks. Each Risk register consists of a header and lines. The headers (registers) are listed in a list page with Risk register numbers. The lines are the multiple risks (Hazard records) listed under each Risk register header. To create, view or edit the lines, users have to work on the risk detail form.
Go to: GRC > Risk > Registers > All operational risk registers
Click on the Edit button, or on the Risk register ID
It is noteworthy that the risk register and individual risk lines (hazard lines), both have life cycles
The Reset line statuses button gives the user the option to reset the line statuses of all associated risk lines in this risk register, in mass, back to Draft
Step 6.1: Buttons on the Risk register list page:
An existing risk register can be Deleted (risk registers cannot be deleted while risk/hazard lines exist). This is not advisable, since the deleted record leaves a gap in the Risk register number sequence.
A new Operational risk register can be created by doing a risk assessment (refer to Step 9, which illustrates the risk assessment functionality)
An existing risk register can be Edited
One can close a Risk register. Use the Close button to mark a register as completed. All lines will be closed.
Archive: A risk register can be archived and locked. The user has the option to keep an active copy of the archived risk register. All archived risk registers can be viewed on the All archived registers list page.
Change RACI: The Responsibility matrix can be setup by selecting responsible employees’ data from HR setup data.
Please note that if no values are filled in, the record will be updated with blank values. If Cancel is clicked, no changes will be made to the existing records.
Change: Details of the selected risk register can be changed under this option. When the (details of a risk register) have been changed, the status of the risk register will be set to Changed. This Changed status can be used for filtering purposes and can be changed back to a “normal” Risk status.
Please note that if no values are filled in, the record will be updated with blank values. If Cancel is clicked, no changes will be made to the existing records.
It is possible to create a complete hierarchy by marking a specific Risk register as the parent of another Risk register. To add this parent to another parent (thus creating multiple levels), select the parent the “child” belongs to from the Parent dropdown list on the Hierarchy setup form.
Hierarchy: The Risk register hierarchy setup form
The Parent field indicates a header record (Parent) to the current Risk register line (The Parent field contains a list of header (Parent) type risk registers)
Select the relevant “Parent” to assign to the current “Child” Risk register
Enter a description in the Hierarchy description field
Copy: Make a copy of the selected Risk register and attached risks. All attachments will also be copied to the copied Risk register
Send email notification: Email the highlighted risk notification to all stakeholders
The Send email notification button is on the Risk register list page as well as the Risk register detail form. The first three email options are defined on the parameters form.
Status – Update the status of the risk register by selecting the relevant status from the dropdown list when clicking on the Status button. The status lifecycle is:
Created – the user can Submit the risk register
Submitted – the user can Re-examine, Approve or Reject the risk register
Re-examine – the user can Approve or Reject the risk register
Approved – no changes can be made to the status
Rejected – no changes can be made to the status
Changed – the user can Re-examine, Approve or Reject the risk register
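The status lifecycle above as an added Python example (not Dynamics 365 code and not from the page's author): a transition table that refuses any status change the lifecycle does not allow, so an Approved or Rejected register cannot be silently reopened, and that appends an Approval history row (User ID, date/time stamp, reason code, new status) on every change. The register ID and user names are constructed, and the rule that the Change button may set Changed from any status is an assumption the page does not state.

```python
"""Added example, not Dynamics 365 code: the Risk register status lifecycle
as an explicit transition table with an Approval history.
The change_details rule (any status may move to Changed) is an assumption."""
from datetime import datetime, timezone

# Allowed Status-button transitions, exactly as listed on the page.
# Approved and Rejected are terminal: no further status change is allowed.
TRANSITIONS = {
    "Created": {"Submitted"},
    "Submitted": {"Re-examine", "Approved", "Rejected"},
    "Re-examine": {"Approved", "Rejected"},
    "Approved": set(),
    "Rejected": set(),
    "Changed": {"Re-examine", "Approved", "Rejected"},
}


class InvalidTransition(Exception):
    """Raised when a status change is not in the lifecycle table."""


class RiskRegister:
    def __init__(self, register_id, status="Created"):
        if status not in TRANSITIONS:
            raise ValueError(f"unknown status {status!r}")
        self.register_id = register_id
        self.status = status
        # Rows of the Approval history Fast tab: (user_id, timestamp, reason_code, status)
        self.approval_history = []

    def _record(self, user_id, reason_code, new_status):
        self.approval_history.append(
            (user_id, datetime.now(timezone.utc), reason_code, new_status))
        self.status = new_status
        return self.status

    def set_status(self, new_status, user_id, reason_code=""):
        """The Status button: refuse anything the lifecycle does not allow."""
        if new_status not in TRANSITIONS:
            raise ValueError(f"unknown status {new_status!r}")
        if new_status not in TRANSITIONS[self.status]:
            raise InvalidTransition(
                f"{self.register_id}: {self.status} -> {new_status} is not allowed")
        return self._record(user_id, reason_code, new_status)

    def change_details(self, user_id, reason_code="details changed"):
        """The Change button: editing header details sets the status to Changed,
        which must then be re-examined, approved or rejected again. Assumption:
        the page does not restrict which statuses the Change button applies to."""
        return self._record(user_id, reason_code, "Changed")

    def is_final(self):
        """True when no further Status-button transition exists."""
        return not TRANSITIONS[self.status]


if __name__ == "__main__":
    reg = RiskRegister("RR-000001")   # constructed register ID
    reg.set_status("Submitted", "alice")
    reg.set_status("Approved", "bob", reason_code="reviewed")
    reg.change_details("carol")        # Approved -> Changed, must be re-approved
    reg.set_status("Approved", "bob")
    for row in reg.approval_history:
        print(row)
```

The table is the only place the allowed transitions live, so adding a status or tightening a rule is a one-line change, and every change of status leaves a history row that can be reconciled against the Approval history Fast tab.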
Print the Risk register report
Print the Risk register detail report
Create risk report: Using the selected baseline/template this will create a risk management report with applicable clauses
List children: Shows the records (risks/hazards) that belong to the current/selected header record family
Refresh: to update the form and display any latest changes/updates made in previous steps
Export to Microsoft Excel: export the current list page to Microsoft Excel
Attachments (document handling): this functionality displays and carries relevant documents, notes and files which can be attached to the selected Risk register
Archive: An existing risk register can be archived
Risk assessment: Create a new risk assessment
Send email notification: Send an email notification to the selected worker on the parameters
Create a non-conformance: Create a non-conformance on the selected risk line. A record will be created under the Associations Fast tab
Status: Change the status of the selected risk line
Print the Risk register detail report
To edit a risk register, or to add lines (risks/hazards) to a risk register, select the relevant register and click the Edit button on the Action pane. Open the Header view.
The General Fast tab:
The Baseline slider indicates whether this Risk register is a baseline type Risk register. If this slider is moved to Yes, this risk register can be used as a template for creating other risk registers.
Risk register ID – a unique number assigned to the Risk register
Description displays a brief description of the Risk register
Select the relevant Site from the dropdown list
Select the relevant Department from the dropdown list
In the Class field, select the risk classification from the dropdown list
Select the relevant Risk type from the dropdown list
Select the relevant Project from the dropdown list (If required)
In the Recorded by field, select the worker who created the Risk register
Select the date on which the risk register was Created
When the Created date is changed, a message will pop up asking the user if the lines need to be updated with the same date or not
The default Created date is the system date when the Risk register is created
The next Review date for the Risk register can be selected – this is beneficial for reporting purposes
The Status field indicates the Risk register status – all the risk lines need to conform to this status in order to contribute to the status on the Header
The Closed slider indicates whether the Risk register is closed. The user can also close the Risk register from here.
The Closed date indicates the date on which the risk register was closed
When a Parent risk register is closed, all its Child risk registers will be closed as well
The Jobs and work Fast tab:
Select the Job plan group from the dropdown list
Select the Permit to work type group from the dropdown list
Select the Process from the dropdown list
Select the Activity from the dropdown list
The COSHH selection slider indicates whether the risk register is COSHH compliant
The list of Job plans that are linked to the selected Job plan group will be displayed in the related information pane.
The list of Permit to work types that are linked to the selected Permit to work type group will be displayed in the Related information pane.
The Applicable areas Fast tab:
Select the Object relevant to the risk register, from the dropdown list
Select the Location relevant to the risk register, from the dropdown list
Select the Job plan relevant to the risk register, from the dropdown list
The RACI Fast tab:
Select the Employee responsible from the dropdown list
Select the Employee accountable from the dropdown list
Select the Employee consulted from the dropdown list
Select the Employee informed from the dropdown list
When using the Send email notification button on the Action pane, the Employee accountable will receive an email notification
Emails can be sent to the selected workers by clicking on the email icon next to the relevant name
The selected worker must have a primary email address
The Hierarchy Fast tab:
Move the Parent slider to Yes if this is a parent risk register
If this register has a Parent risk register, select the relevant Parent from the dropdown list
Move the Use for consolidation slider to Yes if you want to use the Risk register for consolidation
Enter Consolidation notes in the note box provided
If this risk register was created from a baseline register, the risk register ID will be displayed in the Baseline used field
When Use for consolidation = Yes:
The Parent slider will be moved to Yes
On the Risk register lines, the following buttons will be disabled:
Add
Remove
Bowtie focus
On the Risk register Action pane, the Consolidate child lines button will be enabled
The Review and follow up Fast tab:
Move the Enable for review slider to Yes
Select the relevant Review frequency from the dropdown list
Enter additional notes in the Review instruction note box provided
In the Due days field, enter the number of days before the review action is due to be completed
In the To be reviewed by field, select the name of the person who is going to review the Risk line
Click on the Yes button on the pop-up to create a Planned GRC action
A blue line will appear confirming that a Planned action has been created for the follow up.
From here users can click on Reviews button in the Action pane to see all open reviews. Alternatively users can close a review directly from the Risk register by using the Close review button.
The Default line values Fast tab:
Select whether the Site and/or Department from the Header should be used on the Lines
Use header site and department dropdown selection:
None – When neither site nor department from the header should be used on the lines
Site only – Only the site from the header should be used on the lines
Department only - Only the department from the header should be used on the lines
Both – Both site and department from the header should be used on the lines
The user also has the option to use the Risk type selected on the Header under the General Fast tab, as the default for Risk lines (assessments)
Select whether the Object, Location or Job plan, or all three, from the Header should be used on the Lines
Enter a Risk assessment instruction in the note box provided
The Continuity and disaster recovery Fast tab:
In the Button strip, click on the Add button
Select the relevant Date
Select the relevant BC/DR ID (Continuity and disaster recovery plan ID) from the dropdown list
The values for the other fields are populated with the values entered on the selected Continuity and disaster recovery plan
For details on the setup for Disaster recovery, please refer to the GRC page on Business Continuity Management
The Approval history Fast tab:
The Approval history of the risk register can be viewed. The following is displayed:
User ID – Name of the user who changed the status of the risk register
Date time stamp – When the Status was changed
Reason code – The user can enter the reason for changing the status of the risk register
Status– The updated/new status of the risk register
Users can view a plotting of the inherent risk on the Risk matrix by means of a black block indicating the Likelihood x Impact Risk rating
Likelihood - Select the value of the Likelihood of the recurrence from the dropdown list
Impact - Select the consequence/Impact rating from the dropdown list
Enter additional Notes on the initial risk
Risk rating - Displays the risk rating
Risk matrix - The X by Y matrix displays the matrix as it is setup on the parameters form
Inherent risk (also known as initial risk) is the risk level before the planned mitigating controls are applied, i.e. given only the existing set of controls, or no controls at all.
Residual risk is whatever risk level remains after the additional (or new) controls are applied.
Thus, residual risk is the amount of risk or danger associated with an action or event that remains after the inherent risk has been reduced by mitigating controls.
Residual risk displays the Likelihood and Impact values after controls have been applied. The mitigation effectiveness percentages on likelihood and impact applied in the above tab drive the Likelihood and Impact scores displayed under this tab.
The user can overwrite the Likelihood and Impact scores if the Mitigation effectiveness percentages are to be ignored.
The Residual Likelihood x Residual Impact risk rating is displayed on the Risk matrix:
Likelihood - Select a value for the Likelihood of recurrence from the dropdown list
Impact - Select a value for the consequence/Impact from the dropdown list
Notes - Enter additional notes on the residual risk
Risk rating - This field displays the rating
Risk matrix - The X by Y matrix displays the matrix as it is setup on the parameters form
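The matrix, likelihood scale, mitigation effectiveness and exposure settings described in the parameter setup, and the way the inherent and residual ratings above are derived from them, as an added worked model in Python. This is example code, not Dynamics 365 code and not from this page's author. The scale values, colours and level thresholds are constructed; the residual rule (inherent score reduced by the factor's Rating % and rounded, never below 1) is an assumption, since the page only says the percentages drive the residual scores. The last function models the scale-based Total = Severity × Frequency × Exposure against the configured Maximum value.

```python
"""Worked model of the risk matrix, likelihood scale, mitigation effectiveness
and inherent/residual rating described on this page.

Added example; not Dynamics 365 code and not from the page's author. Every
value below is constructed, and the residual rule (score scaled by 1 - rating%)
and the level thresholds are assumptions the page does not state.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LikelihoodScore:
    score: int
    description: str
    lower_pct: float   # lower percentage value of the score range
    upper_pct: float   # upper percentage value of the score range


# Constructed 5-point Likelihood tab: Score, Description, lower %, upper %.
LIKELIHOOD_SCALE = [
    LikelihoodScore(1, "Rare", 0, 5),
    LikelihoodScore(2, "Unlikely", 5, 25),
    LikelihoodScore(3, "Possible", 25, 50),
    LikelihoodScore(4, "Likely", 50, 80),
    LikelihoodScore(5, "Almost certain", 80, 100),
]

# Constructed Mitigation effectiveness tab: factor -> (Rating %, Color rating).
EFFECTIVENESS = {
    "None": (0, "red"),
    "Partial": (40, "amber"),
    "Effective": (70, "yellow"),
    "Highly effective": (90, "green"),
}

# Constructed 5x5 heat map: each level covers products up to its threshold.
MATRIX_SIZE = (5, 5)   # Likelihood, Impact (the Size field group)
LEVELS = [             # (max product, level, colour), ascending
    (4, "Low", "green"),
    (9, "Medium", "yellow"),
    (15, "High", "amber"),
    (25, "Extreme", "red"),
]


def likelihood_score_for_pct(pct):
    """Quantitative likelihood: map a probability in percent onto the score
    whose [lower, upper) range contains it; 100 % falls into the top band."""
    pct = max(0.0, min(100.0, float(pct)))
    for s in LIKELIHOOD_SCALE:
        if s.lower_pct <= pct < s.upper_pct:
            return s.score
    return LIKELIHOOD_SCALE[-1].score


def plot(likelihood, impact):
    """Plot a Likelihood x Impact pair on the matrix (the black block on the
    heat map) and return product, level and colour; reject off-matrix scores."""
    max_l, max_i = MATRIX_SIZE
    if not (1 <= likelihood <= max_l and 1 <= impact <= max_i):
        raise ValueError(f"({likelihood}, {impact}) is outside the {max_l}x{max_i} matrix")
    product = likelihood * impact
    for threshold, level, colour in LEVELS:
        if product <= threshold:
            return {"likelihood": likelihood, "impact": impact,
                    "rating": product, "level": level, "colour": colour}
    raise AssertionError("LEVELS must cover every cell of the matrix")


def residual_score(inherent, effectiveness_factor):
    """Assumed rule: reduce the inherent score by the factor's Rating % and
    round, never below 1, so a 'None' factor leaves the score unchanged."""
    pct, _colour = EFFECTIVENESS[effectiveness_factor]
    return max(1, round(inherent * (1 - pct / 100)))


def assess(inherent_l, inherent_i, eff_on_likelihood, eff_on_impact, override=None):
    """Inherent rating plus residual rating driven by the two effectiveness
    factors; override=(l, i) reproduces the user overwriting the residual scores."""
    if override is not None:
        res_l, res_i = override
    else:
        res_l = residual_score(inherent_l, eff_on_likelihood)
        res_i = residual_score(inherent_i, eff_on_impact)
    return {"inherent": plot(inherent_l, inherent_i), "residual": plot(res_l, res_i)}


def scale_total(severity, frequency, exposure_multiplier, maximum=1000):
    """Scale-based assessment for a class with the scale slider set to Yes:
    Total = Severity x Frequency x Exposure, which must not exceed Maximum value."""
    total = severity * frequency * exposure_multiplier
    if total > maximum:
        raise ValueError(f"total {total} exceeds the scale maximum {maximum}")
    return total


if __name__ == "__main__":
    result = assess(5, 4, "Effective", "Partial")
    print("inherent:", result["inherent"]["level"], "residual:", result["residual"]["level"])
    print("scale total:", scale_total(severity=10, frequency=5, exposure_multiplier=2))
```

Note the two points a practitioner should check in any such setup: the level thresholds must cover every cell of the matrix (the final AssertionError guards against a gap), and scores outside the configured Size are rejected rather than silently clamped, so a 6 on a 5×5 matrix is a data error, not a "very high" rating.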
Risk response is the process of developing strategic options and determining actions to enhance opportunities and reduce threats to the organization’s objectives. An enterprise team member is assigned to take responsibility for each risk response.
Expand the Strategy and response Fast tab
Select the relevant Strategic pillar from the dropdown list
Enter the Control strategy
Enter the Responsibility
Select the relevant Risk response from the dropdown list
It is important for risk assessments to be carried out regularly so that employers can identify any substance or thing that may pose a danger to health and safety and ensure that the necessary preventative control measures are implemented. The risk assessment should include information on all present hazards in the organization, their necessary control measures, all the safe systems of work and monitoring procedures in place.
If required, select a Baseline risk from the dropdown list. This functionality will display and bring forward all the risk/hazard data captured on the baseline entity, into the new risk assessment form.
Users can override the default values from the baseline risk
Additional hazard details can be entered
Update the new information to an existing risk register
OR
Click on the Create new register button to create a new Risk register
To ensure that only operational risk assessments can be done from the Permit to work, Incidents and Investigations forms, the Class field on the Risk assessment dialog is not editable there and defaults to Safety.
When a risk assessment is done:
The values that are entered in the Site and Department fields will populate the Site and Department fields on the new Risk register header under the General Fast tab
Under the Default line values Fast tab of the detail Risk register form, the Use header site and department field will automatically be set to Both. This will now default through to the Risk lines
On the All operational risk registers list page, on the action pane, in the New group, click on the Operational risk button
Manually enter the following details:
Update the Description of the risk register
Select the relevant Class from the dropdown list
Select the risk Type from the dropdown list
Add more Hazards if required
If the new details that were entered are not related to an existing register, click on the Create new register button
OR
Select an Existing risk register which currently exists in D365
Click on the Add to existing register button
If an “Add to existing register” transaction is done, Dynamics 365 will check whether a similar hazard already exists. The criterion for the duplicate check is:
An existing hazard record under the existing Risk register
A message will appear to warn the user that a similar risk already exists
Operational risk management (ORM) is defined as a continual cyclic process that includes risk assessment of hazards with a health and safety impact, risk decision making, and implementation of risk controls, resulting in acceptance, mitigation, or avoidance of risk.
Financial risk management (FRM) is the practice of mitigating loss of economic value in a firm by using financial instruments to manage exposures such as credit risk, market risk, foreign exchange risk, volatility risk, liquidity risk, inflation risk and commodity risk. (Reserved for a future version)
Enterprise risk management (ERM) is a plan-based business strategy that identifies, assesses, and prepares for any potential non health & safety related risks that may interfere with an organization's operations and objectives.
Step 2: Baseline and Hazards
Under the Template Field group, the user has the option to select a Baseline risk
Under the Header detail Field group:
Enter a description for the Register
Select the unique Process ID from the dropdown list
Select the unique Activity ID from the dropdown list
The Class field will by default be Safety
In the Type field, select the Risk type from the dropdown list
Under the Line defaults Field group:
Select the relevant Site from the dropdown list
Select the relevant Department from the dropdown list
Enter a detailed Description of the risk
Select the relevant Location from the dropdown list
Select the relevant Object from the dropdown list
Select the relevant Job plan from the dropdown list
In the Risk owner field, indicate the owner of the risk (Employee/Department)
Under the Risk lines Field group:
Click on the Add button
Select the relevant Hazard from the dropdown list
Click on the Next button
To ensure that the information entered in Step 3 to Step 7 is applied to each hazard (line) selected under the Risk lines Field group, click on the Apply these values to every risk line from step 2 button
Step 3: Who or what might be harmed
Click on the Add button
Select Who or what affected from the dropdown list
Click Next
Step 4: Possible consequences
Click on the Add button
Select the relevant Consequences from the dropdown list
Click Next
Step 5: Inherent risk rating
Select the Likelihood and Impact ratings
Click Next
Step 6: Mitigation
Select the relevant Mitigation effectiveness on likelihood
Select the relevant Mitigation effectiveness on impact
Click on the Add button and select the relevant Preventative and corrective controls
Click Next
Step 7: Residual risk rating
Select the Likelihood and Impact ratings
Click Next
Step 8: Completion
On the Completion form, click on the Finish button
In order to go to the previous screen, the user can choose to click on the Back button at any stage.
When the Cancel button is clicked a warning will pop up to warn the user that all data that has been entered, will be lost.
Step 11: Using Risk assessments with Project WBS
Go to: Project management and accounting > Projects > All projects
Select the relevant project
Under the General Fast tab, in the Risk register field, select the relevant Risk register from the dropdown list
On the Action pane, click on the Plan tab
On the Action pane, in the Activities group, click on the Work breakdown structure button
On the Work breakdown structure, select the relevant WBS ID
Click on the Details button
On the Line details dialog for the selected WBS line (Line details for 000185 in the example), in the Risk line field, select the relevant Risk line from the dropdown list
Click on the OK button
Step 12: Using Risk assessments with Maintenance
Go to: Asset management > Work orders > All work orders
Select the relevant Work order
Open the Lines view
Under the Line details Fast tab, select the relevant Risk register from the dropdown list
The asset (selected on the Work order line) and its functional location must be the same as the object and location selected on the Risk register header.
The Bowtie method is a risk evaluation method that can be used to analyze and demonstrate causal relationships in high-risk scenarios. The method takes its name from the shape of the diagram that you create, which looks like a men’s bowtie. A Bowtie diagram does two things. First of all, a Bowtie gives a visual summary of all plausible accident scenarios that could exist around a certain Hazard. Second, by identifying control measures the Bowtie displays what a company does to control those scenarios.
The Bowtie method includes at least four major steps, Identify, Assess, Control and Recover, and starts with a hazard.
Go to: GRC > Risk > Operational risk assessment
If required, select a Baseline risk from the dropdown list. This functionality will display and bring forward all the risk/hazard data captured on the baseline entity, into the new risk assessment form.
To indicate that you are doing a Bowtie risk assessment, move the Bowtie slider to Yes
Users can override the default values from the baseline risk
Additional hazard details can be entered
Update the new information to an existing risk register
OR
Click on the Create new register button to create a new Risk register
Only the FIRST Hazard in the grid will be recorded for the Bowtie risk
The relevant Risk register will open in the Lines view
Under the Bowtie analysis Fast tab, in the IDENTIFY -> THREATS field group, click on the Add button and add the relevant Threats
Select the Threat that you want to add the Barrier to, then click on the Barriers button
On the Control – Barriers dialog, click on the relevant Control measure Index tab
Click on the Add button and select the relevant Barriers from the dropdown lists
Under the Bowtie analysis Fast tab, in the ASSESS -> CONSEQUENCES field group, click on the Add button and add the relevant Consequences
Select the Consequence that you want to add the Measure to, then click on the Measures button
On the Recovery – Measures dialog, click on the relevant Control measure Index tab
Click on the Add button and select the relevant Measurements from the dropdown lists
Expand the Mitigation Fast tab (Not Bowtie view)
The Action due date = Planned end date
Only the selected Threat or Consequence lines will be displayed under the Mitigation Fast tab
Complete the Risk register Header view as described in Step 5 above
To view the list page displaying all Bowtie registers:
Go to: GRC > Risk > Registers > All bowtie registers
Where risk assessments can be done from:
Incidents – normally back-office staff will interpret all reported incidents; on the Incident tab on the Action pane
Inspections – on the Inspection journal, on the header
Permit to work – on the header, on the Action pane
Area of Compliance – on the Risk source Fast tab of the Risk register lines, users can select the compliance standard
Projects – on the Manage tab on the Action pane
Investigations – on the Investigation tab on the Action pane
Activities – on the Activity tab on the Action pane (useful for COSHH)
Internal Audit RCM – auditors can do a risk assessment on the Risk Control Matrix
Go to: GRC > Risk > Worksheets > Operational risk worksheet
The same information as per Risk register can be worked on via the Risk worksheet. The objective of the risk worksheet is to have all risks/hazards displayed in a flat list (regardless of which Risk register they belong to) and to manage these risks via controls.
Refer to the GRC page on Risk worksheet for a step-by-step guide.
All risks of class Finance and Enterprise are excluded from the above and from the Risk analysis
The risk management report is an important document in the risk management file and acts as a check or quality control which provides an assurance that the risk management plan has been implemented correctly, the overall residual risk is acceptable, and that mechanisms are in place for the compilation of production and post-production information.
Go to: GRC > Risk > Risk management reports
On the Action pane, click on the New button
On the New risk management report dialog:
Enter the Name of the report
Enter the Document number
Enter a brief Description for the report
Select the Employee responsible for the report, from the dropdown list
Click on OK
On the Risk management report form, under the Content Fast tab, open the References Index tab
The user can add lines one by one manually by clicking on the Add button in the button strip
Enter a Reference ID
Enter a brief Description for the reference
In the Element relation type field, select the relevant type from the dropdown list
Select the relevant Element relation from the dropdown list
OR
Add Risk lines from the risk register linked to the Department selected under the Cover page Index tab
OR
Add clauses from the Legal register linked to the Department selected under the Cover page Index tab
The Bowtie report gives users the ability to evaluate the probability and severity of risks, document risk causes, quantify potential risk impacts, assign, and monitor risk controls, and systematically evaluate the full spectrum of factors that contribute to the organization’s overall risk exposure.
Go to: GRC > Risk > Registers > All bowtie registers
In the Action pane, in the Print group, click on the Bowtie report button
Incident:
An unplanned event resulting in, or having the potential for, injury, ill health, damage or other loss. Incidents may involve actual or potential injury/illness, property/environment damage, motor vehicle accidents or near misses.
Hazard:
Any source or situation with a potential for harm in terms of injury/illness, damage to property/plant/equipment, or damage to the environment.
Risk:
A risk is the likelihood that exposure to a hazard will result in injury or disease.
Risk Assessment:
The process of analyzing all of the risks associated with hazards and evaluating them to determine steps for risk control and priorities. Risk Assessment considers two main factors:
The likelihood that the hazard will result in injury/illness, loss or damage to the environment, property, plant or equipment. This assessment of likelihood also needs to consider frequency or exposure to the hazard.
The potential severity of that injury, illness, loss or damage.
Risk Score:
The risk score is the number allocated following risk assessment, which describes the level of risk, ranging from H (very high risk) to L (very low risk). The risk score is also used to identify the priority and timeframe of response to the identified hazard.
Risk Control:
Risk Control is a method of managing the risk, which involves taking actions to eliminate and/or reduce the likelihood that exposure to a hazard will result in injury/disease. There is a hierarchy of control measures to be followed, with the primary emphasis on controlling the hazards at source. Methods of risk control, in preferred priority order, are:
Elimination
Substitution
Isolation – enclosing or isolating a hazard
Engineering controls/Redesign – changing processes, equipment, etc.
Administrative controls – changing work procedures
Personal Protective Equipment
COSHH:
Control of Substances Hazardous to Health Regulations. These Regulations require employers to control exposure to hazardous substances to prevent ill health.