QualityOne Vaults help you manage the risk associated with enterprise, operational, product, project, and customer processes in your business using QualityOne’s Risk Management feature. Risk Management includes the ability to define risk levels using risk matrices, then assess related risks using risk registers. Risk Management supports creating and performing HAZOP (Hazard and Operability Studies) and P-FMEA (Process Failure Modes and Effects Analysis) types of risk studies. These tools help your organization remain compliant with the most up-to-date requirements for risk-based decision making, while preventing risks before they become a reality.
Depending on your Admin’s configuration, object, field, and section labels may appear differently than the labels mentioned in this article.
Note: Depending on your Admin’s configuration, Vault may not prompt you to define detectability when creating risk-related records. You may also be able to add detectability to existing two-dimensional matrices.
Risk Matrix
A Risk Matrix is a definition of risk, based on severity, likelihood of occurrence, and detectability. This allows your organization to assess, mitigate, and ultimately prevent risk.
How to Create a Risk Matrix
To create a Risk Matrix:
- Create a Risk Matrix record from a custom tab or from Admin > Business Admin.
- In the dialog, select a risk matrix type of qualitative or quantitative.
- Enter a Name for the matrix.
- Click Save to create the new Risk Matrix.
- In the new Risk Matrix record, create and define related Severity, Likelihood, and Detectability records.
- Define the color palette for your Risk Level records. These are the cells of your matrix chart.
Vault automatically creates Risk Matrix Setup records and populates fields with data from related Severity, Likelihood, Detectability, and Risk Level records.
Note: Manually creating Risk Matrix Setup records with duplicate combinations of Severity and Likelihood prevents the related Risk Matrix Visualization from displaying. Visualization is available for two-dimensional matrices only. Contact your Admin for more details.
Risk Registers
A Risk Register is a repository of risk-related events or opportunities that can potentially occur. These events or opportunities may require action to reduce their risk levels. The intent is to assess risks proactively and attempt to prevent them before they occur. Typically, a cross-functional team identifies potential risks and opportunities. This assessment typically takes place before, rather than after, a quality issue occurs. For example, a customer complaint, a hazardous incident, or a product nonconformance.
How to Create a Risk Register
To create a Risk Register:
- Create a Risk Register from the Risk Management > Risk Register tab or from Admin > Business Admin.
- Create Risk Events within the register. Link a matrix to this event using the Risk Matrix field. For example, you could link an event to the “Supplier Risk Matrix”, when assessing a supplier-related risk.
- Depending on your selection for Risk Response, you may be required to take mitigation actions.
Example Risk Register Setup
You can use the following example steps to help set up your Risk Register:
- You create the “Cholecap Risk Register” record to manage risk related to introducing your new Cholecap product to the market. You want to assess the risk related to the distribution of your product, so you create a risk event and select your “Supplier Risk Matrix” as your definition of risk. Your matrix determines the Risk Level Before as “Low”.
- Your organization’s risk response strategy is to mitigate all risk, so mitigation actions are necessary. You create a Mitigation Action record and use the Owner field to assign the action to a specific user.
- The assigned owner then completes the Mitigation Action task and describes the actions taken.
- In the Residual Risk lifecycle state of the Risk Event’s workflow, you then populate the Severity After field with “Slight Impact” and the Likelihood After field with “Rare” since the mitigation action helped reduce the severity of the risk as well as the likelihood the risk event will materialize. You also populate the Detectability After field with “Low Probability”. If the team agrees the risk has been reduced to an acceptable level, you can close the risk event. If not, additional risk treatment may be required where you can assign additional mitigation actions.
Your organization now has a Risk Event record of the risk assessment related to the identified risk event of this nature.
Risk Events
A Risk Event is an object record that describes a potential risk which may have a detrimental effect on the business should it occur on each Quality and HSE Event. Every risk event goes through a standard risk assessment whereby the risk is first identified, analyzed, and evaluated based on the definition of risk using a particular risk matrix. Then the risk is treated with mitigation activities, and any residual risk is assessed.
Critical Fields
Risk Events have several fields that help you describe the risk addressed through the risk assessment process:
- Severity Before, Likelihood Before, and Detectability Before: These fields represent how severe, how likely, and how detectable the risk event is before you complete any mitigation actions.
- Severity After, Likelihood After, and Detectability After: These fields represent how severe, how likely, and how detectable the risk event is after you complete mitigation actions. The effectiveness of the mitigating activities will help to assess residual (remaining) risk after the mitigation actions are fully executed.
- Risk Level Before and Risk Level After: Vault populates these fields based on the definition of the Risk Level cell from the selected risk matrix.
Mitigation Actions
The mitigation action object type helps you take steps to avoid, mitigate, or transfer identified risks. You can assign these mitigation actions to users in your Vault, provide due dates, and describe what the assignee must do to mitigate the risk.
You can create Mitigation Actions from Risk Event records.
After completing any mitigation actions, use the Actions Taken field to give specific details on the actions you took. This field is crucial for determining Severity After, Likelihood After, and Detectability After on the related Risk Event.
Quality & HSE Events
Quality Events and HSE Events capture quality issues and incidental hazards to help identify potential risks. You can associate NCR and HSE Events from Risk Event records to provide visibility and identification for risk assessment.
Risk Study
A Risk Study is an object record that captures risk methodologies such as HAZOP and P-FMEA . HAZOP is a risk study that identifies and analyzes potential hazards and operability issue nodes within the system, personnel, and equipment. P-FMEA is a risk study that identifies and analyzes potential process failure modes and their causes and effects on business processes. Using either of these types of risk studies allows you to detail and assess potential study risks. Each risk scenario you identify is assigned a score based on the Risk Matrix. Vault uses the score to calculate the RPN (Risk Priority Number), allowing you to easily decide to accept the risk or create a Mitigation Action for the risk analysis.
How to Copy a Risk Study
You can save time and effort starting a new Risk Study by copying the details from a completed Risk Study using the Copy Risk Study action; your action name may vary. This action differs from the Copy Record action as it is built to copy the hierarchy of a Risk Study and its related records by cloning the Risk Study, HAZOP Node, FMEA Process Step, and Risk Analysis records for Risk Study, HAZOP, and P-FMEA.
To copy a completed Risk Study, navigate to the appropriate Risk Study record and select Copy Risk Study from the All Actions menu. When the copy is complete, you’ll receive a notification that the Risk Study has been created with a link to the new record.
Note: Vault does not copy a Risk Study record when more than 1,000 records are available to copy from the Risk Study record.
Adding Detectability to Existing Matrices
If your Admin configures detectability after you created matrices with just severity and likelihood, you can update them to include detectability and convert them to a three-dimensional risk matrix. To do this:
- Add Detectability records to an existing Risk Matrix in the detectability section.
- Add values to the detectability fields on the applicable Risk Event records. Vault now calculates risk based on severity, detectability, and likelihood.
Once you define detectability and convert the matrix to three-dimensional, you cannot revert it to a two-dimensional matrix.