QualityOne Vaults allow you to manage the risk associated with enterprise, operational, product, project, and customer processes in your business using QualityOne’s Risk Management feature within the QMS and HSE applications. Risk Management includes the ability to define risk levels using risk matrices, then assess related risks using risk registers. Risk Management supports creating and performing HAZOP (Hazard and Operability Studies) and P-FMEA (Process Failure Modes and Effects Analysis) types of risk studies. These tools help your organization remain compliant with the most up-to-date requirements for risk-based decision making, allowing you to control risks before they become a reality.

Risk Management Objects

QualityOne uses the following objects and object types to support Risk Management:

Risk Matrix Objects

  • Risk Matrix: Stores the definition of risk based on severity, likelihood, and detectability (if enabled) used to calculate risk level (also known as criticality) for a given context such as a quality Risk Matrix. You can create two (2) types of risk matrices: qualitative and quantitative.
  • Severity: Defines various levels of risk if it materializes in a given matrix (for example, “Minor”, “Moderate”, or “Major”). These records represent the columns of a typical Risk Matrix chart.
  • Likelihood: Defines the probability that a risk event will happen (for example, “Rare”, “Likely”, or “Highly Likely”). These records represent the rows of a typical Risk Matrix chart.
  • Detectability: Defines the difficulty of noticing the issue. For example, “Unlikely” or “Likely” or “Highly Likely”. These records represent the third axis in a three-dimensional Risk Matrix.
  • Risk Level: Defines the risk level (also known as criticality or impact) based on a combination of Severity, Detectability (if enabled), and Likelihood. These records represent the individual cells of the typical Risk Matrix chart. You can define the color for the cells of your matrix chart.

Risk Register Objects

  • Risk Register: Stores records of risk ledgers that you can use to manage specific risk events and the actions they require with an identified context. For example, you may create an “Enterprise Risk Register” to assess risk events that occur across your entire business or a “Product Risk Register” to assess risk events that occur at the product level for a newly commercialized product.
  • Risk Event: A potential risk or opportunity that may occur and may require a mitigation activity to reduce the impact of the identified risk.
  • Mitigation Action: Tracks mitigation actions that you must complete depending on the response to a risk event to reduce the risk to an acceptable level.
  • NCR: Captures nonconformance records associated with the risk event.
  • HSE Event: Captures health, safety, environmental, and vehicle or property damage incidents, near misses, and hazards associated with the risk event.

Risk Study Objects

  • Risk Study: Stores and performs risk analysis on risk study types such as HAZOP and P-FMEA. Users may copy an existing Risk Study to use the same parameters for future studies. Users utilize Risk Studies to assess the acceptance level of a risk when deciding to accept or mitigate the risk.
  • Risk Analysis: Stores the definition of what the deviation, cause, and consequences of a risk before and after mitigation for HAZOP, the definition of what the process step, failure mode, effect, cause, and controls are before and after mitigation for P-FMEA, and the definition of what the severity, occurrence, and detectability scores are before and after mitigation for the Risk Matrix.
  • HAZOP Node: Stores the set of nodes to be identified with supporting information when used for HAZOP risk studies.
  • FMEA Process Step: Stores the set of process steps to be identified with supporting information when used for P-FMEA risk studies.

Risk Matrix Visualization

Vault can display the traditional risk matrix chart as a section in a Risk Matrix record. The visualization is a chart with colored cells corresponding to the values defined in your risk matrix for each combination of severity and likelihood.

To insert a risk matrix visualization section into a Risk Matrix object layout:

  1. Navigate to Configuration > Objects > Risk Matrix > Layouts.
  2. Select the layout you want to update.
  3. Click Insert Section, and choose Risk Matrix Preview.
  4. Enter a Label for the section.
  5. Click Done.
  6. Optional: Click and drag your Risk Matrix section to reorder.
  7. Click Save.

Example: Qualitative Risk Matrix Visualization

Qualitative Risk Matrix

Example: Quantitative Risk Matrix Visualization

Quantitative Risk Matrix

About Risk Matrix Dimensions

If you enabled Risk Management in your Vault prior to 23R3 and need to use both 2D and 3D matrices in the same Vault, you must contact your Veeva Representative to enable and configure.

Detectability in 3D Matrices

Vault calculates risk based on severity and likelihood of occurrence and displays it in a two-dimensional matrix. If enabled for your organization, you can also include detectability as the third factor in Vault’s risk calculations to convert your matrix into a three-dimensional matrix. Matrix visualization is not available for three-dimensional matrices. Once you enable detectability and build 3D risk matrices, we do not recommend turning off 3D matrices in your Vault.

Configuring Risk Management Object Actions

The Risk Study object lifecycle contains the Copy Risk Study action. This action triggers Vault to clone the related Risk Study, HAZOP Node, FMEA Process Step, and Risk Analysis records into a new set of records.

When users run the Copy Risk Study action, Vault does not copy the following:

  • System-managed fields.
  • Fields if the Do not copy this field in Copy Record configuration is selected.
  • HAZOP Node and FMEA Process Step records if the Allow Hierarchy Copy configuration is unselected.
  • A Risk Study record when more than 1,000 records are available to copy from the Risk Study record.

You can add this action as a record action on the Risk Study object or as a user action on the appropriate Risk Study Lifecycle states, depending on your business needs.