QualityOne Vaults allow you to manage the risk associated with enterprise, operational, product, project, and customer processes in your business using QualityOne’s Risk Management feature. Risk Management includes the ability to define risk levels using risk matrices, then assess related risks using risk registers. Risk Management supports creating and performing HAZOP (Hazard and Operability Studies) and P-FMEA (Process Failure Modes and Effects Analysis) types of risk studies. These tools help your organization remain compliant with the most up-to-date requirements for risk-based decision making, while preventing risks before they become a reality.

Risk Management Objects

QualityOne uses the following objects and object types to support Risk Management:

Risk Matrix Objects

  • Risk Matrix: Stores the definition of risk based on severity and likelihood, used to calculate risk level (also known as criticality) for a given context such as a quality Risk Matrix. You can create two (2) types of risk matrices: qualitative and quantitative.
  • Severity: Defines various levels of risk if it materializes in a given matrix (for example, “Minor”, “Moderate”, or “Major”). These records represent the columns of a typical Risk Matrix chart.
  • Likelihood: Defines the probability that a risk event will happen (for example, “Rare”, “Likely”, or “Highly Likely”). These records represent the rows of a typical Risk Matrix chart.
  • Detectability: Defines the difficulty of noticing the issue. For example, “Unlikely” or “Likely” or “Highly Likely”. These records represent the third axis in a three-dimensional Risk Matrix.
  • Risk Level: Defines the risk level (also known as criticality or impact) based on a combination of Severity, Detectability, and Likelihood. These records represent the individual cells of the typical Risk Matrix chart. You can define the color for the cells of your matrix chart.

Risk Register Objects

  • Risk Register: Stores records of risk ledgers that you can use to manage specific risk events and the actions they require with an identified context. For example, you may create an “Enterprise Risk Register” to assess risk events that occur across your entire business or a “Product Risk Register” to assess risk events that occur at the product level for a newly commercialized product.
  • Risk Event: A potential risk or opportunity that may occur and may require a mitigation activity to reduce the impact of the identified risk.
  • Mitigation Action: Tracks mitigation actions that you must complete depending on the response to a risk event to reduce the risk to an acceptable level.
  • NCR: Captures nonconformance records associated with the risk event.
  • HSE Event: Captures health, safety, environmental, and vehicle or property damage incidents, near misses, and hazards associated with the risk event.

Risk Study Objects

  • Risk Study: Stores and performs risk analysis on risk study types such as HAZOP and P-FMEA. Users may copy an existing Risk Study to use the same parameters for future studies. Users utilize Risk Studies to assess the acceptance level of a risk when deciding to accept or mitigate the risk.
  • Risk Analysis: Stores the definition of what the deviation, cause, and consequences of a risk before and after mitigation for HAZOP, the definition of what the process step, failure mode, effect, cause, and controls are before and after mitigation for P-FMEA, and the definition of what the severity, occurrence, and detectability scores are before and after mitigation for the Risk Matrix.
  • HAZOP Node: Stores the set of nodes to be identified with supporting information when used for HAZOP risk studies.
  • FMEA Process Step: Stores the set of process steps to be identified with supporting information when used for P-FMEA risk studies.

Risk Matrix Visualization

Vault can display the traditional risk matrix chart as a section in a Risk Matrix record. The visualization is a chart with colored cells corresponding to the values defined in your risk matrix for each combination of severity and likelihood.

To add a risk matrix section to your Risk Matrix object page layout:

  1. Navigate to Configuration > Objects > Risk Matrix > Page Layouts > [Page Layout].
  2. Click Create Section, and choose Risk Matrix Preview.
  3. Enter a Label for the section.
  4. Click Done.
  5. Optional: Click and drag your Risk Matrix section to reorder.
  6. Click Save.

Example: Qualitative Risk Matrix Visualization

Qualitative Risk Matrix

Example: Quantitative Risk Matrix Visualization

Quantitative Risk Matrix

About Detectability

By default, Vault calculates risk based on severity and likelihood of occurrence and displays it in a two-dimensional matrix. You can also include detectability in risk matrices, which Vault displays in a three-dimensional matrix.

Enabling Detectability for Risk Matrix

Contact your Customer Success Manager to enable detectability in your QualityOne Vault. Detectability cannot be disabled and users are required to define detectability when creating and updating Risk Registers and Risk Events.

Once enabled, you must update your Risk Management configuration in order for Vault to include detectability when calculating risk.

Adding Detectability to Risk Management Configuration

If you have an existing Risk Management configuration that includes only severity and likelihood, you must update the configuration to also include detectability. Once configured, users can create new matrices or update existing records to include detectability.

To update your Risk Management configuration to include Detectability:

  1. On the Detectability field on the Risk Matrix Setup object, select the User must always enter a value (required) checkbox to make the field required.
  2. On the Risk Event object:
    1. Add the Detectability Before and Detectability After fields to the page layout.
    2. Update the formula expressions on the risk level fields to account for Detectability scores in your risk scoring models.
  3. On the Risk Matrix object page layouts:
    1. Add Detectability as a related object section.
    2. Ensure that Detectability Rating is a column to display in the new object section.

Vault displays risk in a two-dimensional matrix until users edit a Risk Event, at which point they must define detectability. When detectability is defined, Vault converts the two-dimensional matrix to a three-dimensional matrix. Once converted, matrices cannot be reverted to two-dimensional.

If you do not configure your Risk Management configuration to include detectability, Vault will continue to calculate the Risk Level with just severity and likelihood of occurrence.

Configuring Risk Management Object Actions

The Risk Study object lifecycle contains the Copy Risk Study action. This action triggers Vault to clone the related Risk Study, HAZOP Node, FMEA Process Step, and Risk Analysis records into a new set of records.

When users run the Copy Risk Study action, Vault does not copy the following:

  • System-managed fields.
  • Fields if the Do not copy this field in Copy Record configuration is selected.
  • HAZOP Node and FMEA Process Step records if the Allow Hierarchy Copy configuration is unselected.
  • A Risk Study record when more than 1,000 records are available to copy from the Risk Study record.

Depending on your business needs, you can add this action as a record action on the Risk Study object or as a user action on the appropriate Risk Study Lifecycle states.