Risk Assessments | CCQ - Cloud Compliance & Quality

CCQ helps you develop realistic, cost-effective strategies for dealing with risk. The first step in preparing a risk assessment is to identify potential risk factors or hazards your company faces. Careful analysis of their consequences allows managers to devote resources where needed, and enables them to establish efficient control measures to offset any negative impact. As a result, companies gain a better understanding of their risk profile and are better suited to capitalize on opportunities.


Filtering

When you enter the Risk assessments interface, you can select different views by filtering out the documents that you want to inspect. There’s a drop-down list with different filtering options at the top of the interface. The risk assessments then appear in a list below, in accordance with the selected filter.

The list layout includes four different attributes or columns that you can use to sort and display the documents in ascending or descending order. In addition to the assessment title, the columns concern the version number, risk rating and risk management plan of the assessment.

All documents

When All documents is selected, you get an overview of all risk assessments in the system. You can control how many documents are shown on the page you’re viewing, via a drop-down list on the top-right side. The options you’re given are 5, 10, 15, or 25 documents.

My documents

When My documents is selected, you get an overview of all risk assessments that have been added to a risk management plan that you are either the owner of, or responsible for.

At risk

If you’re interested in finding risk assessments related to something specific that’s At risk, you can use this filter. When this filter is selected, an additional filter appears on the left side of the document list, listing the things you’ve identified as being at risk. These are the severity templates that you create in system settings. This additional filter can then be used to sift through the documents even further, in accordance with the selected severity template. The definition of severity templates will be covered in more detail in chapter 5.2.

By risk rating

You have the option of filtering risk assessments By risk rating. When you’re making a risk assessment and you’ve determined its severity and probability, CCQ automatically assigns a rating to the risk. The rating is calculated by multiplying the severity level by the probability ranking – this will be covered in more detail in chapter 3.2.4.4. The ratings used in CCQ are low, moderate, high, and critical. This way, the filter helps you with prioritization and finding the risks that pose the greatest overall threats.


New Risk Assessment

When you are in the Risk assessments interface and you want to create a new assessment, you simply click the New document button.

A template for a new document appears with three tabs at the top of the interface. The tabs are General, Risk management and Connection to documents. On the right-hand side, you can see which fields are required before you can save the assessment and what information you need to provide to complete the document. Once all required fields have been filled out, click Save to save the risk assessment without closing it, and then Close to close it.


General

How a company conducts risk assessments can vary widely, depending on the type of business it’s in. However, there are common practices that all companies can follow regardless of their business type or industry. CCQ makes the whole process relatively straightforward. The first step is to provide the information required in the General tab. There are fields that specify the title, risk management parent, mail list, and status of the new risk assessment.

Title

This is a required field and is obviously for specifying an appropriate title for the risk assessment. The title should adequately describe the type of risk you’re evaluating.

Risk management parent

This is also a required field. In CCQ, risk management plans are essentially a collection of related risk assessments that concern the same type of business risk. So in this context, “parent” refers to the management plan that the risk assessment should be part of. As discussed in chapter 2.2.4, this field is automatically filled out and cannot be altered if you’re entering the risk assessment template from a specific risk management plan.

Mail list

If you have a list of persons that need to be made aware of a risk assessment that’s been carried out, it can be convenient to create a mailing list. The contacts that you add to the list will receive a notification when the risk assessment is published. This is part of establishing good communication methods, and helps ensure everyone is clear on their personal roles and responsibilities.

The employees can be added to the list one at a time by clicking the relevant input field and then selecting them from the register that appears. At the top of the roster you can sometimes find mail groups previously defined in the system which, if applicable, can considerably expedite the process. Creating mail groups will be discussed in detail in chapter 5.5. Another way to pick out the employees is to click the icon next to the textbox, which opens the address book. You select the persons from the staff list by marking their checkboxes and click OK.

Status

The status of a risk assessment is indicated in one of two ways in the system: In progress or Published. When a new risk assessment is created, it gets the status In progress by default. The status can be changed simply by clicking Change status. A dialog window appears, asking if you’re sure you want to modify the document status. The risk assessment cannot be altered after it has been marked as Published, unless its status is set to In progress again. When an assessment is published, a copy of the published version appears in the Published risk assessments interface. All changes to document status are automatically saved in the system.


Management

The Risk management tab only contains information about the risk management plan that the risk assessment belongs to. The names of the stakeholder, risk owners and persons responsible are listed here. These fields cannot be modified here directly; to do that, you’ll need to go to the corresponding risk management plan and adjust the values there.


Connection to documents

Risk assessments can be linked with both documents in the Quality Manual, and assets in the Asset Management module. By going through every aspect of your operations and business activities you will most likely find plenty of risks that affect your internal processes and administrative procedures. For that reason, being able to link risk assessments with documents in the Quality Manual can be of considerable benefit.

When it comes to software and IT assets that your company uses, it’s important to identify the risks inherent in these systems. Failure to meet legal and regulatory requirements such as data protection rules may result in significant cost for your business. Moreover, employee health and safety should clearly be every company’s top priority. The importance of identifying hazardous equipment and establishing sensible control measures to provide a safe workplace cannot be overstated. By connecting risk assessments to specific business assets in your company’s arsenal, whatever they may be, you get a better sense of where to focus your mitigation efforts.

Quality manual document

The options that appear in this field depend on the risk management plan that the assessment belongs to, and the process it’s been linked with. As previously discussed in chapter 2.2.3, management plans can be connected to a specific process in the Quality Manual. This means that when you create a new risk assessment and determine its risk management parent, the associated process dictates which quality documents become available here.

Asset document

When the assessment concerns a specific asset in your company’s arsenal, you can link the assessment to that asset as well. All assets that are registered in the Asset Management module are available in the drop-down list that appears under this field.


Assessment

The process of risk assessment involves the identification and evaluation of hazards and vulnerabilities that could negatively impact the company’s ability to conduct business. The goal is not only to identify these inherent risks and their potential effects, but also to provide control measures and mitigation strategies for dealing with those risks. This will help your business to recover quickly if an incident occurs.

CCQ strives to make the assessment process as straightforward and as painless for you as possible. All you need to do is follow the steps provided as conscientiously as you can. The risk assessment template leads you through the process and shows a number of different fields that you need to fill out. You need to identify what’s At risk and evaluate the impact by estimating both Severity and Probability. It’s recommended that you pin down the Risk source and potential Consequences and finally assess current Controls, or lack thereof.

At risk

The first step is to identify exactly what is at risk in the assessment you’re making. The options available in this field’s drop-down list are the different severity templates that you define in system settings. When creating a severity template, you determine different levels of severity in accordance with what’s at risk, and you provide a treatment option for each risk rating.

The risk selected here dictates what options appear in the Severity field that comes next, and also what treatment method appears under Steps to handle risk if risk is present. The creation of severity templates will be discussed in detail in chapter 5.2.

Severity

Once you have identified the risk, you need to assess the possible impact of that risk. There are five different severity levels for each risk, which you define in the severity template in system settings, see chapter 5.2.2. The best way of thinking about impact is in terms of how much money you stand to lose. Don’t spend too much time focusing on precision with these dollar estimates; there are too many unknowns. However, money is not the only way to measure impact – it’s just a method to help you rank your risks on a scale of 1 to 5.

Probability

When you try to estimate the likelihood of the risk occurring, there’s no need to strive for scientific accuracy or try to calculate some exact percentage. Obviously there are plenty of unknown factors at play here, but a simple five-point scale will be sufficient for most businesses. Thus, each risk can be classified under one of five different probabilities. You determine the scale in system settings, which will be covered in detail in chapter 5.1.2.

Risk rating

Risk rating combines impact and likelihood levels and indicates the potential threat the risk poses to your company. By now, you’ve linked two scores to the risk in question; one for severity and one for probability. CCQ automatically multiplies these two numbers together to give an overall risk rating score, and makes the importance of the risk visibly clear. Risks that have serious consequences and are highly likely to occur will receive the highest rating, whereas risks with both low impact and low likelihood receive the lowest rating.

The levels of risk ratings are color coded, and are classified as:

  • low (green, score 1-4)
  • moderate (yellow, score 5-8)
  • high (orange, score 9-14)
  • critical (red, score 15-25)

Low risk ratings suggest that the consequences of the risk are minor, and it’s unlikely to occur. Risks of this type generally don’t pose any significant problem and in most cases, these can be safely ignored. Still, managers should be aware of them and take action, if needed.

Moderate risk ratings imply that the risk is somewhat likely to occur, and while the consequences are slightly more serious, they should not significantly affect the company. These risks are of relatively low priority and should not require extensive resources.

High risk ratings represent serious risks that have considerable consequences, and are likely to occur. Prioritize and try to respond to these risks in the near term. If these issues cannot be resolved directly, strict timelines should be established to ensure that they get sorted out without delay.

Critical risk ratings indicate risks that are of the highest priority. They have severe consequences for the company and are highly likely to occur. Prevention and mitigation strategies for these risks must be mapped out in advance in order to avert their occurrence. Should these risks come to fruition, immediate action is required so as to eliminate them completely.

As discussed in chapter 3.2.3, risk assessments can be linked to both published documents in the Quality Manual, and assets in the Asset Management module. When the risk assessment is published, the risk rating is made clearly visible in the quality document or asset, and details about the assessment can be looked up in the Information field.

Steps to handle risk if risk is present

When CCQ has calculated the risk rating score for the assessment, a treatment option automatically appears in the field Steps to handle risk if risk is present. The treatment options are defined in the severity template for the risk in question and a different course of action is provided for each risk rating level; low, moderate, high and critical. This will be explained in detail in chapter 5.2.3.
Examples of risk treatment for each risk rating level are shown in the image below.
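The rating calculation described above, worked through as an added example (this is not CCQ's own code): severity and probability are each scored 1 to 5, the rating score is their product, and the score is banded into low, moderate, high and critical using the ranges listed on this page. It goes slightly beyond the text by generating the full 5 x 5 matrix, checking that the bands leave no score uncovered, and mirroring the By risk rating filter and prioritization from chapter 3.1. The treatment texts and the sample assessments are constructed stand-ins for a severity template and real documents.

```python
"""Added example of the CCQ-style risk rating calculation.

Rating score = severity (1-5) x probability (1-5), banded into
low / moderate / high / critical. Treatment texts and sample assessments
below are constructed sample data, not CCQ's own.
"""
from __future__ import annotations

from dataclasses import dataclass

# (rating, lowest score, highest score, colour) as listed on the page.
RATING_BANDS = (
    ("low", 1, 4, "green"),
    ("moderate", 5, 8, "yellow"),
    ("high", 9, 14, "orange"),
    ("critical", 15, 25, "red"),
)

SCALE_MIN, SCALE_MAX = 1, 5  # five-point scale for both severity and probability


def risk_score(severity: int, probability: int) -> int:
    """Multiply the severity level by the probability ranking (both 1-5)."""
    for name, value in (("severity", severity), ("probability", probability)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name} must be {SCALE_MIN}-{SCALE_MAX}, got {value}")
    return severity * probability


def risk_rating(score: int) -> str:
    """Map a rating score onto its colour-coded band name."""
    for name, low, high, _colour in RATING_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} lies outside every rating band")


def bands_cover_scale() -> bool:
    """Sanity check: the bands cover every score 1..25 exactly once."""
    covered = [s for _n, low, high, _c in RATING_BANDS for s in range(low, high + 1)]
    return sorted(covered) == list(range(SCALE_MIN * SCALE_MIN, SCALE_MAX * SCALE_MAX + 1))


def rating_matrix() -> dict[tuple[int, int], str]:
    """Full 5x5 matrix: (severity, probability) -> rating band."""
    return {
        (s, p): risk_rating(risk_score(s, p))
        for s in range(SCALE_MIN, SCALE_MAX + 1)
        for p in range(SCALE_MIN, SCALE_MAX + 1)
    }


def band_counts() -> dict[str, int]:
    """How many of the 25 matrix cells fall into each band."""
    counts = {name: 0 for name, *_ in RATING_BANDS}
    for rating in rating_matrix().values():
        counts[rating] += 1
    return counts


# Constructed stand-in for a severity template's per-band treatment options.
SAMPLE_TREATMENT_STEPS = {
    "low": "Accept; record in the register and review at the next scheduled cycle.",
    "moderate": "Reduce where cheap; risk owner reviews controls quarterly.",
    "high": "Reduce with a dated action plan; report progress monthly.",
    "critical": "Avoid or reduce immediately; escalate to the risk owner today.",
}


@dataclass(frozen=True)
class Assessment:
    title: str
    severity: int
    probability: int

    @property
    def score(self) -> int:
        return risk_score(self.severity, self.probability)

    @property
    def rating(self) -> str:
        return risk_rating(self.score)

    def treatment_step(self, template: dict[str, str] = SAMPLE_TREATMENT_STEPS) -> str:
        """The 'Steps to handle risk if risk is present' text for this rating."""
        return template[self.rating]


# Constructed sample assessments (title, severity, probability).
SAMPLE_ASSESSMENTS = [
    Assessment("Backup tapes stored on site only", 4, 4),          # 16 -> critical
    Assessment("Laptop left on public transport", 3, 2),           # 6  -> moderate
    Assessment("Office printer outage", 1, 3),                     # 3  -> low
    Assessment("Staff act on a fraudulent invoice email", 3, 4),   # 12 -> high
]


def filter_by_rating(assessments, rating: str) -> list[Assessment]:
    """Mirror the 'By risk rating' filter: keep only assessments in one band."""
    return [a for a in assessments if a.rating == rating]


def prioritize(assessments) -> list[Assessment]:
    """Highest score first, so the greatest overall threats surface at the top."""
    return sorted(assessments, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in prioritize(SAMPLE_ASSESSMENTS):
        print(f"{a.score:>2} {a.rating:<9} {a.title}")
        print(f"   -> {a.treatment_step()}")
```

Note that only 14 of the 25 possible scores can actually occur as a product of two 1-5 values (7, 11, 13 and 14, for instance, never do); the band ranges are still contiguous so that any score maps to exactly one rating, which is what bands_cover_scale verifies.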

Risk source

In this field, you select the relevant source of the risk in question.
Risk source is an “element which alone or in combination has the intrinsic potential to give rise to risk.” You define different risk sources in system settings, and they’re subsequently made available in this field’s drop-down list. Risk sources will be further discussed in chapter 5.1.3.

Consequence

In this textbox, you should outline the potential consequences the risk might have on your company. It’s important to have a clear understanding of the adverse effects that a risk can have – that is, the extent of the influence or damage caused by the risk to key business assets. These can include critical infrastructure, IT systems, business operations, company reputation and even employee safety.

Note that your risk assessment should not only take into account the negative impact, it should also consider any benefits or opportunities presented by the risk.

Controls or lack of controls

Control is defined as a “measure that is modifying risk.” Controls include any process, policy, device, practice, or other actions which decrease the level of risk, although they may not always exert the intended or assumed modifying effect.

In this textbox, you make an assessment of present controls. You describe what you are currently doing to control or manage the risk, and evaluate the effectiveness of those actions. If the current controls are inadequate, you try to figure out what else you could do, either to reduce the likelihood of that risk happening, or to minimize its impact when it does happen.


Risk reduction measures

At this point, you’ve identified a certain risk to your business, prioritized it based on severity and probability, and assessed the effectiveness of current controls. The next step is to come up with a plan for dealing with the risk, because being prepared will certainly increase your chances of long-term success. You have to decide which strategy to employ; whether you want to eliminate the risk, manage it, accept it, or pass it on to someone else. Each strategy has its own advantages and disadvantages.

Avoid

If the rating of a risk is too high, you may decide to eliminate the risk completely, for example by avoiding the activity altogether, or using an entirely different approach. This is obviously a very effective way of dealing with a risk, since you eliminate the chance of incurring losses – but it has the disadvantage that you also lose out on possible benefits.

Reduce

If you don’t want to abandon the activity altogether, a common approach is to reduce the risk associated with it. This strategy is applicable for a wide range of different risks and involves steps to make the negative outcome less likely to occur, or to minimize the impact. Reducing a risk can involve costly new software or perhaps introducing new safety measures, processes and controls.

Transfer

We’re all familiar with the concept of insurance from our everyday lives, and it’s a solid alternative for dealing with risk that has a potentially large financial impact. By taking insurance, you simply transfer the risk to another party, and if anything goes awry, it’s the insurance company that bears the loss. You might also consider shifting the responsibility through outsourcing, joint ventures or partnerships.

Accept

In the case of minor risk, it may be best to simply accept it and continue with business as usual. If the risk can’t be avoided, reduced or transferred – or if the risk is extremely unlikely and therefore too impractical or expensive to treat, you may also choose to accept it. The advantage of this strategy is that there’s no cost, and it frees up resources to focus on more serious risks. Just make sure you’ve assessed the risk correctly before you decide to accept it.

The built-in text editor below allows you to put together a risk response plan, where you take all of the above into consideration. With a well-constructed plan that you regularly review and update, you’ll be better prepared to manage your risks on an ongoing basis and deal with any curveballs that come your way. Unforeseeable events can still crop up and pose challenges, but at least you’ve tried to protect the company to the best of your ability.

Text editor

The inbuilt text editor comes with all the basic features. As expected, you are presented with a blank document where you can begin typing. You have a host of formatting options for setting the font size and style, controlling line spacing and indentation, etc. You can insert tables, pictures and video, and a nice feature allows you to get links to quality documents in the system.

By clicking the icon, you can put the text editor into full screen mode to see more of the document that you’re working with. This stretches the editor to the width and height of your browser window.

Another feature allows you to fetch predefined templates for your risk assessment. In the settings menu you can create different templates that you can use in the editor. This makes it easier to introduce new risk reduction measures and keeps them consistent across assessments. This will be covered in more detail in chapter 5.3. To get a template for the reduction measures, you click the icon in the text editor. You get a list of the templates that you’ve already created in the settings menu, and then you select the appropriate one.

By clicking the icon, you will receive a list of published quality documents that you can search through and get links to, as long as your company is subscribed to the Quality Manual module.

Attachments

You can add as many attachments to a risk assessment as you want. There are various types of files you can attach to a document, ranging from simple text files to complex Visio diagrams. To add an attachment you simply click New attachment, which opens a file explorer where you choose the file to add. The selected file appears in a list at the bottom of the page, which indicates that the file has been attached, but it isn’t uploaded to the system until the assessment is saved. Conversely, if you want to remove an attachment from the risk assessment, you can do that by clicking the x next to the file.