Risk Management Plans | CCQ - Cloud Compliance & Quality

Developing strategies to manage risks is crucial if you want your business to recover quickly when an incident occurs. CCQ provides the resources to make effective risk management plans, and helps you improve and streamline your operational processes and procedures. One important step is to identify the individuals who are accountable for ensuring the risks are managed appropriately. Risk management will help you meet your legal obligations for providing a safe workplace, and can reduce the probability of an incident ever occurring.

Filtering

When you enter the Risk management plans interface, you can select different views by filtering out the documents that you want to inspect. There’s a drop-down list with different filtering options at the top of the interface. The documents then appear in a list below, in accordance with the selected filter.

All documents

When All documents are selected, you get an overview of all risk management plans in the system. You can control how many documents are shown on the page you’re viewing, via a drop-down list on the top-right side. The options you’re given are 5, 10, 15, or 25 documents.

My documents

When My documents are selected, you get an overview of all risk management plans that you are either the owner of, or responsible for.

By revision

When you filter risk management plans By revision, you get a calendar where you can find plans that are due for review on different dates. You can scan through the calendar by year, month, week or day. Risk management plans that are up for review are indicated with dots on their respective calendar dates.


New Risk Management Plan

When you are in the Risk management plans interface and you want to create a new plan, you simply click the New document button. A template for a new document appears with three tabs at the top of the interface. The tabs are General, Approvers and Connection.

Below, you have the ability to add risk assessments to the management plan. On the right-hand side, you can see fields that are required before you can save the document and what is necessary before risk assessments can be added. When all necessary fields have been filled out the risk management plan is saved (without closing) by clicking Save and then you hit Close to close the plan.


General

You should create a management plan for each main type of risk your business may face. This is the foundation or basis for the risk management strategy that you’ll employ in your company. Once you have a clear picture of your business, you can get much more specific and start identifying things that could negatively affect your organization. In the General tab there are fields that specify the title, date, revision date and stakeholder of the new risk management plan.

Title

This field is obviously for specifying an appropriate title for the risk management plan. The title should adequately describe the type of plan you’re creating.

Date

This is where you specify the date of the risk management plan. If you click the calendar icon, a datepicker will pop-up that allows you to choose a specific date. The calendar will open the current month by default, but you can easily navigate between months and years if needed.

Revise date

This is where you determine the revision date of the risk management plan.
The danger with a document like this is that you spend a great deal of time preparing it initially, but then never return to update it later. Risk assessment must be a living process and should be conducted, at the very least, on an annual basis. Risks and vulnerabilities may develop and change as your business grows, and it’s a valuable exercise to revisit the company’s risk library regularly. The risk management plan should constantly be referred to and updated to reflect new situations, new risks, and the efficiency of your controls. If your company’s risk profile is suddenly subject to substantial changes, it should certainly be revised and reassessed more frequently.

One month before a scheduled revision, the person responsible and owner of the risk management plan will receive emails saying that a review is pending. You can easily find plans that are due for review by using the corresponding filter, see chapter 2.1.3. If you don’t want the risk management plan to be revised for some reason, you simply don’t pick a date in this field.

Stakeholder

This is where you specify the stakeholder of the risk management plan.
A stakeholder can be a “person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.” Stakeholders are defined in the system settings. This will be covered in more detail in chapter 5.1.1.


Approvers

In the Approvers tab you can specify the owner of the risk management plan, as well as the person that’s responsible for it. Several risk owners can be specified for each plan, as well as a number of responsible persons.

The employees can be selected one at a time by clicking the relevant input field and finding the right people in the register that appears. Another way to pick out the employees is to click the icon next to the textbox, which opens the address book. You select the people from the staff list by marking their checkboxes and click OK.

Risk owner

A risk owner is defined as a “person or entity with the accountability and authority to manage a risk.” In other words, the risk owner is an individual who is ultimately accountable for ensuring the risk is managed appropriately. He is responsible for identifying, monitoring and reviewing risks, and is involved in defining their associated controls and response plans. The risk owner usually oversees the coordination of efforts to properly mitigate the risk and reduce its impact.

Responsible person

Generally speaking, everyone within the organization is responsible for some element of risk handling. For every risk management plan, it’s crucial that it’s communicated to everyone whose cooperation or involvement is required for the plan to be successful. Otherwise, the plan’s objectives may not be realized. Everybody should be well informed and made aware of imminent risks and their potentially adverse effects.

The management of risk primarily resides with risk owners and at least one person responsible. Responsible persons typically include key individuals, with expertise in handling risk in a particular area, and project managers. They have the shared responsibility of developing the mitigation plan for the identified risks and putting the measures in place to keep those risks to an acceptable minimum.


Connection

In the Connection tab you can link the management plan with a specific process in the Quality Manual. This means that when you add a risk assessment to a management plan that’s been linked with a process, you can connect that assessment to the quality documents that are related to that process.


Add risk assessment

In CCQ, the main content of every risk management plan is naturally the different risk assessments you’ve made. Risk management plans function as kind of umbrellas for related risk assessments – i.e. assessments that concern the same type of business risk.

By clicking Add risk assessment, you’re redirected to the template for a new risk assessment where the “parent” field is already filled out for you. Since you’re adding the assessment to the risk management plan that you’re currently in, the value of the field cannot be changed. Creating new risk assessments will be covered in more detail in chapter 3.2.