Risk Management: Steps for performing common tasks
Things you need to know
There are two types of users:
- standard users, who can all record risks
- risk administrators, who can assign risks, manage them, and close them.
There are also two main set-up functions:
- Admin, which is available only to the Super Admin
- Set-Up, which is available to all risk administrators, including the Super Admin.
The module has been populated with content so that a risk can be logged immediately. The set-up content can of course be changed and added to.
All notifications are sent by email and listed on the Risk tab of the Summary page.
You can download the full user manual by logging in to your isoTracker demo account and clicking the Help button at the top right.
Admin: Creating users
To add a user:
- click Admin at the top right and choose Manage Users
- click Create New User
- enter a username and password, both with at least six alphanumeric characters (the password is case sensitive)
- enter the user’s details, including first name, last name and email address (each user’s email address MUST be unique and also must differ from the Super Admin’s address)
To make a user a risk administrator, which means they can assign, manage, and close risks:
- click Risk in the Administrator box on the left and move it to the box on the right
- click Submit & New at the bottom of the page
- repeat to add additional users.
Admin: creating a database of suppliers
To speed up risk registration, you can load a pre-existing list of suppliers, either individually or in bulk.
To add a new supplier,
- click the Admin icon at the top right of the page
- click the Suppliers icon and choose Add New Supplier
- enter the details of a supplier, including an email address
- click Submit.
You can customize the default fields for entering supplier details using the Settings section. You can also reorder and deactivate certain fields by using the Add Fields section.
Note that you can delete suppliers only if they are not the subject of a risk. This list can be easily searched when logging a risk. The process for adding a customer or an employee is similar.
Admin: creating a database of products
The products section has already been set up with a Category text box, a Size drop-down list, and a Lot No field. Note that a blank field can be entered only on the New Risk page. You can change those fields if a risk about a product has not been recorded, or contact us for assistance and we’ll make the changes.
To add a new product:
- click Admin at the top right and then click Products
- choose Add Products
- enter the product’s details in the relevant fields
- click Submit.
The steps for adding a process are similar.
Admin: creating a custom database
Existing databases are available for recording customers, suppliers, employees, products, processes, or “various” (a catch-all for people). In addition, you can choose to create up to three custom databases, using the Others section.
To create a new database:
- click Admin at the top right, click Others, and then click the Others 1 tab
- change the name of the Others 1 database by clicking the little pen icon on the left of the name, typing in the new name, and clicking the Save option that appears
- create up to four fields (drop-down lists or text boxes); note that if you select Yes for the Blank Field option when creating a text box, this field can be populated only on the New Risk page and does not hold data centrally
- click Submit.
You can now add entries to the custom database, either individually or in bulk. You can also add entries “on the fly”, when recording new non-conformances.
If you do not wish for the Others 2 and Others 3 listings to appear on the About drop-down list on the New Risk page, go to Set-Up > About and click the word Active in the Status column to deactivate the relevant items.
Set-Up: Customizing the module
As previously mentioned, the module has been populated with content. Using the Set-Up section, you can customize existing, default settings.
To access the Set-Up section, click the Risk icon and then choose Set-Up at the top of the screen.
The section includes settings such as the following:
- Risk Fields > Risk Definition: includes Risk Type and Risk Control Area drop-down lists. Two additional, custom fields can be added.
- Risk Fields > Risk Assessment: includes Assessment Date and Assessment By fields. Two additional, custom fields can be added.
- Risk Fields > Risk Resolution: includes Completion Date and Completed By fields. Two additional, custom fields can be added.
- Risk Fields > Resolution Effectiveness: includes Completion Date and Completed By fields. Two additional, custom fields can be added.
- Risk Matrix: the risk matrix is built from five Likelihood options, five Impact options, and four Rating options. The options can be edited. The matrix elements can also be changed but only before any risks are logged in the system.
- Number: you can create additional numbering systems
- Responsibility: determine users (other than risk administrators) who have the right to be assigned risks and to manage them
- Status: change the default names of different statuses to terms familiar to you
- Action Required: determine which fields to display on the Action Required page, which is the module’s default opening page and lists active risks
- Object Activate/Deactivate: re-order objects (also known as sections) by dragging and dropping them; deactivate an object by clicking its Active entry in the Status column; change the name of an object by clicking the Edit icon in the Action column and typing a new name; and add up to two new objects using the Add a New Object On the Settings tab, you can choose to change the default opening page from the Action Required page to the Risk Matrix page. You can also choose whether closing a risk must be a one- or two-step process.
Recording a risk
To record a risk:
- click the Risk icon at the bottom of the screen and click New Risk
- select Risk from the Number drop-down list
- enter a title for the risk that clearly defines it
- select the type of entity affected by the risk (Product, for example) from the About drop-down list, enter a suitable search term (Produ for example) in the Quick Search box, and click Find
- in the search results, click the Click Here to Select link in the Select column to access options in the chosen category (available products, for example); alternatively, click or Add New Product and add the details of a new product in the fields that appear (the details will then be added to the database and can be retrieved through searches)
- in the Risk Definition section, select the risk type (for example, Management); the risk control area (for example, Compliance Management); the likelihood (for example, Likely); and the impact (for example, Moderate)
- enter details of the risk in the Definition text box
- in the Documents object, click the Upload button; you can also choose to attach an external document and wait for it to be uploaded at this point
- in the Assign To section, select Assigned from the Status drop-down list and choose an administrator or accept the default selection of Super Admin in the Assign Administrator drop-down list (note that the Assign To section is available only when a risk administrator is recording a risk; it’s not available when a standard user is recording one)
- click Submit at the bottom of the page.
The page refreshes and the status of the risk appears as Assigned. It’s also given a rating (for example, High Risk).
In a Risk Analysis section, the following new options appear:
- Risk Assessment: assess the risk and, if required, change its likelihood and/or impact. Select a recurrence for assessments or just schedule the next assessment.
- Risk Resolution: record the date when the risk was resolved, who was responsible for resolving it, and the details of the resolution.
- Resolution Effectiveness: record the effectiveness of the resolution process before closing the risk.
Below this section, the following new options appear:
- Risk Notification: send a time-based task notification to another user in your account, and escalate if they don’t reply in time. Copy their reply to the Risk Assessment, Risk Resolution, or Resolution Effectiveness sections.
- Notes: record a note in this section.
- Close: close the risk.
Note that these options can be used in any order, or not used at all – it’s possible to close a risk immediately after it has been recorded and assigned.
Assessing a risk
To assess a risk:
- click on the + icon on the left of Risk Assessment in the Risk Definition object
- enter today’s date in the Assessment Date calendar and your name in the Assessment By text box and type in the assessment controls. Click on the Change Risk Rating link below the controls text box, select “Possible” in the Likelihood drop down list and see that the Risk Rating below changes immediately to Moderate Risk. Then schedule the next assessment of this risk by selecting 1 week in the Recurrence drop-down list and click on Submit. . See that the assessment is recorded with the changes in the Likelihood and Risk Rating. Also see the next assessment date
You can wait for the next scheduled assessment or record another assessment at any time. An important thing to remember is only the latest assessment can be edited or deleted
Recording a risk resolution
To record the details of the resolution for a risk:
- open the Risk Resolution section by clicking the + sign on the left
- select a completion date and enter a name in the Completed By text box
- enter the details of the resolution
- click Submit.
You can then record the effectiveness of the action taken by opening the Resolution Effectiveness section, entering a description, and clicking Submit.
An alternative method for recording the effectiveness of the resolution
A more collaborative method for recording, implementing, and checking the effectiveness of a risk resolution involves sending notifications to users and then copying their replies into the relevant sections.
To do this,
- in the Risk Notification object, click the + sign
- select a user and click Add
- set the date and time by which a reply is required, and click Done
- enter the details of what you want the person to do in the Action Required text box
- click Submit.
A user who has been sent a risk notification can access it by opening the Risk tab on their Summary page, opening the Risk Notes listing, and clicking the relevant number. Then the user can click the Submit Reply option that appears above the relevant post, enter the details of the reply, select a completion date, attach documents if required, and click Submit.
The receiving user, most likely you, will receive a Risk Replies notification on the Risk tab of the Summary page. Click the notification to view the details of the reply.
Above the reply will be an Accept/Reject button. If you’re not satisfied with a reply, click that button, select Rejected from the Action drop-down list, type in the action required, and select a new reply due date. If you are satisfied with a reply, you can select Accepted or do nothing.
Three buttons display next to the Reply Sent date:
- Copy to RA: to copy the contents of the reply (along with the assessment date and assessment by information) to the Risk Assessment section
- Copy to RR: to copy the contents of the reply (along with the completion date and the completed by information) to the Risk Resolution section
- Copy to RE: to copy the contents of the reply (along with the completion date and the completed by information) to the Resolution Effectiveness section.
After clicking any of the three buttons, click the Submit button to complete the action. The Resolution Effectiveness section is then populated.
Be careful not to copy a reply to a section that is already populated or the existing entry will be overwritten.
Multiple notifications can be sent to multiple users to cover all the steps of the resolution process. They can also be spaced out by selecting different required reply dates, which are then followed up with reminders. Note that this alternative method is probably more complicated but it is more cooperative and inclusive.
Closing a risk
To close a risk:
- scroll to the Close Risk object and click the + sign
- optionally, enter a comment
- click Submit.
The closed risk is removed from the Action Required list but is still accessible from the All Risk page and on the Closed Risk tab of the Risk Matrix (both of which are available to all risk administrators).
Remember that instead of using a one-step closure process, you can choose to implement a two-step closure process. You do this using the Set-Up > Object Activate/Deactivate > Settings tab.
Activating a two-step process adds the interim status of Monitoring. The monitoring responsibility can be assigned to another user, who can decide to close the risk.
During the monitoring process, the user assigned to monitor the risk can use the risk assessment, risk resolution, resolution effectiveness, and risk notification features. They can also close the risk or reject the monitoring process and send the risk back to the previous assigned user.
Reactivating a risk
Risk administrators and the Super Admin can choose to reactivate a closed risk and view all objects associated with it. To do this:
- click the All Risks icon at the top of the screen and click the Properties icon in the Action column of the relevant risk
- go to the Risk object header and click the Click Here link on the right of Assigned To
- in the pop-up box that appears, select Reactivate from the Status drop-down list
- to assign the reactivated risk, select an administrator from the Administrator drop-down list
- click Submit.
The assigned administrator will receive a Reactivated Risk notification on the Risk tab of their Summary page. The risk is now reopened and can be managed as before by the assigned administrator, the Super Admin, and other risk administrators.
Walk-throughs
- Document Control: Steps for performing common tasks
- Complaints Management: Steps for performing common tasks
- Audits Management: Steps for performing common tasks
- Non-Conformance Management: Steps for performing common tasks
- Training Management: Steps for performing common tasks
- Risk Management: Steps for performing common tasks
Risk Management: Steps for performing common tasks
Things you need to know
There are two types of users:
- standard users, who can all record risks
- risk administrators, who can assign risks, manage them, and close them.
There are also two main set-up functions:
- Admin, which is available only to the Super Admin
- Set-Up, which is available to all risk administrators, including the Super Admin.
The module has been populated with content so that a risk can be logged immediately. The set-up content can of course be changed and added to.
All notifications are sent by email and listed on the Risk tab of the Summary page.
You can download the full user manual by logging in to your isoTracker demo account and clicking the Help button at the top right.
Admin: Creating users
To add a user:
- click Admin at the top right and choose Manage Users
- click Create New User
- enter a username and password, both with at least six alphanumeric characters (the password is case sensitive)
- enter the user’s details, including first name, last name and email address (each user’s email address MUST be unique and also must differ from the Super Admin’s address)
To make a user a risk administrator, which means they can assign, manage, and close risks:
- click Risk in the Administrator box on the left and move it to the box on the right
- click Submit & New at the bottom of the page
- repeat to add additional users.
Admin: creating a database of suppliers
To speed up risk registration, you can load a pre-existing list of suppliers, either individually or in bulk.
To add a new supplier,
- click the Admin icon at the top right of the page
- click the Suppliers icon and choose Add New Supplier
- enter the details of a supplier, including an email address
- click Submit.
You can customize the default fields for entering supplier details using the Settings section. You can also reorder and deactivate certain fields by using the Add Fields section.
Note that you can delete suppliers only if they are not the subject of a risk. This list can be easily searched when logging a risk. The process for adding a customer or an employee is similar.
Admin: creating a database of products
The products section has already been set up with a Category text box, a Size drop-down list, and a Lot No field. Note that a blank field can be entered only on the New Risk page. You can change those fields if a risk about a product has not been recorded, or contact us for assistance and we’ll make the changes.
To add a new product:
- click Admin at the top right and then click Products
- choose Add Products
- enter the product’s details in the relevant fields
- click Submit.
The steps for adding a process are similar.
Admin: creating a custom database
Existing databases are available for recording customers, suppliers, employees, products, processes, or “various” (a catch-all for people). In addition, you can choose to create up to three custom databases, using the Others section.
To create a new database:
- click Admin at the top right, click Others, and then click the Others 1 tab
- change the name of the Others 1 database by clicking the little pen icon on the left of the name, typing in the new name, and clicking the Save option that appears
- create up to four fields (drop-down lists or text boxes); note that if you select Yes for the Blank Field option when creating a text box, this field can be populated only on the New Risk page and does not hold data centrally
- click Submit.
You can now add entries to the custom database, either individually or in bulk. You can also add entries “on the fly”, when recording new non-conformances.
If you do not wish for the Others 2 and Others 3 listings to appear on the About drop-down list on the New Risk page, go to Set-Up > About and click the word Active in the Status column to deactivate the relevant items.
Set-Up: Customizing the module
As previously mentioned, the module has been populated with content. Using the Set-Up section, you can customize existing, default settings.
To access the Set-Up section, click the Risk icon and then choose Set-Up at the top of the screen.
The section includes settings such as the following:
- Risk Fields > Risk Definition: includes Risk Type and Risk Control Area drop-down lists. Two additional, custom fields can be added.
- Risk Fields > Risk Assessment: includes Assessment Date and Assessment By fields. Two additional, custom fields can be added.
- Risk Fields > Risk Resolution: includes Completion Date and Completed By fields. Two additional, custom fields can be added.
- Risk Fields > Resolution Effectiveness: includes Completion Date and Completed By fields. Two additional, custom fields can be added.
- Risk Matrix: the risk matrix is built from five Likelihood options, five Impact options, and four Rating options. The options can be edited. The matrix elements can also be changed but only before any risks are logged in the system.
- Number: you can create additional numbering systems
- Responsibility: determine users (other than risk administrators) who have the right to be assigned risks and to manage them
- Status: change the default names of different statuses to terms familiar to you
- Action Required: determine which fields to display on the Action Required page, which is the module’s default opening page and lists active risks
- Object Activate/Deactivate: re-order objects (also known as sections) by dragging and dropping them; deactivate an object by clicking its Active entry in the Status column; change the name of an object by clicking the Edit icon in the Action column and typing a new name; and add up to two new objects using the Add a New Object On the Settings tab, you can choose to change the default opening page from the Action Required page to the Risk Matrix page. You can also choose whether closing a risk must be a one- or two-step process.
Recording a risk
To record a risk:
- click the Risk icon at the bottom of the screen and click New Risk
- select Risk from the Number drop-down list
- enter a title for the risk that clearly defines it
- select the type of entity affected by the risk (Product, for example) from the About drop-down list, enter a suitable search term (Produ for example) in the Quick Search box, and click Find
- in the search results, click the Click Here to Select link in the Select column to access options in the chosen category (available products, for example); alternatively, click or Add New Product and add the details of a new product in the fields that appear (the details will then be added to the database and can be retrieved through searches)
- in the Risk Definition section, select the risk type (for example, Management); the risk control area (for example, Compliance Management); the likelihood (for example, Likely); and the impact (for example, Moderate)
- enter details of the risk in the Definition text box
- in the Documents object, click the Upload button; you can also choose to attach an external document and wait for it to be uploaded at this point
- in the Assign To section, select Assigned from the Status drop-down list and choose an administrator or accept the default selection of Super Admin in the Assign Administrator drop-down list (note that the Assign To section is available only when a risk administrator is recording a risk; it’s not available when a standard user is recording one)
- click Submit at the bottom of the page.
The page refreshes and the status of the risk appears as Assigned. It’s also given a rating (for example, High Risk).
In a Risk Analysis section, the following new options appear:
- Risk Assessment: assess the risk and, if required, change its likelihood and/or impact. Select a recurrence for assessments or just schedule the next assessment.
- Risk Resolution: record the date when the risk was resolved, who was responsible for resolving it, and the details of the resolution.
- Resolution Effectiveness: record the effectiveness of the resolution process before closing the risk.
Below this section, the following new options appear:
- Risk Notification: send a time-based task notification to another user in your account, and escalate if they don’t reply in time. Copy their reply to the Risk Assessment, Risk Resolution, or Resolution Effectiveness sections.
- Notes: record a note in this section.
- Close: close the risk.
Note that these options can be used in any order, or not used at all – it’s possible to close a risk immediately after it has been recorded and assigned.
Assessing a risk
To assess a risk:
- click on the + icon on the left of Risk Assessment in the Risk Definition object
- enter today’s date in the Assessment Date calendar and your name in the Assessment By text box and type in the assessment controls. Click on the Change Risk Rating link below the controls text box, select “Possible” in the Likelihood drop down list and see that the Risk Rating below changes immediately to Moderate Risk. Then schedule the next assessment of this risk by selecting 1 week in the Recurrence drop-down list and click on Submit. . See that the assessment is recorded with the changes in the Likelihood and Risk Rating. Also see the next assessment date
You can wait for the next scheduled assessment or record another assessment at any time. An important thing to remember is only the latest assessment can be edited or deleted
Recording a risk resolution
To record the details of the resolution for a risk:
- open the Risk Resolution section by clicking the + sign on the left
- select a completion date and enter a name in the Completed By text box
- enter the details of the resolution
- click Submit.
You can then record the effectiveness of the action taken by opening the Resolution Effectiveness section, entering a description, and clicking Submit.
An alternative method for recording the effectiveness of the resolution
A more collaborative method for recording, implementing, and checking the effectiveness of a risk resolution involves sending notifications to users and then copying their replies into the relevant sections.
To do this,
- in the Risk Notification object, click the + sign
- select a user and click Add
- set the date and time by which a reply is required, and click Done
- enter the details of what you want the person to do in the Action Required text box
- click Submit.
A user who has been sent a risk notification can access it by opening the Risk tab on their Summary page, opening the Risk Notes listing, and clicking the relevant number. Then the user can click the Submit Reply option that appears above the relevant post, enter the details of the reply, select a completion date, attach documents if required, and click Submit.
The receiving user, most likely you, will receive a Risk Replies notification on the Risk tab of the Summary page. Click the notification to view the details of the reply.
Above the reply will be an Accept/Reject button. If you’re not satisfied with a reply, click that button, select Rejected from the Action drop-down list, type in the action required, and select a new reply due date. If you are satisfied with a reply, you can select Accepted or do nothing.
Three buttons display next to the Reply Sent date:
- Copy to RA: to copy the contents of the reply (along with the assessment date and assessment by information) to the Risk Assessment section
- Copy to RR: to copy the contents of the reply (along with the completion date and the completed by information) to the Risk Resolution section
- Copy to RE: to copy the contents of the reply (along with the completion date and the completed by information) to the Resolution Effectiveness section.
After clicking any of the three buttons, click the Submit button to complete the action. The Resolution Effectiveness section is then populated.
Be careful not to copy a reply to a section that is already populated or the existing entry will be overwritten.
Multiple notifications can be sent to multiple users to cover all the steps of the resolution process. They can also be spaced out by selecting different required reply dates, which are then followed up with reminders. Note that this alternative method is probably more complicated but it is more cooperative and inclusive.
Closing a risk
To close a risk:
- scroll to the Close Risk object and click the + sign
- optionally, enter a comment
- click Submit.
The closed risk is removed from the Action Required list but is still accessible from the All Risk page and on the Closed Risk tab of the Risk Matrix (both of which are available to all risk administrators).
Remember that instead of using a one-step closure process, you can choose to implement a two-step closure process. You do this using the Set-Up > Object Activate/Deactivate > Settings tab.
Activating a two-step process adds the interim status of Monitoring. The monitoring responsibility can be assigned to another user, who can decide to close the risk.
During the monitoring process, the user assigned to monitor the risk can use the risk assessment, risk resolution, resolution effectiveness, and risk notification features. They can also close the risk or reject the monitoring process and send the risk back to the previous assigned user.
Reactivating a risk
Risk administrators and the Super Admin can choose to reactivate a closed risk and view all objects associated with it. To do this:
- click the All Risks icon at the top of the screen and click the Properties icon in the Action column of the relevant risk
- go to the Risk object header and click the Click Here link on the right of Assigned To
- in the pop-up box that appears, select Reactivate from the Status drop-down list
- to assign the reactivated risk, select an administrator from the Administrator drop-down list
- click Submit.
The assigned administrator will receive a Reactivated Risk notification on the Risk tab of their Summary page. The risk is now reopened and can be managed as before by the assigned administrator, the Super Admin, and other risk administrators.
Walk-throughs
- Document Control: Steps for performing common tasks
- Complaints Management: Steps for performing common tasks
- Audits Management: Steps for performing common tasks
- Non-Conformance Management: Steps for performing common tasks
- Training Management: Steps for performing common tasks
- Risk Management: Steps for performing common tasks