Background to the Risk Module
The Risk Module lets you manage all the risks that affect your organisation.
Most organisations need to identify and manage risks. By identifying and managing risks’ threats, you can reduce or even prevent adverse consequences.
Coruson uses the Bowtie Methodology to visualise the Risk Management process.
This Article will help you understand: -
- The terminology used in the Risk Module.
- The purpose of each of the areas in a bowtie diagram.
- The process for managing risk in Coruson.
How is Risk Managed in Coruson
The Bowtie is a way of visualising all the elements relating to a Risk.
Starting with the Undesirable Event, this is generally the name of the risk and the event that you are trying to avoid, e.g. falling from a height or a bird striking an aircraft.
Events that can cause the Undesirable Event, to occur are called Threats. In our “falling from height” risk, threats include Untrained Staff, Equipment not fit for Purpose and Time Pressures.
Outcomes that can occur if the undesirable event happens are called Consequences. In our example, this could include Fines from Regulators, Injury / Death and Damage to Reputation.
To stop Threats occurring or to minimise the effect of Consequences, we must introduce Controls. For example, the likelihood of a fall occurring as a result of Untrained Staff or Unfit Equipment can be reduced by Staff Training.
Likewise, a safety harness can reduce the severity of all the Consequences. The same Control can be used more that once, and more than one Control can be assigned to any Threat / Consequence.
Not all Controls are fully effective. You can evaluate each Control to evaluate its effectiveness.
We now have a visual overview of the entire risk. This view lets us see which Threats and Consequences are not controlled.
Performing Risk Assessments
Each Risk / Undesirable event can be evaluated and assessed.
This is usually done as a combination of the Likelihood of the event happening and the Severity of the impact if it does.
Several perspectives can be used to measure the impact severity, e.g. environment, financial and organisational reputation, this is used to identify areas for improvements.
As a result, each risk is assigned a Risk Rating and a suggested action.
This is assigned a colour to visualise the severity of the risk.
Multiple risk assessments can be performed on the same risk, e.g. to measure initial, current and target risk rating (after all Controls have been assigned).
Process for Managing Risk
These are the steps to take to manage a Risk project in Coruson: -
1. Create a Risk Project
A Risk project is a collection of similar risks. For example, a “Warehouse” risk project would contain risks relating to working at heights, fork-lift trucks and heavy lifting.
From the Coruson side Menu select Risk
When in the Risk Projects Register select the button to create a new project then complete the mandatory * fields.
Type * - from prespecified list, Internal, External, Building etc.
Title* – Name the Rick Project.
Description – add a description to explain scope of Risk Project.
Owner* – this is the Coruson Users responsible for the project.
Accountable – optional field for a Coruson users to manage the project.
2. Add Risk Events and Hazards
Next, we must add risks (known as Risk Events) to the project, these are added from the master risk event list.
We can also assign hazards. A Hazard is anything that has the potential to cause an undesirable event to occur, such as “working from height”.
3. Threats, Consequences and Controls
Risk events from the master risk event list already have Threats, Consequences and Controls.
However, you can add, remove or edit them, as well as assess each Control’s effectiveness
These can be found in the MODEL tab of the risk event.
Press the button to add and define the element as you desire
To add a Control, press the chevron
N.B. it is also possible to add attachments to this Risk Project, by pressing the button.
4. Perform Risk Assessments
You should perform risk assessments on the risk event.
As well as the current risk rating, you can also assess its inherent rating (i.e. before Controls are added) and its target rating. This is done from the ASSESSMENTS tab,
Press the button, this selects your predefined risk matrix.
Choose the Likelihood and Severity of the risk.
There is a suggested Action to Accept, Treat or Avoid.
The Risk Event Status * is a mandatory Field filled from a predefined list detailing all the acceptable levels of the risk, e.g. Avoid, Accepted, Ignore, Test, Transferred or anything else relevant to your business.
5. Raise Reports
You can raise a report against any risk event.
Each Report is then reviewed and managed though to closure, this is done in the REPORTS tab,
Press the button and select the appropriate report from the list.
There is a Knowledge Base Article that describes how to use the Report module: -
6. Schedule Audits
You can schedule an audit to be performed against any risk, from the AUDITS tab
Press the button create your desired Audit.
Complete all the mandatory fields *
Type* - select from predefined list.
Primary Scope* - select from predefined list.
Title* - Name the Audit
Location – Organisation Unit (OU) where the audit belongs.
Purpose- Optional description of the Audit
Lead Auditor* - name of responsible Coruson User.
Follow the link below for a Knowledge Base Article on Audits - https://coruson.help.ideagen.com/hc/en-gb/articles/360009478939-Coruson-Getting-Started-with-Audit
7. Analyse Risks
You can create a dashboard to give you an overview of all the risks in Coruson.
Please see the following link for a knowledge base article on the Dashboard.