RAW RISK ASSESSMENT
Risk and Opportunity Assessment is a pivotal feature within CIMSNex, enabling organizations to methodically assess and manage risks associated with the identified organisational context, facilitating proactive mitigation and informed decision-making. The process starts with creating current issues in the 'Issues Mapping' Module under the Context menu, which then generates uncertainties and risks pertinent to the chosen context. For further details, consult the online manual at Mapping Issues to Services (andysystems.net).
RISK EVALUATION
Then, complete the risk evaluation and treatment as outlined below to assess the likelihood and severity, as well as to finalize risk treatment measures before submission.
- Context ID: Reference ID to the issue description against which the risk is assessed. Links the risk assessment to the specific service issue identified within the organization.
- Risk ID: System-generated ID for the risk assessment, defaulting to the current date. Provides a unique identifier for tracking and referencing each risk assessment.
- Date of Analysis: Date of the risk assessment. Captures the date on which the risk analysis is conducted.
- Assessor: Individual responsible for conducting the risk assessment.
- Likelihood: Select the likelihood of the risk event occurring, rated on a scale from Rare (1) to Frequently (5). Determines the probability of the risk event happening based on available information or analysis.
- Severity: Select the severity of the potential consequences or harm if the risk event were to occur, rated on a scale from Insignificant (1) to Catastrophic (5). Evaluates the impact or severity of the risk event on the organization.
- Raw Risk Rating: System-calculated risk rating obtained by multiplying the likelihood and severity values. Helps determine the overall risk level and prioritize risk treatment actions.
- Raw Risk Ranking: System categorization of the risk based on the risk rating, such as Low, Medium, or High. Indicates the acceptability of the risk level and guides risk treatment decisions.
- Risk Treatment Option: Select the option for addressing the identified risk, including Risk Avoidance, Risk Retention, Risk Transfer, and Risk Reduction. Specifies the preferred approach for managing the assessed risk.
- Reason for Risk Retention: Select the reasoning or justification for choosing Risk Retention as the risk treatment option. Provides context or rationale behind the decision to retain the identified risk.
- Responsibility: The individual or department tasked with executing the risk treatment plan. Assigns accountability for the implementation of the selected risk treatment measures.
- Review Date: An initial review date of the risk to evaluate the residual risk.
RISK EVALUATION CRITERIA
Below are the criteria applied by the system to evaluate the likelihood and severity of the risk.
The management of Medium and High risks is achieved by establishing clear action plans following a comprehensive evaluation of risks and opportunities. Through the establishment of precise plans of action, organizations can streamline their efforts, efficiently allocate resources, and make tangible strides toward their strategic objectives.
To access Risk Treatment Planning, navigate to the "Planning" menu, hover on "Risk and Opportunity Assessment" and click "Risk Treatment Planning" to initiate the process.
- Choose risks with Medium or High Residual Ranking from the displayed list and copy the proposed opportunity action.
- Click "Add" to access the form and complete the action details, including action details, timeline, frequency, assigned personnel, and evaluation method, as per the fields below.

Below is a brief explanation of each field for Risk Treatment Planning:
- Risk#: Risk reference number based on which the objective is created. System-generated; no manual entry required.
- OBJ No: System-generated objective number for reference and tracking.
- Date: Default is the current date. Automatically populated for reference.
- Department: Specify the department within the organization associated with the objective. This can be the entire organisation, hence "All departments".
- Action Details: Specify the action plan to treat the risk based on the proposed opportunity.
- Action Timeline: Default is the current date. Specifies the timeline for executing the action plan.
- Action Frequency: Specify how often the action plan needs to be executed.
- Assigned To: Indicate the person or team responsible for executing the action plan.
- Evaluation Method: Choose the method for evaluating the success of the objective from predefined dropdown options.
After submitting, the Risk Treatment Plan will be saved. To access the Risk Treatment Report, which details all action plans for treating the risks, navigate to the "Planning" menu, hover on "Risk and Opportunity Assessment" and click "View Risk Treatment Plans".
RISK TREATMENT PLAN VERIFICATION
- Access Verification Menu:
  - Navigate to the "Planning" menu.
  - Hover on "Risk and Opportunity Assessment" and click "Risk Treatment Plan Verification."
- Verify Treatment Plans:
  - View the list of plans pending verification.
  - Click the "Verify" button next to any plan.
  - Select the appropriate status (e.g., Complete, Ongoing).
  - Enter the verification date and add comments if necessary.
  - Click "Submit" to save the verification status.
- View Risk Treatment Plans:
  - Navigate to the "Risk and Opportunities" menu.
  - Click "View Risk Treatment Plans."
  - Review the detailed action plans and statuses for all treated risks.
Following a review of the Risk Treatment Plans, a verification of the risks and opportunities will be carried out to re-evaluate the effectiveness of the risk treatment plans, and the following fields may be adjusted to assess the residual risk.
- Residual Likelihood: Evaluate the probability of residual risk following the application of risk treatment measures. Employ the identical likelihood scale (for instance, rare-1, unlikely-2, moderate-3, likely-4, frequently-5) that was utilized in the preliminary risk assessment.
- Residual Severity: Evaluate the severity of remaining risks after applying risk treatment actions. Use the same severity scale (for example, insignificant-1, minor-2, moderate-3, major-4, catastrophic-5) that was employed in the preliminary risk assessment.
- Residual Rating: To calculate the risk rating for residual risk, combine the residual likelihood and severity. This field is usually calculated automatically using a predefined formula or calculation.
- Residual Ranking: Residual Ranking involves assigning a rank or priority to residual risks according to their ratings. This process aids in determining which remaining risks should be prioritized for additional mitigation actions.
- Control Measure No Longer Applicable: This signifies that the control measure previously designated for this risk has become irrelevant or unnecessary due to changes in circumstances or the risk environment. Consequently, this will remove the risk records from the preview list, subject to verification.
- Control Measure Replacement: Indicates that the previously implemented control measure has been replaced with an alternative deemed more effective or appropriate for reducing the identified risk. This action will remove the risk records from the preview list until verification is completed.
- Control Removed/Deactivated: This indicates that the control measure linked to this risk has been intentionally removed or deactivated, possibly due to a reevaluation of risk priorities or the control measure's effectiveness. Consequently, this action will clear the associated risk records from the preview list, awaiting verification.
- Control Measure Not Implemented: Signifies that the intended control measure has yet to be enacted, possibly due to resource limitations, issues with prioritization, or other factors. It is advised for persistent risks and will not remove the risk from the preview records until verification is complete.
- Control Measure Implemented: This confirms that the planned control measure has been put into action and is actively managing or mitigating the identified risk. It is advised for persistent risks and will not remove the risk from the preview records until verification is complete.
- Control Measure Completed: Indicates that the control measure implementation is complete and all associated actions have been executed, ensuring thorough risk management. This action will remove the risk records from the preview list, awaiting verification.
Attachment: Please attach any pertinent documents, reports, or evidence that support the verification and reassessment process.