Risk Management (QMS)

You can manage the risk associated with enterprise and operational processes in your Vault using risk matrices and risk registers. Vault QMS can also be configured to support pFMEA or other risk assessments. These tools help your organization remain compliant with the most up-to-date requirements for risk-based decision making.

Risk Matrix

A Risk Matrix is a visual representation of the risk involved with a process or product at your organization.

  • Risk Matrix: Houses records of the risk matrices you create in your Vault. You can create two types of risk matrices: qualitative and quantitative.
  • Severity: Defines various scenarios of risk severity for your matrices. For instance, “Minor”, “Moderate”, “Major”, etc. These records represent the columns of a Risk Matrix.
  • Occurrence: Defines how often an issue occurs. For example, “Rare”, “Likely”, “Highly Likely”, etc. These records represent the rows of a Risk Matrix.
  • Detectability: Defines the difficulty of noticing the issue. For example, “Unlikely, Likely”, etc. These records represent a third axis in a three-dimensional Risk Matrix.
  • Risk Level: Define the overall risk of a scenario based on Severity, Occurrence, and Detectability records. These records represent the cells of a risk matrix. In quantitative risk matrices, these records are a product of severity, occurrence, and detectability values. You can define color for the Risk Levels of your matrix, as well as the Maximum Threshold Value.

Risk Thresholds

Vault can assign Risk Levels automatically in a quantitative Risk Matrix, using the Maximum Threshold Value field to assign the risk level for the Risk Matrix Setup records. For example, you define two Risk Levels called Medium and High with Maximum Threshold Values of 6 and 12, respectively, then create a Risk Event with a Severity, Occurrence, and Detectability product of 8. Vault would automatically populate its Risk Level as Medium.

To enable automated Risk Level population by threshold, select the Based on Risk Thresholds (Quant) value in the Risk Level Assignment field on the Risk Matrix object record.

How to Create a Risk Matrix

To create a Risk Matrix:

  1. Create a Risk Matrix record from a custom tab or from Business Admin. Choose between qualitative or quantitative object types.
  2. Create and define Severity, Occurrence, and Detectability records.
  3. Define the color palette for your Risk Level records. These are the cells of your matrix.
  4. Vault automatically creates Risk Matrix Setup records and populates fields with data from related Severity, Occurrence, Detectability, and Risk Level records, depending on the requiredness of Severity, Occurrence, and Detectability.

Adding Detectability to an Existing Risk Matrix

If you have an existing Risk Management configuration using only Severity and Occurrence, you will need to make configuration changes to take advantage of Detectability in risk-related activities. You can either update existing risk matrices to include Detectability or create new risk matrices which include it. Updating an existing risk matrix for this purpose involves the following actions:

  • Activate the Detectability object reference fields on the Risk Event object. Add the Detectability Before and Detectability After fields to the Risk Event object page layout.
  • Update the risk level formula fields on the Risk Event object to account for Detectability scores for quantitative risk scoring models.
  • Add Detectability as a related object to the Risk Matrix object page layout. Ensure that Detectability Rating is a displayed column in the page layout. Add Detectability as a displayed column in the Risk Matrix Setup related object section.

Add Detectability records, per your Risk Level formula, to expand your Risk Matrix to a 3x3 matrix.

Risk Registers

A Risk Register is a ledger of risk-related events that may require action.

  • Risk Registers: Houses records of risk ledgers that you can use to manage specific risk events and the actions they require. For example, you may create an “Enterprise Risk Register” to assess risk events that occur across your business, or a “Product Risk Register” to assess risk events that occur at the product level.
  • Risk Event: Tracks potential risk events that may require risk assessment and action.
  • Mitigation Action: Tracks mitigation actions that you must complete depending on the response to a risk event.

How to Create a Risk Register

  1. Create a Risk Register from the Risk Management > Risk Register tab or from Business Admin.
  2. Create risk events within the register. Link a risk matrix to this event using the Risk Matrix field. You might link this event to the “Supplier Risk Matrix” for instance.
  3. Depending on what you choose under Risk Response (Avoid, Transfer, Mitigate, Accept), you may be required to take mitigation actions. Vault requires mitigation actions for all responses besides Accept.

Example Risk Register Setup

  1. You create the “Cholecap Risk Register” to manage risk related to your Cholecap product. You want to assess the risk related to the distribution of your product, so you create a risk event and link this event to your “Supplier Risk Matrix”. Your matrix determines the Risk Level Before as “Low”.
  2. Your organization’s risk response strategy is to mitigate all risk, so mitigation actions are necessary. You create a mitigation action and use the Owner field to assign the action.
  3. The assignee completes the action and describes the actions taken.
  4. With this information, you populate the Severity After field with “Slight Impact” and the Likelihood After field with “Rare” on the risk event since the mitigation action helped to reduce the severity of the risk as well as the likelihood the risk event will materialize
  5. Your organization now has a record of the risk assessment related to an event of this nature.

Risk Events

A Risk Event is an object record that provides details on an incident that may require risk assessment. If enabled by an Admin, you can use the Risk Builder tool to quickly add and modify Risk Events.

Critical Fields

Risks have several fields that help you determine the outcome of the actions taken to mitigate a risk:

  • Severity Before, Likelihood Before, Detectability Before: These fields represent how severe, how likely, and how detectable the risk event is before you complete any mitigation actions.
  • Severity After, Likelihood After, Detectability After: These fields represent how severe, how likely, and how detectable the risk event is after you complete any mitigation actions. Use data from mitigation records to help you determine these values.
  • Risk Level Before and Risk Level After: Vault populates these fields based on the appropriate Risk Level cell in the related risk matrix.

Mitigation Actions

The mitigation action object helps you take steps to avoid, mitigate, or transfer identified risks. You can assign these mitigation actions to users in your Vault, provide due dates, and describe what the assignee must do to mitigate the risk.

Create Mitigation Actions from Risk Event records.

After completing any mitigation actions, use the Actions Taken field to give specific details on the actions you took. This field is crucial in determining Severity After, Likelihood After, and Detectability After on the related Risk Event.