# Risk Management (QMS)

You can manage the risk associated with enterprise and operational processes in your Vault using risk matrices and risk registers. QMS can also be configured to support <a href="/en/gr/62746/">pFMEA or other risk assessments</a>. These tools help your organization remain compliant with the most up-to-date requirements for risk-based decision making.

## Assessment Risks {#risk-events}

A _Risk Event_ is an object record that provides details on an incident that may require risk assessment. If enabled by an Admin, you can use the <a href="/en/gr/54469201/">Risk Builder tool</a> to quickly add and modify _Risk Events_.

### Critical Fields

Risks have several fields that help you determine the outcome of the actions taken to mitigate a risk:

  * **Severity Before**, **Likelihood Before**, **Detectability Before**: These fields represent how severe, how likely, and how detectable the risk event is before you complete any mitigation actions.
  * **Severity After**, **Likelihood After**, **Detectability After**: These fields represent how severe, how likely, and how detectable the risk event is after you complete any mitigation actions. Use data from mitigation records to help you determine these values.
  * **Risk Level Before** and **Risk Level After**: Vault populates these fields based on the appropriate _Risk Level_ cell in the related risk matrix.

### Mitigation Actions

The _Mitigation Action_ object helps you take steps to avoid, mitigate, or transfer identified risks. You can assign these mitigation actions to users in your Vault, provide due dates, and describe what the assignee must do to mitigate the risk.

You can create _Mitigation Actions_ from _Risk Event_ records.

After completing any mitigation actions, use the _Actions Taken_ field to give specific details on the actions you took. This field is crucial in determining _Severity After_, _Likelihood After_, and _Detectability After_ on the related _Risk Event_.

## Risk Matrix {#risk-matrix}

A _Risk Matrix_ is a visual representation of the risk involved with a process or product at your organization.

### Related Objects

  * **Risk Matrix**: Houses records of the risk matrices you create in your Vault. You can create qualitative, quantitative, and risk factor template types of risk matrices. For more information about risk factor templates, see <a href="/en/gr/936654/#define-template">Supplier Risk Assessments</a>.
  * **Severity**: Defines various scenarios of risk severity for your matrices, for instance, "Minor", "Moderate", "Major". These records represent the columns of a _Risk Matrix_.
  * **Probability of Hazardous Situation (P1)**: Defines the probability of a hazardous situation occurring for your risk matrices, such as "Unlikely", "Frequent", and so on.
  * **Probability of Harm (P2)**: Defines the probability of that hazardous situation leading to harm, such as "Extremely Unlikely", "Extremely Likely", and so on.
  * **Occurrence**: Defines how often an issue occurs, such as "Rare", "Likely", "Highly Likely", and so on. These records represent the rows of a _Risk Matrix_.
  * **Detectability**: Defines the difficulty of noticing the issue, for example, "Unlikely", "Likely", and so on. These records represent a third axis in a three-dimensional _Risk Matrix_.
  * **Risk Level**: Defines the overall risk of a scenario based on _Severity_, _Occurrence_, and _Detectability_ records. These records represent the cells of a risk matrix. In quantitative risk matrices, these records are a product of severity, occurrence, and detectability values. You can define a color for each of the _Risk Levels_ of your matrix, as well as the _Maximum Threshold Value_.

#### Risk Thresholds

Vault can assign _Risk Levels_ automatically in a quantitative _Risk Matrix_, using the _Maximum Threshold Value_ field to assign the risk level for the _Risk Matrix Setup_ records. For example, you define two _Risk Levels_ called _Medium_ and _High_ with _Maximum Threshold Values_ of _6_ and _12_, respectively, then create a _Risk Event_ with a _Severity_, _Occurrence_, and _Detectability_ product of _8_. Vault would automatically populate its _Risk Level_ as _Medium_.

To enable automated _Risk Level_ population by threshold, select the _Based on Risk Thresholds (Quant)_ value in the _Risk Level Assignment_ field on the _Risk Matrix_ object record.

### How to Create a Risk Matrix

To create a _Risk Matrix_:

  1. Create a _Risk Matrix_ record from a custom tab or from **Business Admin**. Choose between qualitative or quantitative object types. To create a risk factor template, see <a href="/en/gr/936654/#define-template">Supplier Risk Assessments</a>.
  2. Create and define _Severity_, _Occurrence_, and _Detectability_ records.
  3. Optional: Create and define _Probability of Hazardous Situation (P1)_ and _Probability of Harm (P2)_ records. You can create a maximum of 10 records for any given risk matrix for the _Probability of Hazardous Situation (P1)_ and _Probability of Harm (P2)_ objects.
  4. Define the color palette for your _Risk Level_ records. These are the cells of your matrix.
  5. Vault automatically creates _Risk Matrix Setup_ records and populates fields with data from related _Severity_, _Occurrence_, _Detectability_, and _Risk Level_ records, depending on whether _Severity_, _Occurrence_, and _Detectability_ are required.


### Adding Detectability to an Existing Risk Matrix

If you have an existing Risk Management configuration using only _Severity_ and _Occurrence_, you will need to make configuration changes to take advantage of _Detectability_ in risk-related activities. You can either update existing risk matrices to include _Detectability_ or create new risk matrices which include it. Updating an existing risk matrix for this purpose involves the following actions:

  * Activate the _Detectability_ object reference fields on the _Risk Event_ object. Add the _Detectability Before_ and _Detectability After_ fields to the _Risk Event_ object page layout.
  * Update the risk level formula fields on the _Risk Event_ object to account for _Detectability_ scores for quantitative risk scoring models.
  * Add _Detectability_ as a related object to the _Risk Matrix_ object page layout. Ensure that _Detectability Rating_ is a displayed column in the page layout. Add _Detectability_ as a displayed column in the _Risk Matrix Setup_ related object section.

Add _Detectability_ records, per your _Risk Level_ formula, to expand your _Risk Matrix_ to a 3x3 matrix.

## Risk Registers {#risk-registers}

A _Risk Register_ is a ledger of risk-related events that may require action.

### Related Objects

  * **Risk Registers**: Houses records of risk ledgers that you can use to manage specific risk events and the actions they require. For example, you may create an "Enterprise Risk Register" to assess risk events that occur across your business, or a "Product Risk Register" to assess risk events that occur at the product level.
  * **Risk Event**: Tracks potential risk events that may require risk assessment and action.
  * **Mitigation Action**: Tracks mitigation actions that you must complete depending on the response to a risk event.

### How to Create a Risk Register

  1. Create a Risk Register from the **Risk Management** > **Risk Register** tab or from **Business Admin**.
  2. Create risk events within the register. Link a risk matrix to this event using the _Risk Matrix_ field. You might link this event to the "Supplier Risk Matrix" for instance.
  3. Depending on what you choose under **Risk Response** (_Avoid_, _Transfer_, _Mitigate_, _Accept_), you may be required to take mitigation actions. Vault requires mitigation actions for all responses besides _Accept_.

### Example Risk Register Setup

  1. You create the "Cholecap Risk Register" to manage risk related to your _Cholecap_ product. You want to assess the risk related to the distribution of your product, so you create a risk event and link this event to your "Supplier Risk Matrix". Your matrix determines the _Risk Level Before_ as "Low".
  2. Your organization's risk response strategy is to mitigate all risk, so mitigation actions are necessary. You create a mitigation action and use the _Owner_ field to assign the action.
  3. The assignee completes the action and describes the actions taken.
  4. With this information, you populate the _Severity After_ field with "Slight Impact" and the _Likelihood After_ field with "Rare" on the risk event, since the mitigation action helped to reduce the severity of the risk as well as the likelihood that the risk event will materialize.
  5. Your organization now has a record of the risk assessment related to an event of this nature.

## Related Permissions

To support the Hazard - Harm identification process, users must have a security profile or role with the following permissions:

* _Read_ permissions on the _Probability of Hazardous Situation (P1)_ and _Probability of Harm (P2)_ objects.
* _Edit_ permissions on the _Risk Matrix_ field of the _Assessment Risk_ object.