# Risk Assessments (QMS)

In addition to <a href="/en/gr/55069/">Risk Management</a> functionality using the _Risk Register_ and _Risk Event_ model, Vault supports creating and performing other types of risk assessment, including Process Failure Mode and Effects Analysis (pFMEA) risk assessments. _Assessments_ contain _Assessment Risks_, which represent unique combinations of failure mode, effect, cause, and control. You can tag specific _Assessment Risks_ with more general risk categories for trending and reporting. These _Assessment Risks_ are scored with pre- and post-assessment fields that capture _Severity_, probability of _Occurrence_, and _Detectability_ scores, which are combined into an overall _Risk Priority Number_ for the event. _Assessments_ make use of the <a href="/en/gr/55069/#risk-matrix">_Risk Matrix_</a>, _Risk Matrix Setup_ and _Risk Level_ functions of Vault's Quality Risk Management (QRM) tools.

## Assessment Types {#assessment-types}

The QRM tool set includes support for multiple risk assessment methodologies:

### Failure Mode & Effects Analysis (FMEA)

#### pFMEA

A pFMEA Risk Assessment is performed against a business process, and thus the first step is identifying a process that requires assessment and creating a _Business Process_ record to uniquely identify and track it. For example, "Batch Manufacturing of Cholecap at Veevaville, CA".

#### dFMEA

Design Failure Mode and Effects Analysis applies to systems still in design, analyzing their failure mechanisms and lower-level functional failures. A dFMEA is a detailed analysis, used to identify any possible failure mode.

#### uFMEA

Use Failure Mode and Effects Analysis applies to user interaction and the possible failures involved. This analysis seeks to discover where such failures may occur and the possible consequences.

### Generic

Generic risk assessments contain applicable templatized information but have not yet been applied to a specific site, process, or product.

### What-if

A risk assessment that determines the potential consequences of failures that may occur, then judges the likelihood of those consequences. The analysis can become the basis of a recommended course of action.

### Hazard & Operability Analysis (HAZOP)

Hazard and Operability (HAZOP) analysis is an approach to finding possible problems by reviewing designs, existing processes, and operations.

### Hazard Analysis Critical Control Point (HACCP)

A risk management system based on analysis and control of hazards, from raw material production, supply, and handling through to manufacturing, distribution, and consumption of the finished product.


<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: The Risk Management feature set within Veeva QMS includes basic HACCP functionality for creating a risk assessment and identifying control measures associated with process steps. This functionality differs from the <a href="/en/gr/991534/">Veeva HACCP application</a>, which provides more robust tools for end-to-end management of a food safety program within Vault, such as a HACCP Flow Diagram and structured hazard analysis process. Contact your Veeva Representative to discuss if the HACCP application is right for your business needs.</p>
    </div>
  </div>
</div>



### Hazard - Harm

Hazard - Harm is a systematic process for identifying hazards, assessing the risks they pose, and taking steps to control those risks. The steps involved in Hazard - Harm typically include:

  * Hazard identification: This involves identifying all the hazards that are present in a particular situation.
  * Hazard assessment: This involves evaluating the severity of the harm that each hazard could cause and the probability of that harm happening.

### Supplier Risk

A <a href="/en/gr/936654/">Supplier Risk Assessment</a>, also known as a Risk Ranking and Filtering (RRF) assessment, is a structured process used to identify, analyze, and mitigate potential risks associated with engaging or continuing to use a supplier. This assessment considers factors such as quality, compliance, financial health, geopolitics, and business continuity.

Examples of possible risk factors in a Supplier Risk Assessment include the following:

* Past quality or regulatory issues
* Criticality of supplied product or service
* Supplier location and geopolitical stability
* Financial or operational stability

Using scoring criteria defined by your organization, Vault classifies suppliers as low, medium, or high risk. The risk score influences monitoring frequency, audit intensity, and qualification requirements.

You can also use Supplier Risk Assessments outside the context of supplier management, for example, to evaluate a product, material, or process.

## Creating & Performing a Risk Assessment {#creating-and-performing-a-new-pfmea-risk-assessment}

You can start a risk assessment from scratch, or copy a previously completed _Assessment_ record using the **Copy FMEA Risk Assessment** record action, if configured. These steps may differ depending on your [assessment type][3], Vault configuration, and your organization's processes.

The following example steps guide you through creating a new, original pFMEA risk assessment:

  1. Create a _Risk Assessment_ record of the _pFMEA Risk Assessment_ object type from a custom tab or from **Business Admin**.
  2. Select a _Business Process_ record.
  3. Optional: Add a process diagram for this assessment in the _Process Flow Document_ document reference field. We recommend this step as a best practice for Vaults with QualityDocs configurations, because it gives users a high-level view of the specific pFMEA assessment process. For Vaults without QualityDocs functionality, use the _Attachments_ section of the object record instead of this field.
  4. Select an existing <a href="/en/gr/55069/#risk-matrix">_Risk Matrix_</a> in the _Assessment Scoring Matrix_ field. The selected matrix must have values for _Severity_, _Occurrence_ and _Detectability_ to work properly with the pFMEA process. This matrix scores the steps within the assessment.
  5. Create and define _FMEA Process Steps_ for this assessment's process in the _FMEA Process Step_ section of the _Risk Assessment_. Define a _Name_, _Step Order_, and optionally a _Description_ for the step. _Step Orders_ are unique integer numbers; no letters or decimals are allowed. Note that once you have finalized a set of steps defining your process, you cannot change those steps without potentially changing information on any events already identified in your assessment. Best practice configurations prohibit altering the order of steps in a pFMEA after beginning the assessment.
  6. Add _Assessment Risks_ for each process step, following your organization's specific risk identification workflow. If configured by an Admin, you can perform the **Create Risk from Template** action on the _pFMEA Risk Assessment_ record to automate _Assessment Risk_ creation, or use the <a href="/en/gr/54469201/">Risk Builder tool</a> for rapid data entry. If these options are not available:
     1. At a minimum, you must define a _Name_, select a _Scoring Matrix_ and a _Process Step_ for each _Assessment Risk_. Your process may also include identifying the _FMEA Failure Cause_, _Controls_, _Mode_, or _Effect_ at this step, or in a subsequent lifecycle state.
     2. In the _Assessment Risk_, define the _Initial RPN_ values for the relevant factors, such as _Severity_, _Occurrence_, and _Detectability_. The _Initial RPN_ field will not populate until the event has been scored for each of _Severity_, _Occurrence_ and _Detectability_. Follow your organization's process for analysis and scoring of _Assessment Risks_.
  7. Select a _Risk Response_ based on your organization's workflow. Your configuration may include custom values for how your organization addresses risks. For example, the _Mitigate_ response may require that you add a _Mitigation Action Set_, while the _Accept_, _Avoid_, and _Transfer_ responses may not.
  8. Define the final post-response or post-mitigation RPN values for the _Assessment Risk_. You must provide all three values for _Severity_, _Occurrence_, and _Detectability_, scoring those attributes of the risk post-mitigation before Vault populates your _Final RPN_ field.
  9. Continue creating _Assessment Risks_ until all _FMEA Process Steps_ are covered.
  10. Complete the _Risk Assessment_ according to your organization's process.
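
The checks implied by these steps, as an added example that is not Vault code or a Vault API. It assumes the conventional FMEA product Severity × Occurrence × Detectability for the RPN (the page does not state how Vault combines the scores), and all class, function and field names and the sample data are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Score = Tuple[Optional[int], Optional[int], Optional[int]]  # (S, O, D)

def rpn(score: Score) -> Optional[int]:
    # Stays empty until all three factors are scored, like the RPN fields.
    if None in score:
        return None
    s, o, d = score
    return s * o * d  # assumption: conventional FMEA product

@dataclass
class AssessmentRisk:  # hypothetical model, not a Vault API object
    name: str
    step_order: int
    initial: Score
    final: Score = (None, None, None)
    response: Optional[str] = None

def validate_step_orders(orders):
    # Step Orders must be unique integers: no letters, no decimals.
    errors, seen = [], set()
    for o in orders:
        if isinstance(o, bool) or not isinstance(o, int):
            errors.append(f"step order {o!r} is not an integer")
        elif o in seen:
            errors.append(f"step order {o} is duplicated")
        else:
            seen.add(o)
    return errors

def review(step_orders, risks):
    # List what still blocks completion of the assessment.
    findings = validate_step_orders(step_orders)
    covered = {r.step_order for r in risks}
    findings += [f"step {o} has no Assessment Risk"
                 for o in step_orders if isinstance(o, int) and o not in covered]
    for r in risks:
        if rpn(r.initial) is None:
            findings.append(f"{r.name}: Initial RPN empty")
        if r.response is None:
            findings.append(f"{r.name}: no Risk Response selected")
        if rpn(r.final) is None:
            findings.append(f"{r.name}: Final RPN empty")
    return findings

# Constructed sample data: three process steps, two risks, one only partly scored.
STEPS = [10, 20, 30]
RISKS = [AssessmentRisk("Wrong excipient weighed", 10, (8, 4, 3), (8, 2, 2), "Mitigate"),
         AssessmentRisk("Capsule underfilled", 20, (6, 5, None))]
```

Calling `review(STEPS, RISKS)` reports the uncovered step 30 and the three open items on the partly scored risk; the fully scored risk drops from an initial RPN of 96 to a final RPN of 32.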

Re-assessments can be started from scratch as described above, or by [creating from a previously completed assessment][2].

## Creating an FMEA Risk Assessment From an Existing Assessment {#creating-a-pfmea-risk-assessment-from-an-existing-assessment}

If the process to be analyzed has been previously assessed, you can save effort and time by starting the new assessment from a copy of much of the previous one's information.

Use the record action **Copy FMEA Risk Assessment** on an _Assessment_ object record to perform this copy. This is a special version of the native _Copy Record_ function within your Vault; it is purpose-built to copy the hierarchy of an assessment, restart the lifecycles of associated records, and link those records to their originating records. This action clones the _Risk Assessment_, _FMEA Process Steps_, _Assessment Risks_ and _FMEA Mitigation Action Set_ records and their field data into a new set of records, then restarts the lifecycles for those records.

The **Copy FMEA Risk Assessment** record action copies records according to the following rules:

  * Records not using <a href="/en/gr/30986/">system-managed object record names</a>, but which require _Name_ to be unique, are auto-named upon copying.
  * When a record is copied via this action, all field data for the record is also copied over, respecting <a href="/en/gr/15057/#how_to_add_object_fields">_Do not copy this field in Copy Record_</a> configurations, excluding <a href="/en/gr/28740/">inbound relationships</a> to that record. _FMEA Risk Category_ values for _Assessment Risks_ are preserved and copied.
  * When Vault copies a record via this action, the lifecycle of that record is reset to the initial state of the lifecycle in the new record.
  * When Vault copies a record via this action for the governed object types, a field is populated linking the copy to the record from which it was copied for traceability purposes.

## Promoting Risks to Risk Registers

During or after your risk assessment processes, you may have _Assessment Risks_ to add to one or more existing _Risk Registers_. If configured by an Admin, you can use the _Promote Risks to Registers_ user action to accomplish this:

  1.  From the _Assessment_ record, select **Promote Risks to Registers** in the **Actions** menu. This action may have a different label in your Vault.
  2.  In the dialog, select the _Assessment Risks_ that you want to add to the intended _Risk Register_.
  3.  Click **Next**.
  4.  Select up to five (5) _Risk Register_ records.
  5.  Click **Save**.

Vault creates new _Risk_ records on the selected _Risk Register_, transferring the information from the _Assessment Risk_ and linking the two together.

## Rebalancing a Risk Matrix

Organizations using QRM prior to 22R2 may have _Risk Assessments_ that do not populate _Initial_ and _Residual Risk Scores_ fields from the associated _Risk Matrix_. Additionally, _Assessments_ created before the 23R3 release do not populate _Criticality Scores_ and _Levels_ defined in the _Risk Matrix_. Risk assessment heatmaps rely on these field values.

To address this issue, your Admin can <a href="/en/gr/62748/#rebalance-risk-matrix-action">configure a user action on _Risk Matrix_ lifecycle states</a>. Execute the **Rebalance Risk Matrix** action on a _Risk Matrix_ record to asynchronously update _Risk_ and _Criticality_ fields in a _Risk Matrix_, and all the _Assessment Risk_ records within _Risk Assessments_ where the _Risk Matrix_ is used. The user action recalculates _Risk Scores_ and _Risk Levels_, populating _Assessment Risk_ records' _Risk Score_ and _Risk Level_ fields based on the _Risk Scores_ and _Risk Levels_ defined in the applicable _Risk Matrix_. In addition, this action recalculates the _Criticality Scores_ and _Criticality Levels_, populating _Assessment Risk_ records' _Criticality Score_ and _Criticality Level_ fields based on the _Criticality Scores_ and _Criticality Levels_ defined in the applicable _Risk Matrix_.

The user who performed the action will receive an email with a link to the job log with additional details about which records were updated.

 [1]: #about-business-processes
 [2]: #creating-a-pfmea-risk-assessment-from-an-existing-assessment
 [3]: #assessment-types
