Note: As you can now have multiple Risk categories per project, each with its own configuration, the Risk configuration is managed via the Risk field in its Risk category. Old projects created in a version before 2.2 can still have the Risk configuration managed under the project settings. If needed, this configuration can easily be transferred to the Risk category by doing the conversion in the specific Risk field.
When configuring risks you need to specify the risk factors (text and weights describing the risk), the risk control categories (which can be used to mitigate the risk), the math to calculate the risk level from the factors, and how the risk can be reduced by the selected risk controls.
The risk factors consist of texts (e.g. to describe the cause) and weights (e.g. a probability value).
The UI allows you to create a hierarchy of these texts and the weights that relate to them. A text can be a text line, a (rich) text block or a drop down.
If it is a drop down, it can be configured to automatically set other factors or weights: e.g. selecting a hazard could already set the resulting harm and/or the severity of the harm.
For the weights, use only positive numbers (using 0 or negative numbers can have undesired side effects).
Risk Control Categories
As risk control categories you can select all categories which can be used to mitigate risks. These can either be existing design input or output categories, or you can create a specific risk control category, e.g. to add meta information on how a risk control mitigates a risk or what side effects it has. This selection will automatically enable the traceability rule between the Risk layer and its Risk control(s).
Risk Assessment Options
There are currently three methods to quantify a risk:
- by multiplying the weights (like probability and severity)
- by adding the weights
- by using a lookup table
Multiplication or addition of weights
When adding or multiplying the weights, you can specify two threshold values to color the result in three default colors (green, yellow, red). If you need more colors, or a simple multiplication / addition of values is not enough, you can use a lookup table instead.
The "edit risk before / after mitigation rendering" links allow you to modify the text shown, or to hide the results of the calculation, in the UI and printed reports.
The lookup tables allow you to specify more complex distributions of risks.
The lookup table configuration consists of two parts:
- the actual lookup table where you can define what the result of any combination of weights is
- the risk zones table where you can define a visual representation of risk priority numbers depending on the final value
The risk zones have 5 parameters:
- Zone id: a simple id consisting of characters and digits, this is used in the lookup table to select the risk zone for each combination of weights
- Zone text: that's the text displayed
- Colors: colors on the screen and in reports (Print Font)
The lookup table contains one line for each combination of weights. For each combination you can select the zone (for the visual representation) and modify the text displayed for the combination.
Note: If you have many different combinations of weights, we can generate this table based on a Google Sheet we share with you. Just contact us through our support channel and we will get back to you.
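The difference between threshold coloring and a lookup table, as an added illustration (this is not the product's own code). The 1 to 5 scales, the thresholds 6 and 12, the zone ids and the zone policy are constructed assumptions:

```python
from itertools import product

def multiply(weights):
    result = 1
    for w in weights:
        result *= w
    return result

def color_by_thresholds(value, yellow_from, red_from):
    """Two thresholds split a result into green / yellow / red.
    Assumption: a value equal to a threshold falls in the higher band."""
    if value >= red_from:
        return "red"
    return "yellow" if value >= yellow_from else "green"

# Risk zones table: zone id -> (zone text, color). Ids and texts are constructed.
ZONES = {
    "ACC": ("Acceptable", "green"),
    "ALARP": ("Reduce as far as possible", "yellow"),
    "INV": ("Investigate", "orange"),
    "UNACC": ("Unacceptable", "red"),
}

def build_lookup(levels=range(1, 6)):
    """One line per (probability, severity) combination -> zone id.
    Constructed policy: severity 5 is never acceptable, even at probability 1."""
    table = {}
    for p, s in product(levels, repeat=2):
        if s == 5:
            table[(p, s)] = "UNACC" if p >= 2 else "INV"
        elif p * s >= 12:
            table[(p, s)] = "UNACC"
        else:
            table[(p, s)] = "ALARP" if p * s >= 6 else "ACC"
    return table

def lookup_zone(table, probability, severity):
    """Resolve a combination to (zone id, zone text, color)."""
    key = (probability, severity)
    if key not in table:
        # A missing line is a configuration gap: fail instead of defaulting to green.
        raise KeyError(f"no lookup line for weights {key}")
    zone_id = table[key]
    text, color = ZONES[zone_id]
    return zone_id, text, color

if __name__ == "__main__":
    table = build_lookup()
    for p, s in [(1, 5), (5, 1), (3, 4)]:
        rpn = multiply([p, s])
        print(p, s, rpn, color_by_thresholds(rpn, 6, 12), lookup_zone(table, p, s))
```

The combinations (1, 5) and (5, 1) multiply to the same value and get the same threshold color, while the lookup table places them in different zones.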
There are two methods to specify the risk reductions:
- either combined for all risk controls
- or for each risk control individually
Note: When specifying the impact of each risk control individually, you might run into cases where you have many risk controls and some of them need to be documented as having no impact, in order not to reduce the overall risk levels too far.
Defining risk reduction per risk control
When defining the risk reductions per risk control, you can decide what can be reduced in one or more drop downs added to the user interface.
Note: For example, some people decide that the severity cannot be reduced, others that only severity or probabilities, but not both, can be reduced. This can be addressed by one or more drop downs, with the reduction possibilities selected accordingly.
Defining risk reductions for all risk controls combined
In this case you can decide which of the weights the user can adjust if risk controls are applied.
Note: the user can change the risk probabilities or severity only if a risk control was added.
When you save the changed configuration, you will be offered the option to re-index the database. This is a feature (Re-Index function) you can also enable in the Advanced Features.