Skip to main content
Version: 4.0.4

Risk Center

To manage risks, it's necessary to identify existing risks in the organization and analyze possible alternatives to address these issues, considering available resources, deadlines, costs involved, and, in some cases, monitoring these actions frequently. All these actions can be performed through the Risk Center.

The Risk Center submenu is located in the second position within the Risk Management module.

1

Risk Listing

In the risk listing, each risk will have the Code and Risk Name data displayed on the first line, with a link that, when clicked, will open the risk screen in the Identify stage in view mode if the user is only a query user, and in edit mode if the user is responsible for the risk context in the category configuration where this risk was created. The second line will display the name of the Context related to the risk.

3

Additionally, the risk card also has an action button. This button will open the risk in edit format so that information can be filled in, and it will always have the name of the next step that needs to be performed on the risk. Therefore, if the risk has been filled in up to the Identify stage, the button will come with the name Analyze, if it has been filled in up to the Analyze stage, its button will be Assess, and after the first evaluation is performed, while it is under reassessment, it will always maintain the Reassess button.

4

When clicking on the risk action arrow, it's possible to perform some actions.

5

  • Edit: Risk editing can only be done by those responsible for the context in which the risk was registered. Clicking the button will open the Identify stage for editing, regardless of the current stage of the risk.

6

  • Visualize: Risk viewing can be done by both those responsible and query users within the context in which the risk was registered. Clicking the button will direct you to the Identify stage in view mode only.

7

Note

In the Edit and Visualize actions, only the stages of the risk that have already been completed will appear enabled. The other stages will remain disabled until they are filled in for the first time.

  • Remove: The risk can only be removed by those responsible for the context and only if it is not linked to the system. When removing a risk, a confirmation window will appear to confirm the action.

8

When the action is confirmed, a validation message will appear on the screen, and the risk will be permanently removed, meaning it will not appear in the database.

9

The risk is linked to the system when it has action plan tasks in progress because these are processes that were initiated in the Processes module.

The Remove option will be available, but selecting it will generate an on-screen error stating that it is not possible to remove it.

106

Note

When a query user from a context clicks on the risk action arrow, they will only have access to the Visualize option. Therefore, the other options will appear disabled for them.

When the reassessment frequency deadline is reached, an icon will appear to indicate that this risk needs to be reassessed.

107

It will disappear after the user reassesses the risk and saves the changes.

When a risk is closed, the tag Closed will appear, and hovering over the tag will display the date and time of closure.

10

When a risk is closed, its action button will be Visualize, and when clicked, it will perform the same action as the Visualize option from the risk action arrow.

11

When clicking on the three-dot icon next to the stage button, it will open the risk details tab containing more information.

12

The Author and Created in fields will be automatically filled in upon risk creation, representing the risk creator and its creation date, respectively.

13

To search for a risk, simply perform a search in the top bar. Enter the term you want to search for in Research risks.

14

The search can be performed in the Current Category, Subcategories, and All options.

15

  • Current Category: It will only search within the category where the search is being conducted.
  • Subcategories: It will search within the category and its subcategories where the search is being conducted.
  • All: It will search across all categories in the Risk Management module.

If the search yields no results, a message will be displayed indicating that the search returned no results.

16

Ordering

In the Risk Center, it's possible to order the risks so that they are displayed according to the user's needs. To order, click on the Situation option, which is the default option when opening the Risk Center.

17

Risks can be ordered by Code, Name, Context, Risk type, Origin, Situation, and Creation date, in Ascending or Descending order. By default, they will be ordered by Situation in Ascending order.

Note

In addition to the default ordering, which can be changed by the user, risks are always ordered by Creation Date as well. In other words, they are first ordered by the selected ordering criterion, and then, if there is a tie, the tiebreaker is the Creation Date of the risk.

If risks are ordered by Context, Risk Type, Origin, Situation, or Creation Date, they will have groupings to separate them.

18

Filter

Risks can also be filtered by Situation, Status, Origin, Impact, Probability, Context and Risk type.

19

  • Situation: Check to find risks by the situation they are in, i.e., in which stage they are in the risk registration. You can choose between Analyze, Assess, Reassess, and Visualize.

20

  • Status: Check to find risks by their status. Risks with Opened or Closed status can be found.

21

  • Origin: Check to find risks by their origin. Origins can be Internal and External.

22

  • Impact: Check to find risks by the impact registered in them. The impacts that can be searched will depend on the settings made in the Risk Appetite of the category where the filter is being performed.

23

  • Probability: Check to find risks by the probability registered in them. The probabilities that can be searched will depend on the settings made in the Risk Appetite of the category where the filter is being performed.

24

  • Risk type: Check to find risks by the risk type registered in them. All risk types registered in the system will appear for filtering.

26

  • Context: Check to find risks by the context registered in them. Only the contexts configured in the category where the filter is being performed will appear.

25

After selecting the desired filter options, click on Apply, and the risks should be displayed according to the applied filter.

Multiple filters can be chosen, allowing for a more specific display of risks. However, only one option per filter can be selected, meaning it's not possible to filter by two different contexts or two different risks types. To display all risks of the category again, click on Clear.

Attention

When accessing the Risk Center, only the risks that the user has access to will be displayed, either as the responsible party for the context or as a query user.

Configuring Categories

Upon accessing the Risk Center, you will see a list of created categories. These categories aim to structure the Risk Center according to the specific needs of the organization. You can segment them by units, such as "Joinville Unit", "Blumenau Unit" and "Florianópolis Unit", or by functional areas of the company, such as Human Resources, Sales, Finance, Quality, Customer Service and Production.

2

It is not possible to add risks to the root category.

27

After creating categories, there will be situations where it will not be possible to add risks within the category. These situations are:

  • If the category does not have any Context registered. In this case, it will be necessary to register a context within the category, which can be created at any time by the user responsible for the category.
  • If the logged-in user is not responsible for any Context within the created category. Even users who are responsible for the category will not be able to create risks if they are not responsible for any context within the category.

28

Note

Consultation users will be able to view the created risks but will not be able to create new risks if they are not responsible for the context.

Note

Category configuration is essential, as it defines the Responsible, Contexts, Frequency of Reassessment, Authorized Query Users, and Terms in the Risk Appetite.

Attention

We emphasize that configuring a New Risk or Category is only possible after creating the Context and Risk Type. Therefore, it is crucial to create these records beforehand for effective integration.

It is possible to organize categories into subcategories, creating a hierarchy of up to three levels. To include a subcategory, simply select the desired category and click on the edit icon.

29

Next, click on the icon to add a subcategory (+).

30

This will open a window for configuring the new category.

31

Note

Each category or subcategory will have its own settings for the Risk Appetite.

To remove a category or subcategory, simply click on the delete icon (x).

32

Then, a message will be displayed on the screen, alerting that if the category contains subcategories, they will also be removed.

33

After confirming the removal, another message will be displayed, confirming that the operation was successful.

34

Attention

If the category contains created risks or subcategories that have risks, they cannot be deleted. This is because deleting these categories could compromise data integrity, as there is information associated with them.

When attempting to delete a category under these conditions, a validation message will be displayed on the screen explaining the reason for the impossibility of removal.

35

When you click on the gear icon of a category, a window for editing the data will be displayed.

36

After editing the data, simply click on the Save button.

37

To create a new category, click on the tag icon.

39

Then, a new window containing three tabs will be displayed, allowing you to enter the necessary data to configure the category.

38

Data Configuration

In the first tab, called Data, there will be three fields to fill out.

40

  • Name: Enter a name for the category. This is a required field and has a limit of 64 characters.
  • Responsible: Select one or more groups, roles, or users who will be responsible for the category. These users will be able to edit the category and configure Contexts and Responsible for each context through the category.
Note

In the Responsible field, you can select any user in the system, but only users with module permission will be able to see the module and its categories.

  • Description: Enter a description for the category. This field is optional and has a limit of 2000 characters.

Context Configuration

After defining the category name and its Responsibles, you can create one or more Contexts for it. It is important to note that a category can be saved without a Context, but to create new risks within that category, it must have at least one Context added. Additionally, you can assign responsibles for each Context created in this category and include Query Users, who can be individual users, groups, or roles.

To configure a Context, simply click on "Add Context".

41

Then, several fields will be available for you to fill out.

42

  • Context: This field is autocomplete and mandatory. When you start typing the name, suggestions for existing contexts will appear. To configure a Context, it must have been previously created in the Manage Contexts module. For more information on how to create new contexts, please refer to the Manage Contexts manual.
Note

It is not allowed to create two identical contexts within the same category. Therefore, when creating new Contexts, those previously selected will be disabled in new configurations.

Note

It is not allowed to change the Context already existing within a category. For this reason, when attempting to edit a context, the name will appear disabled for editing.

After selecting a Context, you will have the option to choose if it will have a reassessment frequency for the associated risks for monitoring. To do this, enable the Add frequency of reassessment of risks in this context option.

43

  • Revaluation Frequency: This field is used to define the recurrence of checking the risks associated with the context. In Amount, add the time in whole numbers that reassessment will be performed, and in Unit, you can choose between time measurement units such as Day(s), Week(s), Month(s), and Year(s).

  • Responsible: In this field, the individuals responsible for this context will be defined. The responsible parties play a crucial role in the effective supervision and management of associated risks. They are the key individuals or groups tasked with taking appropriate action in case of identification or occurrence of any risk within the established Context. This definition is mandatory as it ensures clarity on who is responsible for which aspects of risk monitoring and treatment.

  • Query Users: This field is optional. It can be selected from individual users, groups, or roles within the organization. Their role is to closely monitor the development and evolution of risks within the specific Context. Although they are not directly responsible for corrective actions, their participation is valuable in providing additional insights and a comprehensive view of the risk landscape. Query users have access to view all monitoring and associated history. This includes detailed information about actions taken, risk assessment results, and other relevant activities. This transparency promotes a more robust and collaborative Risk Management culture, where multiple stakeholders can contribute to effective risk mitigation and informed decision-making.

Therefore, careful definition of responsibles and inclusion of query users are essential steps to ensure the effectiveness and comprehensiveness of the Risk Management process within the organization. These measures significantly contribute to strengthening organizational resilience and minimizing potential negative impacts resulting from adverse events.

44

After saving a Context within a category in the Risk Center, specific information about it will be displayed on the screen. If you have created multiple Contexts, you will see a list of them, and each one will contain details about its corresponding Contexts, respective Responsibles, Frequency of Reassessment, and Query Users.

45

To make changes to these Contexts, simply click on the edit icon, represented by a pencil. This will open options to edit the information as needed.

46

If you need to remove a Context, look for the delete icon, represented by a trash can. Clicking on it will permanently delete the selected Context.

47

An icon can only be deleted when a context does not have any related risks. Otherwise, it will be disabled for deletion.

48

Risk Appetite Configuration

The final step in configuring the category is setting up the Risk Appetite. This functionality is essential for defining the levels of probability and impact of risks, as well as the actions to be taken in each scenario.

49

Let's explore in detail how to use this tool and how it impacts the continuous monitoring of risks for the organization.

Understanding Risk Appetite

The Risk Appetite acts as a guide that defines the degree of risk the company is willing to accept in its operations. It helps establish the boundaries within which the organization feels comfortable operating, taking into account the probability and impact of risks.

Configuring the Risk Appetite

When configuring the Risk Appetite, you will have the opportunity to define the levels of probability and impact of risks, as well as specify the actions to be taken in each scenario.

For example, imagine you are dealing with a risk whose probability of occurrence is considered "very high" and the impact on the company is evaluated as "very high". In this case, the recommended action might be to "Avoid" the risk, meaning to take measures to eliminate it completely.

On the other hand, if the risk has a "low" probability of occurring but a "very high" impact, the suggested action might be to "Mitigate" the risk, implementing strategies to reduce its impact, even if the probability of occurrence is low.

Although the system comes with default settings for the actions of "Retain", "Mitigate", and "Avoid", you have the flexibility to customize these quadrants according to the specific needs of your company. You can alter these settings by clicking on the quadrant you want to change. A list with available options will then be displayed for selection.

50

Additionally, if your organization has a unique risk management strategy that involves a different approach, you can adjust the settings to reflect this customized approach. You can even change the terminology for "very low", "low", "medium", "high", and "very high" for both probability and impact.

51

Once the Probability and Impact settings are configured in the category setup, they will be used as a reference for creating risks within that category.

The configuration of the Risk Appetite has a significant impact on the continuous monitoring of risks for the organization. By clearly establishing the limits and appropriate actions for each risk scenario, the Risk Appetite helps guide risk management decisions and prioritize company resources effectively.

For example, suppose your company is considering launching a new product in the market. Before proceeding, it is essential to assess the risks involved.

Using the Risk Appetite, you can determine that if the probability of the new product failing in the market is "high" and the financial impact on the company is "very high", the recommended action is to "Avoid", meaning to postpone or abandon the product launch until the risks can be mitigated.

In summary, the Risk Appetite is a powerful tool that allows the company to define its risk tolerance limits and make informed decisions about risk management. By understanding how to configure and apply it to practical scenarios, users can significantly improve the organization’s ability to handle challenges and opportunities in its operational environment.

With the Risk Appetite configured, simply click on Save, and a message will be displayed on the screen informing you that the new category has been successfully created.

52

It's also important to mention that the risk appetite can be edited at any time. However, if there are already risks created in this category, when editing it and clicking on save, a confirmation will be generated to make the user aware that the risks may be impacted by the changes.

53

Configuring a New Risk

After creating and configuring a new category, the next step is to create a New Risk. To do this, simply click on the button located in the top right corner of the screen.

54

In the risk registration process, there are several stages that the risk must go through to be identified, evaluated, and resolved. The risk configuration will begin with its detailed identification, followed by analysis, assessment of its severity and potential impact, and concluding with a strategic plan to deal with it effectively.

Next, we will explain each stage and how to perform them.

Identify Stage

This stage is crucial for comprehensively configuring the risk. To begin this process, it's necessary to fill out all fields related to the risk, ensuring that essential information is provided.

55

  • Name: The name of the risk, serving as its identification. This is a mandatory field with a limit of 255 characters.
  • Code: This field is not editable because it will have a unique value, meaning there cannot be two risks with the same code. It has a default value of 0000000 following a numerical creation sequence. Therefore, the first created risk will have the value 0000001, the second will have the value 0000002, and so on.
  • Description: Enter a description for the use of this risk. This is not a mandatory field and has a limit of up to 2000 characters.
  • Context: This is an autocomplete field and mandatory. It will be possible to select contexts already created in the Manage Contexts module and configured within the category where the risk is being created. More information can be viewed in the menu Manage Contexts.
  • Risk Type: This is an autocomplete field and mandatory. It will be possible to choose risk types created in the Manage Risk Types module. More information can be viewed in the menu Manage Risk Types.
  • Origin: Indicate whether this risk is internally generated by the organization or is an external threat.
Note

If there are no Risk Types or Contexts registered to select, it will not be possible to proceed beyond this stage of registration, due to the mandatory nature of these fields.

It's not possible to save a risk without completing the identification stage. After filling out all mandatory fields of this stage, you have two options: move on to the next stage or save the risk to fill in the subsequent stages later.

109

Analyze Stage

After completing the initial stage of risk identification, it is essential to conduct a detailed analysis of the causes and consequences involved. For instance, in the case of a risk related to insufficient workforce to meet demand, it's crucial to understand the reasons behind this issue and the implications it may have for the company.

One observed cause is the Sudden Market Expansion, characterized by the emergence of new business opportunities leading to an unforeseen demand from customers. This situation can overload existing staff, leading to long working hours, which can directly impact team productivity and well-being.

The consequences of this scenario can be varied. Firstly, there may be delays in deliveries due to the limited number of staff available to handle the sudden increase in demand. This can compromise established deadlines, harming customer relations and the company's reputation.

Moreover, service quality may suffer due to the reduced team's difficulty in maintaining usual quality standards under the pressure of high demand. Operational errors and challenges in maintaining quality standards may arise, resulting in a less satisfactory service experience for customers.

Another significant consequence is the loss of business opportunities. Failing to meet demand can result in the loss of customers and business opportunities, directly affecting the company's market reputation and its ability for future growth. Therefore, a detailed analysis of the causes and consequences of this risk is crucial for identifying effective preventive and mitigating measures.

56

The Cause and Consequence fields are mandatory and have a character limit of 100.000 each.

After filling out all the required fields in this stage, choose whether to proceed to the next stage or save the risk to complete the subsequent stages later.

110

Assess Stage

In the Assess stage, you need to fill in the Probability and Impact fields, both of which are mandatory and selectable. The values for these fields are defined in the category settings.

58

  • Probability: Please indicate the likelihood of the risk occurring. By default, the following options are available: Very Low, Low, Medium, High, and Very High, but they can be changed at any time in the category settings.
  • Impact: Please specify the impact of this risk on the company. By default, the following options are available: Very Low, Low, Medium, High, and Very High, but they can be changed at any time in the category settings.

After choosing the most appropriate options for the risk at hand, the system will determine the action to be taken for that risk, which can be Retain, Mitigate, or Avoid. In the example under analysis, the option to mitigate the risk was selected.

57

Note

The actions to be taken can also be changed in the category settings.

Risk Impact and Probability assessment are essential for helping companies better understand potential risk scenarios and make informed decisions on how to deal with them. Let's consider some examples to illustrate how this tool can be applied:

Imagine a company facing the risk of insufficient workforce. By using risk Impact and Probability assessment, the company can consider different scenarios:

In the first scenario, the probability of a labor shortage is low, and even if it does occur, the impact on the company will be minimal. For instance, during mild seasonal periods like specific holidays, the company might face a slightly increased demand, but this can be easily managed with existing internal resources. Therefore, the appropriate measure here would be to mitigate the risk by implementing a contingency plan to reallocate internal resources during seasonal demand peaks.

In the second scenario, the probability of a labor shortage is medium, and the impact on the company would be moderate. For example, if the company launches a new marketing campaign resulting in a moderate increase in sales, this might generate higher-than-expected demand. In this case, hiring temporary staff can help cope with the increased demand during the campaign period. Hence, the appropriate measure would again be to mitigate the risk but with a more proactive approach.

In the third scenario, the probability of a labor shortage is high, and the impact on the company would be significant. For instance, if the company receives a large order from a key corporate client, this might result in a significant increase in demand exceeding the current team's capacity. In this case, temporarily postponing new projects or business until the team's capacity is increased to meet the demand might be the best option. Therefore, the appropriate measure here would be to avoid the risk by taking proactive preventive measures to mitigate its impact.

Finally, in the fourth scenario, the probability of a labor shortage is very high, and the impact on the company would be extremely severe. For example, a public health crisis like a pandemic could cause significant disruptions to the company's workforce, leading to an extreme labor shortage in a short period. In this case, implementing proactive preventive measures such as creating a reserve talent pool could be essential to mitigate the impact of labor shortages in emergencies. Therefore, the appropriate measure would again be to avoid the risk, but with a more robust and comprehensive approach.

These examples demonstrate how risk Impact and Probability assessment can help companies identify and assess risks more effectively, enabling them to take appropriate actions to protect their businesses and ensure resilience during uncertain times.

After filling out all the mandatory fields in this stage, choose whether to proceed to the next stage or save the risk to fill in the subsequent stages later.

111

Plan Stage

This stage is not mandatory. Therefore, you can proceed without the need to register any action plans. Actions can be taken to contribute to adequate and effective risk monitoring.

59

To implement the actions that will guide the management of this risk, you need to click the New Action button located in the upper right corner of the screen. Then, a new window will open for you to fill in the necessary fields.

60

  • Who?: It is necessary to name a system user to carry out the actions needed to mitigate this risk. This user will be responsible for coordinating all registered actions related to the risk. This field functions as an autocomplete field for selecting a user. It only displays users who have permissions in the Processes module. It is not possible to select groups or roles in this field, and it accepts the selection of one user per action.

61

When you select any user in this field, a delete icon will appear next to them. This icon will be used to clear the field, deselecting the chosen user.

62

  • What?: In this field, define the actions to be implemented. For example: plan to increase production capacity, hire more temporary sales staff, or negotiate agreements with suppliers to ensure product supply.
  • How?: In this field, detail the steps necessary for implementing the actions. This may include steps like identifying additional suppliers, training new employees, and adjusting marketing strategies to handle increased demand.
  • Why?: In this field, explain the reason for these actions. For example: to ensure the company can meet growing demand and take advantage of business opportunities arising from market expansion.
  • Where?: In this field, indicate where the actions will be executed, which may involve different areas of the company, such as production, sales, and logistics.
  • When?: In this field, set a deadline for completing the actions to ensure the plan is executed within the expected timeframe. This field functions as a date field, showing a calendar when clicked. It is not possible to select past dates for an action, and an error will occur if you attempt to select a date earlier than the current date.

63

  • It will cost: In this field, assess whether implementing the actions will have associated costs and determine if it will be necessary to allocate financial resources for their execution. This may include expenses for hiring, training, and investments in infrastructure. It has Yes and No options, with No selected by default.

64

  • Type of Action: Finally, it is important to classify the actions as either Corrective or Preventive, depending on whether they aim to correct an existing problem or prevent a problem from occurring in the future. In the case of market expansion, the actions are preventive, as they aim to prepare the company to handle an increase in demand before it happens. This field is empty by default.

65

All fields in this window are mandatory.

With all these fields properly filled out, it is possible to create a robust action plan to mitigate the impacts of the sudden market expansion risk. This structured approach significantly contributes to effective risk management within the organization, allowing for a proactive response to potential threats and opportunities.

After completing all the fields, click the Save button.

66

Then the action plan will be created and can be initiated as soon as the configuration of this new risk is completed.

67

Note

The Conclusion Date and Effort (Hours) fields are information that will be extracted from the process once it is initiated to carry out the actions. Therefore, the Conclusion Date will be the date when the task is completed, and Effort will be the number of hours logged for the task (when hours are logged for the task).

The created action will have three available action buttons located in the arrow to the left of the line.

68

  • Edit: It will be possible to edit the created action, so it will open the action window in editable format.
  • Visualize: It will be possible to view the information provided in the creation of the action, so it will open the action window in viewing format.

69

  • Remove: Remove the action. This removal does not require validation, so clicking on remove will always delete the action.
Note

The Visualize option will only open the action creation window in non-editable mode while it has not been initiated. After the Start button of the action has been clicked, the Visualize action will take the user to the process that this action opened in the Tasks Center.

Note

Actions added can be removed or edited only when the process has not yet been initiated. Therefore, after clicking the Start button, these options will be disabled.

It is possible to initiate processes through the inserted records. The list will have a column called Status where the process can be started through the Start button and will also indicate when it is Running, Cancelled, or Completed.

70

The actions will appear sorted by Status and follow the following order:

  • Start (disabled): The action was created, and the Start button appears, but the risk has not been saved after creating the action. Therefore, the action is waiting for the risk to be saved, and the button remains disabled.
  • Start: The action was created, and the risk was saved after its creation, so the Start button was enabled but has not yet been clicked.
  • Running: The Start button was clicked, triggering the process, but the person responsible for the action has not yet completed it. This status has an arrow in its button that, when clicked, shows the Cancel action. The cancel action changes the process status to Cancelled.

71

  • Completed: The process was initiated, and the action was completed by the responsible person.
  • Cancelled: The action was cancelled while it was in Running status.
  • Refused: The responsible person filled out the Execute Task field as No, declining the action.
Note

Actions with Start Status can be viewed, edited, and removed, with batch removal possible. However, those with Running and Completed Status can only be viewed.

Users who have permission to edit a risk but do not have permissions in the Processes module cannot perform any actions from the Status column, meaning they cannot start a process or cancel it. In these cases, an error will be displayed on the screen, preventing the action.

72

Additionally, it is also not possible to start an action with a retroactive deadline. For example, it is possible that the creator of the risk filled in the When? field of an action with a date that was not retroactive at the time of creating that action, but some days have passed, and now the selected date has passed. Therefore, to prevent any action from being initiated with a retroactive deadline, there is a validation when clicking the Start button that will check if the date entered in the field is retroactive. If it is retroactive, another error will appear on the screen.

108

For Query Users, the buttons in the Status column will be in text format, meaning they can only be viewed but not clicked.

73

Actions can only be started after they are filled out and the risks are saved at least once. If the action has been filled out and the risk has not been saved, it will not be possible to start it.

74

Após saving the risk, the Start button can be clicked.

75

Clicking the button will initiate the Action Plan (5W2H) process in the Tasks Center. The process will start with the Execute Action task, which will be directly assigned to the user responsible for the action filled in the Who? field.

76

Tasks initiated in the action plan function just like tasks initiated by the process module itself. After receiving this task in their inbox, the user responsible for it will receive an email notification of pending task.

When the process is runnig, it is possible to cancel it through the created action.

77

Clicking the cancel button will prompt a confirmation message on the screen to confirm the cancellation of the process, where the reason for the cancellation must be provided.

78

In the process history, it will be possible to observe when the process was initiated through a risk.

79

Clicking on it will open a new tab that redirects to the risk that originated the process if the user has viewing permissions.

If the user does not have access to the Risk Management module, or if they have access to the module but are neither a responsible nor a consultative user in the context configuration, clicking on the link and opening a new tab will display a lock screen, indicating that the user does not have viewing permissions.

After filling out all the mandatory fields in this stage, choose whether to proceed to the next stage or save the risk to fill in the subsequent stages later.

112

Attachment Stage

The next screen will present the option to attach a file to the new risk. This tab can be accessed at any stage of the risk.

80

This action offers possibilities and advantages that can significantly enhance the risk management process. Let's consider the example of dealing with the risk of a sudden market expansion in the company.

One of the key advantages of attaching a file is the ability to provide additional relevant documentation for the risk at hand. For instance, we can attach market analysis reports detailing growth trends and projected customer demands. This provides more context about the risk and aids in making informed decisions about mitigation strategies.

Moreover, by attaching documents such as business policies or standard operating procedures, it's possible to ensure that all activities related to market expansion are aligned with the company's best practices. This contributes to compliance with internal and external guidelines and reduces the risk of non-compliance.

Another advantage is the ability to efficiently share information among team members. For example, if we need to collaborate with other departments like production or marketing, we can attach relevant documents to ensure everyone has access to the same information and is aligned with risk mitigation objectives and strategies.

Furthermore, attached files can serve as evidence during internal or external audits, demonstrating the company's commitment to effective risk management and transparency in its operations.

Finally, maintaining a history of attached documents allows for comprehensive tracking of risk-related activities over time. This includes revisions, updates, and actions taken, which are essential for efficient risk management and learning from past experiences.

In summary, attaching files is a powerful way to enrich the decision-making process, promote collaboration among teams, ensure compliance and transparency, and provide a complete record of risk-related activities.

To attach a document, click the New Attachment button located in the top right corner of the screen.

81

Upon clicking, a screen will appear where you can choose a file from your local device or drag it into the window.

82

It's important to remember that the system supports files up to 2 MB in size. You can also enter a description for the attached file. After entering the necessary information, simply click Save.

83

With the new document attached to this risk, you can see a dropdown arrow that contains actions to Edit, Visualize, or Remove the attachment from the created risk.

84

It's important to remember that it's possible to attach multiple files to the same risk.

After completing all the steps of identification, analysis, evaluation, and planning, the risk will be displayed on the screen within the category where it was created. With the new risk created, you can edit it, visualize it, or remove it from the system.

85

Additionally, the new risk created remains available for reassessment. This means that the entire action plan can be revisited and analyzed, generating a history each time it is evaluated. Therefore, after the risk is saved for the first time, the Assess stage will transform into Reassess. To reassess an action, simply click Reassess.

86

Reassess Stage

This is the final stage of the risk. It serves for regular monitoring of the risks created, identifying any changes and verifying the effectiveness of the treatment measures implemented.

87

  • Probability and Impact: It will behave in the same way as the fields in the Assess stage. The first time you access it, they will come filled with the options defined in the Assess stage. In subsequent times, it will show the last values defined and saved in the Reassess stage itself. Just as specified in the Assessstage, according to the values ​​defined in these selectable fields, the quadrant is automatically changed.

88

  • Next step: This is a mandatory selectable field. It allows the user to define the action to be taken when saving the risk. By selecting Keep in reassessment, the risk remains open and editable. Choosing Close risk marks it as finished and cannot be changed anymore. After saving, the field is cleared to be filled again in a new assessment.

89

  • Justification: This field is mandatory and has a limit of up to 2000 characters. Provide the justification for the changes made in the risk, not only for the Reassess stage, but for all others as well. After saving, the field is cleared to be filled again in a new assessment.

  • Assess history: This field will save the information filled in with each new risk assessment according to the decisions made. The table will contain information about the user and date of each assessment and the filled fields. The first record will be from the Assess stage. It does not contain values in the Next Step and Justification fields, as these fields are not filled in.

90

The only available action in the assess history will be Visualize.

91

Note

When the risk is closed, it will also generate a record in this table.

Revaluation Frequency

In the category configuration, a revaluation frequency can be defined for the risks. This frequency starts counting from the date the risk advances to the Reassess stage.

94

If the user changes the frequency in the category edit, the deadlines of the risks will be reset and will start counting again according to the new defined frequency. Additionally, if the user reassesses the risk before reaching the deadline, the frequency will also be reset. The deadline starts counting always after the last reassessment.

When a risk reaches the reassessment deadline, the users responsible for the context of this risk will be notified within the Fusion Platform, through notifications, and outside of it by email notifications.

Upon reaching the stipulated reassessment deadline, the risk will display an icon to identify that its reassessment is pending.

95

Once the risk is reassessed, meaning the user makes any changes and saves them, the icon will disappear.

Note

The changes made during reassessment don't necessarily need to be in the Probability and Impact fields of the Reassess stage. Only the Next step and Justification fields should always be filled.

Close Risk

The risk is closed when it no longer represents a significant threat or when mitigation actions have successfully reduced or completely eliminated it.

It can only be closed in the Reassess stage through the Next step field by selecting the option Close risk.

96

Whenever no Action plan is created, available in the Plan stage, upon closing the risk, a window will appear prompting you to provide the reason for not having any action plan.

92

Clicking on Finish will close the risk. The justification for not having an action plan will appear as a non-editable field in the view of the Plan stage.

93

After the risk is closed, it cannot be edited or removed; it can only be viewed.

97

You cannot close a risk that contains actions with the Running status in the action plan. If you attempt to close a risk under these conditions, an error message will appear on the screen, indicating the reason for the inability to close the risk.

98

Risks can be viewed at any stage, whether they are closed or not. When you click to visualize the risk, it appears in viewing mode, without the ability to make any edits.

Note

If a stage has not been completed at least once, it should not appear for viewing.

Starting the Action Plan Process

The process is initiated through the Action plan table, in the Plan stage of risk management. Processes can only be initiated by those responsible for the risk, as configured in the category to which the risk is being created, with responsibility assigned to the Context.

In more detail: When creating a category, it is necessary to specify which contexts that category belongs to. Each context, in its registration, has responsible users who are the "managers" of the risks of that context in the category to which the context is created. It is these responsible individuals who can create, start, and cancel Action plans at this stage of the risk management process.

99

To start the process, click on the Start button. The responsible user who clicks to Start the action plan process is designated as the Requester of that initiated process.

100

The values ​​entered in the Action plan are copied to the first task of the workflow in fields with the same name. Therefore, the first activity is automatically sended, and the workflow moves on to be filled out in the second task of the process by the executor. The executor of this task will be defined by the user entered in the Who? field within the action plan.

101

The process managers will be all users responsible for the risk in that context/category. Meanwhile, the users with consultation permissions are all consultation users for that risk in that context/category.

After clicking the Start button, the status changes to Running, indicating that the action plan is still open.

102

After the process is initiated, a task will be assigned and forwarded to the individuals associated with the new risk created. Upon completing the setup of the new risk, a new task is assigned to this user and will be available in their Tasks Center in the In Box. To access the task, the user simply needs to click on "Execute Action".

103

Then, a screen will be displayed to indicate if the task has been completed and to provide details about the actions taken.

104

The task has mandatory fields for completion. They are:

  • Execute task?: This field indicates whether the task executor will perform the action or not. If they select Yes, they will need to fill in the field Describe what was done. If they select No, they will need to fill in the field Reason why the task was not executed.

After filling in the details about the task execution, the user can click Send. Then, a message will appear on the screen indicating that the process has been completed and the task has been successfully executed.

105

Right after the task has been successfully executed, the process author will receive a notification stating that the process has been completed.

Attention

It is essential to note that this process will work exclusively within the Risk Management module. This means that all activities related to the Action Plan must be carried out and managed within this specific module, ensuring a centralized and controlled approach to risk management.

Additionally, it is important to highlight that the form and modeling associated with this process cannot be altered. This restriction is crucial to ensure the integrity of the Action Plan structure, guaranteeing that all information is maintained consistently and reliably.