Skip to main content

Overview

This guide covers how to identify, assess, and manage organizational risks including risk creation, assessment scoring, mitigation planning, linking to sources, and monitoring.
Required Role: Compliance Officer or Organization Admin

Initial Setup

1. Configure Module Settings

1
  • Navigate to GR → Settings
  • Configure Risk Management settings:
    • Enable/disable risk reminders
    • Set default review frequency
    • Configure risk rating thresholds
    • Set mitigation reminder intervals
  • Save your settings
  • 2. Define Risk Categories

    The system includes standard risk categories:
    • Operational, Financial, Clinical, Safety, Compliance, Reputational
    Custom categories can be configured in module settings if needed.

    Risk Identification

    Creating a New Risk

    1
  • Navigate to GR → Risks
  • Click New Risk
  • Complete the form:
  • 2
    FieldDescriptionRequiredTitleClear risk nameYesDescriptionDetailed risk descriptionYesCategoryOperational, Financial, Clinical, etc.YesRisk OwnerPerson responsible for riskYesSiteAffected site(s)NoSourceHow risk was identifiedNo
    3
  • Click Create Risk
  • Risk Sources

    Document how risks are identified:

    Linking to Source Entities

    Risks can be linked to:
    • Audit Findings - Issues discovered during audits
    • Compliance Requirements - Regulatory gaps
    • Policies - Policy-related risks
    1
  • Open the risk detail page
  • Go to Linked Items tab
  • Click Add Link
  • Select entity type and search for the item
  • Click Link

  • Risk Assessment

    Performing an Assessment

    1
  • Open the risk detail page
  • Click New Assessment
  • Rate likelihood and impact:
  • 2
    LikelihoodScoreDescriptionRare1< 1% chance of occurringUnlikely21-10% chancePossible310-50% chanceLikely450-90% chanceAlmost Certain5> 90% chance
    3
    ImpactScoreDescriptionInsignificant1Minimal effect on operationsMinor2Small impact, easily managedModerate3Noticeable impact, requires actionMajor4Significant operational impactCatastrophic5Severe impact, potential failure
    4
  • The risk score is calculated automatically (Likelihood × Impact)
  • Add assessment notes
  • Click Save Assessment
  • Risk Rating Matrix

    Assessment History

    Each risk maintains a complete assessment history:
    • Track changes in likelihood/impact over time
    • Document reasons for rating changes
    • Monitor effectiveness of mitigations

    Risk Mitigation

    Mitigation Strategies

    Creating a Mitigation Action

    1
  • Open the risk detail page
  • Go to Mitigations tab
  • Click Add Mitigation
  • Complete the form:
  • 2
    FieldDescriptionRequiredTitleClear action descriptionYesStrategyAvoid, Reduce, Transfer, AcceptYesDescriptionDetailed action stepsYesResponsible PartyWho will complete itYesDue DateDeadline for completionYesExpected OutcomeWhat success looks likeNo
    3
  • Click Create Mitigation
  • Mitigation Status Workflow

    Tracking Mitigation Progress

    1
  • Navigate to GR → Risks
  • Filter by mitigations or use the dashboard
  • Review status and progress notes
  • Verify completed mitigations
  • Residual Risk Assessment

    After mitigations are implemented:
    1
  • Open the risk
  • Click New Assessment
  • Rate the current (residual) risk with controls in place
  • Document how mitigations affected the rating
  • Continue monitoring if risk remains above tolerance

  • Risk Monitoring

    Risk Dashboard

    The GR Overview shows:

    Risk Register Views

    Filter the risk register by:
    • Status (Active, Mitigated, Resolved, Closed)
    • Rating (Critical, High, Medium, Low)
    • Category (Operational, Financial, etc.)
    • Owner
    • Site

    Review Cycles

    Set up periodic risk reviews:
    1
  • Navigate to GR → Settings
  • Configure default review frequency
  • Risks will show “Review Due” when period expires
  • Conduct reviews and update assessments

  • Integration with GR Modules

    GR-03 Compliance Integration

    Risks linked to compliance requirements:
    • View linked risks on Requirement Detail page
    • Create risks from compliance gaps
    • Track compliance-related risks separately

    GR-04 Audit Integration

    Risks linked to audit findings:
    • View linked risks on Audit Detail page
    • Create risks from high-severity findings
    • Link findings that indicate systemic risk

    Viewing Linked Risks

    On RequirementDetail and AuditDetail pages:
    • Risks tab shows all linked risks
    • View risk ratings and status
    • Navigate directly to risk detail
    • Add new risk links

    Notifications & Reminders

    Automated Reminders

    The system sends automatic reminders for:

    Configuring Reminders

    1
  • Navigate to GR → Settings
  • Under Risk Management:
    • Toggle reminder types on/off
    • Adjust reminder intervals
    • Set escalation rules
  • Save settings

  • Risk Reporting

    Available Reports

    Generating Reports

    1
  • Navigate to GR → Risks
  • Click Reports
  • Select report type
  • Choose filters (category, rating, date range)
  • Export as PDF or CSV

  • Customizing Dropdown Values

    Risk categories and many other risk dropdowns are powered by picklists under the gr.risk.* namespace. The platform ships defaults so risk forms work out of the box, but you can tailor the options to match your risk taxonomy. Common risk picklists to customize: To customize:
    1
  • Navigate to Settings → Picklists (/settings/picklists).
  • Filter or search for the gr.risk.* picklist you want to edit.
  • If the picklist shows the System badge, select Duplicate to Org to create an editable copy.
  • Add, rename, reorder, or deactivate items as needed.
  • Save your changes — risk forms pick up the new values immediately.
  • Likelihood and impact scoring scales, risk status, and risk source stay fixed (or remain free-form) because they drive workflow logic or aren’t drawn from a configurable list. The full list of governance picklists and their default values is in the Picklist Reference.

    Best Practices

    Risk Identification

    1
  • Encourage reporting - Create culture of risk awareness
  • Regular reviews - Conduct periodic risk assessments
  • Learn from incidents - Create risks from near-misses
  • Industry awareness - Monitor external risk sources
  • Cross-functional input - Include multiple perspectives
  • Risk Assessment

    1
  • Be objective - Use consistent criteria
  • Document rationale - Explain likelihood/impact ratings
  • Consider controls - Factor in existing mitigations
  • Regular reassessment - Update as conditions change
  • Calibrate across organization - Ensure consistent ratings
  • Risk Mitigation

    1
  • Prioritize by rating - Address critical risks first
  • Set realistic timelines - Allow adequate time
  • Assign clear ownership - Single responsible party
  • Verify effectiveness - Don’t assume mitigations work
  • Monitor residual risk - Continue tracking after mitigation
  • Common Pitfalls to Avoid

    • Incomplete descriptions: Document risks clearly
    • Rating inflation/deflation: Use objective criteria
    • Missing owners: Every risk needs accountability
    • Stale assessments: Review and update regularly
    • Unverified mitigations: Always verify effectiveness

    Troubleshooting

    Common Issues

    Getting Help

    For technical issues:
    1
  • Check this documentation
  • Contact your system administrator
  • Submit a support ticket


  • Need Help? Contact your system administrator.