# GR Risk Management - Admin Guide

**Module:** GR-05 Risk Register\
**Audience:** Risk Managers, Compliance Officers, Administrators\
**Last Updated:** 2025-12-14

***

## Overview

This guide covers how to identify, assess, and manage organizational risks, including risk creation, assessment scoring, mitigation planning, linking to sources, and monitoring.

> **Required Role:** Compliance Officer or Organization Admin

***

## Initial Setup

### 1. Configure Module Settings

1. Navigate to **GR → Settings**
2. Configure Risk Management settings:
   * Enable/disable risk reminders
   * Set default review frequency
   * Configure risk rating thresholds
   * Set mitigation reminder intervals
3. Save your settings

### 2. Define Risk Categories

The system includes standard risk categories:

* Operational, Financial, Clinical, Safety, Compliance, Reputational

Custom categories can be configured in module settings if needed.

***

## Risk Identification

### Creating a New Risk

1. Navigate to **GR → Risks**
2. Click **New Risk**
3. Complete the form:

| Field           | Description                            | Required |
| --------------- | -------------------------------------- | -------- |
| **Title**       | Clear risk name                        | Yes      |
| **Description** | Detailed risk description              | Yes      |
| **Category**    | Operational, Financial, Clinical, etc. | Yes      |
| **Risk Owner**  | Person responsible for risk            | Yes      |
| **Site**        | Affected site(s)                       | No       |
| **Source**      | How risk was identified                | No       |

4. Click **Create Risk**

### Risk Sources

Document how risks are identified:

| Source              | Examples                            |
| ------------------- | ----------------------------------- |
| **Audit Finding**   | Linked from GR-04                   |
| **Compliance Gap**  | Linked from GR-03                   |
| **Incident Report** | From incident management            |
| **Staff Report**    | Employee-identified                 |
| **External**        | Industry alerts, regulatory changes |

### Linking to Source Entities

Risks can be linked to:

* **Audit Findings** - Issues discovered during audits
* **Compliance Requirements** - Regulatory gaps
* **Policies** - Policy-related risks

1. Open the risk detail page
2. Go to the **Linked Items** tab
3. Click **Add Link**
4. Select entity type and search for the item
5. Click **Link**

***

## Risk Assessment

### Performing an Assessment

1. Open the risk detail page
2. Click **New Assessment**
3. Rate likelihood and impact:

| Likelihood         | Score | Description               |
| ------------------ | ----- | ------------------------- |
| **Rare**           | 1     | \< 1% chance of occurring |
| **Unlikely**       | 2     | 1-10% chance              |
| **Possible**       | 3     | 10-50% chance             |
| **Likely**         | 4     | 50-90% chance             |
| **Almost Certain** | 5     | > 90% chance              |

| Impact            | Score | Description                        |
| ----------------- | ----- | ---------------------------------- |
| **Insignificant** | 1     | Minimal effect on operations       |
| **Minor**         | 2     | Small impact, easily managed       |
| **Moderate**      | 3     | Noticeable impact, requires action |
| **Major**         | 4     | Significant operational impact     |
| **Catastrophic**  | 5     | Severe impact, potential failure   |

4. The risk score is calculated automatically (Likelihood × Impact)
5. Add assessment notes
6. Click **Save Assessment**

### Risk Rating Matrix

| Score | Rating       | Color  | Response                      |
| ----- | ------------ | ------ | ----------------------------- |
| 1-4   | **Low**      | Green  | Monitor quarterly             |
| 5-9   | **Medium**   | Yellow | Monitor monthly               |
| 10-15 | **High**     | Orange | Active mitigation required    |
| 16-25 | **Critical** | Red    | Immediate executive attention |
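
The scoring and rating rules above, worked through as an added example (not code from the product). It assumes the default thresholds shown in the matrix, which the module settings can change, and goes one step further by comparing an assessment before and after mitigation; all function names are hypothetical.

```python
from itertools import product

# Scales and thresholds copied from the tables in this guide.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Critical")]


def rate(likelihood: str, impact: str) -> tuple[int, str]:
    """Return (score, rating) for one assessment; unknown labels raise KeyError."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    for low, high, rating in BANDS:
        if low <= score <= high:
            return score, rating
    raise ValueError(f"score {score} falls outside every band")


def band_sizes() -> dict[str, int]:
    """Count how many of the 25 matrix cells land in each rating."""
    counts = {rating: 0 for _, _, rating in BANDS}
    for lk, im in product(LIKELIHOOD, IMPACT):
        counts[rate(lk, im)[1]] += 1
    return counts


def heat_map() -> str:
    """Text heat map: rows are likelihood (5 at top), columns are impact 1-5."""
    rows = []
    for lk in sorted(LIKELIHOOD, key=LIKELIHOOD.get, reverse=True):
        cells = [rate(lk, im)[1][0] for im in sorted(IMPACT, key=IMPACT.get)]
        rows.append(f"{lk:<15}" + " ".join(cells))
    return "\n".join(rows)


def residual_change(inherent: tuple[str, str], residual: tuple[str, str]) -> dict:
    """Compare the assessment before mitigation with the one after it."""
    before, after = rate(*inherent), rate(*residual)
    return {"before": before, "after": after, "reduction": before[0] - after[0]}


if __name__ == "__main__":
    print(heat_map())
    print(band_sizes())
    # Constructed sample: a rare but catastrophic event scores only 5 (Medium).
    print(rate("Rare", "Catastrophic"))
    # Constructed sample: controls move a risk from Likely/Major to Unlikely/Major.
    print(residual_change(("Likely", "Major"), ("Unlikely", "Major")))
```

With a multiplicative score, a Rare but Catastrophic risk lands in Medium, so the assessment notes are the place to record why such a risk may still need closer attention than its rating suggests.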

### Assessment History

Each risk maintains a complete assessment history:

* Track changes in likelihood/impact over time
* Document reasons for rating changes
* Monitor effectiveness of mitigations

***

## Risk Mitigation

### Mitigation Strategies

| Strategy     | When to Use                | Example                 |
| ------------ | -------------------------- | ----------------------- |
| **Avoid**    | Eliminate the risk source  | Stop high-risk activity |
| **Reduce**   | Lower likelihood or impact | Add controls, training  |
| **Transfer** | Shift risk to third party  | Insurance, outsourcing  |
| **Accept**   | No action, monitor only    | Low-impact risks        |

### Creating a Mitigation Action

1. Open the risk detail page
2. Go to the **Mitigations** tab
3. Click **Add Mitigation**
4. Complete the form:

| Field                 | Description                     | Required |
| --------------------- | ------------------------------- | -------- |
| **Title**             | Clear action description        | Yes      |
| **Strategy**          | Avoid, Reduce, Transfer, Accept | Yes      |
| **Description**       | Detailed action steps           | Yes      |
| **Responsible Party** | Who will complete it            | Yes      |
| **Due Date**          | Deadline for completion         | Yes      |
| **Expected Outcome**  | What success looks like         | No       |

5. Click **Create Mitigation**

### Mitigation Status Workflow

```
Planned → In Progress → Completed → Verified
```

### Tracking Mitigation Progress

1. Navigate to **GR → Risks**
2. Filter by mitigations or use the dashboard
3. Review status and progress notes
4. Verify completed mitigations

### Residual Risk Assessment

After mitigations are implemented:

1. Open the risk
2. Click **New Assessment**
3. Rate the current (residual) risk with controls in place
4. Document how mitigations affected the rating
5. Continue monitoring if risk remains above tolerance

***

## Risk Monitoring

### Risk Dashboard

The GR Overview shows:

| Metric                  | Description              |
| ----------------------- | ------------------------ |
| **Total Risks**         | Count of active risks    |
| **Critical Risks**      | Risks rated critical     |
| **High Risks**          | Risks rated high         |
| **Pending Mitigations** | Actions not yet complete |

### Risk Register Views

Filter the risk register by:

* Status (Active, Mitigated, Resolved, Closed)
* Rating (Critical, High, Medium, Low)
* Category (Operational, Financial, etc.)
* Owner
* Site

### Review Cycles

Set up periodic risk reviews:

1. Navigate to **GR → Settings**
2. Configure default review frequency
3. Risks will show "Review Due" when the review period expires
4. Conduct reviews and update assessments

***

## Integration with GR Modules

### GR-03 Compliance Integration

Risks linked to compliance requirements:

* View linked risks on Requirement Detail page
* Create risks from compliance gaps
* Track compliance-related risks separately

### GR-04 Audit Integration

Risks linked to audit findings:

* View linked risks on Audit Detail page
* Create risks from high-severity findings
* Link findings that indicate systemic risk

### Viewing Linked Risks

On the Requirement Detail and Audit Detail pages:

* **Risks** tab shows all linked risks
* View risk ratings and status
* Navigate directly to risk detail
* Add new risk links

***

## Notifications & Reminders

### Automated Reminders

The system sends automatic reminders for:

| Reminder               | When Sent                | Recipients               |
| ---------------------- | ------------------------ | ------------------------ |
| **Risk Created**       | On creation              | Risk owner               |
| **High Risk Alert**    | When rated high/critical | Risk owner, admins       |
| **Review Due**         | At review interval       | Risk owner               |
| **Mitigation Due**     | 7 and 3 days before      | Responsible party        |
| **Mitigation Overdue** | When past due            | Responsible + supervisor |

### Configuring Reminders

1. Navigate to **GR → Settings**
2. Under **Risk Management**:
   * Toggle reminder types on/off
   * Adjust reminder intervals
   * Set escalation rules
3. Save settings

***

## Risk Reporting

### Available Reports

| Report                | Description                     |
| --------------------- | ------------------------------- |
| **Risk Register**     | Complete list with ratings      |
| **Risk Summary**      | High-level statistics           |
| **Mitigation Status** | Progress on all mitigations     |
| **Trend Analysis**    | Risk patterns over time         |
| **Heat Map**          | Visual likelihood/impact matrix |

### Generating Reports

1. Navigate to **GR → Risks**
2. Click **Reports**
3. Select report type
4. Choose filters (category, rating, date range)
5. Export as PDF or CSV

***

## Best Practices

### Risk Identification

1. **Encourage reporting** - Create a culture of risk awareness
2. **Regular reviews** - Conduct periodic risk assessments
3. **Learn from incidents** - Create risks from near-misses
4. **Industry awareness** - Monitor external risk sources
5. **Cross-functional input** - Include multiple perspectives

### Risk Assessment

1. **Be objective** - Use consistent criteria
2. **Document rationale** - Explain likelihood/impact ratings
3. **Consider controls** - Factor in existing mitigations
4. **Regular reassessment** - Update as conditions change
5. **Calibrate across organization** - Ensure consistent ratings

### Risk Mitigation

1. **Prioritize by rating** - Address critical risks first
2. **Set realistic timelines** - Allow adequate time
3. **Assign clear ownership** - Single responsible party
4. **Verify effectiveness** - Don't assume mitigations work
5. **Monitor residual risk** - Continue tracking after mitigation

### Common Pitfalls to Avoid

* **Incomplete descriptions**: Document risks clearly
* **Rating inflation/deflation**: Use objective criteria
* **Missing owners**: Every risk needs accountability
* **Stale assessments**: Review and update regularly
* **Unverified mitigations**: Always verify effectiveness

***

## Troubleshooting

### Common Issues

| Issue                      | Solution                             |
| -------------------------- | ------------------------------------ |
| Can't create risk          | Verify compliance officer role       |
| Risk score not calculating | Ensure likelihood and impact are set |
| Reminders not sending      | Check module settings                |
| Can't link to finding      | Ensure finding exists in GR-04       |
| Can't assign mitigation    | User must be in organization         |

### Getting Help

For technical issues:

1. Check this documentation
2. Contact your system administrator
3. Submit a support ticket

***

## Related Guides

* [Risk User Guide](./risk-user-guide.md) - For all staff
* [Audit Admin Guide](./audit-admin-guide.md) - Audit management
* [Compliance Admin Guide](./compliance-admin-guide.md) - Compliance tracking
* [GR Documentation Index](index.md) - GR module overview

***

**Need Help?** Contact your system administrator.
