Vellox Ideas Portal
A couple of suggested areas for consideration:
Risk Reviews and Controls
Under the current "risk review" process it seems that you can only review the "risk" when in affect what you should be doing is reviewing the effectiveness of controls which are associated with and managing the risk.
It would therefore be beneficial to have the ability to rate (review) each of the controls attached to a risk as independent items and apply a control effectiveness rating.
Currently you may have a number of controls associated with a risk that have varied owners yet you have to assign them all to the one risk owner which isn't practical.
The risk as its described is not likely to change but your controls and the effectiveness of those controls certainly can and will regularly change.
As some controls are more critical in there ability to prevent or contain the risk, it would also be beneficial to assign a criticality level to the control, therefore allowing a priority or importance associated with its effectiveness review.
Risk Classification
With the way the register is built there is no opportunity to classify what the risk is and its difficult to differentiate between a threat with the potential to cause the hazard release, or what the consequences of that release might be.
A suggestion might be to allow for a risk to be classified.
E.g. Classify the risk as either something which can cause harm if not controlled (a situation involving exposure to harm - or a "threat") or the outcome of the harm being released (an undesirable "consequence"). When assigning controls to the risk you can then look at whether the control is proactive and used to prevent the threat from releasing harm, or reactive and helps contain or limit the harm if it has been released.
