
Axes of consequence

Once a risk has been registered, it must be evaluated. A risk is first evaluated according to probability, then according to selected types of consequences:

  • HSE

  • Environment

  • Quality/process

  • Information security

  • Personal data

  • Preparedness/emergencies.

NEW evaluation / RE evaluation

Once a risk has been defined, it can be evaluated in several places in the organization by making a NEW evaluation several times and selecting a different department in the org.list each time. The same risk can be evaluated against different processes, different departments / locations, or different Assets (e.g. software).

Outcome

When the same risk is evaluated against different areas of the business, we call these different outcomes. In other words, one and the same risk is evaluated through several NEW evaluations, each with a different outcome.

NB! For each new outcome of a risk, a NEW evaluation must therefore be made. The outcome is tagged during evaluation under the heading "Connection", and it must be unique compared to other outcomes. After that, each outcome must only be RE evaluated, without any changes to the Connection fields. So, if you need to evaluate an outcome that has already been evaluated, you must RE evaluate this risk (not make a NEW evaluation), as this picture illustrates:

A NEW evaluation uses the plus icon and RE evaluation uses the "repeat" icon. When doing RE evaluations, you will build up a history of this outcome for probability and consequence and be able to see graphs of the development of the risk outcome. In addition, you will be able to see all measures that have been implemented over time and what effect these have had.

An outcome can therefore be based on different organizations as shown in the image above, but also different processes, suppliers, context, assets and several other data types in the system.

If you receive an e-mail with a reminder that you must "reassess" or "reevaluate" a risk, this means that you must RE evaluate the outcome in question and so build up the history for this particular outcome.

Risk reduction / realize opportunities in case of residual risk

If you do NOT accept a residual risk during evaluation, the system requires you to reduce the risk / take advantage of the opportunity in one (or both) of these two ways:

  • Create actions to reduce risks and realize opportunities.

  • Refer to security measures/barriers that are in place to prevent the risk.
