History At The Risk Level
Users of OpRiskControl are able to record notes about a Risk using the Risk History form. In addition, many records are written automatically to the Risk history file as specified on the System Settings page. Apart from the history file, all changes are written to an Audit file in case forensic analysis is required.
Whenever a Risk is reviewed, a record is written to the history file showing the new likelihood, consequence and Risk rating. This will happen if either the likelihood or consequence or Risk review date is changed. The automatic record will use the current date, a history type of Risk Review, and the current Risk recorder’s name.
Required: Enter the date the comment was entered. It should default to the current date, but can be altered and back-dated (subject to organisational standards).
Required: Select the history type from the list. There are example history types already created, but if you need different history types, ask your System Administrator to set them up for you.
Optional: If there is to be a follow-up, enter the date due. This field is interrogated by the Alert Reminders program.
Required: Select the comment recorder (user who records the comment) from the User list.
Required: Enter any appropriate comment. There is space for 255 characters.
Risk Rating History
Apart from Risk Change History there is a separate page to log Risk rating changes specifically. There is a drop-down on the right to select Inherent, Residual or Target Residual rating changes with the last change at the top of the page.
The system logs any change of Inherent, Residual or Target Residual rating on the main Risk form.
The system logs any change of Residual or Target Residual rating due to Mitigation Actions, provided Residual Override is not active on the Risk.
Any Risk Status not Open and any Note that has been edited will be highlighted in yellow to draw attention to them.
The Score is determined by the System Settings Formula for Rating Score.
If your Asset Types are exactly the same as your Consequence Matrix column headings then the system will retrieve the Consequence Description for the relevant Consequence Level, else the Consequence Name only is displayed (as shown above).
As well as logging changes in Consequence at the Risk level, the system is capable of logging changes to specific areas of Consequence (i.e. columns in the Consequence Table) if Consequence Factors has been activated on any Risk.
If you are using Consequence Factors that are exactly the same as your Consequence Matrix column headings then the system will retrieve the Consequence Description for the relevant Consequence Level.
History At The Action Level
History about mitigation Actions (treatments or existing controls), can be logged with the Action that it relates to, and/or with the Risk it relates to. Select an Action from the Action grid and click the History link.
The amount of Action History which is logged (and where it is logged – on the Risk History tab, or by clicking the History link as described above, or both places) is determined by the settings on the History tab.
Note For Administrators: Select the System tab, then select System Settings and select History.