How to Perform a Risk Assessment

Who is this article for?

 Risk Managers responsible for managing risk assessments.

 Staff access to edit risk matrices is needed.

The risk module allows you to identify events that could cause you, your project, or the business harm and then assess these in terms of impact so that remedial action can be taken.

This article outlines how to perform a risk assessment from start to finish. This article references how to set-up certain features (e.g. How to Create and Manage Controls) and also provides links to articles designed to guide you through each process individually. 

To make performing a risk assessment easier to learn, this article is split into 12 sections so that you can either walk through the steps in sequence or you can jump to the section relevant to what you are doing in Q-Pulse Cloud:

1. Create the Risk
2. Add Controls
3. Assess the Control Effectiveness
4. Remove Ineffective Controls
5. Assign the Risk Matrix
6. Assess Inherent Risk
7. Set the Target Rating
8. Perform Treatment Plans
9. Assign Stakeholders
10. Assess Residual Risk
11. Assign Risk to a Register
12. Further Reading

---

1. Create the Risk

To create a new risk:

1. Go to Risk, then Registers.
2. Open a register.
3. Click [Create Risk].
4. Enter the required information:
   • Title: A clear and concise title for the risk.
   • Description: A meaningful description of the risk.
   • Owner: The name of the person responsible for managing the risk.

5. Click [Save].

Note: Once created, the risk record is available in the Add Risks section and is ready to be assessed. It will only move to the Risks section after an assessment has been performed.

---

2. Add Controls

To add controls to the risk:

1. Open the risk.
2. Go to the Controls
3. Type the name of the control.
4. Click [Add].

 

Remember, controls can be quick added! If a control does not already exist in Q-Pulse Cloud as a Master Control then it can be added using the search box. Simply type the name of the control and then click [Add] to add a new control.

---

3. Assess the Control Effectiveness

To assess the effectiveness of a control:

1. Open the risk record and then browse to Controls.

1. Open the control item.
2. Click the ellipsis button and then click Assess Control.

3. Perform your control assessment.

Important: Please visit How to Perform a Control Assessment for more details on performing a control assessment.

---

4. Remove Ineffective Controls

Note: To remove a control from a risk you need to delete it from the risk. The control is still part of Q-Pulse Cloud but is no longer part of this risk assessment.

To remove a control from the risk:

1. Go to the Controls tab.
2. Click the Ellipsis.
3. Click Delete.

 

4. When prompted, click [Delete].

---

5. Assign the Risk Matrix

To assign the risk matrix:

1. Open the risk record.
2. Click on the Ellipsis and click Set Matrix.

3. Select the matrix you want to use.

4. Click [Save].

---

6. Assess Inherent Risk

To assess the inherent risk:

1. Click the Ellipsis and select Inherent Risk Assessment.

2. Use the sliders to assign the inherent likelihood and severity.

3. Enter any comments and click [Next].
4. Click [Save], then [Confirm] when prompted.

Important: Once confirmed, a risk assessment cannot be edited or changed.

---

7. Set the Target Rating

The target rating represents the desired risk posed to the organisation.

To set the target rating:

1. Open the risk record.
2. Click on the Ellipsis and click Target Risk Assessment.

3. Use the sliders to assign the inherent likelihood and severity.
4. Enter any comments and click [Next].
5. Click [Save], then [Confirm] when prompted.

Important: Once confirmed, a risk assessment cannot be edited or changed.

---

8. Perform Treatment Plans

With the risk now assessed and a target assigned, the next step is to devise and implement a treatment plan that will lower the risk rating to the target.

There is no right or wrong approach to this, however some common activities include:

• Using the Issues module to raise and manage Continuous Improvements or Business Changes.
• Creating and implementing additional controls which can then be assigned to the risk.
• Engaging with stakeholders on the risk findings.

---

9. Assign Stakeholders

As part of addressing the risk and reducing the impact this will have on the project or business it is important to engage with stakeholders. Q-Pulse Cloud allows stakeholders to be added to the risk so that they are kept up to date on changes.

To assign stakeholders:

1. Go to the Stakeholders tab.
2. Begin typing the name of the stakeholder.
3. Click [Add].

---

10. Assess Residual Risk

The residual risk is the amount of risk associated remaining on an event after inherent risks have been reduced by controls.

To assess the residual risk:

1. Open the risk record.
2. Click on the Ellipsis and click Residual Risk Assessment.

3. Use the sliders to assign the inherent likelihood and severity.
4. Enter any comments and click [Next], and then [Next].
5. Confirm the treatment strategy recommended.

6. Click [Save], then [Confirm] when prompted.

---

11. Assign the Risk to a Register

To add the risk to a register:

1. Go to Risk, then Registers.
2. Open the risk register.
3. Go to the Risk
4. Type the name of the risk you would like to add.
5. Click [Add].

---

12. Further Reading

• How to Raise an Issue
• How to Use the Issues Module to Manage Risk Actions
• How to Create and Manage Controls