How to Create an Organisational Risk Register with SoftComply Risk Manager?

Abstract

The aim of this blog post is to guide you through the creation of an organisation-wide Risk Register with SoftComply Risk Manager. This Risk Register supports risk management across your organisation by providing your team members with a list of the risks that apply to a specific product or project.

To achieve that, we will first create one “Risk Register” project that contains all the risks of your organisation. The purpose of the Risk Register project is to manage the mapping between all the risks in the organisation (the risk register) and the project-specific risks of individual products/projects. Next, we’ll add the logic that clones the risks of the risk register into the specific risk projects and keeps the data up to date based on that mapping. From then on, every time you add a risk to the risk register and apply it to a specific product, the risks in the specific risk projects are updated automatically at the same time!

How to create a risk register & map specific risks to certain projects

Prerequisites:

You will need Jira Administration permissions, and the CPrime Powerscript app or a similar scripting app (e.g. Adaptavist Scriptrunner) must be installed on your Jira server.

  1. Create a separate risk project just for the Risk Register (RR). In this project you will keep all the risks that you will later map to the risk issues of a specific project/product/component.

  2. Create as many risk projects as you need in order to manage your system/product/service risks. Each of these projects will have its own risks, its own risk model and own mitigation/verification actions. You can push the risks from the Risk Register project to these projects automatically without having to add them manually.
  3. Add a new multiple choice select list field to your Risk Register project to describe the relationship between the Risk Register risks and the specific products/projects. This way you can easily map which RR risks are applied to a specific product.
  4. Optional: Create a new issue link type to illustrate the relationship between the RR risks and the product specific risks. Map this newly created link type to your RR table.
  5. Create two new SIL script files: one script for handling how the new product specific risks are created (i.e. cloning of the RR risk to the product specific risk project) and another script for updating the existing risks (if RR risk changes, the changes are also applied to the product specific cloned risk).

    To check out and use the two SIL script files that we created, please see the code in SoftComply’s Knowledge Base.

  6. Create two event listeners. The first one listens only to the “Issue Created” event and the second one only to the “Issue Updated” event. Each uses the corresponding SIL script from the previous step.

  7. Optional: If you’d like to know when the RR risk is updated and when this update is applied to your product specific risk, you should customise your workflow and transition the issue always to a specific state e.g. “Needs review” or “Updated” after the update.
  8. Start using your Risk Register and enjoy being efficient with SoftComply Risk Manager on Jira!
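
The logic behind steps 5 and 6, modelled in Python as an added example. This is not SoftComply's SIL code (that is in their Knowledge Base) and not a Jira API. The RR project key, the in-memory Jira class, the synced fields and the handling of products selected after creation are assumptions made for illustration.

```python
from dataclasses import dataclass, field

RR_PROJECT = "RR"              # assumed key of the Risk Register project
UPDATED_STATUS = "RR Updated"  # review status used in the post's SYS1 workflow

@dataclass
class Risk:
    key: str
    summary: str
    description: str = ""
    products: list = field(default_factory=list)  # RR only: Product multi-select
    status: str = "Open"
    links: dict = field(default_factory=dict)     # RR: project key -> clone key

class Jira:
    """Constructed in-memory stand-in for the Jira projects, not a Jira API."""
    def __init__(self):
        self.issues, self.counters = {}, {}

    def create(self, project, summary, description="", products=()):
        n = self.counters[project] = self.counters.get(project, 0) + 1
        issue = Risk(f"{project}-{n}", summary, description, list(products))
        self.issues[issue.key] = issue
        return issue

def on_issue_created(jira, rr):
    """Listener 1: clone an RR risk into every project selected in Product."""
    if not rr.key.startswith(RR_PROJECT + "-"):
        return []                      # ignore events from the product projects
    for project in rr.products:
        if project not in rr.links:    # idempotent: one clone per project
            clone = jira.create(project, rr.summary, rr.description)
            rr.links[project] = clone.key
    return sorted(rr.links.values())

def on_issue_updated(jira, rr):
    """Listener 2: push RR changes to the clones and flag them for review."""
    if not rr.key.startswith(RR_PROJECT + "-"):
        return []                      # a clone changing must not loop back
    changed = []
    for clone_key in rr.links.values():
        clone = jira.issues[clone_key]
        if (clone.summary, clone.description) != (rr.summary, rr.description):
            clone.summary, clone.description = rr.summary, rr.description
            clone.status = UPDATED_STATUS
            changed.append(clone_key)
    on_issue_created(jira, rr)         # products selected later get a clone too
    return changed
```

Both listeners fire for every project, so the project check at the top of each handler is what keeps an update written to a clone from triggering another round of syncing.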

Example of how to create a risk register

We have a Risk Register project with two new columns at the beginning of the table: Product and Related Risks. The first column is a multi-select field, and the second one is an issue link:

 

The Product field has three options here: SYS1, SYS2, SYS3 as seen from the image below.

These options reflect the product-specific risk project keys. For example, the risk project with the project key SYS1 contains the risks specific to System 1.

The SYS1 project has the following view now:

 

In the image above you can see that we have added one additional column to the beginning of the table – Status. That column reflects the issue status in the risk workflow. More on how to do that at: How to display the Status of a Risk Issue in the SoftComply Risk Table? and How to automatically update the status of a Risk when it has been modified/updated?

As described before, we have also added a special link type to describe the relationship between the Risk Register risk and the product-specific risk:

 

We have also changed the workflow of the project SYS1. Whenever the Risk Register sends updates to the risks of a product-specific project such as SYS1, those risks are always transitioned to the status “RR Updated”.

This allows us to easily see when something has been updated and needs to be reviewed. For more information on how to update risk workflows, please read more at: How to customise SoftComply Risk Project’s workflow?

Finally, the two scripts you have added to the SIL Manager should also be used in the SIL listeners.

From the image below you can see that the first and the third listeners are published on this page. The other three are not relevant for this exercise:

 

For more tricks & tips on using SoftComply Risk Manager together with the powerful scripting apps on Jira, please see other how-to articles at SoftComply’s Knowledge Base.

 

 

 
