1. Install the SoftComply Risk Manager (from hereon, Risk Manager) from the Atlassian Marketplace to your JIRA Cloud instance. This step may require JIRA administration permission.
2. After the successful installation, open the “Risk Manager” drop-down menu and start creating a new risk management project from the top navigation bar (see next step).
3. The creation of the new risk management consists of these three steps:
3.1. Fill in the name of the project, the project key and the project lead;
3.2. Select a suitable risk matrix from the matrix templates (the matrix can be customized later, if necessary);
3.3. Select a suitable risk management table template and click “Submit”.
Success! You have just created a new risk management project and you can now start managing risks in your projects.
Here is a short video tutorial guiding you through these steps – SoftComply Risk Manager Quick Start Guide:
1. For a quick start, you can import risks to your newly created risk management project by using all the available import options that JIRA provides. For detailed import guide of your existing risks, please look here.
2. Customize the risk matrix according to your severity and probability levels, and assign the risk class values in the matrix cells.
3. You can navigate by using the left panel options: “Risk Management” (the table), “Risk Matrix” (initial and residual risk matrices) and “Reports” (Risk Management Plan and Risk Management Report).
4. Enter your product risks and the related information in the risk management table by filling in the table cells.
5. Link mitigation actions and verification actions by starting to type the JIRA issue number or summary into the corresponding cells, and then selecting the required issue.
6. Customize the table (add, remove, edit columns) according to your needs by hovering over the table headers and selecting the options required.
7. Filter and/or export the table content if necessary.
To manage risks you first need to create a special type of project to JIRA. This can be done only by using the “New Risk Management project” menu item from the Risk Manager drop-down menu. The SoftComply Risk Manager knows whether it is a risk management project or any other project you have created to your JIRA instance. Only risk management projects can have access to the features of the SoftComply Risk Manager. In other words, in order to manage your product risks you first need to create a new risk management project.
After starting the risk management project from the Risk Manager wizard → Create “New Risk Management Project”, follow these steps:
1. The first step requires you to enter the project name, the project key and the project lead. These fields are the JIRA standard fields that are required while creating a new project.
Regarding the “Inherit Permission, Notification and Issue Security Level Scheme from the following Risk Project” checkbox: If you have a specific project configuration set up in an earlier project, you can inherit those schemes by checking the checkbox and selecting the suitable earlier project. It can make your JIRA administrator’s life much easier and you can use the same configuration in your next risk management projects as well! You can inherit only permission, notification and issue security schemes but not the entire configurations. There are some restrictions in JIRA Cloud, thus you cannot inherit workflow schemes, screen schemes or anything else that is not listed as inheritable.
If you do not choose to inherit any configuration, the default ones will be used. After project creation you should configure your project according to your needs by following JIRA administration guide.
2. The second step in the wizard is the selection of a risk management matrix template. There are several of the most frequently used matrix layouts to choose from, as a starting point. You can, if you need to, customize your risk matrix after you have finished the project creation. Thus, to accelerate your risk management project setup, choose a matrix layout that is as close to your needs as possible to minimize customization effort later on.
3. Last step of creating a new risk management project is the selection of a risk management table template. Various templates are proposed with different table layouts (columns). You can customize the table layout after finishing your project creation. During customization you can Add/Remove new columns (additional new columns) and Edit column names (all columns).
Be aware that the columns that are inherited from the table template will be the default columns that cannot be deleted later. Only columns that you add can be removed by you. Also, you can only add columns with text values. Thus you cannot add columns for links, for example. In other words, choose a table template that is closest to your needs and configure the rest of the table as you work on the risk assessment.
Risk matrix is fully configurable. You can:
a) Add/Remove severity levels and their descriptions;
b) Add/Remove probability levels and their descriptions;
c) Add/Remove risk class values;
d) Change risk class values in the matrix.
Have a look at the short video tutorial below for Risk Matrix customization options:
To access the previously mentioned actions just hover over severity, probability or risk class fields and you should see the hover menu with available action buttons. It is important to be aware that if you remove a severity or a probability value, the risks that had the value assigned to them will automatically get the value of “unassigned”. Thus, you have to re-evaluate those risks later on. In order to avoid this, it is best to configure your matrix before filling in your data to the risk management table!
Configuring the risk table is the most important part of setting up your risk management project properly. Since each person responsible for risk management has their own way to approach risk management, it is best to use the risk terminology that is accepted and used in your company. The predefined templates are also a good option to start with if you have not yet created your own tailored approach. The columns/terms that are used there are same as in ISO 14971. Thus, it is highly recommended to use one of our templates especially when you are working in a medical domain.
Below is a short video tutorial on SoftComply Risk Manager table customization options:
In order to change the table layout you have the following options:
1. Rename the column names and descriptions. This applies to all columns;
2. Add/Remove new columns. Only free text columns can be created. Note!: You cannot delete a column that is created by the template, thus you can remove only columns that you have added yourself;
3. Hide columns. All columns available can be hidden to give a better overview of the table according to your needs.
4. Change the column order. You can change the order of the columns in your risk management table by clicking on the right/left arrows in the floating menu that appears when you hover over the column header.
5. Resize the column width. You can easily resize the width of each column by dragging the triangles on the headers of each column to expand or decrease the column width.
You can access those actions by clicking on the menu that opens while hovering over the table header.
The SoftComply Risk Manager is a tool to make risk management process easy to implement in your organization. Risk management is done by simply managing your risks in a table. Adding, removing, and linking risks to provide full traceability is now easier than ever!
The main tool for successful risk management is the risk management table. In the following sections you will learn how to get most out of its features.
To add a new risk(s) there are three options:
1. Manually add risks by using the table’s first row; or
2. Clone risks from previous row; or
3. Import risks from another system or project.
To add new risks click on “+ Add Risk” button above the table. This creates a top row of the table with empty values. Fill in the necessary column values and click on “Confirm” button that is found on the floating menu or press “Enter” on keyboard to save the risk.
Risk Cloning is a useful feature if you have more than one risk with the same Hazard, Hazardous Situation, etc. Often one Hazard can occur in different Hazardous Situations and can thereafter cause different Harms. Thus, by entering risks to the table, it would be convenient to copy all the values up to a certain cell, and then start filling in the rest of the necessary fields.
In order to do this, use the “Clone” feature. You can access the “Clone” feature from the floating menu. Be aware that it is important to select the “Clone” feature from the correct cell – the cell where you choose the “Clone” feature will be the last of the copied cells in the new risk management row that is created!
To edit a risk in the table, you have two options:
1. First, by clicking a row that you would like to edit, makes the risk editable. Another click somewhere else in a table saves the changes you made and makes another risk (row) editable. If you have finished making changes, select “Confirm” on the floating menu;
2. Second, by selecting “Edit” action from the floating menu.
You can also use keyboard shortcuts in the risk management table: to edit a risk, click on the cell you wish to edit. To save entered text in a cell, press “Enter”; to delete entered text in a cell that you added, press “Escape”. For saving a selected “Severity” or “Probability”, double-click “Enter” after selecting the desired level.
To delete or remove a risk from the table, select the correct risk from the table by hovering on it with a cursor. Then click on the “Delete” button of the floating menu. The risk itself will not be deleted! It will be changed from “Open” status of JIRA issue workflow to the “Done” state. Thus, there is always an option to undo the delete action by opening the JIRA issue view and manually changing the issue status back to “Open”.
In addition to manually entering risks to a table, you can also import risks from another system. If you have not yet added any risks to your project, then quick links to risk/issue import are available. If you choose to import risks from other systems (e.g. csv file, excel, other issue management systems) follow the instructions for this that JIRA provides. You can also follow our detailed guidelines to import your existing risks to the SoftComply Risk Manager.
Assignment of risk classes (e.g. High, Medium, Low, TBD) is done automatically according to the risk matrix configuration after you have defined the values of severity and probability of the risk under assessment. The risk class of each risk under investigation will be assigned to each risk automatically based on the value of severity and probability of that risk. Risk class is defined in the risk matrix. Risk class cannot be assigned automatically to risks prior to defining the risk classes by setting the values of severity and probability. Until that time, the value of a risk class will remain “TBD” (To Be Determined).
According to the risk management process, each risk has two values of risk class assigned: initial risk class, and the final (residual) risk class after the mitigation has been completed. Thus, there are two values of severity and probability and two values of risk class columns on the risk management table corresponding to initial and residual risks.
The first column of the risk management table is called “Risk” and it provides a visual indicator of the initial and residual risk class values. E.g. if your initial risk class was High and you mitigated it to Low, then you should see a Red dot and a Green dot. This field provides a quick visualization of the risk mitigation results. The uncolored dot depicts a risk to which a risk class has not yet been assigned.
Risk mitigation can be done by assigning mitigation actions to your risks. The mitigation actions can be activities or procedures that mitigate the risk and lower the risk class. There are 2 columns that describe the mitigation actions:
1. Mitigation Action (free text field), and
2. Mitigation Links (link to another (external) issue/software item).
Mitigation actions can be defined either by entering a description to the column “Mitigation Action” or by linking another issue to the risk. Mitigation actions can be issues from other projects, thus you can link requirements or other development issues to the risk under mitigation. To link issues, start typing either an Issue key or Summary of the issue you would like to link to. The autocomplete text field will suggest you the issues it finds based on the text that you entered.
NB!: The recommended use of mitigation actions is as follows:
1. There should be at least 2 separate projects: one for the risk management and another where you manage other product development issues (like development tasks, requirements and alike that might be mitigation actions).
2. Link the mitigation action from the development project to your risk via “Mitigation Links” column.
If you have no mitigation action defined yet, but you would like to create it during risk management project, then use “+” button in the Mitigation Links column. This will open a “Create new issue” popup window in JIRA and you can create a new mitigation action to any project you have access to. After creating an issue by using this feature, the SoftComply Risk Manager automatically adds a link between the issue you created and the risk you were processing at that moment. Thus, you can add new risk mitigation actions and move on with your risk management from the same place you were at before.
NB!: In the risk management table you can see the mitigation action issue key, issue summary and issue status. In this way, it is easy to assess at a glance if actions are done, in progress, or still on the to do list.
Verifying mitigation actions is similar to mitigating risks with regard to the features of the SoftComply Risk Manager. There is always an option to add verification actions manually as a free text to column called “Verification Action” and linking the verification actions to the risk mitigation action (to verify that the risk mitigation action works as intended).
Linking verification actions (e.g. testing activities from another JIRA project) is similar to linking mitigation actions. It is best to start by typing the issue key or summary to autocomplete the text field and then pick the issue from the drop-down list of suggested issues.
By clicking on a “+” button on the right side of the “Verification Action” column, it is possible to create a new verification action in the risk management project. The created verification action will then automatically be linked to the risk.
NB!: In the risk management table you can see the verification action issue key, the issue summary and the issue status. In this way, it is easy to assess if the verification actions are done, in progress, or still on the to do list.
After mitigating risks, the final risk assessment should be conducted by assigning final severity and probability values. Thereafter, the final risk class will be assigned and it is possible to see the residual risks. To see the initial and the residual risks click on the “Risk Matrix” icon on the left menu and open the Risk Matrix view.
In this view there are two risk matrices: the initial and the residual one. The matrices can be exported or printed by selecting the suitable action from the top-right corner of the page. It is possible to export the matrices to PDF, DOCX and PNG format. After exporting the matrices, you can save the file as a snapshot of that moment in time.
It is also easy to visualize the effectiveness of your risk mitigation actions by looking at the first column of your risk management table. The colored dots depict the values of the initial and the residual risk class of each risk. Thus, in a perfect world you wish to see primarily green dots on the right of the small arrow.
The SoftComply Risk Manager provides two report templates (Risk Management Plan and Risk Management Report) in addition to the export feature for both the risk management table and the matrices.
The Risk Management Plan is based on the requirements of ISO 14971 giving an overview of all the planned activities of risk management. The Risk Management Report is a document that describes the results of the Risk Management activities. Both reports can be accessed either from the Risk Manager drop down menu or from the “Reports” section of JIRA sidebar.
Both the Risk Management Plan and the Risk Management Report include guidelines on how to fill in your project specific data. The Risk Management Plan automatically includes the data that you defined at the start of your risk management project, including the risk classes and their acceptance criteria; risk matrix configuration; the severity; and the probability values. The Risk Management Report automatically includes the initial and the residual risk matrices.
Depending on the risk management table template, there are at most 3 columns that have links to other issues:
1. Mitigation Links;
2. Verification Links;
The “Mitigation Links” and the “Verification Links” columns can be used to assign a link of an issue (mitigation action or verification action) to each risk or to create a link to a new issue (new mitigation action or new verification action).
The “Traceability” column provides an overview of all the links that are connected to each risk, including the links to other risks that the mitigation action(s) may have introduced.
Thus, the “Traceability” column provides an overview of all the links while the “Mitigation Links” and the “Verification Links” columns can be used to link other issues to a risk.
In the “Traceability” column you can see all the links related to one risk, including the following Risk Manager link types:
a. “is mitigated by” – link type describes connection between a mitigation action and a risk, e.g. risk is mitigated by some software development project issue;
b. “is verified by” – link type describes connection between a verification action and a mitigation action, e.g. a mitigation action is verified by some verification action or test case;
c. “is caused by” – link type describes that this Hazard has been caused by another issue, e.g. some mitigation actions can cause new hazards to appear in the project;
d. all other available JIRA link types that can be used as needed, e.g. link types like “is blocked” , “duplicate” , etc.
You can create a new mitigation action or a verification issue while describing a new risk. To do that, just use “+” button on the right edge of the “Mitigation Links” or the “Verification Links” column in edit mode.
Clicking the “+” button will open a “Create new issue” window. After submitting the new issue, the link between issue and risk will be automatically added and it will be visible in the table as well. In this way, you can continue managing risks and post some new issues to other projects at the same time.
The content of the risk management table can be filtered to allow an overview of any particular set of data. Each column that allows filtering has a small filter icon just below the column title.
If the filter is applied, a corresponding icon becomes visible. To remove the filter, just click on the remove filter icon.
NB!: If you apply filters and try to export the risk management table, then only the visible content will be exported. Thus, if you need to export the entire table, you must first remove all the filters.
The risk management table can be customized as follows:
1. Rename column titles that were assigned by the template;
2. Add or remove new custom columns (only free text columns);
3. Hide any column;
4. Columns that were assigned by the template cannot be deleted. They can only be renamed.
All actions that were described above can be performed by hovering the cursor over the table header and selecting the required action from the floating menu.
The risk management matrix can be customized as follows:
1. Edit Severity or Probability values.
1.1. Add a new value;
1.2. Edit the existing value name and description;
1.3. Remove a value.
2. Add or Remove Risk Classes
2.1. Add a new Risk Class;
2.2. Edit the name of a Risk Class;
2.3. Remove a Risk Class.
3. Assign risk classes to specific Severity-Probability combination in the Risk Matrix
3.1. Each cell in the Risk Matrix must have a Risk Class value assigned to it.
All the listed actions can be found in the floating menus that appear if the cursor is hovered over the Severity or Probability values in the matrix.
In order to demonstrate a compliant risk management process, you may have to report as required by regulations. These reports are provided by the SoftComply Risk Manager:
1. Risk Management Plan, and
2. Risk Management Report.
Reports can be accessed from the top navigation bar menu item “Risk Manager” → “Risk Management Plan” or “Risk Management Report”. They are also available from the “Reports” section of JIRA left sidebar.
Both reports are pre-filled templates with guidelines and available data configuration or risk project data contained in them. You can export these reports and edit their content as needed in your organization.
NB!: The blue coloured text provides the guidelines and should be removed from the final version of your document. The square brackets [ ] display the suggested content that you should input. The red coloured text provides you with additional information in the case where you want to comply with IEC 62304 requirements.
NB!: Reports are project specific.
To import existing risks into the SoftComply Risk Manager, please review the importing guidelines.
In the SoftComply Risk Manager each row of the risk table is a separate issue in the project. Thus, if you try to import new risks by using JIRA import features, this constraint should be considered. During import, please note one important aspect – the Summary field in JIRA is mandatory. If you enter a new risk manually to the risk management table, then the ‘Summary’ field will be the same as the ‘Hazard’. If you choose to import, you can import any value to the ‘Summary’ field, but it will not be displayed in the table. In order to successfully import your data to the table, please import ‘Hazard’ value to the ‘Summary’ field and also to the ‘Hazard’ field.
The risk management table cannot be sorted by the user. Sorting is done automatically. The sorting algorithm starts from the “Hazard” column, which it sorts alphabetically. Next, each hazard value is sorted alphabetically based on the “Hazardous Situation”. Thereafter, each “Hazardous Situation” is sorted by the “Harm” and so on. In this way, it provides an easy to read structure for the risk management table. Identical content in subsequent rows is displayed in light gray, indicating grouped items. This approach hides repetitive information and emphasizes the unique information. In order to limit the number of rows in the table, you can always use filtering.
Each market sector has its own rules and best practices for risk management. The SoftComply Risk Manager is based on the ISO 14971 – risk management for Medical Devices.
Regardless of the sector you are in, the approach described in ISO 14971 can be applied to any safety critical domain. In addition, the SoftComply Risk Manager provides many customization features to enable the user to modify the risk management table to other safety critical domains and risk assessment approaches.
Typically there are two approaches to risk management: “bottom-up” and “top-down”, generally referred to as “xFMEA”/”xFMECA” and “Hazards Analysis”, respectively. They are intended to be complementary, not exclusive.
Using both approaches increases the probability that you will capture all potential risks associated to your system. It is important to remember that the different approaches need to be aligned and consistent, e.g. the same harm should have the same severity level, etc.
“FMEA” stands for Failure Mode and Effects Analysis. The “x” is a placeholder that is replaced by a letter that indicates the area of the product the FMEA is applied to, e.g. DFMEA for Design, PFMEA for Process (manufacturing process), HFMEA for Human Factors, etc.
The “bottom-up” approach refers to the fact that typically on the left side of the table, where the analysis starts, you list components and sub-components of your system, what their function is and how they can fail.
Example: your system contains a bolt; its function is to keep two components together. The “failure mode” of this bolt is that it fails to keep these two components together; the two components can become loose or even fall apart. The effect will depend on the actual purpose of your device. The cause could be that the bolt is under designed or that it is not tightened, or other causes. Risk mitigation actions could be to use a safety factor when you design your bolt and/or to define a minimum tightening torque during assembly.
Hazards Analysis is a “top-down” approach, meaning that you start (on the left side of the table) with high level, system wide hazards that can be posed by your device. ISO 14971 provides a list of example Hazards that you can use as a starting point. You can also perform a functional analysis of your device and determine how it can fail to provide its functions.
Example: pick “Heat”. The Hazard is that some surfaces of your device can overheat (or in case they can get too cold then freezing is the hazard). One Hazardous Situation is that someone can get in contact with these surfaces, resulting in burns (harm) of different severity. Potential causes could be that some internal electrical or mechanical components overheat. Risk mitigation actions will depend on the actual architecture of the system.
We recommend having separate projects for software development and risk management. If necessary there can be a separate project also for verification activities and testing.
The following set up allows your risk management table to be used to group mitigation actions from the development project(s) and verification actions from the verification projects. Different actions that link to risks provide the necessary division and flexibility in the projects and in the reporting that you may need later. If you prefer to group all issues from different projects together, use JIRA Agile boards or queries.
In the case where you need a snapshot of the risk management table or of the risk matrices, use the export feature and store the exported files to your file storage or Confluence.
It is possible to get a full audit trail of the Risk project and its risks from JIRA by exporting issues and their Activity Logs. Follow the JIRA documentation to do this.
It is possible to import new risks to risk projects from other systems. If you have not yet added any issue to your project, then quick links to risk/issue import are available. If you choose to import risks from other systems (e.g. csv file, excel, other issue management systems), please follow the instructions outlined here.