A risk which is marked 'confidential' may only be seen by those with a specific role on it, i.e. its author, its owner or any of the people assigned an action on it (mitigators).
RAP uses an inherited top-down security model. The permissions you are given at a particular level in the organisation hierarchy will be inherited downwards to all subordinate levels. However, the administrator can assign higher security privilege at any point in the hierarchy giving complete control over your ability to see, create or modify risks and issues.
To allow an employee to access an organisation unit which is external to their 'home' unit, permission must be granted by an administrator who has administrator privileges on both the user's organisation unit and the target organisation unit.
Administrators and coordinators can be assigned at any level in the hierarchy allowing the creation of devolved administrator groups, which reduces the workload of the root administrators, and simplifies usage of the system by developing local expert user groups.
In a standard RAP installation, there are five access levels defined. Each access level includes all the rights of the access levels below it. The levels in increasing rights order are:
Viewer – This is the lowest level of privileges in the system giving the ability to only view risks or issues.
Owner - May be assigned ownership of a risk or issue by a user with higher access but cannot actually raise one themselves.
Author – Allows the ability to raise risks or issues and to act as a risk mitigator (someone who is assigned an action on a risk/issue) in those parts of the business structure allowed by the administrator.
Coordinator – Allows the ability to modify risks/issues on which the user has no role and to view audit trail information. This role allows the business to ensure consistency of approach across the company. Some data maintenance facilities are provided by this profile.
Administrator – This profile controls the structure of the business hierarchy that is modelled by the system. An administrator can assign user privileges and carry out data maintenance activities.
Regardless of their access level, all users may maintain risks for which they are the author or the owner. They may also edit any actions assigned to them.
Each user may be given one of the above access levels to one or more nodes in the organisation unit hierarchy. Each node will automatically inherit the access rights of its parent.
The 'owner' access level is designed for those who wish to allow only a small set of users to raise risks/issues whilst still allowing a large number of users to own risks.
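The access model above (inherited top-down grants, an administrator's ability to assign a higher level lower down, the five ordered levels, the confidential flag and the rule that authors and owners may always maintain their own risks) is easier to reason about as code. The following is an added illustration written for this page; it is not RAP's own code. The hierarchy, users and grants are constructed, and two points the page does not spell out are assumptions: the effective level at a unit is taken as the highest grant on that unit or any of its ancestors, and a confidential risk is hidden from everyone without a role on it regardless of their access level.

```python
# Added illustration of the RAP access model described above; not RAP's own code.
# Assumptions (not stated by the page): the effective level at a unit is the
# highest grant on that unit or any ancestor, and a confidential risk is hidden
# from everyone without a role on it regardless of access level.
from dataclasses import dataclass, field

LEVELS = ["Viewer", "Owner", "Author", "Coordinator", "Administrator"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed organisation-unit hierarchy: child -> parent, root has parent None.
PARENT = {
    "Group": None,
    "Finance": "Group",
    "Payroll": "Finance",
    "IT": "Group",
    "Security": "IT",
}

# Constructed grants: user -> {organisation unit: access level}.
GRANTS = {
    "alice": {"Group": "Viewer", "Finance": "Author"},
    "bob": {"IT": "Coordinator"},
    "carol": {"Payroll": "Owner"},
}


def ancestors(unit):
    """Yield the unit itself, then each parent up to the root."""
    while unit is not None:
        yield unit
        unit = PARENT[unit]


def effective_level(user, unit):
    """Highest level granted on the unit or any ancestor; None means no access.

    Grants flow downwards only: a grant on Payroll says nothing about Finance.
    """
    best = None
    for node in ancestors(unit):
        level = GRANTS.get(user, {}).get(node)
        if level is not None and (best is None or RANK[level] > RANK[best]):
            best = level
    return best


@dataclass
class Risk:
    unit: str
    author: str
    owner: str
    mitigators: set = field(default_factory=set)  # users holding an action
    confidential: bool = False

    def has_role(self, user):
        return user in (self.author, self.owner) or user in self.mitigators


def can_raise(user, unit):
    """Author or above may raise a risk/issue in the unit; Owner may not."""
    level = effective_level(user, unit)
    return level is not None and RANK[level] >= RANK["Author"]


def can_view(user, risk):
    if risk.has_role(user):
        return True  # author, owner and mitigators always see their own risk
    if risk.confidential:
        return False  # assumption: the confidential flag is not bypassed by level
    return effective_level(user, risk.unit) is not None


def can_edit_action(user, risk):
    """A mitigator may edit the actions assigned to them, whatever their level."""
    return user in risk.mitigators


def can_modify(user, risk):
    """Author and owner may always maintain the risk; anyone else needs
    Coordinator or above, and must be able to see the risk at all."""
    if user in (risk.author, risk.owner):
        return True
    if not can_view(user, risk):
        return False
    level = effective_level(user, risk.unit)
    return level is not None and RANK[level] >= RANK["Coordinator"]
```

With this data, alice's Author grant on Finance is inherited by Payroll, but her Viewer grant on Group is all she holds in the IT leg; carol's Owner grant on Payroll gives her nothing on Finance and does not let her raise a risk; and a confidential risk in Security is invisible even to a coordinator for IT unless they hold a role on it.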
Keywords are a way of ensuring that risks/issues with a common aspect can be located easily without having to allow for typos or spelling mistakes.
A set of keywords may be defined at the organisation unit level with each automatically inheriting keywords from its parent.
A risk or issue may be in one of four states. These are:
The risk or issue has been created but does not yet have any actions or controls. In other words, there is no plan to mitigate it.
The risk or issue has been created and has a mitigation plan but there are outstanding actions or controls which are not yet established.
The mitigation plan has been completed but the risk or issue still remains a threat.
The risk or issue is no longer a threat.
Generally speaking, a risk or issue will progress through the states in the order shown above. However it is quite common for a risk/issue to move backwards and forwards between being In Progress and Controlled as it is reviewed and new mitigation steps are identified. It is also likely that a risk or issue will remain in the Controlled state for a significant amount of time and may never move to being Closed.
The escalation level of a risk/issue indicates how far up in the management structure of the organisation it should be flagged. This may be independent of a risk/issue's rating, as it is possible to have a low rated risk/issue which needs to be visible to higher management, or a high rated risk/issue which can easily be managed at a lower level. For example, a risk/issue might have a low rating of 5 because it has a low likelihood of 1 but still has a very high financial impact of 5.
A risk or issue may have three different scores, depending on your configuration. These are:
This is the score of the risk/issue when it was first identified. This should remain the same throughout the life of the risk/issue.
Current Score (or Inherent Risk)
This is the score at the last review of the risk/issue and should take account of the action progress and any controls which have been put in place or improved.
Target Score (or Residual Risk)
This is the score at which the risk/issue exposure becomes acceptable.
For each type of score above, a risk/issue will be assessed for the level of impact, should it occur, and the likelihood of it occurring. Multiple types of impact may be defined and the impact score will then be the highest of these. Each of the two components (impact and likelihood) is scored on a 1 to 5 scale and the overall score determined by multiplying the two components together.
For example, if a risk has a financial impact score of 4, a reputation impact of 3 and a likelihood of 2, then its overall score will be 8: the highest impact is 4, and 4 × 2 = 8.
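The scoring rules above, together with the three score types (original, current and target), as an added example written for this page rather than RAP's own code. The range check on each component is an assumption, since the page does not describe RAP's validation; the impact type names and the sample values are constructed.

```python
# Added illustration of the scoring rules described above; not RAP's own code.
# The range check is an assumption: the page does not describe RAP's validation.
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # impact and likelihood are each scored 1 to 5


def overall_score(impacts, likelihood):
    """Overall score = highest impact across the defined impact types x likelihood.

    impacts: mapping of impact type (e.g. 'financial', 'reputation') -> 1..5.
    Rejects missing or out-of-range components rather than scoring them as 0.
    """
    if not impacts:
        raise ValueError("at least one impact type must be scored")
    for name, value in impacts.items():
        if value not in SCALE:
            raise ValueError(f"impact {name!r} must be 1..5, got {value!r}")
    if likelihood not in SCALE:
        raise ValueError(f"likelihood must be 1..5, got {likelihood!r}")
    return max(impacts.values()) * likelihood


@dataclass(frozen=True)
class Assessment:
    """The three scores a risk/issue may carry."""
    original: int  # fixed when first identified; never re-scored
    current: int   # re-scored at each review
    target: int    # exposure is acceptable at or below this score

    @classmethod
    def identify(cls, impacts, likelihood, target):
        first = overall_score(impacts, likelihood)
        return cls(original=first, current=first, target=target)

    def review(self, impacts, likelihood):
        """Return the assessment after a review: only the current score moves."""
        return replace(self, current=overall_score(impacts, likelihood))

    def acceptable(self):
        return self.current <= self.target
```

Keeping the assessment immutable and routing every review through `review()` is what guarantees the original score stays fixed for the life of the risk, as the page requires; a review that lowers likelihood from 2 to 1 and reputation impact from 3 to 2 leaves the example risk at 4 × 1 = 4, which meets a target of 4.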
The RAP system is designed to model your company’s business structure as closely as possible, so that users can associate risks and issues with the most appropriate part of the business. The hierarchy employed should reflect that used within your business processes during day-to-day operations.
The top level is known as the root of the hierarchy, which may represent a single company or a group of companies, depending on your licensing agreement for RAP. The next level down within a typical company is directorates or departments. Each node of the hierarchy within the system is referred to using the generic term 'organisation unit' and can be used for any sub-division within your organisation. Consequently, whether you want to manage risks at a corporate, departmental or individual project or team level, you can use organisation units in a hierarchical manner to create the necessary structure.
The hierarchy is the central basis for access control allowing users to be given access at various levels to specific nodes of the hierarchy.
When you log in to the system a number of preferences are set which determine how the system displays results. As you move around the system it will remember the settings you use to generate risk lists. These settings will then be the default values the next time you run a risk list.
Home Organisation Unit
Each person known by this system will have a 'home' organisation unit which is typically set to the company or department which they work for.
This is used to indicate when a person is acting outside their own area. If they raise a risk in another leg of the organisation hierarchy their name will be shown as the author but with their 'home' company/department in brackets afterwards. Likewise, if someone allocates a risk to a person who is in another leg of the hierarchy the owner name will include their 'home' company/department.
The 'people' option of the action list report uses a person's 'home' company/department to generate a list of actions which belong to all the people within a given company/department.
The responsibility list shows a list of risks and issues for organisation units over which you are the manager.
The 'manager' role may be assigned by the administrator to each node of the hierarchy and applies to all organisation units including and below that point. This means that if you are the manager of several nodes within the hierarchy which are not in the same leg, you can still see all of your risks and issues in one list.
The side menu includes a list of organisation units to which you have at least viewer access. It also includes any parent organisation units which are necessary to navigate to those to which you have access. This means that some items on the menu may not actually be clicked on. The cursor will change to a hand to indicate when it is possible to click.
An arrow indicates when a menu has sub-menus.
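The responsibility list and the side menu are both computed from the organisation unit hierarchy: the list is the union of the subtrees below every node you manage, and the menu is the set of units you can access plus whatever ancestors are needed to reach them, with only the accessible ones clickable. The following is an added example written for this page, not RAP's own code; the hierarchy, grants, manager assignments and risk identifiers are all constructed.

```python
# Added illustration of the responsibility list and side menu described above;
# not RAP's own code. Hierarchy, grants, manager roles and risks are constructed.
PARENT = {
    "Group": None,
    "Finance": "Group",
    "Payroll": "Finance",
    "IT": "Group",
    "Security": "IT",
    "Helpdesk": "IT",
}

# user -> {unit: level}; access at a node is inherited by everything below it
GRANTS = {
    "grace": {"Payroll": "Viewer", "Security": "Author"},
    "heidi": {"IT": "Viewer"},
}
# user -> nodes on which the administrator assigned the 'manager' role
MANAGER_OF = {"grace": {"Payroll", "Security"}}
# (organisation unit, risk id) pairs
RISKS = [("Payroll", "R1"), ("Security", "R2"), ("Helpdesk", "R3"), ("Finance", "R4")]


def ancestors(unit):
    """Yield the unit itself, then each parent up to the root."""
    while unit is not None:
        yield unit
        unit = PARENT[unit]


def children(unit):
    return sorted(u for u, p in PARENT.items() if p == unit)


def accessible_units(user):
    """Units where the user holds at least viewer access, applying inheritance."""
    granted = GRANTS.get(user, {})
    return {u for u in PARENT if any(a in granted for a in ancestors(u))}


def responsibility_list(user):
    """Risks in every unit at or below any node the user manages; one list even
    when the managed nodes sit in different legs of the hierarchy."""
    managed_nodes = MANAGER_OF.get(user, set())
    managed = {u for u in PARENT if any(a in managed_nodes for a in ancestors(u))}
    return sorted(rid for unit, rid in RISKS if unit in managed)


def side_menu(user):
    """(unit, clickable) pairs in hierarchy order: accessible units plus the
    ancestors needed to reach them. Ancestors the user cannot access are shown
    for navigation only and are not clickable."""
    accessible = accessible_units(user)
    shown = {a for u in accessible for a in ancestors(u)}
    menu = []

    def walk(unit):
        if unit not in shown:
            return
        menu.append((unit, unit in accessible))
        for child in children(unit):
            walk(child)

    root = next(u for u, p in PARENT.items() if p is None)
    walk(root)
    return menu
```

Note what the non-clickable entries reveal: a user with access only to Payroll and Security still sees the names of Group, Finance and IT in the menu, because they are needed for navigation. Unit names are therefore visible above a user's access boundary, which is worth remembering when naming organisation units for sensitive projects.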
On any page which includes a scrolling list in the main panel the list will automatically become active each time it is refreshed. This means that you may use the wheel on your mouse, if you have one, to move up and down the list.
Output Format Requirements
To support users who need to manipulate report results further, the reporting facility can output the resulting report data in one of the two formats defined below. Depending on the method employed by your business to access the RAP application, the effect of selecting the various report format options will differ.
For detailed information relating to the operation of each option, please contact technical support staff who will be happy to assist with issues you may encounter. The report output format options are:
Standard HTML (Web page)
Standard Report Format
This format produces the report in a native HTML document format, which can be displayed on your screen and printed out using your standard browser print controls if required. The format is suitable where no further manipulation of the resulting report is required.
Microsoft Excel Format
The Microsoft Excel format has been developed to support users of “Microsoft Office 365”. This version of Excel does not fully support the open standard known as XML which is used to pass data in an application understandable form from the RAP application to MSExcel.
This option allows the raw data to be automatically transferred into MSExcel where further manipulation of the data or report format can be undertaken. However, this option does not allow the report formatting and colouring information to be transferred as well, resulting in a report representation that is less than ideal.
All pages within the system which display a list based on the selection of an organisation unit will have breadcrumb navigation shown above the list. This shows where in the hierarchy the selected organisation unit sits by displaying its parents right back up to the top of the hierarchy, plus its immediate subordinate organisation units.