Introduction
Identifying, assessing, and managing risks effectively is essential. Risks are typically identified, assessed, and documented in a risk register to facilitate proactive management and mitigation strategies. This article explains the process of documenting and tracking risks across your organisation.
You require a Staff User (Risk RW Org or Risk RW Site) permission to access, view and Add a Risk to the Risk Register Module.
Follow the steps below to add a risk to your project.
Step 1 - Add the Risk Details & Initial Risk Rating
1.Log in to the ComplyFlow App using your credentials.
2. Go to the new Dashboard, at the top left select the 
module picker > Risk Register.
3. Once you're in the Risk Register Module, at the top right select Add Risk.
4. Add a Risk Area: A Risk Area is a broad description of the Risk type, for example, Financial, Strategic, or WH&S. For more information, refer to Working with Risk Areas.
5. Select Category: A Category is a child of the Risk Area and is used to classify each Risk. Type in a category and select + Add new Category to save. For more information, refer to Risk Categories.
In the Health and Safety Risk Area, the Category corresponds to the Hazard to which you will link one or more Risks.
6. Enter Risk: Enter the name of the Risk, for example, Loading dock accidents, or falling from heights (A "Potential risk" is any event or circumstance that could potentially cause harm, loss, or negative impact to a project, organisation, or process).
Risk Examples
Risk Area | Category | Risk |
WH&S | Plant & Vehicles | Loading dock accidents |
WH&S | Working from heights | Falling |
Financial | Loans | Bad debt |
Environmental | Noise Pollution | Controlled explosions |
7. The next step is to select the Sites where the Risk is present, and Risk Owners at each site.
Selecting Sites and assigning Risk Owners in a risk register promotes systematic risk management, enhances clarity, accountability, and collaboration. Assigning a Risk Owner empowers your team to actively participate in mitigating risks and achieving project objectives.
8. After you have selected Sites & Risk Owners you will be prompted to select the Initial Risk by referencing the Likelihood and Consequence:
9. After selecting the Initial Risk, select Done.
Step 2 - Define the Risk Status & Add the Controls
After completing Step 1, you’ll be prompted to add a Controls. Controls are mechanisms or measures to manage or mitigate risks effectively. It’s possible to add several controls for each Risk.
1. Firstly, select the Risk Status:
The options available for selection are:
Not Controlled - This status indicates that the risk has been identified but no measures have been put in place to mitigate or manage it. The Initial Risk is saved as the Residual Risk rating when the Risk is saved to the Risk Register.
Partially Controlled - This status suggests that some actions have been taken to address the risk but are not fully mitigated or managed. There may be ongoing efforts to reduce the likelihood or impact of the risk, but further actions are needed.
Controlled - This status indicates that effective measures have been implemented to mitigate or manage the risk.
When creating risks for two or more sites, you'll see two radio button options:
Controls at all sites (uniform controls)
Controls vary (site-specific controls)
2. If the risk is controlled or partially controlled, you can enter details of each Control in place. For each control, fill in the following fields.
a. Control: Provide details about the measures or actions to manage or mitigate the Risk
b. Hierarchy of Control: Specify which level of control is being implemented to manage the risk, e.g. elimination, substitution, engineering controls, administrative controls, and personal protective equipment (PPE)
c. Effective Date of Control: This is the date when the control measure becomes operational or is implemented
d. Add Files: Enables users to upload up to 20 supporting documents or images per control, with a maximum total file size of 100MB
e. Mandatory Control (toggle): This indicates whether the control measure is mandatory or required by regulations, standards, or organisational policies.
You can add as many controls as needed by selecting the Add Control + button
This is how your uploaded files/photos will appear:
3. Once you've entered the required data, select Continue to save the control, record it in the system, and move on to the next page.
Step 3 - Define the Residual Risk Rating
What is Residual Risk?
The Residual Risk rating indicates the extent to which the risk has been reduced but not eliminated (i.e. after any Controls have been applied).
1. Select the Residual Risk rating from the Risk Matrix. Take note of the Initial Risk (IR). When the Risk = Controlled or Partially Controlled, the Residual Risk likelihood and consequence score should be less than the Initial Risk.
2. When you are finished, select Save Risk.
Understanding Residual Risk is crucial for decision-making and resource allocation, as it helps organisations determine whether additional measures are necessary to further reduce risk or if the remaining risk is acceptable within the organisation's risk tolerance.