
RxLogix Corporation SOP

Risk Management

Effective Date: 11-Apr-2022

Document Number: SOP-046

Version: 2.0

Confidentiality
This document contains proprietary information. Unauthorized copying or disclosure is
prohibited.
RxLogix firmly believes in maintaining the highest principles of professional ethics and
adheres to the confidentiality agreements of the respective parties. RxLogix has demonstrated
the ability to develop quality solutions while maintaining full confidentiality.
Standard Operating Procedure SOP-046 | Status: Effective | Effective Date: 11-Apr-2022 | Version: 2.0 | Page 2 of 10
Title: Risk Management

Revision History

Version | Author | Date | Description of Change
1.0 | Srividhya Sivakumar | 16-Mar-2020 | Process document exclusively for Risk Management
2.0 | Srividhya Sivakumar | 23-Mar-2022 | Periodic revision and ported to new template

Template: RxL-TMP-SOP-001, Version 8.0; Effective 01-May-2020

A signature page is added automatically by ZenQMS at the end of the document. Therefore the page numbers shown in the document ('N') appear as N+1 when the document is printed via ZenQMS.

Table of Contents
1.0 PURPOSE (page 4)
2.0 SCOPE (page 4)
3.0 GENERAL (page 4)
3.1 DEFINITIONS (page 4)
3.2 REFERENCES (page 4)
3.3 ROLES AND RESPONSIBILITIES (page 5)
4.0 PROCEDURE (page 5)
4.1 IDENTIFICATION OF RISKS (page 6)
4.2 ASSESSMENT OF RISKS (page 7)
4.3 POTENTIAL RISK TREATMENT OPTIONS (page 8)
4.4 RESPONDING TO THE RISKS – CONTINGENCY AND MITIGATION (page 9)
4.5 MONITORING AND CONTROLLING (page 9)
5.0 TEMPLATES (page 10)

1.0 PURPOSE
Risk Management is the systematic process of identifying, assessing, monitoring and managing
potential risks in order to minimize the negative impact they may have on the organization. It includes
increasing the probability and consequences of positive events and reducing the probability and
consequences of adverse events for organizational objectives.

The purpose of this document is to ensure appropriate controls are in place by establishing a risk
management framework at organization level.

2.0 SCOPE
This process describes how risk management is structured and performed at RxLogix to ensure risks
are managed, addressed and controlled at acceptable levels. Risks in an organization cannot be
eliminated; the objective of this process is to minimize the impact of unplanned incidents by
identifying and addressing potential risks before significant negative consequences occur.

3.0 GENERAL
3.1 Definitions
See GDL-001 Glossary for the definitions of terms and abbreviations.

3.2 References
Document ID | Document Title
GDL-001 | Glossary
GDL-003 | Security Incident Guideline
QM-001 | Quality Manual
SOP-006 | Project Management
SOP-011 | Change Management
SOP-009 | Validation
SOP-021 | Software Development Lifecycle (SDLC)
SOP-022 | Document Management Plan
SOP-031 | Information Security and Administration
SOP-032 | Record Retention
SOP-035 | Fast Track Implementation
SOP-047 | Information Security Risk Management
SOP-049 | Management Review

3.3 Roles and Responsibilities

Risk Owner (usually the respective Lead/Manager within individual functions)
• Identifying, assessing and mitigating risks.
• Implementing corrective actions.
• Implementing and evaluating controls.

Risk Manager (usually the respective Function Head)
• Provide a methodology to identify and analyze the financial impact of the risk to the respective
function(s) and hence to the organization.
• Assist in the review of major contracts, proposed facilities and/or new program activities for
financial and legal implications.
• Oversee the status of risks and the actions taken to mitigate them.

Management
• Guide the organization towards positive impacts by providing the resources necessary to mitigate
risks.

4.0 Procedure
Risk Management is the formal process by which risk factors are systematically identified, assessed
and responded to. It concentrates on identifying and controlling areas or events that have the
potential to cause unwanted change.

The Risk Management workflow at RxLogix consists of the following steps:

1. Identification of Risks
2. Assessment of Risks
3. Potential Risk Treatment Options
4. Responding to the Risks – Mitigation and Contingency
5. Monitoring and Controlling

4.1 Identification of Risks:

Risks are events that, when triggered, cause problems. Risk identification can therefore start from the
source of problems, from the problem itself, or from probable problems. Risk identification provides the
foundation of risk management.

Identifying the right risks at the right time greatly aids the organization, and it is therefore important to
document each risk's characteristics. Sources of risk include, but are not limited to, the following areas:

• Requirements
• Design
• Validation
• Project Management
• Infrastructure
• Change Management
• Contracts and their implementation
• Personnel

The intent of this step is to produce a comprehensive, tailored list of future events which are uncertain
but likely to have an impact on the achievement of organizational objectives. Risks are to be identified
as part of initiation and ongoing activities around, but not limited to:

1. Release / Software Development Lifecycle Management
2. Customer Implementation
3. Hosted Services
4. Infrastructure Management
5. Contract Management
6. Project Management
7. Validation
8. Change Management
9. Human Resource engagement

Each function shall maintain a Risk Register and update it periodically with any foreseen risks as part
of the routine tasks it operates. While identifying risks, the following shall be considered:

• Thorough identification of potential risks is critical.
• It is important not to be too narrow or constrained.
• The identification process must not focus only on today's challenges; it should also consider a
diverse range of sources, including risk events that are emerging or lie in the future.
• It is important to identify the actions, scenarios, events and external agencies that may give rise
to risks.

Once a risk is identified, it is elaborated and articulated using the Risk Management Tracker template.

4.2 Assessment of Risks:

Risk assessment establishes the potential impact of each risk and its probability of occurrence. The
combination of these two factors determines the severity of the risk, which may be positive or negative.

Each function must ensure that all risks within its scope are assessed consistently. Where risks are
shared between functions, good communication is required so that all concerned stakeholders
understand the severity of the risks and work towards minimizing their impact.

The Risk Manager, together with the Risk Owner, ensures that the Severity and Probability of
Occurrence are kept up to date for each risk.

Each risk has three key parameters – Severity, Probability of Occurrence and Detectability – and these
three parameters are ascertained as below:

Severity – assesses how serious the effects would be should the potential risk occur.
Value | Description
1 | Irrelevant
2 | Slight
3 | Important
4 | Critical
5 | Disastrous

Probability of Occurrence – evaluates the frequency with which the potential risk will occur for a given
system or situation.
Value | Description
1 | An unlikely probability of occurrence
2 | A remote probability of occurrence
3 | An occasional probability of occurrence
4 | A moderate probability of occurrence
5 | A high probability of occurrence

Detectability – the likelihood that the failure is detected before its impact on the system or process
under evaluation is felt. Note that this scale runs opposite to its name: 1 is the most detectable and
5 the least, so that on all three parameters a higher score is worse.
Value | Description
1 | High degree of detectability
2 | Good detectability
3 | Likely to detect
4 | Fair detectability
5 | Low or no detectability

Risk Rating – product of Severity × Probability of Occurrence × Detectability (1 to 125).
Value Range | Description
64 - 125 | High Risk
18 - 48 | Medium Risk
1 - 12 | Low Risk
The bands are not contiguous: products between 13 and 17 and between 49 and 63 have no band
assigned in the table above.
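The scoring scheme above, worked through as an added example. This is illustration code written for this page, not RxLogix's tooling; the register entries, their scores and the field names are constructed, and the band bounds are taken verbatim from the table. Besides rating and banding a small register, it enumerates every product that three 1-to-5 scores can produce and reports those the defined bands do not cover, which is the check a Risk Manager would want before adopting the bands as-is.

```python
"""Added illustration of the SOP-046 risk-rating scheme (not RxLogix's own tooling).

Scores each register entry as Severity x Probability of Occurrence x Detectability
on the SOP's 1-5 scales, maps the product onto the bands the SOP defines, and
reports which attainable products the bands leave unmapped. Entry data is constructed.
"""
from dataclasses import dataclass
from itertools import product

# Scales as defined in section 4.2 of SOP-046.
SEVERITY = {1: "Irrelevant", 2: "Slight", 3: "Important", 4: "Critical", 5: "Disastrous"}
PROBABILITY = {1: "Unlikely", 2: "Remote", 3: "Occasional", 4: "Moderate", 5: "High"}
# Note the direction: 1 is the MOST detectable, 5 the least, so a higher score is worse.
DETECTABILITY = {1: "High degree of detectability", 2: "Good detectability",
                 3: "Likely to detect", 4: "Fair detectability", 5: "Low or no detectability"}

# Rating bands exactly as the SOP states them (inclusive bounds). They are not contiguous.
BANDS = (("Low Risk", 1, 12), ("Medium Risk", 18, 48), ("High Risk", 64, 125))
UNMAPPED = "Unmapped"


def _check(name: str, scale: dict, value: int) -> None:
    """Reject scores outside the 1-5 scale instead of silently producing a rating."""
    if value not in scale:
        raise ValueError(f"{name} must be one of {sorted(scale)}, got {value!r}")


def risk_rating(severity: int, probability: int, detectability: int) -> int:
    """Product of the three scores (1..125)."""
    _check("severity", SEVERITY, severity)
    _check("probability", PROBABILITY, probability)
    _check("detectability", DETECTABILITY, detectability)
    return severity * probability * detectability


def classify(rating: int) -> str:
    """Map a rating onto the SOP's bands; products the bands do not cover are flagged."""
    for label, low, high in BANDS:
        if low <= rating <= high:
            return label
    return UNMAPPED


def unmapped_ratings() -> list:
    """Every product of three 1-5 scores that falls outside the defined bands."""
    attainable = {s * p * d for s, p, d in product(range(1, 6), repeat=3)}
    return sorted(r for r in attainable if classify(r) == UNMAPPED)


@dataclass
class RiskEntry:
    """One row of a function's Risk Register (hypothetical field names)."""
    risk_id: str
    description: str
    severity: int
    probability: int
    detectability: int
    owner: str

    @property
    def rating(self) -> int:
        return risk_rating(self.severity, self.probability, self.detectability)

    @property
    def band(self) -> str:
        return classify(self.rating)


# Constructed sample register; the risks and scores are illustrative, not RxLogix data.
SAMPLE_REGISTER = [
    RiskEntry("R-001", "TLS certificate on hosted service expires without a renewal alert", 4, 2, 4, "Hosting Lead"),
    RiskEntry("R-002", "Key developer unavailable during release window", 3, 3, 1, "Engineering Manager"),
    RiskEntry("R-003", "Unvalidated change reaches a validated environment", 5, 2, 5, "Change Manager"),
    RiskEntry("R-004", "Loss of customer data in hosted environment", 5, 4, 4, "Infrastructure Head"),
]


def register_summary(entries: list) -> list:
    """(risk_id, rating, band) tuples, highest rating first, for review in a management meet."""
    ranked = sorted(entries, key=lambda e: e.rating, reverse=True)
    return [(e.risk_id, e.rating, e.band) for e in ranked]


if __name__ == "__main__":
    for risk_id, rating, band in register_summary(SAMPLE_REGISTER):
        print(f"{risk_id}: rating {rating:3d} -> {band}")
    print("Products with no band:", unmapped_ratings())
```

Running it shows R-003 (5 × 2 × 5 = 50) landing in the gap between Medium and High, and the enumeration reports 15, 16, 50 and 60 as the four attainable products with no band. Out-of-range scores raise rather than producing a misleading rating, which matters when a register is filled in by hand.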

4.3 Potential Risk Treatment Options:


Risk treatment is the action taken in response to the risk assessment, where it has been agreed that
additional mitigation activities are required. Risk treatment is a cyclical process where individual risk
treatments (or combinations of treatments) are assessed to determine if they are adequate to bring the
residual risk levels to a tolerable or appropriate level.

Once risks have been identified and assessed, the potential options available to treat the risk have to
be explored.

1. Risk Transfer: the affected stakeholders transfer all or part of the consequences of the risk to
another party.

2. Risk Avoidance: avoid the risk, or the circumstances that may lead to losses, by another route,
including not performing an activity that could involve risk. Avoidance may seem the answer to all risks,
but avoiding a risk also means losing the potential gain that accepting (retaining) the risk may have
allowed.

3. Risk Retention: the losses arising from a risk exposure are retained or assumed by the stakeholders
or the organization.

4. Risk Control: the risk is controlled either by avoidance or by controlling its consequences.

Selecting the most appropriate treatment requires balancing the cost and effort of implementation
against the benefit derived from the additional risk mitigation. In some cases further treatment may be
unachievable or unaffordable, and the residual risk may need to be accepted and communicated. The Risk
Owner may wish to consider how stakeholders can provide support when developing treatment options,
or whether treatments can be implemented collaboratively. The identified action is recorded in the Risk
Register together with the Contingency and Mitigation actions, their Owners and Target dates. These
registers shall be reviewed periodically and discussed in Management Meets as appropriate.

4.4 Responding to the Risks – Contingency and Mitigation

Each identified risk needs a well-defined mitigation plan and contingency plan.

Mitigation – the mitigation plan is the set of activities carried out so that the probability of the risk
occurring is greatly reduced. Mitigation is a proactive approach.

Contingency Plan – the contingency plan is the set of activities that, when carried out, control the
business impact and consequences to a great extent. A contingency plan does not change the severity or
probability of occurrence of the risk. Contingency is a reactive approach.

4.5 Monitoring and Controlling:


Monitoring and controlling are integral to successful risk management and hence it is important to
conduct monitoring and review activities.

This step is about implementing risk response plans, tracking identified risks, monitoring residual risks,
identifying new risk, and evaluating risk tracking effectiveness.

Key objectives of risk monitoring and review include:

• detecting changes in the internal and external environment, including evolving organizational
objectives and strategies

• ensuring the continued effectiveness and relevance of controls and the implementation of treatment
programs

• obtaining further information to improve the understanding and management of already identified risks

• identifying new or emerging risks

• analyzing and learning lessons from events, including near-misses, successes and failures

Monitoring and review can be both periodic and based upon trigger events or changing circumstances.
The frequency of the review process should be in line with the rate at which the risk entity and the
associated operating environment is changing.

Monitoring of risks is also taken up in regular meets such as stand-up meets, Steering Committee
meetings and Management Reviews.

The results and observations from monitoring and review are most useful when well documented and
shared. They may be included in formal risk reports, recorded, and published internally and externally
as appropriate, and should also be used as an input to reviews of the whole risk management framework.

Ultimately, the considered and informed acceptance of risk supports better decision making and is
essential to the performance and achievement of objectives, both at function level and at organization
level.

5.0 Templates

Below listed controlled templates shall be utilized with respect to Risk Management:

Template ID Template Name


RxL-TMP-RM-001 RAID Log
Category: SOP
Title: SOP-046 Risk Management

Version | State | Effective Date | Document ID
02 | Approved | 11-APR-2022 | 329854
Printed by kapil.wadhwa@rxlogix.com from app.zenqms.com on 27-Mar-2022 at 11:03:25 AM UTC

REVISION HISTORY
Version 01, effective on 30-Mar-2020: v1.0
Version 02, effective on 11-Apr-2022: periodic revision and ported to new template

DOCUMENT ELECTRONIC SIGNATURES

DOCUMENT APPROVAL WORKFLOW

Author Approval
Srividhya Sivakumar, Associate Director (srividhya.sivakumar@rxlogix.com) – "I am the author of this document." Signed 9:31:41 AM UTC 23-Mar-2022

Required Workflow Steps for this Category
Srividhya Sivakumar, Author, Associate Director (srividhya.sivakumar@rxlogix.com) – "I am the author of this document." Signed 9:32:13 AM UTC 23-Mar-2022
Vandeep Singh Sahni, Approver, Director, Professional Services (vandeep.sahni@rxlogix.com) – "I have reviewed and approve this document." Signed 9:45:16 AM UTC 23-Mar-2022
Archik Jindal, Approver, Associate Director (archik.jindal@rxlogix.com) – "I have reviewed and approve this document." Signed 12:02:52 PM UTC 23-Mar-2022

Additional Steps Added
Jayashree Acharya, Senior Director, Quality (jayashree.acharya@rxlogix.com) – "I have reviewed and approve this document." Signed 1:21:24 PM UTC 23-Mar-2022
