Risk Management
Version: 2.0
Confidentiality
This document contains proprietary information. Unauthorized copying or disclosure is
prohibited.
RxLogix firmly believes in maintaining the highest principles of professional ethics and
adheres to the confidentiality agreements of the respective parties. RxLogix has demonstrated
the ability to develop quality solutions while maintaining full confidentiality.
Document Number: Standard Operating Procedure SOP-046
Status: Effective
Effective Date: 11-Apr-2022
Version Number: 2.0
Page No: 2 of 10
Title: Risk Management
Revision History
Version 2.0 | Author: Srividhya Sivakumar | Date: 23-Mar-2022 | Periodic revision and ported to new template
A Signature page is added automatically by ZenQMS at the end of the document. Therefore, the page numbers of the document ("N" page numbers) will appear as N+1 when printed via ZenQMS.
Table of Contents
1.0 PURPOSE (page 4)
2.0 SCOPE (page 4)
3.0 GENERAL (page 4)
3.1 DEFINITIONS (page 4)
3.2 REFERENCES (page 4)
3.3 ROLES AND RESPONSIBILITIES (page 5)
4.0 PROCEDURE (page 5)
4.1 IDENTIFICATION OF RISKS (page 6)
4.2 ASSESSMENT OF RISKS (page 7)
4.3 POTENTIAL RISK TREATMENT OPTIONS (page 8)
4.4 RESPONDING TO THE RISKS – CONTINGENCY AND MITIGATION (page 9)
4.5 MONITORING AND CONTROLLING (page 9)
5.0 TEMPLATES (page 10)
1.0 PURPOSE
Risk Management is defined as the systematic process of identifying, monitoring and managing potential risks in order to minimize the negative impact they may have on an organization. It includes maximizing the probability and consequences of positive events and minimizing the probability and consequences of adverse events to organizational objectives.
The purpose of this document is to ensure appropriate controls are in place by establishing a risk management framework at organization level.
2.0 SCOPE
This process describes how risk management is structured and performed at RxLogix to ensure risks
are being managed, addressed and controlled at acceptable levels. While risks in an organization
cannot be eliminated, the objective of this process is to minimize the impact of unplanned incidents by
identifying and addressing potential risks before significant negative consequences occur.
3.0 GENERAL
3.1 Definitions
See GDL-001 Glossary for the definitions of terms and abbreviations.
3.2 References
Document ID | Document Title
GDL-001 | Glossary
GDL-003 | Security Incident Guideline
QM-001 | Quality Manual
SOP-006 | Project Management
SOP-011 | Change Management
SOP-009 | Validation
SOP-021 | Software Development Lifecycle (SDLC)
SOP-022 | Document Management Plan
SOP-031 | Information Security and Administration
SOP-032 | Record Retention
SOP-035 | Fast Track Implementation
SOP-047 | Information Security Risk Management
SOP-049 | Management Review
3.3 Roles and Responsibilities
Role: Risk Owner
This is usually the respective Lead/Manager within individual functions.
Responsibilities:
• Identifying, assessing and mitigating risks.
• Implementing corrective actions.
• Implementing and evaluating controls.
Role: Risk Manager
This is usually the respective Function Head.
Responsibilities:
• Provide a methodology to identify and analyze the financial impact of the risk to the respective function(s) and hence the organization.
• Assist in the review of major contracts, proposed facilities, and/or new program activities for financial and legal implications.
• Oversee the status of Risks and actions to mitigate them.
Role: Management
Responsibilities:
• Guide the organization towards positive impacts by providing necessary resources to mitigate risks.
4.0 Procedure
Risk Management is the formal process by which risk factors are systematically identified, assessed, and responded to accordingly. Risk Management concentrates on identifying and controlling areas or events that have the potential of causing unwanted change. The process consists of the following steps:
1. Identification of Risks
2. Assessment of Risks
3. Potential Risk Treatment Options
4. Responding to the Risks – Mitigation and Contingency
5. Monitoring and Controlling
4.1 Identification of Risks
Identifying the right risks at the right time greatly aids the organization, and hence it is important to document their characteristics. Sources of risks could be from the following areas, including but not limited to:
Requirements
Design
Validation
Project Management
Infrastructure
Change Management
Contracts and its implementation
Personnel, etc.
The intent of this step is to identify a comprehensive and tailored list of future events which are uncertain but likely to have an impact on the achievement of the organizational objectives. Risks are to be identified as part of initiation and ongoing activities around but not limited to
Each function shall maintain a Risk Register and periodically update it with any foreseen risks as part of the routine tasks it operates. While identifying risks, the following shall be considered:
Once the risks are identified, each risk is elaborated and articulated using the Risk Management Tracker template.
4.2 Assessment of Risks
It is important that each function ensures all risks within its scope/boundaries are assessed consistently. Where risks are shared between functions, good communication is required to ensure all concerned stakeholders understand the severity of the risks and hence work towards minimizing the impact.
The Risk Manager, along with the Risk Owner, ensures that the Severity and Probability of occurrence are duly updated for each of the risks.
Each risk has three key parameters – Severity, Probability of Occurrence and Detectability – and these three key parameters are ascertained as below:
4.3 Potential Risk Treatment Options
Once risks have been identified and assessed, the potential options available to treat the risk have to be explored.
1. Risk Transfer: Risk Transfer means that the expected/impacted stakeholders transfer whole or part
of the consequences of the risk to another party.
2. Risk Avoidance: Avoid the risk, or the circumstances which may lead to losses, by another route; this includes not performing an activity that could involve risk. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed.
3. Risk Retention: Risk retention implies that the losses arising due to a risk exposure shall be retained
or assumed by the stakeholders or the organization.
4. Risk Control: Risk can be controlled either by avoidance or by controlling the consequence.
Selecting the most appropriate treatment requires balancing the cost and effort of implementation against the benefits derived from additional risk mitigation. In some cases, further treatment may be unachievable or unaffordable, and the residual risk may need to be accepted and communicated. The Risk Owner may wish to consider how stakeholders can provide support when developing treatment options, or whether treatments can be implemented collaboratively. The identified action will be updated in the Risk Register with Contingency and Mitigation actions, Owners and Target date. These registers shall be reviewed periodically and discussed in Management Meetings as appropriate.
4.4 Responding to the Risks – Contingency and Mitigation
Mitigation – A mitigation plan includes a set of activities that have to be carried out so that the probability of occurrence of the risk can be greatly reduced. Mitigation activities towards a risk are a proactive approach.
Contingency Plan – A contingency plan includes a set of activities that, when carried out, control the business impact/consequences to a great extent. A contingency plan does not change the severity or probability of occurrence of the risk. Contingency is more of a reactive approach.
4.5 Monitoring and Controlling
This step is about implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk tracking effectiveness. This includes:
• detecting changes in the internal and external environment, including evolving organizational
objectives and strategies
• ensuring the continued effectiveness and relevance of controls and the implementation of treatment
programs
• obtaining further information to improve the understanding and management of already identified risks
• analyzing and learning lessons from events, including near-misses, successes and failures
Monitoring and review can be both periodic and based upon trigger events or changing circumstances. The frequency of the review process should be in line with the rate at which the risk entity and the associated operating environment are changing.
Monitoring of risks is also taken up in regular meetings such as Stand-up meetings, Steering Committee meetings and Management Reviews.
The results and observations from monitoring and review are most useful when well documented and shared. They may be included in formal risk reports, recorded and published internally and externally as appropriate, and should also be used as an input to reviews of the whole risk management framework.
Ultimately, the considered and informed acceptance of risk supports better decision making and is essential not only to the performance and achievement of objectives of the function but also at organization level.
5.0 Templates
The controlled templates listed below shall be utilized with respect to Risk Management:
REVISION HISTORY
Version 01 | Effective on 30-Mar-2020 | v1.0
Version 02 | Effective on 11-Apr-2022 | Periodic revision and ported to new template