Welcome to our guide for conducting operational risk management with AmpliFlow as part of your certification work.
This guide aims to help you get started with our operational risk analysis module and ensure that the process is conducted smoothly and efficiently.
Operational risk management exists to understand how your organization is affected by different events and what actions are required to manage them. It is a central requirement in all management system standards (ISO 9001, 14001, 27001, 45001) and an excellent tool to use as a starting point for information classification, supplier assessments, and crisis management.
Risk management is a systematic way to identify, prioritize, and take action to manage existing or potential events that could negatively affect your employees, resources, and business opportunities.
Why is risk management important?
"Risk management is like the brakes on your car. Their function is to slow down your car's speed, but their purpose is to enable you to drive fast safely."— Joakim Stenström, Senior Consultant AmpliFlow
When applied correctly, risk management can also create new opportunities and business development. When you identify and manage risks that your competitors haven't thought of, it can become a competitive advantage in relation to your customers.
Building Understanding
Start by building your understanding of the field by reading these articles:
Note: AmpliFlow uses the term "impact matrix," but the article above explains the same concept under the name "severity matrix." Impact can be used for both something positive and something negative, while severity is often interpreted as only negative.
Prerequisites
Before you begin with operational risk management, we recommend that you have completed:
- Process mapping - you need to understand your processes to identify risks within them
- Impact matrix - you need to have defined your impact areas and what different levels mean
How should it be done?
A significant portion of the work is already complete, thanks to our ready-made template for operational risk analysis and a simple mathematical model for risk calculation.
AmpliFlow's risk management model consists of 4 stages:
- Risk Identification - Identify existing and potential events through "What if...?" analysis
- Risk Analysis - Analyze risks through impact grading and likelihood assessment
- Risk Treatment - Manage risks through likelihood-reducing measures
- Risk Monitoring - Monitor risks through environmental analysis and regular reviews
What you need to do now:
- Assign permissions to those who will work with operational risk analysis. (Note: English KB article not available - see system settings)
- Verify that your impact matrix is complete with the impact areas (financial, environmental, safety, reputation, etc.) relevant to your organization.
- Conduct risk identification by reviewing your process maps step by step. For each process step, use the "What if...?" method and ask questions such as: "What if we fail to register and manage non-conformities and improvement actions?" Then describe potential consequences, e.g.: "We make the same mistakes repeatedly, resulting in unnecessary time and cost. Employee and customer dissatisfaction, deteriorated team morale." Register both new risks and risks you've already identified with established preventive procedures. Why? New employees need knowledge about relevant risks and how you work preventively to reduce the likelihood or consequence of a risk.
- For each risk you identify, consider whether this risk also represents an opportunity. If so, register an improvement suggestion on how you can benefit from how you've managed this risk. Why? If you've managed a risk that could affect your customers but your competitors haven't even thought about that risk, it may be possible to strengthen your relationship with existing customers or even gain more customers by informing them about the risk and explaining how you've addressed or minimized it.
- For each identified risk, verify that it is real and that you've specified the correct process step. Merge duplicates but retain all unique text about potential consequences.
- Conduct risk analysis for each real risk by assessing impact and likelihood. Specify which impact areas (Quality, Environment, Occupational Health and Safety, Information Security, Financial, etc.) are affected. Use your defined impact levels from the impact matrix. The total impact will be the highest value among your gradings. Then assess likelihood based on how often the event has occurred or could potentially occur.
- Identify actions to manage the risks. Focus particularly on red-flagged risks (unacceptable) where you must establish changes to reduce likelihood. For yellow-flagged risks (acceptable with actions), identify appropriate likelihood-reducing measures. Green-flagged risks (acceptable) normally require no additional actions.
- Document current controls and identify preventive actions for each risk requiring treatment.
- Assign responsible persons and set deadlines for the actions.
- Establish routines for risk monitoring. At least once per year (schedule this in your annual calendar): identify events and trends in your environment that constitute threats or opportunities; analyze trends in customer feedback, non-conformities and improvement suggestions; conduct a new "What if...?" analysis to identify new risks; review your yellow-flagged risks and their likelihood; and take action on any new red-flagged risks.
- Update the information page in Operational Risk Analysis where you describe how you work with risk management and who is responsible and involved.
- Review and check off the control points (final step) in the checklist.
- If you're working with an AmpliFlow consultant, notify them that the work is ready for review.
Tips for Successful Implementation
- Ensure that everyone working with risk management understands what it is and why the work is being done. Use the analogy: "Risk management is like the brakes on your car - their function is to slow down the car, but their purpose is to enable you to drive fast safely."
- Conduct risk identification in group sessions where different perspectives and experiences can illuminate risks from different angles. Involve employees from different parts of the organization.
- Create an improvement suggestion template called "Risk observation" to make it easier for your staff to register a risk when they discover it in daily work.
- Use the "What if...?" method systematically through your process maps. Ask questions for each process step and document both events and consequences.
- Remember to describe risk scenarios concretely - "Supplier X delivers defective raw material that stops production" instead of "Supplier problem."
- If the work is divided, be clear about the division of responsibilities. Each risk should have an owner.
- Set a clear timeline and schedule any progress meetings now.
- Communicate results to internal stakeholders - the risk matrix (beta) provides a visual overview.
- Link the risk register to your non-conformities and improvement suggestions - when something goes wrong, check whether the risk was identified.
- Use real data from previous incidents when assessing likelihood and occurrence.
- Be realistic with likelihood reduction - few actions completely eliminate risk.
- Establish an annual calendar for risk monitoring. At least once per year: review environmental trends, analyze non-conformities and improvement suggestions, conduct new "What if...?" analysis, and update likelihood assessments for existing risks.
- Schedule quarterly reviews to keep the risk register current and capture new risks early.
The "What if...?" Method for Risk Identification
"What if...?" analysis is an effective method for identifying risks by asking hypothetical questions about what could go wrong. The method works well in group sessions where different perspectives can illuminate risks that might otherwise be missed.
How to conduct the analysis:
- Prepare: Gather people with different roles and perspectives in the organization. Have your process maps available.
- Brainstorm: For each process step, formulate questions following the pattern "What if...?" followed by a potential event. Enter them directly on the process step in AmpliFlow, or write them down on e.g. post-it notes if you are working in a group. Examples:
- "What if we fail to register and manage non-conformities and improvement actions?"
- "What if our main supplier goes bankrupt?"
- "What if our IT platform is hacked?"
- "What if key personnel become ill simultaneously?"
- Describe consequences: For each identified event, describe the potential consequences as concretely as possible. Example: "We make the same mistakes repeatedly, leading to unnecessary time and cost. This creates dissatisfaction among employees and customers and deteriorates team morale."
- Document: Register all identified risks and consequences in the risk register. Don't be too critical at this stage - it's better to capture too many risks than to miss important ones.
- Clean and consolidate: After the brainstorming session, review and merge duplicates. Retain all unique information about consequences even when merging risks.
- Validate: Determine whether each risk is real for your organization and whether you've linked it to the correct process step.
This method helps you systematically identify both obvious and hidden risks in your processes. By involving different perspectives, you get a more complete risk picture.
How Risk Calculation Works
AmpliFlow uses a simple mathematical model:
Risk score = Total impact × MAX(Likelihood, Occurrence)
The system uses the highest value of likelihood and occurrence (not multiplication of both). This provides a conservative assessment where the worst factor determines the outcome.
Total impact is determined by the highest value among your impact gradings. If you grade a risk as financial impact 3, environmental impact 5, and safety impact 2, the total impact becomes 5.
Updated risk score is calculated automatically when you specify preventive actions:
Updated risk score = Risk score Ă— (100 - Likelihood reduction%) / 100
Color-coding of risks:
AmpliFlow uses color-coding to visualize risk levels and help you prioritize:
- Red-flagged risks (high risk score): Unacceptable risks where you must establish changes to reduce the likelihood or impact. At minimum, you need actions and/or monitoring that bring the risk down to yellow.
- Yellow-flagged risks (medium risk score): Risks that can be accepted if you have implemented probability or impact reduction measures or equivalent controls.
- Green-flagged risks (low risk score): Acceptable risks that we don't need to do anything more about.
NOTE! You cannot have any risks marked red, i.e. "Unacceptable risks", at stage 2 of the certification audit. Make sure you have implemented at least the measures needed to assess that likelihood or impact has been reduced enough for the risk to be marked yellow.
Example:
- Risk: "IT system stops functioning during power outage"
- Likelihood: 3, Occurrence: 2, Total impact: 4
- Risk score = 4 × MAX(3, 2) = 4 × 3 = 12
- Action: Install UPS (likelihood reduction 80%)
- Updated risk score = 12 × (100 - 80) / 100 = 12 × 0.2 = 2.4
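The same model, carried through for a small register, as an added example written for this guide (it is not AmpliFlow's own code). The two formulas and the "highest grading wins" rule are taken from the page; the colour thresholds (red above 15, yellow from 8, otherwise green) and the three sample risks are assumptions for illustration, since the page does not state the actual cut-offs.

```python
"""Worked example of the risk-scoring model described in this guide.

Formulas (from the guide):
  Total impact       = MAX(impact gradings)
  Risk score         = Total impact x MAX(Likelihood, Occurrence)
  Updated risk score = Risk score x (100 - Likelihood reduction %) / 100

Colour thresholds below are ASSUMED for illustration; use your own configuration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RED_ABOVE = 15     # assumed: updated score strictly above this is red (unacceptable)
YELLOW_FROM = 8    # assumed: updated score from this value up to RED_ABOVE is yellow


@dataclass
class Risk:
    number: int
    scenario: str
    impact_gradings: Dict[str, int]       # impact area -> grading 1..5 from your impact matrix
    likelihood: int                       # 1..5, how likely the event is to occur
    occurrence: int                       # 1..5, how often it has actually happened
    likelihood_reduction_pct: int = 0     # estimated reduction once actions are completed
    actions: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject values outside the 1-5 scales so a typo cannot silently flatten a score.
        for area, grade in self.impact_gradings.items():
            if not 1 <= grade <= 5:
                raise ValueError(f"impact grading for {area} must be 1-5, got {grade}")
        for name in ("likelihood", "occurrence"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")
        if not 0 <= self.likelihood_reduction_pct <= 100:
            raise ValueError("likelihood reduction must be 0-100 %")

    def total_impact(self) -> int:
        # The highest grading across all impact areas decides the total impact.
        return max(self.impact_gradings.values())

    def risk_score(self) -> int:
        # Conservative: the worse of likelihood and occurrence drives the score.
        return self.total_impact() * max(self.likelihood, self.occurrence)

    def updated_risk_score(self) -> float:
        return self.risk_score() * (100 - self.likelihood_reduction_pct) / 100


def colour(score: float) -> str:
    """Map a (updated) risk score to the guide's red/yellow/green flags (assumed cut-offs)."""
    if score > RED_ABOVE:
        return "red"
    if score >= YELLOW_FROM:
        return "yellow"
    return "green"


def audit_blockers(register: List[Risk]) -> List[int]:
    """Risk numbers that are still red after planned actions; these block a stage 2 audit."""
    return [r.number for r in register if colour(r.updated_risk_score()) == "red"]


def summarize(register: List[Risk]) -> List[Tuple[int, int, int, float, str]]:
    """(number, total impact, risk score, updated score, colour) for each risk."""
    return [(r.number, r.total_impact(), r.risk_score(),
             r.updated_risk_score(), colour(r.updated_risk_score())) for r in register]


# Constructed sample register. Risk 1 is the UPS example from the guide; 2 and 3 are made up.
EXAMPLE_REGISTER = [
    Risk(1, "IT system stops functioning during power outage",
         {"Quality": 4}, likelihood=3, occurrence=2,
         likelihood_reduction_pct=80, actions=["Install UPS"]),
    Risk(2, "Supplier X delivers defective raw material that stops production",
         {"Quality": 5, "Financial": 4}, likelihood=4, occurrence=4,
         likelihood_reduction_pct=60, actions=["Qualify a second supplier"]),
    # Occurrence (5) exceeds likelihood (3) here, so occurrence drives the score.
    Risk(3, "Chemical spillage reaches groundwater",
         {"Environment": 5, "Financial": 3, "Safety": 2}, likelihood=3, occurrence=5,
         likelihood_reduction_pct=30, actions=["Secondary containment (planned)"]),
]

if __name__ == "__main__":
    print("no  impact  score  updated  flag")
    for number, impact, score, updated, flag in summarize(EXAMPLE_REGISTER):
        print(f"{number:<3} {impact:<7} {score:<6} {updated:<8} {flag}")
    print("still red before audit:", audit_blockers(EXAMPLE_REGISTER))
```

Risk 3 is the case to watch: a 30% likelihood reduction takes it from 25 to 17.5, which under the assumed thresholds is still red, so it would appear in `audit_blockers` until a stronger measure is planned. This is the same check the NOTE above asks you to make before the stage 2 audit.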
The Risk Matrix (beta)
AmpliFlow displays your risks in an interactive chart where:
- The X-axis shows updated risk score (higher value = greater risk)
- The Y-axis shows updated likelihood
- Each bubble represents a risk
- Color indicates risk level (green-yellow-red gradient)
- Hover over bubble to see details
- Click bubble to open and edit
The chart is in beta and is continuously being developed.
Explanation of Each Column
- Risk number: Automatically generated by the system for each new risk. Used to reference specific risks in discussions and follow-up.
- Affected process steps: Link the risk to specific steps in your process maps. This makes it possible to display risks directly in the process maps and helps owners understand which risks exist in their part of the organization. You can select multiple process steps if the risk affects several parts of the process. This field is only available if you have process mapping enabled.
- Risk scenario: Describe concretely what can happen. Avoid vague formulations - "Supplier X delivers defective raw material that stops production for 3 days" instead of "Supplier problem."
- Potential consequences: What happens if the risk occurs? Examples: "Production stoppage for 3 days," "Loss of certification," "Customer complaint." This helps you prioritize correctly and understand the risk's significance.
- Realistic: Mark whether the risk scenario is realistic for your organization (Yes/No). This is used to filter out theoretical risks that aren't relevant in practice.
- Impact/Impact gradings: Assess how much damage the risk can cause if it occurs (1-5). Depending on your configuration, you use either a single impact value or separate gradings for different areas (financial, environmental, safety, reputation, etc.) that you define in your impact matrix.
- If you use impact gradings (multiple areas): The system automatically calculates the total impact as the highest value among your gradings. Example: Financial impact 3, Environmental impact 5, Safety impact 2 gives total impact 5. In the table view, this is shown as "Total impact grading."
- If you use simple impact (one value): You directly enter an impact value 1-5. In the table view, this is shown as "Impact."
- Comments (impact): Explain why you assessed the impact as you did. Example: "Environmental impact 5 because spillage could reach groundwater and require remediation according to environmental legislation." This creates understanding for the assessment.
- Occurrence: How often have similar events occurred historically (1-5)? Use real data from non-conformities and previous incidents when possible.
- Likelihood: Assess how likely it is that the risk will occur (1-5). 1 = very unlikely (less often than every 10 years), 3 = possible (every 2-5 years), 5 = very likely (several times per year).
- Comments (likelihood): Explain why you assessed the likelihood as you did. Example: "Likelihood 4 because the supplier has had quality problems 3 times in the past year." This justifies the assessment.
- Risk score: Calculated automatically according to the formula: Total impact × MAX(Likelihood, Occurrence). Shows how serious the risk is. This is a calculated field that you don't fill in manually.
- Risk reduction: Concrete preventive actions to reduce the risk. Be specific: "Install UPS Model X by March 31, 2025" instead of "Improve power supply." Actions can aim to reduce likelihood or limit impact.
- Responsible: Assign a responsible person who has insight into the area and authority to implement the actions. The responsible person keeps the assessment current and ensures that actions are implemented.
- Date: When should the action be completed? Set realistic dates based on the action's complexity and the risk's severity. Higher risk = faster action.
- Estimated likelihood reduction (%): How much does the likelihood decrease when the action is completed? Be realistic - backup systems might provide 80% reduction, an additional supplier perhaps 60%. Document assumptions in the comment fields.
- Updated risk score: Calculated automatically based on likelihood reduction according to the formula: Risk score Ă— (100 - Likelihood reduction%) / 100. Shows how the risk changes after your actions. This is a calculated field that you don't fill in manually.
- Status: Mark progress for the action (planned, ongoing, completed, postponed). Postponed actions require justification in the comment fields.
- Highlighted risk: If you have process mapping enabled, you can choose to highlight the risk in the process maps. This makes the risk more visible to the process teams and marks that it is particularly important to monitor in the specific process.
How to Link Risk Management to Other Processes
Non-conformities: When a non-conformity occurs, check whether the risk was identified. If not, add it to the risk register.
Supplier assessments: Identified supplier risks should be in the risk analysis with concrete actions.
Stakeholder analysis: Risks linked to your stakeholders (customers, authorities, society) should be documented.
Customer requirements: Risks of not meeting customer requirements should be identified and managed.
Management by objectives: Set goals for risk reduction that you follow up in the management team. Example: "Reduce the number of risks with score above 15 from 8 to 0 before certification." Use the colour flags as the yardstick: red means unacceptable and requires a change that reduces likelihood or impact, yellow can be accepted once likelihood-reducing actions or equivalent controls are in place, and green needs no further action.
Information classification (ISO 27001): Use your impact gradings to determine what classification different types of information should have. If a risk has high impact on security or business-critical information, it needs special protection.
Crisis management: High-risk scenarios can form the basis for your crisis management plan.
Management review: Have the risk matrix as a standing item on management team meetings. The visual overview makes it easy to discuss the risk situation.
By following this guide, we hope you will have a smooth and efficient experience with operational risk management in AmpliFlow. If you have any questions or need additional support, please don't hesitate to contact our support team.