Welcome to our guide for conducting operational risk management with AmpliFlow as part of your certification process.
This guide aims to help you get started with our operational risk analysis module and ensure the process is smooth and effective.
Operational risk management exists to understand how your operations are affected by various events and what actions are required to manage them. It is a central requirement in all management system standards (ISO 9001, 14001, 27001, 45001) and a useful tool for information classification, supplier assessments, and crisis management.
Foundational understanding
Start by building your understanding of the area. Read these articles:
Note: AmpliFlow uses the term “impact matrix” (påverkansmatris), but the article may explain the same concept under different terminology.
Prerequisites
Before starting with operational risk management, we recommend you have completed:
- Process mapping - you need to understand your processes to identify risks within them
- Impact matrix - you need to have defined your impact areas and what different levels mean
How to do it
A significant part of the work is already done, thanks to the ready-made template for operational risk analysis and a simple mathematical model for risk calculation we’ve provided.
What you need to do now:
- Assign permissions to those who will work with operational risk analysis.
- Verify that your impact matrix is complete with the impact areas (financial, environmental, safety, reputation, etc.) relevant to your operations.
- Identify risk scenarios by reviewing your process maps, supply chains, IT systems, and other critical areas. Tip: a SWOT analysis is a useful aid here.
- Add risks to the register with concrete descriptions of what could happen.
- Assess probability, occurrence, and impact for each risk.
- Document preventive actions.
- Assign responsible persons and set deadlines for actions.
- Update the information page in Operational Risk Analysis where you describe how you work with risk management and who is responsible and involved.
- Review and check off the control points (final step) in the checklist.
- If you’re working with an AmpliFlow consultant, notify them that the work is ready for review.
Tips for successful implementation
- Ensure everyone working with risk management understands what it is and why it’s done.
- Describe risk scenarios concretely - “Supplier X delivers defective raw materials that halt production” instead of “Supplier problems”.
- If dividing the work, be clear about responsibility distribution. Each risk should have an owner.
- Set a clear timeline and schedule follow-up meetings now.
- Communicate results to internal stakeholders - the risk matrix (beta) provides a visual overview.
- Link the risk register to your deviations - when something goes wrong, check if the risk was identified.
- Use real data from previous incidents when assessing probability and occurrence.
- Be realistic with probability reduction - few actions eliminate risk entirely.
- Schedule quarterly reviews to keep the risk register current.
How risk calculation works
AmpliFlow uses a simple mathematical model:
Risk score = Total impact × MAX(Probability, Occurrence)
The system uses the higher of probability and occurrence rather than multiplying the two. This gives a conservative assessment in which the worse factor determines the score.
Total impact is determined by the highest value among your impact gradings. If you grade a risk as financial impact 3, environmental impact 5, and safety impact 2, the total impact becomes 5.
The updated risk score is calculated automatically when you enter preventive actions:
Updated risk score = Risk score × (100 - Probability reduction%) / 100
Example:
- Risk: “IT system fails during power outage”
- Probability: 3, Occurrence: 2, Total impact: 4
- Risk score = 4 × MAX(3,2) = 4 × 3 = 12
- Action: Install UPS (probability reduction 80%)
- Updated risk score = 12 × (100-80)/100 = 12 × 0.2 = 2.4
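The model above applied to a small register, as an added example (not AmpliFlow's own code): the `Risk` class and `over_threshold` helper are hypothetical names, and every register entry except the guide's UPS example is constructed sample data. It also enforces the 1-5 grading range and lists the risks still above a target score after actions, which is the figure a risk-reduction goal tracks.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    scenario: str
    impacts: dict                 # impact area -> grading 1-5 (one entry for simple impact)
    probability: int              # 1-5
    occurrence: int               # 1-5
    reduction_pct: float = 0.0    # estimated probability reduction, 0-100

    def __post_init__(self):
        # Reject gradings outside the 1-5 scale and impossible reductions.
        grades = list(self.impacts.values()) + [self.probability, self.occurrence]
        if not self.impacts or any(not 1 <= g <= 5 for g in grades):
            raise ValueError(f"gradings must be 1-5: {self.scenario!r}")
        if not 0 <= self.reduction_pct <= 100:
            raise ValueError(f"reduction must be 0-100%: {self.scenario!r}")

    @property
    def total_impact(self):
        # Highest grading among the impact areas.
        return max(self.impacts.values())

    @property
    def risk_score(self):
        # Total impact x MAX(Probability, Occurrence): the worse factor decides.
        return self.total_impact * max(self.probability, self.occurrence)

    @property
    def updated_risk_score(self):
        return self.risk_score * (100 - self.reduction_pct) / 100


def over_threshold(register, threshold, updated=True):
    """Risks whose (updated) score exceeds threshold, worst first."""
    key = (lambda r: r.updated_risk_score) if updated else (lambda r: r.risk_score)
    return sorted((r for r in register if key(r) > threshold), key=key, reverse=True)


# Constructed sample register; the first entry is the guide's UPS example.
REGISTER = [
    Risk("IT system fails during power outage", {"impact": 4}, 3, 2, 80),
    Risk("Supplier X delivers defective raw materials that halt production",
         {"financial": 3, "environmental": 5, "safety": 2}, 4, 2, 60),
    Risk("Chemical spill reaches groundwater", {"environmental": 5, "safety": 4}, 2, 4),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk_score:>3} -> {r.updated_risk_score:>5.1f}  {r.scenario}")
    print("still over 15:", [r.scenario for r in over_threshold(REGISTER, 15)])
```

The third entry has no action recorded, so its updated score stays at 20 and it is the only risk left above 15.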
Risk matrix (beta)
AmpliFlow displays your risks in an interactive diagram where:
- X-axis shows updated risk score (higher value = greater risk)
- Y-axis shows updated probability
- Each bubble represents a risk
- Color indicates risk level (green-yellow-red gradient)
- Hover over bubble for details
- Click bubble to open and edit
The graph is in beta and being continuously developed.
Field descriptions
- Risk number: Automatically generated by the system for each new risk. Used to reference specific risks in discussions and follow-up.
- Affected process steps: Link the risk to specific steps in your process maps. This makes it possible to display risks directly in the process maps and helps process teams understand which risks exist in their part of operations. You can select multiple process steps if the risk affects several parts of the process. This field is only available if you have process mapping enabled.
- Risk scenario: Describe concretely what could happen. Avoid vague formulations - “Supplier X delivers defective raw materials that halt production for 3 days” instead of “Supplier problems”.
- Potential consequences: What happens if the risk occurs? Example: “Production halt for 3 days”, “Loss of certification”, “Customer complaint”. This helps you prioritize correctly and understand the risk’s significance.
- Realistic: Indicate whether the risk scenario is realistic for your operations (Yes/No). This is used to filter out theoretical risks that are not relevant in practice.
- Impact/Impact gradings: Assess how much damage the risk could cause if it occurs (1-5). Depending on your configuration, you use either a single impact value or separate gradings for different areas (financial, environmental, safety, reputation, etc.) that you define in your impact matrix.
  - If you use impact gradings (multiple areas): The system automatically calculates total impact as the highest value among your gradings. Example: Financial impact 3, Environmental impact 5, Safety impact 2 gives total impact 5. In the table view, this appears as “Total impact rating”.
  - If you use simple impact (one value): You directly enter an impact value 1-5. In the table view, this appears as “Impact”.
- Comments (impact): Explain why you assessed the impact as you did. Example: “Environmental impact 5 because spill could reach groundwater and require remediation according to environmental legislation”. This creates understanding of the assessment.
- Occurrence: How often have similar events occurred historically (1-5)? Use real data from deviations and previous incidents when possible.
- Probability: Assess how likely the risk is to occur (1-5). 1 = very unlikely (less than once every 10 years), 3 = possible (every 2-5 years), 5 = very likely (multiple times per year).
- Comments (probability): Explain why you assessed the probability as you did. Example: “Probability 4 because the supplier has had quality problems 3 times in the past year”. This justifies the assessment.
- Risk score: Automatically calculated according to the formula: Total impact × MAX(Probability, Occurrence). Shows how severe the risk is. This is a calculated field you do not fill in manually.
- Risk reduction: Concrete preventive actions to reduce the risk. Be specific: “Install UPS Model X by 2025-03-31” instead of “Improve power supply”. Actions can aim to reduce probability or limit impact.
- Responsible: Assign a responsible person who has insight into the area and authority to implement actions. The responsible person keeps the assessment current and ensures actions are implemented.
- Date: When should the action be completed? Set realistic dates based on the action’s complexity and the risk’s severity. Higher risk = faster action.
- Estimated probability reduction (%): How much does the probability decrease when the action is completed? Be realistic - backup systems might provide 80% reduction, an extra supplier perhaps 60%. Document assumptions in the comment fields.
- Updated risk score: Automatically calculated based on probability reduction according to the formula: Risk score × (100 - Probability reduction%) / 100. Shows how the risk changes after your actions. This is a calculated field you do not fill in manually.
- Status: Mark progress for the action (planned, ongoing, completed, postponed). Postponed actions require justification in the comment fields.
- Highlighted risk: If you have process mapping enabled, you can choose to highlight the risk in process maps. This makes the risk more visible to process teams and indicates it is particularly important to monitor in that specific process.
How to connect risk management to other processes
Deviations: When a deviation occurs, check if the risk was identified. If not, add it to the risk register.
Supplier assessments: Identified supplier risks should be in the risk analysis with concrete actions.
Stakeholder analysis: Risks linked to your stakeholders (customers, authorities, society) should be documented.
Customer requirements: Risks of not meeting customer requirements should be identified and managed.
Goal management: Set goals for risk reduction that you follow up in the management team. Example: “Reduce number of risks with score over 15 from 8 to 3 during 2025”.
Information classification (ISO 27001): Use your impact gradings to determine what classification different information types should have. If a risk has high impact on safety or business-critical information, it needs special protection.
Crisis management: High-risk scenarios can form the basis for your crisis management plan.
Management review: Have the risk matrix as a standing item in management team meetings. The visual overview makes it easy to discuss the risk situation.
By following this guide, we hope you have a smooth and effective experience with operational risk management in AmpliFlow. If you have any questions or need additional support, don’t hesitate to contact our support.