Risk

Risk fundamentals

The shared concepts that underpin Risk Register, FMEA, and JHA — one matrix, one set of control types, one rule for what happens when you import a risk into another module.

For
Anyone scoring risks anywhere in the system
Find it at
Used by Risk Register, FMEA, JHA, MOC, Exemptions
Reading time
6 min

In one sentence

QFormance scores risk in one place — a configurable matrix shared by Risk Register, FMEA, and JHA — and treats imports into MOC, Exemptions, and the rest as forks so each module can adapt without polluting the source.

Three things to remember
  • One matrix, three modules. Configure the dimensions and thresholds once. Every module that scores risk reads from the same scheme.
  • Inherent − residual = what your controls bought you. Score before controls, score after, and the delta is the value of the mitigation.
  • Imports are forks, not links. When MOC pulls in a register risk, edits in the MOC don't change the original. The register stays the source of truth.

The shared matrix

Risk in QFormance is scored on Likelihood × Impact, where the dimensions and thresholds are configured once at Admin → Risk Management and then read from by every module that needs to score risk.

SettingConfigured atUsed by
Dimensions (Safety, Quality, Financial, Reputational, etc.)Admin → Risk Management → DimensionsRisk Register, JHA, FMEA, MOC, Exemptions
Likelihood and Impact scalesAdmin → Risk Management → ScalesAll scoring surfaces
Threshold colors (Green / Amber / Orange / Red)Admin → Risk Management → ThresholdsAll scoring surfaces
Matrix size (3×3, 5×5, etc.)Admin → Risk Management → MatrixAll scoring surfaces

The 5×5 default works for most orgs. Customize when your scoring scheme is genuinely different — and remember it changes everywhere at once.

The Admin → Risk Management → Matrix page with dimensions, scales, and thresholds

FMEA scoring is the matrix plus one extra dimension

FMEA uses the same matrix, plus Detection as a third axis. The product is the Risk Priority Number (RPN):

RPN = Severity × Occurrence × Detection

Severity and Occurrence map to the matrix's Impact and Likelihood dimensions. Detection is unique to FMEA — how likely is it that the failure is caught before it affects a customer? Lower-detection (harder to catch) means higher RPN, even at the same Severity × Occurrence.

See FMEA for the per-row table and revised-RPN flow.

Inherent vs residual scoring

Every risk is scored twice:

ScoreWhat it captures
InherentWhat the risk would be without controls. The bare exposure.
ResidualWhat the risk is after your controls. The mitigated exposure.

The delta is the visible value of your controls. A small delta means your controls aren't actually buying much; a big delta means they're doing real work.

For FMEA, the equivalent pattern is the revised RPN — score the row, take the action, set revised S / O / D, and the new RPN tells you whether the action moved the needle.

Controls

The same controls component is used by Risk Register, JHA, and FMEA. It supports:

TypeWhat it does
PreventiveStops the failure from occurring (training, design changes, interlocks)
DetectiveCatches the failure when it does occur (inspection, monitoring, alarms)
CorrectiveReduces impact once the failure has occurred (recovery procedures, rework)
MitigatingReduces severity but doesn't fix the root cause (PPE, redundancy)
AdministrativeProcedural controls — SOPs, work instructions, approvals

For FMEA, the default subset is Preventive and Detective only — configurable at Admin → FMEA Settings.

Linking controls to documents

Each control can reference:

  • An internal document — link to a specific approved version of an SOP, work instruction, or procedure that defines the control.
  • An external document — for regulations, customer specs, or industry standards your control is based on.

Internal-document links freeze to the approved version at the time the link was made. If the document is later revised, the control still references the version it was built against — the audit trail is preserved.

Watch out for: orphaned controls

If a controlled document a control references is marked Obsolete, the control still works (it points at the frozen version) but the active document picker won't suggest it any more. Keep an eye on this when retiring documents — see Documents.

Risks flow both ways

The register isn't a one-way export. Risks flow out when other modules need to import an existing risk, and flow in when a module discovers a new risk that should be tracked org-wide. Both directions are deliberate; both are recorded in the activity log.

Out of the register: imports as forks

Risks from the Risk Register can be imported into:

  • MOC — for the risk assessment on a change
  • JHA — as a hazard risk on a task
  • FMEA — as a process-step risk
  • Exemptions — as the risk assessment on a deviation

When a module imports a register risk, it gets a fork, not a live link.

Why imports are forks

Each module needs to adapt risks to its context — a register risk imported into a JHA might gain task-specific controls that don't make sense back in the register. Forking keeps the register clean while letting the receiving module do its job.

  • Edits in the receiving module don't change the original. The register entry is unaffected.
  • The fork knows where it came from. Activity logs reference the source register risk, so reviewers can trace back.
  • Scoring stays consistent. The fork is scored on the same matrix — only its content can drift.

Into the register: pushing residual risk from an NCR

When a root cause analysis reveals a systemic exposure that should be tracked beyond the lifetime of the NCR, you push it to the register from the NCR's Root Cause Analysis tab — Capture Residual Risk.

What happens when you click the button:

  1. AI drafts a risk title, description, and 2–4 suggested controls based on the NCR's root cause text, corrective actions, and recorded losses.
  2. The draft is calibrated against your org's configured monetary thresholds and risk matrix bands — so the proposed risk level (low / medium / high / critical) reflects how your org actually scores risk, not a generic default.
  3. You can edit the title, description, controls, and risk level before submitting. Re-draft with AI regenerates the suggestion.
  4. Confirm — QFormance creates a first-class Risk Register entry and an entity link from the NCR to the new risk.
  5. The NCR's Links tab shows the connection.

The button is disabled until root cause text exists and hidden once the NCR is closed.

What the new register risk can do

Because it's a normal register entry, the risk can be imported (as a fork) into any other module — MOC, JHA, FMEA, Exemptions — using the standard "Import from Register" flow.

  • One NCR can drive a register risk and an FMEA refresh and an MOC, all referencing the same source.
  • Reviewers see the full chain in the activity log: NCR → register risk → forked module records.

For the full per-NCR walk-through, see Non-conformances → Capture Residual Risk.

Periodic review

Both register risks and JHA hazards have review intervals — set per category at Admin → Risk Management → Categories. Once a risk is past its review date, it surfaces in the relevant register with an overdue review badge.

A periodic review records:

  • Who reviewed
  • When
  • Any changes noted (or no change)
  • Optional rescore

The activity log preserves the full review history, so the auditor can see how a risk has evolved over time.

Where each module fits

ModuleWhat it scoresBest for
Risk RegisterOrg-level risks and opportunitiesHigh-level enterprise risk; the source of truth for cross-module imports
FMEAProcess steps and failure modesProcess / design risk with the Detection dimension
JHATasks and hazardsTask-level safety; ground-floor hazard analysis
MOCA specific changeRisk assessment as part of change-control approval
ExemptionsA specific deviationRisk assessment that drives exemption approval routing

If a risk is best understood at multiple levels — an enterprise risk that also has a task-level hazard, for example — start in the Risk Register and import into the more specific module from there.

Deleting risk records

Risks, FMEAs, JHAs, MOCs, and Exemptions can all be deleted while they're still in a pre-approval state. Delete sends the record to Trash for 90 days; restore brings it back in full. Approved / closed / archived records in any of these modules are permanent and can't be deleted directly — see each module's article for the specifics.

A risk that's still linked to an open MOC, FMEA, or NCR is blocked from delete until the linkage is cleared. See Soft-delete for the broader pattern.

Was this helpful?
Suggest an edit →