Risk Shield User Reference Manual Risk Shield Version 5.0 ... - PicNet

Risk Shield User Reference Manual 

Risk Shield Version 5.0 

5 November 2008 

© 2008 PicNet Pty Ltd - All rights reserved www.RiskShield.net

Contents 

Description 

Page Number 

1 About Risk Shield 6 

2 Risk Shield Concepts and Functions 7 

2.1 Risk Shield Interface 

2.2 Risk Shield Hierarchies 

2.2.1 About Hierarchical Items in Risk Shield 

2.2.2 Company Tiers 

2.3 Standard Symbols 

2.4 General Functionality 

2.4.1 Sorting 

2.4.2 Copy/Move 

2.4.3 Hierarchy Filtering On/Off 

2.4.4 Re-ordering of items 

3 Getting Started 

3.1 Setting up Risk Shield for your Enterprise 

3.2 Setting up Company Structure 

3.3 Setting up Risk Shield Users 

7 

7 

9 

9 

11 

11 

11 

12 

3.3.1 Adding New Users 

3.3.2 Assign Access Levels 

4 Administration Module 

4.1 System Administration 

14 

14 

4.1.1 Alerts Settings 

4.1.2 Clean Up Admin Lists 

4.1.3 Companies Details 

4.1.4 Company Structure 

4.1.5 Control Efficiencies 

4.1.6 Control Mitigation Strategies 

4.1.7 Deleted Entities History 

4.1.8 External Users 

4.1.9 Home Page 

4.1.10 Import Data 

4.1.11 On Demand Account Details 

4.1.12 User Administration 

4.1.13 User Rights 

4.1.14 Access Rights 

4.1.15 Changing Risk Shield Users Password 

4.1.16 Searching for Users 

4.1.17 Work Flow States 

4.2 Administration – Register 

4.2.1 Categories 

4.2.2 Controls 

19 


4.2.3 Risk Criteria 

4.2.4 Risk Matrix Component 

4.2.5 Risk Matrix Ratings 

4.2.6 Risk Status 

4.2.7 Risk work Flow Settings 

4.3 Administration – Hazards 

22 

4.3.1 Hazard Categories 

4.3.2 Locations 

4.4 Administration – Threat Risk Analysis (TRA) 

22 

4.4.1 Threat Security Concerns 

4.4.2 Threat Matrix Component 

4.4.3 Threat Matrix Threat Ratinsg 

4.4.4 Criticalities / Threats / Vulnerabilities & Asset/ 

4.5 Administration – Emissions 

4.5.1 Emissions Types and Factors 

4.5.2 Country / State 

4.5.3 Thresholds 

4.6 Administration – Advanced Risk Analysis (ARA) 

4.6.1 Casual Pathways 

4.6.2 Categories 

4.6.3 Contributing Factors 

4.6.4 Controls 

4.6.5 Emergency Responses 

4.6.6 Measures 

4.6.7 Risk Criteria 

4.7 Administration – Incidents 

24 

25 

26 

4.7.1 Authority Reports 

4.7.2 Consequences 

4.7.3 Estimates 

4.7.4 Incident Severities 

4.7.5 Incident Types 

4.7.6 Incident Work Flow Settings 

4.7.7 Injured Body Parts 

4.7.8 Injury Types 

4.7.9 Locations 

5 Risk Register Module 

5.1 Controls Sub Tab 

5.2 Analysis Sub Tab 

5.3 Actions Sub Tab 

5.4 Work Flow Sub Tab 

5.5 Attachment Sub Tab 

28 

29 

6 Hazard Module 32 


7 Work Plan Module 

7.1 Work Plan Sub Tab 

8 Threat Risk Analysis Module 

8.1 Threats Sub Tab 

8.2 Vulnerabilities Sub Tab 

8.3 Risks Sub Tab 

9 Emissions Management Module 

9.1 Actions Sub Tab 

9.2 Attachments Sub Tab 

9.3 Risks Sub Tab 

10 Incidents Module 

10.1 Incidents Sub Tab 

11 Advanced Risk Analysis Module 

11.1 Bow Tie Diagram 

33 

33 

35 

35 

36 

36 

37 

38 

38 

38 

39 

39 

41 

42 

12 Actions Module 43 

13 Reporting 

13.1 Integrated Analytics Report 

13.1.1 Risk Profile Summary (Monte Carlo) 

13.1.2 Repetitive Risk Analysis – Summary 

13.1.3 Register Risk Summary at a Glance (Weighted) 

13.1.4 Register Risk Summary (Weighted) 

13.1.5 Register Risk Detail 

13.2 Register Reports 

13.2.1 Register Summary at a Glance 

13.2.2 Register Summary 

13.2.3 Register Detail 

13.2.4 Register Controls 

13.3 Hazards Reports 

13.3.1 Hazards Summary 

13.3.2 Hazards Details 

13.4 Work Plans Reports 

13.4.1 Work Plans Summary at a Glance 

13.4.2 Work Plans Summary 

13.5 TRA Reports 

13.5.1 TRA Summary at a Glance 

13.5.2 TRA Asset List 

13.5.3 TRA Threat / Vulnerability List 

44 

48 

52 

53 

53 

54 


13.5.4 TRA Detailed Report 

13.6 Emissions Report 

13.6.1 Emissions Summary at a Glance 

13.6.2 Emissions Summary 

13.6.3 Emissions Detailed Report 

13.7 Incidents Reports 

13.7.1 Incidents Summary Report 

13.7.2 Incidents Detailed Report 

13.8 ARA Reports 

13.8.1 ARA Summary Report 

13.8.2 ARA Detailed Report 

13.8.3 ARA Actions & Emergency Response Report 

13.9 Actions Reports 

56 

56 

57 

57 

14 Risk Management Glossary 58 

15 Risk Shield Introductory Videos 58 

16 Risk Shield Pocket 58 


1. About Risk Shield 

Risk Shield provides a comprehensive risk management solution for your enterprise. It 

has been designed to assist risk managers in the assessment of all aspects of risks: 

their severity, potential impacts and consequences. 

Risk managers can access and utilise Risk Shield’s core functionality through a standard 

web browser. Some functions however require the following applications to make full use 

of Risk Shield’s functions: 

Application Required For Reference 

Microsoft Excel 

Business Impact Analysis Section 4.7 

templates 

Microsoft Visio Bow-Tie diagrams Section 11.2 

About this manual 

This manual is targeted towards helping risk managers to understand and utilise Risk 

Shield’s features. A general understanding of risk management is assumed. 

There are two main components to this manual: 

• An overview of Risk Shield’s concepts and functions (Section 2) 

• A brief “Getting Started” guide (Section 3) 

• Details of Risk Shield’s features (Sections 4 to 14) 

In addition, there is an extensive risk management glossary (link) in Section 15. 

© 2008 PicNet Pty Ltd - All rights reserved www.RiskShield.net - 6 -

2. Risk Shield Concepts and Functions 

Risk Shield is a modular application. It offers a core suite of functionality, onto which you 

can add various modules in accordance with your enterprise’s needs. Each major 

function or module has its own tab in the Risk Shield interface. The image below shows 

the full collection of Risk Shield tabs, with all optional modules loaded. 

2.1. Risk Shield Interface 

Function/Tab 

Home 

Register 

Hazards 

Work Plans 

TRA 

Emissions 

Incidents 

Adv. Risk Analysis 

BCP 

Actions 

Reports 

Admin 

Description 

Links to news and key links 

Lists all risks 

Risk associated with particular hazard 

Risk associated with projects or processes 

Threat Risk Analysis 

Carbon Risk Management 

Incident Management 

Advanced Risk Analysis and Bow Ties 

Business Continuity Planning 

Action Management 

Reporting 

Administration 

The structure of this document largely follows the sequence of tabs in the 

interface, except that the Admin module is discussed first. 

2.2. Risk Shield Hierarchies 

Most enterprises are hierarchical entities and Risk Shield accommodates these 

structures within its design in various ways. There are general rules for the treatment 

of hierarchical items within Risk Shield, as well as explicit recognition of company 

tiers within the interface. 

2.2.1. About hierarchical items in Risk Shield 

There is one general rule here: 

An entity must have a unique name within its parent. 

For example, a risk must have a unique name in its company tier or step (if in a 

work plan). A control must have a unique name in the parent risk. 

Illustration: “Shortage of staff” is a risk allocated to the Department of 

Mathematics in the Faculty of Science. The same risk name (“Shortage of staff”) 

cannot be repeated in the same Department of Mathematics; however, it can 

exist under the Department of Physics, also belonging to the Faculty of Science. 


Remember: 

• A Control must be unique within a risk. 

• A Work Plan, like risks, must be unique within the same tier. 

• A step name must be unique within a Work Plan. 

• A risk must be unique within a step in a Work Plan. 

• An Incident name must be unique within the same tier. 

2.2.2. Company Tiers 

Risk Shield supports the hierarchical aspect of enterprise structures through 

“company tiers”. Company tiers represent the enterprise’s organisational 

structure from a risk-management perspective. As a rule this perspective closely 

corresponds to the enterprise’s standard organisational charts. 

Users can enter items to any company tier, subject to their security rights. 

Most Risk Shield items allocated to a higher Tier are available to the 

lower Tiers. 

Once the appropriate company tiers have been established for your enterprise, 

the user adds each risk, Incident, Work Plan, etc a specific company tier as the 

entity is created. The company tier is selected from the top bar, just below the 

main system tabs, as illustrated below. 

Click on the downwards pointing arrow on the left of the drop-down menu to 

display all the items already entered in the enterprise. 

Click on the label (e.g. Select Business Unit) on the right of the drop-down menu 

to select a specific layer of that tier. 

Then, depending how many tiers are defined for that company, and depending 

on the user rights, the user can continue selecting specific tiers and layers where 

the items to enter are allocated. 


2.3. Standard Symbols 

The following symbols are standard across Risk Shield. 

Description 

Add an item. 

Copy or move (clone) items from a company layer to another. 

Open in a new browser 

Open/Save to an excel file 

Saves the information on the screen. 

Spell check. 

View the changes made to a risk or incident (History or Audit 

trail). 

Print a risk, incident or other major component. 

Cancel any changes made / go back to a main page (not 

necessarily the same as a browser’s back button) 

A “red asterisk” indicates that the field is compulsory. 

Add new items to a list. 

Search for an item 

Set the recurrence schedule of an action. 

Turn hierarchy filter on. 

Turn hierarchy filter off. 

2.4. General Functionality 

All Risk Shield pages inherit a number of standard behaviours, as described below. 

2.4.1. Sorting 

All summary pages will display lists of items, e.g. lists of risks, incidents, etc. All 

lists can be sorted by pressing the top heading. 

A column in a list can be unsorted, sorted ascending or descending. 

A list can be only be sorted by one column at a time. 

When 

containing 

according to 

sorting by a certain column containing multiple items 

the same name, these items are not subsequently sorted 

any other column. 


2.4.2. Copy/Move 

To copy/move items from one layer to another, drag them. 

To copy/move multiple items, select the parent to copy or move all the 

items below that parent. 

Control-click to select multiple alternative items, or shift-click to select 

multiple continuous items. 

Making sure that the appropriate radio button (Copy/Move) is selected before 

performing the action. 

2.4.3. Hierarchy Filtering On/Off 

To turn the hierarchy filtering on/off within an entity lists, simply click on the 

icon to apply the filtering or click on the 

icon to remove the filtering. 

2.4.4. Re-ordering of items 

When re-ordering items on the list, the item gets inserted and re-orders 

the numbering of the entire lists rather than just swap the numbering of 

the items. 


3. Getting Started 

3.1. Setting up Risk Shield for your Enterprise 

Your Risk Shield consultant will set up an administrator account, which you can then 

use to set up Risk Shield for your enterprise. 

To help you get started, Risk Shield Templates, Default Risk Matrix and Severities, 

Register Risk Status, BIA Templates, Control Efficiencies and Mitigation Strategies 

have been setup by default by Risk Shield. These items can still be modified by the 

Administrator in accordance to the company’s liking. 

But some items still need to be setup. The following items need to be set up initially 

by the Administrator to be able to start using Risk Shield Enterprise: 

• Company Structure 

• Users 

3.2. Setting up Company Structure 

Company Structure allows for the creation of company tiers according to the 

structure that a company wants to follow. Risk Shield allows for an indefinite number 

of tiers and layers of tiers. 

For example the first tier could be the company’s divisions, Tier 2 could be the 

business units within the specified division, Tier 3 could be a functional department, 

etc. This allows for a better management and grouping of risks and incidents being 

entered. 

A risk or incident can be allocated to any company tier. A company tier can have a 

“weight” allocated to it. This weight allows increasing or decreasing the relative risk 

rating of an assessment on the Integrated Analytics “weighted report”. 

A tier can also be an activity or a project, whatever the user would like to define as a 

position or location to store risks, incidents, work plans, etc. 

A company tier can also include the number of employees of that tier. This optional 

value is used in the Advanced Risk Analysis module. 

The following figure displays a simple example of a company structure: 


3.3. Setting up Risk Shield Users 

3.3.1. Add New Users 

To add a new user, click on the Admin tab, then Risk Shield Users. In the form 

that follows, enter the details for the new user, and click on icon. All fields in 

this form are mandatory. 


3.3.2. Assign Access Levels 

You will then assign access levels to the user in the following screen. 

The company tiers are displayed on the left of the screen: select the appropriate 

level for this user. Users should be assigned to the highest possible Company 

Tier that they will have access to. Unless access is removed, the user gets 

automatic access right to all the lower Tiers (children). 

• Click on System Administrator to give the user access to the Admin tab 

• Click on Enterprise Access Level to give the user complete access across 

the enterprise. 

These access levels are explained in greater detail in Section 4.1.14 


4. Administration Module 

The Administration Module helps the user manage the system. In here the user can 

manage the appearance of the home page, set users’ access levels, set up the structure of 

company tiers and much more. The main Administration module screen is depicted below. 

4.1. System Administration 

4.1.1. Alerts Settings 

The Alerts / Notifications section allows users to set notices and alarms in the 

form of emails to alert the creation, update, and deletion of items within different 

modules. Alert settings may be configured for Actions, Risks and Incidents. 

On Create/Update/Delete 

This user will receive alerts of all Actions, Risks or Incidents 

created in the specified Company Tier. 


Action Alert Settings also include the following configurations: 

On Close 

This user will receive alerts of all Actions, Risks or Incidents 

closed in the specified Company Tier. 

On Expire 

This user will receive alerts of all action expiries (due date 

reached) in this Module in the specified Company Tier. 

The user may also select a set of conditions or controls so that only 

specific changes within an item will prompt an alert. More than one 

control may be selected by holding down the control key on the 

keyboard while selecting. 

Risk Shield will also send a Notification in these situations: 

When a User or Notifiable User is assigned to a Risk, Control or 

Action. 

When an action expires/recurs. The person responsible will 

always receive a notification. 

Click on the 

settings. 

icon when finished to save all alert notification 

4.1.2. Clean Up Admin Lists 

At times when redundant data has been entered and duplicated between 

different tiers due to the movement and combining of company tiers, it is 

necessary to remove this duplicated data. Clean Up Admin Lists will search for 

such data and automatically remove them. This should only be used when a 

large amount of data has become disordered. 

When clean up is selected, the system will keep the duplicated item in the higher 

tier, hence the item is available to the lower tiers without being duplicated. 

4.1.3. Companies Details 

This page allows a user to modify specific company details including: 

• Company Name 

• Trading Name 

• Business Number 

• Company Description 

• Phone 

• Address 

• State 

• Postcode 

• Country 


4.1.4. Company Structure 

The company structure section allows for the creation of company tiers according 

to the structure that a company wants to follow. Risk Shield allows for an 

indefinite number of tiers and layers of tiers. This serves as the options in the 

drop-down list. The main screen shows a list of Company Tiers available within 

the system. 

4.1.5. Control Efficiencies 

Control efficiencies are a way of measuring the efficiency of a control or how 

good the control is. It defines the quality of controls. 

Examples: Unsatisfactory, Weak, Moderate, Good and Excellent. 

4.1.6. Control Mitigation Strategies 

Mitigation strategies are decisions to be taken with a risk, including strategies 

such as Risk Reduction, Transfer, Avoidance, etc. 

4.1.7. Deleted Entities History 

Deleted Entities History allows a user to view all items which have been deleted. 

The search tool allows searching for specific items within a specific module, or 

within a specific date period. 

4.1.8. External Users 

External Users (EU) are users that can be notified of pending Actions and control 

responsibilities. These users do no necessarily need to be registered users of 

Risk Shield. 

EU should be allocated to the ‘highest possible’ level in the organisation 

layers. i.e. If a EU is allocated to a Division, the child Department will be 

able to see and use the EU. 

However, if a EU is allocated to a lower level, say a Department level, the 

Division above will not be able to see and use that EU. 

4.1.9. Home Page 

This page allows you to make changes in the “Home Page” section. For 

example, users may re-order the appearance of the sections in the home page, 

or add, delete and make changes to Section names. In addition, you can adjust 

the required security level to view these sections. 

A System Administrator can create new sections to post notes, attach documents 

or indicate links of interest to users of Risk Shield. Each Section can have many 

items. The order of each item and each section can be determined by the 

Administrator by altering the order value on the left. 


Once a Section has been created, the Section Type (Post, Attachments, 

and Links) cannot be changed. 

4.1.10. Import Data 

This page allows you to import data from an excel or cvs file into Risk Shield. The 

CVS Expected Format should be followed when organising data within the file to 

ensure that all data is imported successfully. 

4.1.11. On Demand Account Details 

This page allows the user to login to their Risk Shield On Demand account to 

modify any account information regarding their company. 

4.1.12. User Administration 

This page allows for the creation of users in the system and assigning access 

levels to them. It also allows you to edit, delete and clone a user. 

A Search function is also available to user’s to save time in locating a particular 

user. User’s can be search by their first name, last name and email. 

4.1.13. User Rights 

System Administrator 

System Administrator can add, modify and delete Company Tiers, Users, 

User Rights, Alert Settings, Assets, Corporate Objectives, Control 

Efficiencies, Control Mitigation Strategies, the Home Page layout and its 

content, the Risk Matrix and Incident Severities. 

Enterprise Access Level 

Enterprise Access Level provides Manager Rights in Risk Shield across 

all Company Tiers. 

4.1.14. Access Rights 

Security Level 

None: Access to corresponding section is disallowed. 

View: User may only view items and entries made in the corresponding 

section. 


Edit: User: User may add, edit, delete, etc any items within the 

corresponding section but may not add new list items (e.g. adding a new 

control) while entering information. 

Manager: User may add, edit, delete, etc any items within the 

corresponding section, including list items. 

Reporting 

Reporting Security is set by using the Reporting Checkbox beside each 

module. 

4.1.15. Changing Risk Shield Users Password 

To change users’ password, click on the Username right next to the “Logoff” 

button as shown below. 

Enter new password and confirm, and click on 

changes made. 

icon when ready to save the 


4.1.16. Searching for Users 

By default, Risk Shield displays all the users in the Enterprise. 

To search the lists of users saved in the system, simply enter the First Name, 

Last Name or Email in the search boxes as shown below. 

Click on the 

icon to begin the search. 

4.1.17. Work Flow States 

This page allows a user to add, edit or delete work flow states when a notification 

of a specific event has occurred. 

4.2. Administration – Register 

4.2.1. Categories 

A risk may be labelled as being a part of a certain category, and the category list 

may be defined in this section. 

4.2.2. Controls 

Define lists of controls that may be applied to any risk. Controls are the mitigation 

strategies defined to reduce the risk. 

Risk Shield Templates are preloaded with many Controls and other items 

that can save the user many hours of data entry. Below is a list of 

controls available. 

Controls should be allocated to the ‘highest possible’ level in the 

organisation layers. i.e. If a Control is allocated to a Country, the child 

State level will be able to see and use that Control. 

However, if a Control is allocated to a lower level, say a State level, the Country 

level above will not be able to see and use that Control. 


4.2.3. Risk Criteria 

Allows the user to add new Risk Criteria that can be applied to any risk. It also 

allows making changes in the Risk criteria that can be associated for each risk. 

You can also change the order of the risk criteria for viewing purposes. 

Risk Criteria are also known as Assessment Types, i.e. the dimensions under 

which each risk is assessed. For instance, REPUTATION could be one Risk 

Criteria. SAFETY could be another. 

A risk assessed for Reputation could have a HIGH rating but a LOW rating from 

a Safety perspective. 

Risk Criteria should be allocated to the ‘highest possible’ level in the 

organisation layers. i.e. If a Risk Criteria is allocated to a Division, the 

child Department will be able to see and use that Risk Criteria. 

However, if a Risk Criteria is allocated to a lower level, say a Department level, 

the Division above will not be able to see and use that Risk Criteria. 

Care should be taken not to create duplication of Risk Criteria between tiers. The 

safest mechanism is to allocate the criteria to the highest possible Tier. 

The menu label “Risk Criteria” can be customized by the according to 

user preference. 

4.2.4. Risk Matrix Component 

This allows the user to make changes to the Risk Matrix, defining its own 

Probabilities, Consequences and Ratings. Each item can be defined as a word 

and a numeric value. The numeric values are used for the semi-quantitative 

analysis. Ratings can also have a colour associated to them. 

To start editing the risk matrix, click on the Admin tab, then Risk Matrix Axis. 

The drop-down menu near the top of this screen has three options: 

• Likelihood 

• Impact 

• Risk Rating 


4.2.5. Risk Matrix Ratings 

This allows the user to make changes to the Risk Matrix Ratings used to assign 

each risk, overriding the value entered in the axis. 

Now we need to apply ratings to the matrix values. To do this, click on the Admin 

tab, then Risk Matrix Ratings. The matrix values you entered will now display in 

a matrix. 

4.2.6. Risk Status 

This allows the user to make changes to the risk status used to assign each Risk 

entered in the system. It also allows the user to edit and delete existing risk 

status in the system. 


4.2.7. Risk Work Flow Settings 

This allows a user to specify certain settings to notify a user when a specific 

condition has occurred with regards to a risk. 

When adding a new Risk Work Flow Setting, there must be an existing 

user from the User Administration list in order for the External User list to 

populate. 

4.3. Administration – Hazards 

4.3.1. Hazard Categories 

This allows the user to create new categories which hazards may be assigned to. 

4.3.2. Locations 

This allows the user to create new hazard locations and input specific details 

concerning it, such as the region, and contact person(s) regarding a specific 

hazard location. 

4.4. Administration – Threat Risk Analysis (TRA) 

4.4.1. Threat Security Concerns 

This allows flexibility for the user to edit default threat security concerns in the 

system or make additions to the list. 

4.4.2. Threat Matrix Component 

The threat matrix component allows user to customise the contents and order of 

the listings under each component – Capability / Intent / Threat Rating (Labels). 

However, users are not allowed to amend the labels. 

Amendments made to this will be reflected in the following section 4.4.3. 


4.4.3. Threat Matrix Threat Ratings 

Users are able to customise the threat ratings in each dropdown list as shown 

above. 

4.4.4. Criticalities / Threats / Vulnerabilities & Asset/Threat/Threat Sub 

Types 

Users are able to populate data under individual sections which will be reflected 

in the TRA module for selection. 


4.5. Administration – Emissions 

4.5.1. Emissions Types and Factors 

Users are able to customise the Emissions Names, Descriptions, Order of the 

tables, Factors values and Input Units. 

Edit Name of table 

and description 

Change order of the table 

Edit Emissions 

Factor Value/Input 

Unit/Factor Unit 

Or 

Add additional 

Emissions Factor 


4.5.2. Country / State 

Users are able to add or edit Country and (or) State. 

4.5.3. Thresholds 

Users are able to edit the values of Facility Emission Threshold and Company 

Emission Threshold. 

4.6. Administration – Advanced Risk Analysis (ARA) 

4.6.1. Casual Pathways 

These are pathways leading to a risk. 

In Admin, this item should be allocated at the highest possible tier so it 

can be used by the lower tiers. 

4.6.2. Categories 

A risk may be labelled as being a part of a certain category, and the category list 

may be defined in this section. 


4.6.3. Contributing Factors 

Contributing factors are the influencing factors that may take you to a particular 

pathway. Allows the user to add, edit and delete contributing factors that may 

lead to risks happening. 



4.6.4. Controls 

This section is exactly the same as the Administration - Risk Register – Controls. 

Please refer to Section 4.2 (ii) for more details. 



4.6.5. Emergency Responses 

Allows the user to add new emergency responses which can then be actioned 

when a particular risk occurs. It also allows the user to edit and delete existing 

emergency responses in the system. 



4.6.6. Measures 

Allows the user to manage a risk by assigning a measure into it. 



4.6.7. Risk Criteria 

This section is exactly the same as the Administration - Risk Register – Risk 

Criteria. Please refer to Section 4.2 (iii) for more details. 



4.7. Administration – Incidents 

4.7.1. Authority Reports 

Provides a list of external authority reports where different fields within that report 

may be defined. When an incident is reported and recorded and an authority 

report is required, the defined fields within that report are automatically filled. 

4.7.2. Consequences 

Provide lists of possible outcomes when an incident occurs. 

Examples: Customer loss, Death, Downtime, Financial loss, etc. 


4.7.3. Estimates 

Allows the user to determine the estimate cost and time or any impact when an 

incident occur. 

Examples: Annual Operating Cost, or Recurring Cost ($), Time lost due to injury 

(days), Time required to repair (days), etc. 

4.7.4. Incident Severities 

Allows the user to define severity levels that are used to determine the severity of 

an incident. 

Examples: Insignificant, Minor, Moderate, Major and Catastrophic 

4.7.5. Incident Types 

Provide you a list of different incident types that can be use to classify different 

incident. 

Examples: Environmental, Equipment failure, Illness, Injury, etc. 

4.7.6. Incident Work Flow Settings 

This allows a user to specify certain settings to notify a user when a specific 

condition has occurred with regards to an incident. 

4.7.7. Injured Body Parts 

Provide a list of all the possible body parts that can be associated with injuries as 

a result of an incident occurring. 

Examples: Ankle (L, R, Both), Arm (Upper, or Entire L, R, Both), etc. 

4.7.8. Injury Types 

Provide a list of different injury types that may occur. This list covers both 

possible physical and mental injuries that can be associated to the outcome of a 

risk. 

Examples: Back, External Effects, Multiple Injuries, Open Wounds, etc. 

4.7.9. Locations 

Define list of locations where incidents could occur. 

Example: Head Office Building, Street, Information Management Branch, etc. 

4.7.10. Root Contributing Factors 

Provide a list of contributing factors that may lead to an incident happening. 

Helps the company overcome future incident from occurring if they take these 

factors in consideration in the future. 

Example: Careless, Fire Allowed, Gas Available, etc. 


4.7.11. Signatories 

Provide a list of all the users who are authorized to sign off the investigation. 

Example: Manager, Supervisor, etc. 

4.7.12. Treatment Providers 

Provide a list of treatment providers available for the company to use in case an 

incident occurs. 

Example: Ambulance, Cardiac Rehabilitation, Dialysis Centre, etc. 

4.8. Administration – Business Continuity Plan 

4.8.1. BIA Templates 

This page allows an administrator to upload a selection of templates that will then 

be used by users to create their Business Impact Analysis. Help the company 

obtain all the necessary information when creating a Business Impact Analysis. 

Risk Shield templates provide at least three templates that a company 

could use, one for IT, one for a Service Unit of any company and one for 

Manufacturing. 

The Administrator may customize and reload these templates or add new ones. 

To create new BIA templates, use Excel and save the template in XML 

format, before uploading it to Risk Shield. 


5. Risk Register Module 

Risk Register is the base module in Risk Shield. At first it displays all the risks saved in 

the system as shown below. The user can add new risks to the system. Risk name and 

the person identified it are mandatory fields. The rest like, Risk Description, Person(s) 

Responsible and other fields are optional. It also allows the user to edit and delete any 

risks saved. 

5.1. Controls Sub Tab 

This tab provides a list of controls that could be applied to the risk. Controls are the 

mitigation strategies defined to reduce the risk. 

Risk Shield Templates are preloaded with many Controls and other items 

that can save the user many hours of data entry. 

5.2. Analysis Sub Tab 

This section is to analyse a risk within its “analysis context”. The context of the 

analysis is entered and the probability and consequence, for each risk criteria is 

selected, resulting on the risk rating as per the risk matrix. This analysis should be 

done for the inherent risk (current) and for the residual risk (after applying the 

controls). 


5.3. Actions Sub Tab 

This tab provides a list of Actions or tasks needed to be done. It can be associated to 

any user and can set the status, priority and due date accordingly. 


5.4. Work Flow Sub Tab 

This section lists any previous and current work flow notifications for the current risk. 

Notifications may be accessed, edited and accepted or rejected here. All work flow 

notifications for the specific risk are retained even when completed. 

5.5. Attachment Sub Tab 

Risk Shield uses its own technique to attach files or URLs to its system. 1 The 

maximum size allowed by the standard Risk Shield configuration is 8 MB; the file can 

be of any type. 

URLs can be of any format addressable by your web browser. i.e. It can be 

an internal URL pointing to your intranet or an external URL of the format 

www.picnet.com.au (for example). The URL is not validated by Risk Shield. It 

is the user’s responsibility to check the validity of the URL loaded. 

1 This technique is known as DocFlex®, another trademark of PicNet Pty Ltd (Risk Shield’s 

parent company). 


6. Hazard Module 

The Hazard Module allows the definition of all hazards and the risks associated with a 

particular hazard. 


7. Work Plan Module 

A Work Plan can be used for a Project, a Job Safety Statement, etc. It describes a 

number of steps. Each step has risks (that can be analysed) and controls for each risk. It 

needs the Risk Register Module to operate. 

The risks are automatically loaded into the register. At first it displays the entire work 

plan saved in the system as shown below. It allows the user to add new work plan to the 

system. Work Plan (Activity) name is a mandatory field. The rest like, Work Plan 

(Activity) Description, Version and other fields are optional. It also allows the user to edit 

and delete any work plan saved. 

7.1. Work Plan Sub Tab 

Here the user may enter specific details concerning a work plan. 


After saving the work plan, a new screen will be displayed as shown below, with 

additional tabs. 


8. Threat Risk Analysis Module 

Threat Risk Analysis is vital to ensure corporations identify and manage risk. The 

methodology of threat risk analysis begins with identifying your asset. 

8.1. Threats Sub Tab 

Once your asset has been recorded, Risk Shield allows you to assign threats to the 

asset, and classify them under threat types and subtypes of your choosing. 


8.2. Vulnerabilities Sub Tab 

Once the threats to the asset have been identified, Risk Shield allows you to identify 

and record the vulnerabilities to your asset with relation to the identified threat. 

8.3. Risks Sub Tab 

After the asset, threats, and vulnerabilities have been recorded, Risk Shield then 

allows you to identify the risks that will emerge from the threats and vulnerabilities 

previously entered. 


9. Emissions Management Module 

With a greater focus in today's world on reducing CO2 emissions, companies are now 

required to monitor and report their own CO2 emissions. Having high emission levels 

may increase the risk of both polluting the environment as well as a loss of company 

reputation and penalties. 

Tick relevant 

emissions type 

relevant to this 

facility so as to 

reduce the tabs 

shown above. 

Under each Emissions Factor tab, users are able to add value and the system will have 

the Full Fuel Cycle calculated. 

In the main Facility tab, users are able to select, by ticking the boxes, the Emissions 

Type which is relevant to this facility so the irrelevant ones will not appear in the tabs 

above. 


9.1. Actions Sub Tab 

User can create actions and delegate an external user to follow up on the action. 

9.2. Attachments Sub Tab 

Allows user to attach additional document(s) that is(are) relevant to the facility. 

9.3. Risks Sub Tab 

This section allows you to enter additional risks associated with the incident, and is 

exactly the same as the Risk Register – Section 5. 


10. Incidents Module 

As part of a risk management process, Risk Shield also helps organisations to track and 

manage incidents. At first it displays all the Incidents saved under which division, 

business unit and department the user is working on, as shown below. 

Users with the right access can record incidents, its witnesses, contributing factors, 

actions taken and requested as well as assessing its financial/non-financial implications. 

Effective incident management ensures appropriate preventive and corrective actions 

are adopted to minimise potential risks. 

10.1. Incidents Sub Tab 

This will bring the user to a new screen as shown below. Here the user can enter 

details about the incident. Name, severity, date/time occurred, date/time reported are 

mandatory fields and the rest are optional. 


After saving the incident, a new screen will be displayed as shown below, with 

additional tabs. 


11. Advanced Risk Analysis Module 

ARA (Advanced Risk Analysis) is suitable for users who require an advanced risk 

assessment tool and for the creation of Business Continuity Plans. Incorporated into 

Advanced Risk Analysis is the Bow Tie Diagram generator which allows risk managers 

to draw up complicated risks, its causal pathways, contributing factors, controls, 

outcome, emergency responses, etc. in a diagram in just seconds. 

The ARA is most suitable for low probability/high consequence risks. 

At first it displays all the risk saved in the system (As shown below). The user can add 

new risks to the system. Risk name is a mandatory field. The rest like, Risk Description, 

Asset(s) and other fields are optional. It also allows the user to edit and delete any risks 

saved. 

This will bring the user to a new screen as shown below. Here the user may enter 

specific details concerning a risk. After which, the user may continue to enter other 

details in the other sub tabs. 


11.1. Bow Tie Diagram 

To generate a Bow Tie Diagram, simply click on the 

button as shown below. 

Below is a sample Bow-Tie Diagram that can be generated through Risk Shield. 

You will need Microsoft Visio Professional 2003 or higher, and Risk Shield 

Add-on to Visio to generate the Bow-Tie Diagram. 


12. Actions Module 

Action Management is a search feature that lets you search through all the actions 

saved in the system. At first it displays the entire actions saved in the system as shown 

below. It also allows the user to edit and delete any actions saved. 

Actions are entered for each risk, incident or BIA. The Action Management 

module is available to all users with rights to enter those actions. 


13. Reporting 

This module helps you to generate reports and graphs for the other modules. The report 

engine is created dynamically using the user-defined metrics created under the 

Administration module. These reports can be generated in both Excel format for 

download or simply display on your web browser for better interactivity. 

At first it displays lists of all the possible reports that can be generated through the 

system as shown below. 


In order to print the background colours and heat charts properly on the reports 

generated, make sure the “Print background colors and images” is ticked under Printing 

settings in Internet Explorer. 

To check this in Internet Explorer 6: Click on Tools –> Internet Options –> Advanced 

(tab) –> Printing. 


To check this in Internet Explorer 7: Click on Tools –> Internet Options –> Advanced 

(tab) –> Printing. 


The Target List 

The Target List allows you to select what part of the Risk or Incident you want to search. 

This may give options such as the name and description of the Risk or Incident. When 

the target list has many items it will always include the 'Any' choice. This means that the 

search is applied to any of the targets in the list. 

The Search Terms 

The Search Terms allowed in the Risk Shield Reporting Engine are quite flexible whilst 

being easy to use. These are: 

Phrase Search 

You can search for a phrase by using quotes ("). For Example: Searching Risk 

Names for the terms - [Rope Burn] will match any risk with the word Rope or burn 

or both in their name. However Searching for the term ["Rope Burn"] will match 

risk with the phrase 'Rope Burn' in their name only. 

Must Match 

To include a term that must be matched use the plus (+) symbol prior to the word 

or phrase. For Example: Searching for [+Rope +Burn] will match all risks that 

have both the words Rope and Burn in their name. 

Excluding Words 

To exclude a word or a phrase from the results you can use the minus (-) 

symbol. For Example: Searching for [Rope -Burn] will match all risks that include 

the word 'Rope' but not the word 'Burn'. 

Capitalisation 

Capitalisation is always ignored in reporting searches. 


13.1. Integrated Analytics Reports 

This module allows the reporting and analysis of risk profile, repetitive risks and risk 

register by weighting. 

13.1.1. Risk Profile Summary (Monte Carlo) 

This report aims to present results to the analyst/manager in a clear and concise 

fashion by using graphical output wherever possible and keeping the statistical 

output to a minimum. This report can give the analyst/manager a profile of the 

consequence, probability and overall risk rating of the enterprise/organisation. 

This table shows the different statistical results from the just run simulation, 

contrasting results for profiling of existing controls vs new controls. 

Mean: 

This is the arithmetic mean / average of the sample population. 

Mode: 

Is the most frequent value occurred from the sampling. 

Measure of Spread: Standard Deviation 

This represents the deviation of the values from the mean, the greater the value 

the more spread the values are from the mean. Minimum, Maximum & Range are 

also measure of spread. 

Skewness 

Describes the asymmetry of the distribution relative to the mean. A positive 

skewness indicates that the distribution has a longer right-hand tail (skewed 

towards more positive values). A negative skewness indicates that the 

distribution is skewed to the left. 


Contour Charts: 

The contour chart shows in the Y-axis the number of times (Frequency Count) a 

single outcome was of a particular value. While the X-axis shows the estimated 

overall probability of a particular risk materialising. This probability rating is taken 

from your particular risk matrix. In this example min is 1 and max is 5. As an 

example, when the simulation is run for this risk, with the new controls, the value 

3.1 (representing the probability) was sampled 80 times. 

What is this chart telling me 

• Most values returned from the simulation run with the existing controls are 

well above "3.5", thus indicating a high overall probability of an undesired event 

happening. 

• The modal inherent probability is ~3.8 while the modal residual probability 

is around 3.65. Also the residual probability graph is shift to the left of the 

inherent so overall probability of a risk occurring is decreased after the 

implementation of the new controls. 

• The simulation tells me that when implementing the new controls a slight 

decrease in the probability of a risk materialising. The sampled distribution does 

not appear to follow that of a Normal Distribution. 

• The contour chart shows in the Y-axis the number of times (Frequency 

Count) a single outcome was of a particular value. While the X-axis shows the 

estimated overall probability of a particular risk materialising. This probability 

rating is taken from your particular risk matrix. In this example min is 1 and max 

is 5. 


As an example, when the simulation is run for this risk, with the new controls, the 

value 3.1 (representing the probability) was the output of the simulation on 60 

occasions. 

CDF: Cumulative Distribution Function: 

From the above graph we can say that inherently, 80% of risks have a probability 

of 3.9 or lower. After applying controls the 80% of the risks have a probability of 

3.7 or lower, there is a slight improvement (lowering of probabilities). 

The cumulative distribution function (cdf) is the probability that a given value on 

the Y-axis (percentage) to take on the corresponding value from the X-Axis or 

lower. 


13.1.2. Repetitive Risks Analysis – Summary 

This report shows risks that occur more than once for the given selection. By 

default the report is sorted by the number of occurrences in descending order. 

The concept of this report is to inform management of the potential higher 

exposure of a risk identified by many within the organisation, however its rating. 

13.1.3. Register Risk Summary at a Glance (Weighted) 

Weighted reports are identical to the normal risk register reports, however, the 

weight defined to each company tier is applied in the rating calculation for those 

tiers. 

13.1.4. Register Risk Summary (Weighted) 



tiers. 

13.1.5. Register Risk Detail 



tiers. 


13.2. Register Reports 

Users can generate a summary or detailed report on Risks recorded under the 

Company Tiers for which the user has access to in Risk Register module. 

The Risk Register can also be analysed using the optional External Analytics 

module. This gives OLAP (Online Analytical Processing) capabilities to the Risk 

Register. Below is the criteria screen used to generate Register Risk Summary at a 

Glance, Register Risk Summary and Register Risk Detailed reports. 

13.2.1. Register Summary at a Glance 

Allows the user to generate an overview report on Risks recorded under the 


13.2.2. Register Summary 

Allows the user to generate a summary report on Risks recorded under the 


13.2.3. Register Detail 

Allows the user to generate a detailed report on Risks recorded under the 



13.2.4. Register Controls 

Allows the user to generate report on Register Risks Controls recorded under the 


Below is the criteria screen used to generate the Register Risk Controls report. 

13.3. Hazards Reports 

13.3.1. Hazards Summary 

Allows the user to generate a summary report on Hazards recorded under the 

Company Tiers for which the user has access to in Hazards module. 

13.3.2. Hazards Details 

Allows the user to generate a detailed report on Hazards recorded under the 

Company Tiers for which the user has access to in Hazards module. 

13.4. Work Plans Reports 

13.4.1. Work Plans Summary at a Glance 

Allows the user to generate an overview report of the risks entered under a work 

plan format. 

13.4.2. Work Plans Summary 

Allows the user to generate a summary report of the risks entered under a work 

plan format. 


13.5. TRA Reports 

13.5.1. TRA Summary at a Glance 

Allows the user to generate an overview report of the threats and vulnerabilities 

involving the Asset. 

13.5.2. TRA Asset List 

Allows the user to generate an overview report of the Assets. 


13.5.3. TRA Threat / Vulnerability List 

Allows user to generate a list of Threats / Vulnerabilities with options to filter 

fields such as Threat Type, Capability, Threat Rating, etc. 

13.5.4. TRA Detailed Report 

Allows the user to generate a detailed report on the TRA module. 


13.6. Emissions Reports 

13.6.1. Emissions Summary at a Glance 

Allows the user to generate an overview report of Facilities and its Full Fuel 

Cycle recorded under the Company Tier. Report shows amount of Facility 

Emission Threshold against Company Emission Threshold. 

13.6.2. Emissions Summary 

Allows the user to generate a summary report of the Emission Types within the 

Facilities recorded under Company Tier. 

13.6.3. Emissions Detailed Report 

Allows the user to generate a detailed report of the Emission Types within the 

Facilities recorded under Company Tier, including the breakdown of Scopes. 

13.7. Incidents Reports 

Users can generate a summary or detailed report on Incidents recorded under the 

Company Tiers for which the user has access to in Incident Management module. 

The Incident Management Module can also be analyzed using the optional External 

Analytics module. This gives OLAP capabilities to the Incident Management Module. 

13.7.1.Incidents Summary Report 

Allows the user to generate a summary report on Incidents recorded under the 



13.7.2.Incidents Detailed Report 

Allows the user to generate detailed report on Incidents recorded under the 


13.8. ARA Reports 

Users can generate a consolidated report on Actions Taken and Requested under 

the Company Tiers for which the user has access to across the Risk Register, 

Advanced Risk Analysis, Incident Management and Business Continuity Planning 

modules. 

13.8.1. ARA Summary Report 

Allows the user to generate a summary report on Actions Taken and Requested 

under the Company Tiers for which the user has access to across the Risk 

Register, Advanced Risk Analysis, Incident Management and Business 

Continuity Planning modules. 

13.8.2. ARA Detailed Report 

Allows the user to generate a detailed consolidated report on Actions Taken and 

Requested under the Company Tiers for which the user has access to across the 

Risk Register, Advanced Risk Analysis, Incident Management and Business 


The Action Management reports are available to all users with rights to 

enter those actions. 

13.8.3. ARA Actions & Emergency Response Report 

Allows the user to generate Actions and Emergency Response for each ARA. 

13.9. Actions Reports 

Users can generate a consolidated report on Actions Taken and Requested under 

the Company Tiers for which the user has access to across the Risk Register, 

Advanced Risk Analysis, Incident Management and Business Continuity Planning 

modules. 

13.9.1. Actions Summary Report 





13.9.2. Actions Management Detailed Report 





The Action Management reports are available to all users with rights to 

enter those actions. 


14. Risk Management Glossary 

Available on line at: 

http://www.riskshield.com.au/Portals/1/Glossary/GlossaryA.htm 

15. Risk Shield Introductory Videos 

High quality introductory videos of Risk Shield are available on line at: 

http://www.riskshield.com.au/Resources/RiskShieldVideos/tabid/85/Default.aspx 

16. Risk Shield Pocket 

A basic version of Risk Shield Risk register for Pocket PC (Windows Mobile PDA) is 

available via: 

http://www.riskshield.com.au/Products/RiskShieldPocket/tabid/63/Default.aspx

Risk Shield User Reference Manual Risk Shield Version 5.0 ... - PicNet

Create successful ePaper yourself

Delete template?

Save as template?