TraceUnified
Product Traceability Industries Pricing
Resources
Why TraceUnified Documentation Compare Security & compliance
Book a demo Try for free

Assess & treat a risk

An end-to-end walkthrough — create a risk on the ISO 14971 model, score it, add a mitigation, and re-evaluate and accept the residual.

This guide takes one hazard from identified to accepted. It uses the universal item actions from Working with items where they apply, and focuses on the risk-specific judgments. For the concepts behind each step, see Risk registers, Scoring risk, Mitigations, and ALARP & residual risk.

Create a risk

A risk is an item that captures a hazard and the harm it could cause, on the ISO 14971 model.

Before you start Open the Risks module in your project.

  1. Create a risk the usual way — + Add, or right-click in the tree and choose Add Item.
  2. Describe the chain that defines it: the hazard, the hazardous situation in which it's exposed, and the harm that could result.
  3. Complete the remaining fields your risk type requires, and save.

Result A risk record exists in the register, ready to assess.

Score the risk

Scoring places the risk on your matrix so its acceptability is determined consistently, not by opinion.

  1. Set the Severity of the harm and the Probability of it occurring, using the values defined for your project.
  2. The risk matrix combines them into a risk level and an acceptability band — typically Acceptable, ALARP, or Unacceptable.

Result An initial risk level, color-coded on the matrix. This is the risk before any controls. See Scoring risk for matrix configuration and FMEA.

Add a mitigation

Mitigations are the controls that reduce a risk — and they’re tracked, not just noted.

  1. On the risk, choose Add Mitigation and describe the control.
  2. Link the mitigation to the requirement, design element, or test that implements and verifies it, so the control is traceable.
  3. When the control is in place and verified, have it reviewed and choose Approve Mitigation.

Result The mitigation is recorded against the risk with its status, and linked to the work that delivers it.

Re-evaluate & accept the residual

After a control is in place, the risk that remains — the residual — must be re-scored and judged.

Before you start The mitigation should be approved and in place.

  1. Re-evaluate the risk: when prompted, re-score Severity and Probability to reflect the control's effect.
  2. Review the residual risk level on the matrix.
  3. If it's acceptable — or reduced as far as reasonably practicable — choose Accept Residual Risk and record the justification.

Result The risk carries both its initial and residual scores, the acceptance decision is recorded with its rationale, and the audit trail shows the full hazard-to-acceptance history.

Note If a linked requirement or design element later changes, the risk may flag for re-assessment — keeping your risk file honest as the system evolves.

Where to go next

To connect risk to the rest of the thread, see Linking risk.

Was this helpful?