Issue Management – Building Registers

Having previously discussed the relevance of an issue management program, this article will speak to the importance of documenting issues and how you can include essential details in your register. We highlight the different types of registers, essential register elements, and how to build them.

Registers for Issue Management

To best evaluate, analyze, and resolve issues, a comprehensive issue management program will have multiple types of registers including business objectives, incidents, issues, and risks. In this article we focus on the following registers:

  • Risk register
  • Non-conformance register
  • Issue register

Building a Risk Register

One important step in building a centralized issue management program is to formalize a risk management process describing how your organization identifies, categorizes, assesses, treats, and monitors risks. This process should create a set of requirements that all departments can follow on how risks associated with internal and external threats should be managed. There are many approaches to risk management; in this article, we will keep it simple and use a common example.

A risk register is the final documented outcome of executing a risk management process. Most risk register templates share these commonly used elements:

Risk Identification ID: A name or ID number to identify the risk.

Risk Ownership: Each risk needs to be assigned to a team member who becomes a risk owner. The risk owner must have the technical ability and the authority to deploy the appropriate response to the risk.

Risk Description: A brief explanation of the risk.

Associated Threat: It is useful to associate risks with well-known internal and external threats.

Risk Category: Categories could be based on the source of risk (as described in the first article of this series).

Risk Analysis Methodology: The purpose of conducting a risk analysis is to determine the probability (likelihood) and impact (criticality) of a risk. It is useful to assign a score based on these factors.

Risk Priority: The risk priority is determined by the final score (likelihood x impact) assigned to each risk. You can create a nominal prioritization standard based on these results, such as critical, high, medium, and low priority risks.

Risk Response Plan: Each risk needs a risk response plan to mitigate its effect; the plan must include any associated tasks and resolution dates.

After assessing each risk your company faces, you may end up with something similar to the risk register below.

[Figure: A Risk Register in StandardFusion]

Building a Nonconformity Register

A nonconformity (NCR) is a type of issue that originates from internal assessments or external audits. When a nonconformity occurs, you must thoroughly document it and follow procedural steps until this issue can be closed.

There are a few key items to include in your nonconformity register:

Description: You must document all specific deviations or work that fails to meet the quality standard. This document allows the compliance department and the issue owner to understand the nature of the issue and take action to correct the nonconformity and eliminate the cause. The NCR description should detail:

  • The standard or regulation
  • The requirement/control affected by the nonconformance
  • What went wrong to cause the NCR
  • Pieces of evidence reviewed

Criticality: There are two types of nonconformances: major and minor. A nonconformance is classified as major when there is an absence of, or a complete breakdown in, your Management System based on the required controls. A minor nonconformance is defined as a finding with no substantial consequences to the Management System that will not result in a failure or significantly weaken it.

Ownership: Determine the process owners who will assess and work on the NCR and its associated procedures.

Root-Cause Analysis (RCA): A root cause is defined as a factor that caused a nonconformance and should be permanently eliminated through process improvement. The root cause is the core issue that must be identified using one of the available techniques, such as fishbone analysis, 5 Whys, or a Pareto chart, among others.

Corrective Action: Corrective actions are the activities taken to eliminate the cause of a process nonconformity. They might include immediate actions or a comprehensive plan to correct the issue based on its root cause.

Issue Registers

An issue register is the documentation of all the issues directly connected to the results of the risk identification exercises established as part of your management program. Much like the previously mentioned registers, this document must connect to the escalated risks and include the description, category, cause, probability of occurring, impact on objectives, proposed responses, owners, and status of said issues.

All the issue register components must be documented and communicated within the organization to ensure consistent reporting across the different departments and that leaders document, assess, and manage their individual issues.

Getting the Work Done

Now that we have covered the key components of different registers, in the next article we will discuss the key role of ownership, various assessment techniques, and how these two fundamental components aid in issue work prioritization.