Manage Risk Sources
Link findings, reports, and identified hazards to your risk & hazard register.
1 What's on this page
The Manage Risk Sources page acts as a central hub for converting findings, reports, and identified hazards into formal risk register items. It displays all potential risk sources from your quality, safety, security, and management of change activities, allowing you to assign hazards, assess risks, and link them to your risk & hazard register.
What you see here
- Risk sources table: All findings, reports, and identified hazards that need review and linking
- Search & filters: Filter by QSS section, source type, linked status, hazard, or team member
- Link column: Shows linking status and provides buttons to link sources to risk register items
- Hazard assignment: Assign hazards to sources that don't yet have one
- Risk assessments: View initial and residual risk levels with colour-coded badges
- Exclude option: Mark sources that should never be linked to the register
Key concepts
- Risk source: A finding, report, or identified hazard that represents a potential risk to your operations
- Linking: The process of connecting a risk source to a risk & hazard register item for tracking and management
- Hazard: The underlying hazard category that the risk source relates to (e.g., "Loss of Control", "Fatigue")
- Initial risk: The risk level before any mitigations or corrective actions are applied
- Residual risk: The risk level after mitigations and controls are in place
Pending linking by default: The page defaults to showing risk sources with "Pending Link" status—sources that need your attention to be linked to the risk register. You can change this filter to view excluded, linked, or sources without hazards.
Source types included: Risk sources can come from various QSS activities including audit findings, safety reports, security reports, dangerous goods reports, and management of change identified hazards. Each source type requires hazard assignment and risk assessment before linking.
2 Understanding the risk sources table
The main table displays all risk sources with comprehensive information about each item. The table columns provide quick access to key information and actions:
Table Columns
| Column | Meaning | Actions Available | Notes |
|---|---|---|---|
| Link | Shows the linking status and action button. Displays the register item code if linked, "No Hazard" if hazard not assigned, "Excluded" if marked for exclusion, or a "Link" button if ready to link. | Link to register, unlink if already linked | Sources must have a hazard assigned before they can be linked. |
| Code | The unique identifier for the risk source (e.g., audit finding code, report code, MoC hazard code). | Click to view source details | Code format varies by source type. Sortable column. |
| Type | The category of risk source: Reports, Report Findings, Audit Findings, or MoC Identified Hazards. | None | Filter by this to focus on specific source types. |
| Created (UTC) | The date when the risk source was created in the system. | None | Displayed in UTC timezone. |
| Description | A brief summary of the issue, finding, or hazard. Long descriptions are truncated with a badge to view full text. | Hover to view full text | Varies by source type—may be finding description, report summary, or hazard description. |
| Section | The QSS section this source belongs to: Quality, Safety, Security, or Dangerous Goods. | None | Determines which compliance framework applies. |
| From | The parent item that generated this source (e.g., audit code for findings, MoC code for hazards). Shows "Standalone" for standalone findings. | None | Provides traceability to the originating activity. |
| Hazard | The assigned hazard name. Shows "Assign Hazard" button if not yet assigned. | Assign or change hazard | Required before linking. Hazard determines risk assessment parameters. |
| Root cause | The identified root causal factor contributing to the risk source. | None | Populated from the source's causal factor analysis. |
| Impacted | The impacted parties or areas affected by this risk source (e.g., "Flight Crew", "Passengers", "Aircraft Systems"). | Hover to view all | Multiple impacted parties shown in popover with bullets. |
| Initial risk | The risk index before mitigations, shown as a colour-coded badge (green, yellow, amber, red). | None | Based on likelihood and consequence ratings. Set during risk assessment. |
| Residual risk | The risk index after mitigations, shown as a colour-coded badge. | None | Should be lower than initial risk after effective controls. |
| Team | Badge showing assigned team members. Green badge with group icon if team assigned, grey badge with single user icon if none. | Hover to view team | Team members responsible for managing this risk source. |
| Status | The primary status of the source item (e.g., "Open", "Closed", "Pending Review"). | None | Status comes from the underlying finding, report, or MoC item. |
| Exclude | Shows current exclusion status or buttons to include/exclude the source from linking. | Exclude or include | Excluded sources are marked as "never to be linked" and won't appear in pending link view. |
3 Search and filter risk sources
Use the search and filter tools to narrow down the list of risk sources to those that need your attention. The filters work together to help you focus on specific categories, statuses, or assignments.
Search bar
The search bar at the top-left searches across multiple fields:
- Code: Search by finding code, report code, or MoC hazard code
- Description: Search within the description text of sources
- Hazard name: Find sources by their assigned hazard
- Root cause: Search by causal factor name
- Section: Search by QSS section (Quality, Safety, Security, Dangerous Goods)
Filter options
The filter section below the search bar provides structured filtering:
Standard Filters
- QSS Section: Filter to Quality, Safety, Security, or Dangerous Goods sources
- Source Type: Show only Reports, Report Findings, Audit Findings, or MoC Identified Hazards
- Linked Status: Filter by Pending Link (default), Excluded, Linked, or No Hazard
- Hazard: Select a specific hazard to see all sources assigned to it
- Team Member: Filter to sources assigned to a specific team member
Filter Tips
- Use Linked Status = Pending Link to focus on items requiring action
- Combine QSS Section + Source Type to review specific audit or report categories
- Filter by Hazard to see all sources contributing to a particular risk area
- Use Team Member to review items assigned to your colleagues
- Clear all filters by clicking the clear/reset button in the filter section
Items per page
When the filtered list contains 16 or more items, a dropdown appears in the filter section allowing you to change the number of items displayed per page (15, 30, or 45). Use this to show more items at once when reviewing large lists.
4 Assign a hazard to a risk source
Before a risk source can be linked to the risk & hazard register, it must have a hazard assigned. The hazard categorises the type of risk and determines the risk assessment parameters.
When to assign a hazard
You need to assign a hazard when:
- The Hazard column shows an "Assign Hazard" button (indicating no hazard is currently assigned)
- The Link column shows "No Hazard" (the source cannot be linked without one)
- You're processing new findings or reports that have just been added to the system
- You need to change the hazard category because the risk was initially miscategorised
Steps to assign a hazard
- Click "Assign Hazard": In the Hazard column, click the "Assign Hazard" button for the risk source
- Select from hazard library: A window opens showing your organisation's hazard library organised by categories (e.g., Flight Operations, Maintenance, Ground Operations)
- Choose the hazard: Select the most appropriate hazard that describes the risk source's underlying issue
- Perform risk assessments: Once the hazard is assigned, you'll be prompted to perform initial and residual risk assessments (see below)
- Save: Confirm to save the hazard assignment and risk assessments
Choose carefully: The hazard you assign determines how the risk is categorised in your risk register and which risk matrix is used for assessment. If you need to change the hazard later, you can click on the hazard name in the table to reassign it, but this will require re-performing the risk assessments.
Risk assessments after hazard assignment
After assigning a hazard, you must complete two risk assessments:
Initial Risk Assessment
Assess the risk before any mitigations or corrective actions are applied:
- Likelihood: How likely is this hazard to occur? (e.g., Rare, Unlikely, Possible, Likely, Almost Certain)
- Consequence: What is the potential impact if it occurs? (e.g., Negligible, Minor, Moderate, Major, Catastrophic)
- Risk Index: Automatically calculated from likelihood and consequence using your risk matrix
Residual Risk Assessment
Assess the risk after existing or planned mitigations are in place:
- Likelihood: How likely after controls are applied?
- Consequence: What is the impact after controls?
- Risk Index: Should be lower than initial risk if mitigations are effective
- Residual risk informs whether the risk is acceptable or requires further action
5 Link a risk source to the register
Once a risk source has a hazard assigned and risk assessments completed, you can link it to the risk & hazard register. Linking adds the source to a formal register item that tracks all related sources, mitigations, and monitoring activities.
When the Link button appears
The "Link" button in the Link column becomes available when:
- A hazard has been assigned to the risk source
- Initial and residual risk assessments have been completed
- The source is not excluded
- The source is not already linked to a register item
Steps to link a risk source
- Click "Link": In the Link column, click the "Link" button for the risk source
- Choose linking option: A window opens with two possible scenarios:
- Link to existing item: If a risk register item already exists for this hazard, you can add this source to it. The window shows existing register item details.
- Create new item: If no register item exists for this hazard, a new one is created automatically. You can set additional details like controls and tolerability.
- Review impacted parties: The source's impacted parties are automatically copied to the register item if they're not already included
- Set controls and tolerability: For new register items, specify:
- Existing controls and mitigations
- Planned controls or corrective actions
- Risk tolerability level (acceptable, tolerable with review, intolerable)
- Assign responsible persons: Add team members responsible for monitoring and managing this risk
- Save: Confirm to link the source to the register item. The Link column now shows the register item code with an unlink icon.
Multiple sources, one register item: A single risk register item can have multiple risk sources linked to it. For example, if several audit findings all relate to the same hazard ("Fatigue Management"), they can all be linked to one register item. This consolidates risk management rather than creating duplicate entries.
After linking
Once linked, the risk source:
- Displays the risk register item code in the Link column (e.g., "RHR-2025-042")
- Changes its linked status from "Pending Link" to "Linked"
- No longer appears in the default view (which shows only pending links)
- Becomes part of the formal risk management process tracked in the Risk & Hazard Register page
- Can be unlinked if needed by clicking the unlink icon next to the register item code
6 Unlink a risk source from the register
If a risk source was linked incorrectly or needs to be reassessed independently, you can remove the link between the source and the risk register item.
Steps to unlink a source
- Locate the linked source: Find the risk source in the table. The Link column shows the register item code with a red unlink icon ().
- Click the unlink icon: Click the unlink icon next to the register item code
- Confirm unlinking: A confirmation window appears asking you to confirm the unlinking. Review the message to ensure you're unlinking the correct source.
- Confirm: Click the confirm button to remove the link
What happens after unlinking
When you unlink a source:
- The link between the risk source and register item is removed
- The source's linked status changes back to "Pending Link"
- The Link column shows the "Link" button again (if hazard and assessments are still valid)
- The source is removed from the register item's list of linked sources
- The source's hazard, risk assessments, and other attributes remain unchanged
- You can re-link the source to the same or a different register item later
Unlinking does not delete: Unlinking only removes the relationship between the risk source and the register item. It does not delete the source, the register item, or any associated data. The source returns to "Pending Link" status and can be re-linked if needed.
7 Exclude sources from linking
Not all findings, reports, or identified hazards need to be linked to the risk register. You can exclude sources that don't represent significant risks or that should be managed outside the formal risk register process.
When to exclude a source
Consider excluding a risk source when:
- The finding or report represents a minor administrative issue rather than a significant risk
- The source is a duplicate of an existing linked source
- The issue has been resolved completely and doesn't require ongoing risk management
- The source relates to a one-time event that won't recur and has already been addressed
- Your risk management policy specifies certain finding types should not be tracked in the register
Steps to exclude a source
- Locate the source: Find the risk source you want to exclude in the table
- Click "Exclude": In the Exclude column (far right), click the "Exclude" button (red button with arrow icon)
- Wait for update: A spinner appears briefly while the system updates the source's status
- Verify exclusion: The Exclude column now shows "Include" (yellow button), indicating the source is excluded
What happens when excluded
When a source is excluded:
- The Link column changes to show "Excluded" instead of a link button
- The source's linked status changes from "Pending Link" to "Excluded"
- The source no longer appears in the default Pending Link view
- To see excluded sources, change the Linked Status filter to "Excluded"
- The source cannot be linked to the register while excluded
Re-including an excluded source
If you excluded a source by mistake or circumstances change:
- Filter to excluded: Set Linked Status filter to "Excluded" to see excluded sources
- Click "Include": In the Exclude column, click the "Include" button (yellow button with arrow icon)
- Wait for update: A spinner appears while the system updates the status
- Verify: The source returns to "Pending Link" status and the "Exclude" button reappears
8 View risk source details
Each risk source in the table is linked to its full details from the originating activity. Click the code in the Code column to open a read-only view of the complete source information.
What you see in source details
The details window varies by source type:
Audit Findings
- Finding code and description
- Originating audit details
- Compliance reference and category
- Auditor notes and observations
- Corrective action requests (if any)
- Status and closure information
Reports & Report Findings
- Report code and title
- Report type (safety, security, dangerous goods)
- Occurrence details and narrative
- Contributing factors
- Findings and recommendations
- Investigation status
MoC Identified Hazards
- Hazard code and description
- Originating management of change item
- Proposed change details
- Hazard analysis and assessment
- Mitigations and controls planned
- Approval and implementation status
The details view is read-only from this page—you cannot edit the source from here. To make changes to the underlying finding, report, or MoC hazard, navigate to the appropriate page (Findings & RFI Register, QSS reports, or Management of Change).
Context for linking decisions: Reviewing the full source details helps you make better decisions about hazard assignment, risk assessment, and whether to link or exclude the source. Understanding the complete context ensures appropriate risk management.
9 Understanding risk source types
Risk sources come from different QSS activities throughout your organisation. Understanding the source types helps you identify where risks are being identified and how they should be managed.
Reports
Complete reports submitted for safety occurrences, security incidents, or dangerous goods events:
- Created from: QSS report submission process
- Examples: Air safety reports, ground incident reports, security breach reports
- When to link: When the overall report represents a systemic or recurring risk
- Team: Typically includes the investigator and responsible manager
Report Findings
Individual findings or causal factors identified within a report:
- Created from: Report investigation findings
- Examples: Root cause findings, contributing factor findings
- When to link: When a specific finding represents a distinct risk requiring management
- Relationship: Multiple findings can come from one report
Audit Findings
Non-conformances or observations identified during quality audits:
- Created from: Internal or external audits
- Examples: Procedure non-compliance, documentation gaps, training deficiencies
- When to link: When the finding represents a compliance risk or systemic issue
- Corrective actions: Often include formal corrective action requests
MoC Identified Hazards
Hazards identified during management of change processes:
- Created from: Management of change hazard analysis
- Examples: New procedure hazards, equipment change risks, process modification risks
- When to link: When the change introduces a new or modified risk requiring ongoing management
- Proactive identification: These are identified before implementation
10 Permissions and access
Access to the Manage Risk Sources page requires specific permissions. Users without the required permissions will see a "Not Authorised" message.
Who can access this page
The page requires the following permission:
- Manage Risk Sources - Full: Full access to manage risk sources, including viewing, assigning hazards, performing assessments, linking, and excluding sources
Typical user roles
This page is typically used by:
- Quality managers: Processing audit findings and quality-related sources
- Safety managers: Managing safety report findings and hazards
- Security managers: Handling security-related findings and risks
- Risk managers: Overseeing the entire risk source linking process across all QSS sections
- Compliance officers: Ensuring all relevant findings are properly assessed and linked
Permission needed: If you need access to this page, contact your system administrator or accountable manager to request the risk management permissions. Explain which QSS section you need to manage (Quality, Safety, Security, or all) so they can grant appropriate access.