Risks

Risks module overview

The Risks module in CalmCompliance helps you assess risks, log hazards, and keep specialist registers in one connected system. You build risk assessments with AI-suggested hazards, link them to locations and assets, manage hazardous materials with QR codes, and run everything through approval and review cycles so the full picture stays current and defensible.

What the Risks module covers

The module is not limited to document-style assessments. It treats hazards, controls, and specialist registers as first-class records tied to real places in your organisation.

  • Risk assessments — structured documents that capture hazards, risks, and the controls in place. You can create them from scratch, from a reusable template, by uploading an existing PDF, or as a dynamic on-the-fly assessment. See Create a risk assessment.

  • Hazard registers — assessments use Matrix Sections to score each hazard for severity and likelihood. An assessment can contain multiple Matrix Sections so you can group hazards by topic, location, or activity. Each hazard has a stable link that survives republishing. See View and edit a risk assessment item.

  • Specialist registers — first-class records for things like hazardous materials, each with its own QR code so anyone can scan and open the full record and attached safety data sheets. See Add hazardous material sections to a risk assessment and Add an image gallery to a risk assessment for how linked records fit into assessments.

  • Controls and actions — each risk item documents existing controls and planned mitigation controls. You can create follow-up tasks directly from a hazard to assign work and track completion. See Add controls and actions to a risk assessment.

  • Connected locations and assets — assessments and hazards are linked to locations and assets so risk is not an abstract document but something attached to a real place.

AI assistance

AI suggests hazards and risk items as you build an assessment, so you are less likely to miss a scenario. If you upload an existing PDF risk register, AI can read it and populate the items for you to review. The suggestions are a prompt, not a decision: you choose what is relevant and retain human judgement on every line.

Scoring and matrices

Risk items are scored against a configurable matrix. You can choose a 3×3, 4×4, 5×5, or custom matrix to match your organisation’s risk framework. The assessment page rolls up scores across all Matrix Sections so you can see the highest-priority items quickly.

Approvals, reviews, and distribution

Risk assessments support multi-stage approval workflows. You can set an approval workflow and review schedule on each assessment so the right people sign off before it goes live, and it comes back for review on a schedule. Distribution sends assessments to the people who need to see them, with every step recorded for the audit trail. See Set up approvals and review policies for risk assessments.

Drafts, publishing, and versions

You work on an editable draft, then publish when the assessment is ready. Published and historical versions are read-only, which protects the audit trail. You can publish with an optional effective date and expiry date to control when a version is current. For how versioning affects editing, see Working with risk assessment versions.

Roles and permissions

Risks uses three module roles: Member, Manager, and Admin. Unlike most modules, Members can create and edit risk assessments directly. Managers can also create templates, approve assessments, export and distribute, manage hazardous materials, and access dashboards. Admins add the ability to delete risk content and cancel distributions. Roles are assigned per site in Settings > User Management. For the full permission table, see Risks roles and access.

How Risks fits into the platform

Risk assessments and hazards connect to the rest of CalmCompliance. They are linked to locations and assets, can reference published documents from the document library, feed into Distribution & Reviews for scheduled read-and-sign cycles, and appear as evidence in Standards when proving a requirement is met site by site. Everything shares one system, so the risk picture stays joined up with the places, people, and documents it concerns.
