Computerised System Risk Profile Form
1 SECTION A
SOFTWARE / SYSTEM DETAILS
Software/System Name :
Version : (N/A if Not Applicable)
Business Owner :
URS ID no :
Software / System Description :
2 SECTION B
GxP STATUS
Record a 'YES' if the system is GxP and continue filling out the form, and a 'NO' if it is NON-GxP and simply sign in the Approval section
GxP: (Yes/No)
3 SECTION C
Assign a "Weight" as appropriate for the system
INHERENT RISK
| Category | Assessor | Risk Level | Definition | Weight | Score | Weighted Score |
| GAMP category | IT | N/A | GAMP Category 1 (or equipment) | ? | 0* | |
| | | M | GAMP Category 3 | | 4 | |
| | | High | GAMP Category 4 | | 10 | |
| | | V High | GAMP Category 5 | | 10 | 0 |
| Size | IT | H | DB > 1,000 records | ? | 10 | |
| | | M | DB 300 - 1000 records | | 4 | |
| | | L | DB < 300 records | | 1 | 0 |
| Complexity | IT / Engineering | H | Spreadsheets > 60 calculations and/or logic decisions, Or IT systems with more than 20 screens, Or PLC systems with more than 20 functional blocks | ? | 10 | |
| | | M | Spreadsheets 20 - 60 calculations and/or logic decisions, Or IT systems with 5 - 20 screens, Or PLC systems with more than 5 - 20 functional blocks | | 4 | |
| | | L | Spreadsheets < 20 calculations and/or logic decisions, Or IT systems with less than 5 screens, Or PLC systems with less than 5 functional blocks | | 1 | 0 |
| Locality / Functional Groups | Operations | H | More than 1 location | ? | 10 | |
| | | M | More than 1 functional group in 1 location | | 4 | |
| | | L | Used within 1 functional group | | 1 | 0 |
[Link] Template F002 Ver 01 1 of 7
INHERENT RISK (Cont…)
| Category | Assessor | Risk Level | Definition | Weight | Score | Weighted Score |
| Interfaces | IT | H | System has more than one interface or a two way interface or a real time interface with other systems | ? | 10 | |
| | | M | System has an interface with another system | | 4 | |
| | | L | System has no interfaces with other systems | | 1 | 0 |
* For Category 1 and Equipment (Lab or Manufacturing/Packaging), do not continue the assessment process and follow an EQ procedure
Total : 0
4 SECTION D
EXPOSURE TO RISK = LIKELIHOOD OF FAILURE (GENERAL)
| Category | Assessor | Risk Level | Definition | Weight | Score | Weighted Score |
| System Capacity | IT | H | Greater than 50 users | ? | 10 | 0 |
| | | M | 10 - 50 users | | 4 | |
| | | L | Less than 10 users | | 1 | |
| Frequency of Use | Operations | H | Average use over year - daily | ? | 10 | 0 |
| | | M | Average use over year - weekly | | 4 | |
| | | L | Average use over year - monthly or less | | 1 | |
| Training risk | Operations | H | No training conducted | ? | 10 | 0 |
| | | M | Undocumented training OR no recent training OR no training plan | | 4 | |
| | | L | Documented training plan OR self-explanatory | | 1 | |
EXPOSURE TO RISK = LIKELIHOOD OF FAILURE (GENERAL Cont…)
| Category | Assessor | Risk Level | Definition | Weight | Score | Weighted Score |
| Contingency Provision | Operations + IT | H | No back-up or disaster plan | 2 | 10 | 0 |
| | | M | Manual or informal back-up | | 4 | |
| | | L | Automatic/routine/procedural | | 1 | |
| Security Controls | IT | H | No significant protection | 3 | 10 | 0 |
| | | M | Single security procedure | | 4 | |
| | | L | Multiple levels of security procedures | | 1 | |
| System Modifications | Operations + IT | H | No change control and system user modifiable | 3 | 10 | 0 |
| | | M | No change control but system administered | | 4 | |
| | | L | Change control SOP in place | | 1 | |
*** LEGACY SYSTEMS - Only complete the following section if the system is a legacy system
EXPOSURE TO RISK = LIKELIHOOD OF FAILURE (LEGACY SYSTEMS)
| Category | Assessor | Risk Level | Definition | Weight | Score | Weighted Score |
| Ease of Use | Operations | H | Difficult to use and many menu items | ? | 10 | 0 |
| | | M | Difficult to use OR many menu items | | 4 | |
| | | L | Easy to use, few menu items | | 1 | |
| Performance History | Operations + IT | H | Frequent or critical problems | ? | 10 | 0 |
| | | M | Occasional or non-critical problems | | 4 | |
| | | L | Rare non-critical problems | | 1 | |
| Frequency of Change to System | IT/ Operations | H | Emergency changes made regularly to either data or software code | ? | 10 | 0 |
| | | M | More than 10 Software Changes per annum | | 4 | |
| | | L | 1 - 10 Software Changes per annum | | 1 | |
| System Support | Operations + IT | H | No back-up or primary support person, or dependent on user knowledge, no support documentation | ? | 10 | 0 |
| | | M | No service contract, but back-up for primary support person exists | | 4 | |
| | | L | Vendor service contract in place, or original developer employed by XXXX | | 1 | |
*** NEW SYSTEMS - Only complete the following section if the system is a prospective system
EXPOSURE TO RISK = LIKELIHOOD OF FAILURE (PROSPECTIVE SYSTEMS)
| Category | Assessor | Risk Level | Definition | Weight | Score | Weighted Score |
| New Technology | Operations | H | Technology is new and not supported in the company | ? | 10 | 0 |
| | | M | New upgrade of technology | | 4 | |
| | | L | Mature technology in the company | | 1 | |
| Experience of staff | Operations + IT | H | New roles and/or unfamiliar technology | ? | 10 | 0 |
| | | M | Limited experience | | 4 | |
| | | L | Strong experience in role and technology | | 1 | |
| Data Migration | IT/ Operations | H | Complex data migration | ? | 10 | 0 |
| | | M | Simple data migration | | 4 | |
| | | L | Little to no data migration | | 1 | |
| Cost / time constraints | Operations + IT | H | No project timeline or strict cost / time constraints | ? | 10 | 0 |
| | | M | Limited cost/time constraints | | 4 | |
| | | L | Comfortable with project timeline | | 1 | |
Total : 0
5 SECTION E
PROBABILITY OF DETECTING FAILURES
| Category | Assessor | Risk Level | Definition | Example Weight |
| N/A | N/A | L | Detection of a fault is perceived to be highly likely | 1 |
| N/A | N/A | M | Detection of a fault is perceived to be reasonably likely | 2 |
| N/A | N/A | H | Detection of a fault is perceived to be unlikely | 3 |
Weight : 0
6 SECTION F
CONSEQUENCES OF FAILURE
| Category | Assessor | Risk Level | Definition | Weight | Score | Weighted Score |
| Financial impact | Operations | H | System failure would cost > AUS$100K | 0 | 10 | 0 |
| | | M | System failure would cost AUS$10K - AUS$100K | | 4 | |
| | | L | System failure would cost < AUS$10K | | 1 | |
| Product Supply | IT + Operations | H | Supply seriously affected | 0 | 10 | 0 |
| | | M | Supply delayed | | 4 | |
| | | L | No delay | | 0 | |
| Effect on brand loyalty | Operations | H | Customer confidence and loyalty likely to be affected in long term (> 1 year) | 0 | 10 | 0 |
| | | M | Customer confidence and loyalty likely to be affected in medium term (> 6 months) | | 4 | |
| | | L | Customer confidence not affected | | 0 | |
| Safety/Efficacy | QA | High | Class 1 | 4 | 15 | 0 |
| | | M | Class 2 | | 8 | |
| | | L | Class 3 | | 1 | |
| | | N/A (Non GxP) | Non-GxP | | 0 | |
Total : 0
7 SECTION G
Risk Profile Score = Section C (Total Weighted Score) + Section D (Total Weighted Score) + Section F (Total Weighted Score)
Risk Profile Score = 0 + 0 + 0
Risk Profile Score = 0
RISK PROFILE RATING
Place a cross (X) against the evaluated Risk Profile
Very High: [ ]   High: [ ]   Medium: [ ]
Low: [ ]   Very Low: [ ]
COMMENTS ON REDUCING RISK PROFILE RATING
Review the Risk Scores, look for obvious ways of reducing them, and record these in this section. Implementing controls (e.g. Security Control, Procedural Control, System Contingency or Change Control) may decrease the risk profile rating greatly.
COMPLETED BY
Name Signature
Position Date
8 APPROVAL
BUSINESS OWNER
Approved / Rejected Reason (if rejected)
Name Signature
Position Date
SYSTEM OWNER
Approved / Rejected Reason (if rejected)
Name Signature
Position Date
QUALITY ASSURANCE
Approved / Rejected Reason (if rejected)
Name Signature
Position Date