Risks register entries in MRT

The risk management Guidance Risks register entries in MRT

Published: 28 July 2022

The following are screen snips from the risks and issues tool in MRT. They show how existing risks are displayed on the summary page, the functionality on the tabs, how to enter or update a risk and when emails are automatically generated. Log in to MRT from the link on Go2: https://mrt.cfa.nhs.uk/

Image showing MRT Login screen
Log in to MRT using the link provided

You will then be presented with the following screen and options.

Image showing MRT Issues page
  • My Actions Displays a list of objectives that you are the owner of
  • Business Units list Displays a list of objectives for each Business Unit
  • Corporate plans Presents links to Priority Action Areas and Core Business Plan
  • Risks and Issues Select this tab to display a summary of open risks / issues
  • Quick links Select relevant tab to create or view issues / view all risks
  • Go to risks

The summary of risks or issues will be displayed by selecting the ‘Go to risks/ issues’ tab.

Image showing Risks overview page
  • Inherent Risk Score as calculated from probability x impact
  • Residual Risk Score is the score expected after action taken
  • Go to issues: Select to view all issues
  • Quick links: Select relevant tab to create or view risks
Image showing Risks overview page

Summary of Risks

Image showing Risks overview page

Create a Risk

Image showing create risk select risk type input
  • Select tab to create a new risk
  • Select risk type from the drop down menu – see risk types and descriptions below

Risk Types and Descriptions

  • Service disruption: Risks that may jeopardies the organisation's continuing existance, operation of its functions or could lead to a loss of stakeholder confidence.
  • Legal/Regulatory/Compliance & Finance: Risks that may cause any breach of statute, regulation, professional standards, or affect the organisation's overall financial strength and long term viability.
  • Personal Information/Bulk Data: Risks that could adversely affect the organisation's reputation, credibility compliance or stakeholder confidence in the processing of personal data.
  • Safety Health & Environment:Risks that would adversely affect the health and wellbeing of staff and visitors in the workplace resulting in a breach of regulatory and legislative standards.
  • Reputation Credibility:Risks that coudl exposethe organisation to additional scrutiny e.g. in respect of decisions on policy, information security, employee conduct or organisational culture.
  • Technology/Cyber threats: Risks/threats that could expose the organisation to harm or loss resulting from breaches of or attacks on its information systems or technical infrastructure.

Continue through the options to complete the fields, naming the risk and adding details.

Selecting yes on the yes/no buttons as indicated will open up further options.

It may be helpful to add that you must complete one section and either hit return or place the cursor outside of the field before the next section will open.

Image showing create risk select risk type input additional fields.
  • Select the type of Risk: See risk type descriptions above
  • Is the risk linked to an Issue: If yes: select the issue from the options.
  • What is the name of the Risk: Provide a name for the risk
  • Give details of the risk:Describe the nature of the risk

Select risk ownership from the drop down menu as required: The owner is the most senior manager who may delegate risk management and action to others.

Image showing risk ownership section
  • Select an SMT risk ownership: Who is the owner of the risk? List includes all members of SMT
  • Selet LT Risk Management: Who manages the risk? List includes all members of LT
  • Select an Actionee: Who will take action towards the risk? List includes all members of CFA staff
  • Is the Risk Active: What is the current status of the risk?

You must always complete the Cause: Event: Effect of the Risk

Image showing risk casuse event and effect section

Continue to inherent risk scores section. An inherent risk is one that is unmitigated or changed by any risk management action we might decide to take. The score will populate automatically by calculating the probability x the impact.

Image showing inherent Risk score input section
  • Probability of risk occurance: Almost Certain : Score 5 – see descriptions below
  • Impact of this risk occurring: Score 3 – See descriptions below
  • Inherent risk score: Score populated automatically by calculating the probability x the impact. A score of over 9 triggers to LT for automatic review scores of over 12 triggers to ARC for automatic review

Probability Descriptions

  • 1 Rare
  • 2 Unlikely
  • 3 Moderate
  • 4 Likely
  • 5 Almost Certain

Impact Descriptions

  • 1 Insignificant
  • 2 Minor
  • 3 Moderate
  • 4 Major
  • 5 Catastrophic

Score Calculation Information

probability X Impact = calculated score

Score 1-5:
Score 6-10: Scores over 9 triggers to LT for automatic review
Score 11-15: Scores over 12 triggers to SMT for automatic review
Score 16-20:
Score 21-25:

Image showing risk proximity, existing controls and risk action section
  • Risk Proximity: What time scale is it likely that the risk will occur? Options are:
    • Within 1 week
    • Within 1 month
    • Within 3 months
    • Within 6 months
    • Within 1 year
  • Existing controls: What are the current existing controls that are in place?
  • Risk Action: What action will be taken
Image showing progress review date and deadline date inputs
  • Progress review date:What date will action progress be reviewed?
  • Deadline date:By what date will action be complete
Image showing date input calander view

Progress review and deadline dates to be selected from calendar.

Image showing Assurance sources Details input fields
  • First Line: (SMT/LT) internal day-to-day controls procedures identified and assessed to mitigate the risk.
  • Provide details about the 1st line of defence, who is responsible for it and any links to supporting evidence.

  • Second Line: SMT/LT/RML monitor the effective management of their risks.
  • Provide details about the 2nd line of defence, who is responsible for it and any links to supporting evidence.

  • Third Line: Independent internal audit to provide comprehensive assurance.
  • Provide details about the 3rd line of defence, who is responsible for it and any links to supporting evidence.

Image showing Select risk responce input
  • Terminate: Terminate the activity giving rise to the risk.
  • Reduce: Reduce the level by implementing further action.
  • Accept: No option to reduce.
  • Pass: Transferring the risk elsewhere.
  • Share: Form a partnership to manage/reduce the risk.
Image showing residual risk scores inputs

Create Risk: select to confirm creation of risk.

Image showing risk creation confirmation buttons

Notification email

Image showing the email generated after a risk has been created

An email is generated from MRT to notify that the risk has been created. And the risk will now display in the summary

To update the progress of a risk

Image showing quick link to view my Risks

In the Quick links Select View my risks

Image showing my risks over view

Select the risk ID

Image showing risk details summary

View Risk Details

Image showing update risk button
Select to update the risk button is located at the bottom of risk details page

The box below will be presented for completion.

Image of the update risk screen showing current scores and new update inputs for text and latest scores
  • Notification will be received that the risk has been updated.
  • The progress updates will be displayed within the individual risk as shown below.
Image showing update sumary text for an updated risk

Progress update will be displayed within the individual risk

Help us improve cfa.nhs.uk

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.


Thanks for the feedback!