Implementing corrective and preventive actions in risk assessment software

Many IT companies are faced with an alarming rate of risks in their businesses. This can be a result of lack of experiences to control re-occurrence and prevent new risks according to the previous projects experience. On the other hand, Corrective and Preventive Actions (CAPA) are known concepts for learning from experiences to avoid non-conformities. The successful implementations of CAPA in different systems have convinced the authors to use CAPA in Risk Assessment Process to decrease the likelihood and impact of risks by learning from the past. To achieve this, our application should survey and rank the possibility and effect of risks, as well as their related elements (such as assets, threats, safeguards, vulnerabilities and team accountability). After each appearance of a risk, the system should review and correct the ranks. It must perform a Root Cause Analysis (RCA). Another requirement for the system is to be able to find similar items. The system can distinguish the similarities by categorizing risk related elements according to their properties and finding possible comparable substances. In addition, this system also uses its data to produce useful high level recommendations and other required documents. By applying this model and after identifying all weaknesses, the value of risks abates dramatically. This Corrective Action and Preventive Actions in Risk Assessment (CAPRA) has been successfully designed and implemented as a web based application.