I am not sure if this is a possible bug or just a case of my logic perception. At the moment we have a risk appetite value set to ‘4’. If I create an asset-based risk and the likelihood and impact numbers are equal to or less than 4, then I should be able to put the risk at ‘accept’ without having to put in a risk exception.
Currently I still have to put in a risk exception despite the risk score being essentially acceptable to us?
I don’t know if I am understanding your question, but as I see it, the risk you are accepting still poses a risk, even though it is below the stated appetite.
So you would create a generic exception with an expiration date far into the future, like Dec. 31st 2099, and call it “risk score below appetite” or similar…
This will show in an audit that you are aware of the risk and that you have chosen a “mitigation strategy” and not overlooked the risk…
For the treatment options accept, avoid, and transfer, a “Risk Exception” is mandatory. That is something very old (my company works that way) which we plan to override in the coming release.