It would be great if I can configure at least 1 Internal Controls or 1 Security Policy must be in place to consider a risk as treated. By adding the and/or feature everybody can choose it’s own best-practice.
you mean 1 as a condition based on a number ? because at least one could be mapped to “mandatory” on those fields.
I hadn’t thought of it that way but I meant that at least a Internal Control or Security Policy must be in place.