Question - Risk Management Treatment options (due for 46)

Hi All

I am not sure if this is a possible bug or just a case of my logic perception. At the moment we have a risk appetite value set to ‘4’. If I create an asset-based risk and the likelihood and impact numbers are equal to or less than 4, then I should be able to put the risk at ‘accept’ without having to put in a risk exception.

Currently I still have to put in a risk exception despite the risk score being essentially acceptable to us?

Cheers,
John

I don’t know if I am understanding your question, but as I see it, the risk you are accepting still poses a risk, even though it is below the stated appetite.

So you would create a generic exception with an expiration date far into the future, like Dec. 31st 2099, and call it “risk score below appetite” or similar…

This will show in an audit, that you are aware of the risk and that you have chosen a “mitigation strategy” and not overlooked the risk…

Hope this makes sense.

Kind regards
Jonas

For treatment options: accept, avoid, transfer, a “Risk Exception” is mandatory. That is something very old (my company works that way) which we plan to override in the coming release.

Similar story happens with “mitigation”. Check the documentation here: https://docs.google.com/document/d/1sGaUiS6fR_oYun6mt7FktSQOdOJ0huXshMBBMOr_4N0/edit#heading=h.dlq2uv3p6mlp

I’ll be documenting today many risk module changes. Stay tuned

Regards

See: Features - Risk Treatment Settings (planned for r46)