Managing risk responses
Summary of Managing Risk Responses
Managing risk responses means selecting a strategy for each risk after it has been assessed. Four strategies are available: Accept, Mitigate, Avoid, and Transfer. Each strategy creates a response task that is worked by users holding specific roles and then reviewed by the risk owner (for acceptance) or the risk manager (for the other three).
Key Features
- Risk Acceptance: Users outline how they will accept the risk, justify the decision, and seek approval from the risk owner. Once approved, the risk moves to the Monitor state and can be reassessed after the accepted period ends.
- Risk Mitigation: Users create a task that details the mitigation plan and request a review. They can add new or existing controls while the task is in the Draft or Work In Progress state. The risk manager (role sn_risk.manager) can then close, revert, cancel, or delete the task.
- Risk Avoidance: Users provide a plan to avoid the risk and request a review. The risk manager has the same options as in the mitigation process.
- Risk Transfer: Users outline their plan for transferring the risk to a third party and request a review, again with the same risk manager options.
Key Outcomes
Implementing these strategies enables organizations to effectively manage risks by either accepting them with a clear plan, mitigating them with controls, avoiding them through strategic changes, or transferring them to third parties. Understanding and applying these risk response strategies helps ensure that risks are systematically addressed and managed within the organization's framework.
A risk response is the strategy used to deal with risks after the risks are assessed.
- Accept: Accept the risk as it is.
- Mitigate: Identify and implement additional controls to mitigate the risk.
- Avoid: Change the plan to completely avoid the risk.
- Transfer: Transfer or share the risk with a third party.
Role required:
- sn_grc.business_user
- sn_grc.business_user_lite
- sn_risk.implementation_business_user (feature role)
- Risk acceptance
- When risk users accept a risk, they provide a plan for how they want to accept the risk, provide a justification for accepting the risk, and seek additional approval from the risk owner. The risk owner can respond with one of the following options:
- Approve
- Reject
- Cancel
- Request more information
- Decide that it is no longer required
- Closing the acceptance task means the risk is accepted for the stated time period, and the risk moves to the Monitor state. After that period ends, you can re-initiate the workflow to reassess the risk and respond to it again.
- Risk mitigation
- When risk users choose to mitigate a risk, a risk mitigation task is created. The risk user must provide a plan for how to mitigate the risk and request a review from the risk manager. While the risk mitigation task is in the Draft or Work In Progress state, you can create more risk-mitigating controls for the risk or add existing controls from the library. The reviewer with the role sn_risk.manager then reviews the plan and selects one of the following options:
- Close
- Revert to Draft state and provide additional comments
- Cancel
- Delete
- Risk avoidance
- When risk users choose to avoid a risk, they provide a plan for how they want to avoid the risk and request a review from the risk manager. The reviewer then reviews the plan and can select one of the following options:
- Close
- Revert to Draft state and provide additional comments
- Cancel
- Delete
- Risk transfer
- When risk users choose to transfer a risk, they provide a plan for how they want to transfer the risk and request a review from the risk manager. The reviewer then reviews the plan and can select one of the following options:
- Close
- Revert to Draft state and provide additional comments
- Cancel
- Delete
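The four response workflows above share one pattern: a business user drafts a plan, a privileged reviewer decides on it, and some actions (adding controls, closing, approving) are only valid in particular states and for particular roles. The block below models that pattern as a small state machine with the role and state guards enforced in code. It is an added illustration written for this page, not ServiceNow code: the role names, the Draft, Work In Progress and Monitor states, and the reviewer options are taken from the text; the class and method names, the internal decision keys, the task states that result from Reject, Request more information and "no longer required", and the sample users and risk are assumptions constructed for the example.

```python
# Added illustration, not ServiceNow code: the risk-response task workflows
# from this page as a state machine whose transitions are guarded by the
# roles and states the page names. Names not quoted from the page are assumed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Roles quoted from the page.
BUSINESS_USER_ROLES = {"sn_grc.business_user", "sn_grc.business_user_lite",
                       "sn_risk.implementation_business_user"}
RISK_MANAGER_ROLE = "sn_risk.manager"

# Reviewer options quoted from the page; decision keys and the resulting
# task states (other than Draft on revert) are this example's assumptions.
MANAGER_OPTIONS = {"close": "Closed", "revert": "Draft",
                   "cancel": "Cancelled", "delete": "Deleted"}
OWNER_OPTIONS = {"approve": "Closed", "reject": "Rejected", "cancel": "Cancelled",
                 "request_info": "Draft", "not_required": "Cancelled"}


class WorkflowError(PermissionError):
    """Raised when a role or state guard rejects a transition."""


@dataclass
class User:
    name: str
    roles: Set[str]


@dataclass
class Risk:
    name: str
    owner: str                      # the risk owner decides on acceptance
    state: str = "Assess"
    accepted_until: Optional[date] = None
    controls: List[str] = field(default_factory=list)

    def can_reassess(self, today: date) -> bool:
        """Once the accepted period has ended, the assess workflow may be re-initiated."""
        return (self.state == "Monitor" and self.accepted_until is not None
                and today > self.accepted_until)


@dataclass
class ResponseTask:
    risk: Risk
    strategy: str                   # accept | mitigate | avoid | transfer
    plan: str
    justification: str = ""        # required for acceptance
    state: str = "Draft"

    def add_control(self, user: User, control: str) -> None:
        # Controls can be attached only to a mitigation task in Draft or Work In Progress.
        if self.strategy != "mitigate":
            raise WorkflowError("controls belong to mitigation tasks only")
        if self.state not in ("Draft", "Work In Progress"):
            raise WorkflowError(f"cannot add controls in state {self.state}")
        if not user.roles & BUSINESS_USER_ROLES:
            raise WorkflowError(f"{user.name} lacks a business-user role")
        self.risk.controls.append(control)

    def request_review(self, user: User) -> str:
        if not user.roles & BUSINESS_USER_ROLES:
            raise WorkflowError(f"{user.name} lacks a business-user role")
        if self.strategy == "accept" and not self.justification:
            raise WorkflowError("acceptance requires a justification")
        self.state = "Review"
        return self.state

    def review(self, user: User, decision: str, accept_days: int = 0,
               today: Optional[date] = None) -> str:
        if self.state != "Review":
            raise WorkflowError(f"task is not awaiting review (state {self.state})")
        if self.strategy == "accept":
            # Acceptance is approved by the risk owner, not the risk manager.
            if user.name != self.risk.owner:
                raise WorkflowError(f"{user.name} is not the risk owner")
            if decision not in OWNER_OPTIONS:
                raise WorkflowError(f"unknown owner decision {decision!r}")
            if decision == "approve":
                if accept_days <= 0:
                    raise WorkflowError("acceptance needs a positive time period")
                self.risk.state = "Monitor"
                self.risk.accepted_until = (today or date.today()) + timedelta(days=accept_days)
            self.state = OWNER_OPTIONS[decision]
        else:
            # Mitigate, avoid and transfer plans are reviewed by sn_risk.manager.
            if RISK_MANAGER_ROLE not in user.roles:
                raise WorkflowError(f"{user.name} lacks {RISK_MANAGER_ROLE}")
            if decision not in MANAGER_OPTIONS:
                raise WorkflowError(f"unknown manager decision {decision!r}")
            self.state = MANAGER_OPTIONS[decision]
        return self.state


def demo() -> dict:
    """Runs one mitigation and one acceptance through the guards (constructed data)."""
    analyst = User("analyst", {"sn_grc.business_user"})
    manager = User("manager", {"sn_risk.manager"})
    owner = User("owner", {"sn_grc.business_user"})
    risk = Risk("Unpatched internet-facing host", owner="owner")

    mit = ResponseTask(risk, "mitigate", "Patch host and add WAF rule")
    mit.add_control(analyst, "Monthly patch cycle")      # allowed: task is in Draft
    mit.request_review(analyst)
    try:
        mit.add_control(analyst, "Late control")         # blocked: task is in Review
        late_blocked = False
    except WorkflowError:
        late_blocked = True
    try:
        mit.review(analyst, "close")                     # blocked: not sn_risk.manager
        close_by_user_blocked = False
    except WorkflowError:
        close_by_user_blocked = True
    mit.review(manager, "close")

    acc = ResponseTask(risk, "accept", "Accept residual risk", justification="Low exposure")
    acc.request_review(analyst)
    acc.review(owner, "approve", accept_days=90, today=date(2024, 1, 1))
    return {"mitigation": mit.state, "late_control_blocked": late_blocked,
            "close_by_user_blocked": close_by_user_blocked,
            "risk_state": risk.state, "controls": risk.controls,
            "reassess_day_90": risk.can_reassess(date(2024, 3, 31)),
            "reassess_day_91": risk.can_reassess(date(2024, 4, 1))}
```

The point of the guards is separation of duties: the user who drafts a plan cannot close it, controls cannot be slipped in after the plan has gone to review, and acceptance expires so the risk is re-entered into the assess workflow rather than staying accepted indefinitely.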