We've updated our risk management process. The latest change introduces a "treatment in progress" status, indicating the team is currently undertaking mitigation tasks. Additionally, we've refined a few risk statuses for better accuracy, aligning them with ISO and NIST recommendations and incorporating valuable feedback received.

Use Cases

  1. Improved Visibility: The new "Treatment in Progress" status improves visibility into ongoing risk mitigation efforts. This allows stakeholders to monitor the progress of mitigation tasks and allocate resources more efficiently.
  2. Dynamic Risk States: The feature that allows transitioning between different risk states based on user actions (such as creating mitigation tasks or adding residual risk) mirrors the dynamic nature of risk management. This provides the flexibility to adapt to changing circumstances and requirements.

What’s New?

A risk is in an "Open" state immediately after creation, before any risk assessment has been conducted.

Users can start the initial risk assessment and link any existing mitigating controls to the risk. After this step, the risk is in an "Assessed" state.

Users have the option to either create a mitigation task or add residual risk. If a mitigation task is created, the risk is considered to be in "Treatment in Progress" until the risk is closed.

Alternatively, if residual risk is added without creating a mitigation task, the risk is considered to be in a "Treated" state.

If a user adds a mitigation task and closes it, the risk status will change to "Treatment in Progress". If they then add a residual risk, the status will update to "Treated".

However, if a user adds a mitigation task after the addition of residual risk, the risk state reverts to "Treatment in Progress" until all the mitigation tasks are completed.

Additionally, we are discontinuing the practice of automatically closing a risk after the residual risk assessment. Now, the risk will stay in the "Treated" state unless a user chooses to close the risk from the actions menu on the risk detail page.
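
The transitions described above can be modelled as a small state function, shown here as an added example that is not the product's own code. The class, field and action names are hypothetical, the "Closed" label is assumed from the text's "close the risk", and the return to "Treated" once every task added after residual risk is completed is an assumption drawn from the wording "until all the mitigation tasks are completed".

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    # Hypothetical model; names are assumptions, not the product's API.
    assessed: bool = False
    residual_added: bool = False
    closed: bool = False  # set only by an explicit user action, never automatically
    task_open: list = field(default_factory=list)  # one bool per mitigation task

    def apply(self, action: str) -> str:
        """Apply one user action and return the resulting status."""
        if action == "assess":
            self.assessed = True
        elif action == "add_task":
            self.task_open.append(True)
        elif action == "close_task":
            # Closes the first open task; raises ValueError if none is open.
            self.task_open[self.task_open.index(True)] = False
        elif action == "add_residual":
            self.residual_added = True
        elif action == "close":
            self.closed = True
        else:
            raise ValueError(f"unknown action: {action}")
        return self.status()

    def status(self) -> str:
        if self.closed:
            return "Closed"
        if any(self.task_open):        # at least one mitigation task still open
            return "Treatment in Progress"
        if self.residual_added:        # residual risk recorded, no open tasks
            return "Treated"
        if self.task_open:             # tasks exist, all closed, no residual yet
            return "Treatment in Progress"
        return "Assessed" if self.assessed else "Open"


def replay(actions):
    """Return the status before any action, then after each action in order."""
    risk = Risk()
    return [risk.status()] + [risk.apply(a) for a in actions]
```

Replaying an exported action history through `replay` gives the expected status sequence, which can be compared against what the risk register actually shows.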
