OneTrust - Risk Management Workflow
You can use risk management workflows to track risks from the time they are identified to the time they are closed.
Below you'll find information on each risk management workflow stage.
Identified
The workflow begins once a risk has been identified and requires a review.
Evaluation
In the Evaluation stage, the scoring and quantification are set based on the level of risk observed by the business. If a risk was identified by risk-flagging rules within an assessment, the scoring and quantification details are pre-filled. The risk approver chooses to treat, reduce, or reject the risk based on the business's risk appetite. If no treatment is necessary, the approver can advance the workflow directly to the Monitoring stage and select an outcome. If the approver decides to treat the risk, they create a treatment plan that includes completing specific tasks, assigning a risk owner, and adding controls to mitigate the risk. The approver can add additional owners as needed, and each owner receives a notification.
Treatment
Once a risk advances to the Treatment stage, an email is generated to the risk owner. The email notifies the risk owner that they have been assigned a risk and includes a link to the risk workflow. In the Treatment stage, the risk is actively mitigated by the risk owner. During this time, tasks are completed, control statuses are updated, and the treatment plan is executed. Risk owners can Submit the treatment or Request Exception from the approver. The treatment status is updated through the system workflow.
Monitoring
During the Monitoring stage, the risk is in a closed state. In this stage, an outcome is selected, and the residual risk level can be set based on the mitigation activities completed. Although the risk is no longer actively being worked on, it continues to be monitored. A risk approver can select an outcome from the Result options listed below.