OneTrust - Risk Management Workflow Stages

You can use risk management workflows within OneTrust to track risks from the time they are identified to the time they are mitigated or accepted.

Below you'll find information on each risk management workflow stage.

Risk Workflow

Workflow Stages

Identified

The workflow begins once a risk has been identified and requires a review.

Evaluation

In the Evaluation stage, the scoring and quantification are set based on the level of risk observed by the business. If the risk was identified by risk-flagging rules within an assessment, the scoring and quantification details are pre-filled. The risk approver chooses to treat, reduce, or reject the risk based on the business's risk appetite. If no treatment is necessary, the approver can advance the workflow to the Monitoring stage and select an outcome. If the approver decides to treat the risk, they create a treatment plan that includes completing specific tasks, assigning a risk owner, and adding controls to mitigate the risk. The approver can add additional owners as needed, and each owner receives a notification.

Treatment

Once a risk advances to the Treatment stage, an email is generated to the risk owner.

The email notifies the risk owner that they have been assigned a risk and includes a link to the risk workflow. In the Treatment stage, the risk is actively mitigated by the risk owner. During this time, tasks are completed, control statuses are updated, and the treatment plan is executed. Risk owners can Submit the treatment or Request Exception from the approver. The treatment status is updated using the system workflow.

Treatment Status: Description

In Progress: The risk owner is actively working on the risk. They can submit a treatment to the risk approver or request an exception.

Exception Requested: The risk owner has requested an exception. The risk is closed in the chosen state and will not be mitigated further. The risk approver can grant the exception or send the risk back to the risk owner. Sending the plan back to the risk owner resets the treatment status to In Progress.

Under Review: A treatment plan has been submitted by the risk owner and is awaiting review by the risk approver. The risk approver can approve the treatment plan or send the plan back to the risk owner. Approving the risk moves it to the Monitoring stage. Sending the plan back to the risk owner resets the treatment status to In Progress.

Exception Granted: The risk approver has granted the exception requested by the risk owner. The risk is closed in the chosen state and will not be mitigated further.

Approved: The risk owner has completed the treatment plan and the risk approver has approved it. The risk is mitigated and remains in the Monitoring state.

Monitoring

During the Monitoring stage, the risk is in a closed state. In this stage, an outcome is selected, and the remaining risk level can be set based on the mitigation activities completed. Although the risk is not actively being worked on, it is being monitored. A risk approver can select an outcome from the Result options listed below.

Result: Description

Accepted: The risk level or score is at or below your risk appetite and no treatment is required.

Avoided: The risk was avoided by changing the processing activity, asset, or vendor so that the risk is no longer relevant. You can also develop an alternate strategy to avoid the risk.

Ignored: The risk is identified but is being ignored due to a lack of understanding or funding.

Reduced: The risk completed a defined treatment process to reduce the impact or probability of a risk event occurring.

Rejected: The processing activity, asset, or vendor the risk was related to was deemed too risky to continue and is rejected. The risk is not deleted, for audit purposes.

Transferred: The risk is transferred to a third party (for example, insurance) to reduce the impact of the risk.
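The following is an added example, not OneTrust's own code: a small model of the stage and treatment-status transitions described in the Treatment and Monitoring sections above, so that the allowed moves (and who may make them) can be checked as a state machine. The Risk class, the actor names "owner" and "approver", and the action names are assumptions; the stage, status and result names and the permitted moves follow the two tables.

```python
# Added example: Risk class, actor and action names are assumptions; stage,
# status and result names and the allowed moves follow the page's tables.
RESULTS = ("Accepted", "Avoided", "Ignored", "Reduced", "Rejected", "Transferred")
# Treatment-stage moves: (current status, who acts, action) -> next status.
TREATMENT_MOVES = {
    ("In Progress", "owner", "submit"): "Under Review",
    ("In Progress", "owner", "request_exception"): "Exception Requested",
    ("Under Review", "approver", "approve"): "Approved",
    ("Under Review", "approver", "send_back"): "In Progress",
    ("Exception Requested", "approver", "grant"): "Exception Granted",
    ("Exception Requested", "approver", "send_back"): "In Progress",
}

class Risk:
    def __init__(self, name):
        self.name = name
        self.stage = "Identified"
        self.treatment_status = None  # set only once the risk enters Treatment
        self.result = None            # set only in Monitoring
        self.history = []             # audit trail: a risk is never deleted

    def _log(self, event):
        self.history.append((self.stage, self.treatment_status, self.result, event))

    def evaluate(self, approver_decision):
        # Identified -> Evaluation; then Treatment ("treat") or straight to Monitoring.
        if self.stage != "Identified" or approver_decision not in ("treat", "no_treatment"):
            raise ValueError(f"{self.name}: cannot apply {approver_decision!r} in {self.stage}")
        if approver_decision == "treat":
            self.stage, self.treatment_status = "Treatment", "In Progress"
        else:
            self.stage = "Monitoring"
        self._log(f"evaluation:{approver_decision}")

    def act(self, actor, action):
        # Apply one Treatment-stage action; any move not in the table is refused.
        key = (self.treatment_status, actor, action)
        if self.stage != "Treatment" or key not in TREATMENT_MOVES:
            raise PermissionError(f"{actor} may not {action} in {self.stage}/{self.treatment_status}")
        self.treatment_status = TREATMENT_MOVES[key]
        if self.treatment_status == "Approved":
            self.stage = "Monitoring"  # an approved plan moves the risk to Monitoring
        self._log(f"{actor}:{action}")

    def select_result(self, result):
        # The approver records one of the listed outcomes; only valid in Monitoring.
        if self.stage != "Monitoring" or result not in RESULTS:
            raise ValueError(f"cannot record {result!r} in stage {self.stage}")
        self.result = result
        self._log(f"result:{result}")
```

The history list gives a per-risk audit trail of every move, which is what a reviewer would inspect to confirm that an exception was granted by an approver rather than self-approved by the owner.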