Topics Map > Office of Cybersecurity > Cyber Risk Management & Compliance
Topics Map > Office of Cybersecurity > Tools and Software > OneTrust

OneTrust - Risk Management Workflow Stages

You can use risk management workflows within OneTrust to track risks from the time they are identified to the time they are mitigated or accepted.

Below you'll find information on each risk management workflow stage.

Risk Workflow

Workflow Stages


The workflow begins once a risk has been identified and requires a review.


In the Evaluation stage, the scoring and quantification is set based on the level of risk observed by the business. If a risk was identified by risk-flagging rules within an assessment, the scoring and quantification details are pre-filled. The risk approver chooses to treat, reduce, or reject the risk based on the business' risk appetite. If no treatment is necessary, the approver can advance the workflow to the Monitoring stage and select an outcome. If the approver decides to treat the risk, they will create a treatment plan that includes completing specific tasks, assigning a risk owner, and adding controls to mitigate the risk. The approver can add additional owners as needed and the owners will receive a notification.


Once a risk advances to the Treatment stage, an email is generated to the risk owner.

The email notifies the risk owner that they have been assigned a risk and includes a link to the risk workflow. In the Treatment stage, the risk is actively mitigated by the risk owner. During this time, tasks are completed, control statuses are updated, and the treatment plan is executed. Risk owners can Submit the treatment or Request Exception from the approver. The treatment status is updated using the system workflow.

Treatment Status


In Progress

The risk owner is actively working on a risk. They can submit a treatment to the risk approver or request an exception.

Exception Requested

The risk owner requests an exception. The risk is closed in the chosen state and will not be mitigated further.

The risk approver can grant the exception or send the risk back to the risk owner. Sending the plan back to the risk owner will reset the treatment status to In Progress.

Under Review

A treatment plan is submitted by the risk owner and is awaiting review by the risk approver.

The risk approver can approve the treatment plan or send the plan back to the risk owner. Approving the risk will move the risk to the Monitoring stage. Sending the plan back to the risk owner will reset the treatment status to In Progress.

Exception Granted

The risk approver has granted the exception requested by the risk owner. The risk is closed in the chosen state and will not be mitigated further.


The risk owner completes the treatment plan and the plan is approved by the risk approver. The risk is mitigated and remains in the monitoring state.


During the Monitoring stage, the risk is in a closed state. In this stage, an outcome is selected, and the remaining risk level can be set based on the mitigation activities completed. Although the risk is not actively being worked on, it is being monitored. A risk approver can select an outcome from the Result options listed below.




The risk level or score is at or below your risk appetite and no treatment is required.


The risk was avoided by changing the processing activity, asset, or vendor so that the risk is no longer relevant. You can also develop an alternate strategy to avoid the risk.


A risk is identified but is being ignored due to a lack of understanding or funding.


The risk completed a defined treatment process to reduce the impact or probability of a risk event occurring.


The processing activity, asset, or vendor the risk was related to was deemed too risky to continue and is rejected. The risk is not deleted for audit purposes.


The risk is transferred to a third-party (insurance) to reduce the impact of the risk.

KeywordsRisk Management Workflow, Cyber Risk Management & Compliance, OneTrust   Doc ID109481
OwnerPeter V.GroupCybersecurity
Created2021-03-02 13:44:55Updated2021-11-16 10:23:58
SitesOffice of Cybersecurity
Feedback  9   1