Treatment & safeguards on a risk
The risk detail page has a "Treatment & safeguards" panel that summarises what is being done to monitor, reduce, transfer, avoid, or accept the risk. Manually recorded safeguards (formerly called "controls") are optional in this MVP — the more important governance signals are risk ownership, treatment decision, review date, linked evidence, and follow-up issues. Each manual safeguard records a name, optional reference, status (planned / declared / partial / evidenced / not applicable), owner, next review date, description, evidence expectation, and notes. Manual entry lives under an Advanced toggle so it does not dominate the page.
Open a risk detail page and scroll to Treatment & safeguards. If safeguards already exist they appear under "Recorded safeguards" with name, status, owner, and review date — click Edit details to change description, evidence expectation, or notes. Expand "Advanced: link safeguards manually" to tick suggested safeguards (code-generated from the risk's category and anchor) or to manually add a custom safeguard. Owner / admin / director users can manage safeguards on any risk; managers can manage safeguards only on risks they own (risk owner or review owner). Removed safeguards are soft-removed and can be restored. Each linked safeguard with a next review date appears in Cadence as a "Risk control review" item.
Recording a safeguard is a governance note — that the organisation intends a measure to support treatment of a risk — not proof that the safeguard works. Cleverer should increasingly infer safeguards from linked assets, policies, evidence, training, and issues, so manual safeguard entry is collapsed under Advanced and clearly optional. Adding a safeguard does not create issues, send notifications, or contact external services. Effectiveness testing, evidence linking, framework mapping, and automatic residual-rating inference remain later phases.
Later phases should connect risks to existing policies, evidence, tasks, and issues so users do less manual recording. Full Control Library expansion (Phase 5), Exception / Acceptance Register (Phase 6), risk-aware attestation (Phase 7), and risk-driven issue creation are still deferred. The Phase 4 MVP is the relationship layer that future phases can build on without a data migration.
