
Manager permissions on risks

What this is

Managers can view every risk in the organisation read-only. Managers can edit, start monitoring, retire, restore, mark reviewed, and change treatment only on risks where they are the risk owner or the review owner. Owner, admin, and director users can act on any risk. Learners have no access.

What to do

As a manager, open the Risk Register list to see all risks. Open a risk you do not own — the detail page renders read-only. Open a risk you do own — edit, start monitoring, retire/restore, mark reviewed, and treatment actions all become available.

Why it matters

Read-all preserves manager visibility into the organisation's governance position; edit-owned-only preserves accountability. The same pattern applies to the Asset Register.

What happens next

Managers cannot create new risks in the MVP. Add-risk affordances appear only for owner / admin / director.

© 2026 Cleverer. Human-layer cyber compliance for Australian business.