Risk activity, Defensibility Timeline, and Cadence
Every governance change to a risk — created, updated, monitoring started, treatment changed, accepted, owner changed, asset/vendor link changed, reviewed, retired, restored — is recorded in an append-only audit log. The risk detail page renders the recent events as an Activity panel. The same events appear under "Risks" in the Defensibility Timeline. Active, treating, accepted, and monitored risks with a next review date appear in Cadence as risk_review items; retired risks are excluded.
Open a risk to see its Activity panel near the bottom of the detail page. Open Defensibility Timeline and filter by Risks to see governance events across the whole register. Open Cadence to plan upcoming risk reviews alongside policy, vendor, and asset reviews.
Activity is a governance record that something happened, not proof that the risk is gone. Treatment notes, acceptance notes, and retire reasons are deliberately not exposed in the activity feed or the timeline — only that a note was supplied. Cadence surfacing makes sure risk reviews are planned alongside other recurring governance work, rather than slipping out of sight.
Risk Register summary counts now also appear on the Compliance dashboard, Position Summary, board report, and Evidence Pack alongside the Asset Register. Treatment & safeguards (Phase 4 MVP) is live; full Control Library expansion, Exception / Acceptance Register, risk-aware attestation, and risk-driven issue creation remain later phases.
