Risk Register
Record governance risks that may affect systems, data, operations, vendors, or organisation-wide obligations. Risks are long-lived governance records — issues remain the remediation surface.
-
Understanding the Risk Register
The Risk Register records governance risks that may affect systems, data, operations, vendors, or organisation-wide obligations. Risks are long-lived governance records, not remediation tasks: they are identified, treated, reviewed, and either accepted or retired over time. Issues remain the remediation surface — a risk may later create or link to issues, but that workflow is not enabled yet.
-
Recording a risk
Each risk captures title, description, category, likelihood, impact, an anchor (a linked asset or the organisation-wide flag), an optional vendor link, treatment decision, owners, and a next review date.
-
Understanding risk rating bands
Risks use a 5-level likelihood scale (rare → almost certain) and a 5-level impact scale (negligible → severe). Each likelihood/impact combination maps to one of four bands: low / medium / high / critical. The Risk Register MVP does not store or display a numeric 1–25 score; only the band is recorded and shown.
-
Understanding risk treatment
Each risk carries a treatment decision: reduce, accept, transfer, avoid, or monitor. Accepting a risk requires a non-empty acceptance note explaining why the risk is being accepted. The risk status follows the decision: accept → accepted, monitor → monitored, reduce / transfer / avoid → treating.
-
Manager permissions on risks
Managers can view every risk in the organisation, but read-only. Managers can edit, start monitoring, retire, restore, mark reviewed, and change treatment only on risks where they are the risk owner or the review owner. Owner, admin, and director users can act on any risk. Learners have no access to risks at all.
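The permission rules above are a small authorization matrix, and the safest way to reason about one is to write it as a deny-by-default check and test every role against every action. The following is an added example, not the product's own code: the `Role`, `User`, `Risk` types, the action names and the `can` / `allowed_actions` functions are all assumptions made for illustration, and the sample risks are constructed inline.

```python
"""Hypothetical authorization check for Risk Register actions.

Added example, not the product's own code. Every name here is an assumption;
it only encodes the rules stated in the documentation text.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Role(str, Enum):
    OWNER = "owner"
    ADMIN = "admin"
    DIRECTOR = "director"
    MANAGER = "manager"
    LEARNER = "learner"


@dataclass(frozen=True)
class User:
    id: str
    role: Role


@dataclass(frozen=True)
class Risk:
    id: str
    risk_owner_id: Optional[str]    # None models a risk with a missing owner
    review_owner_id: Optional[str]


# Actions named on the page. "view" is read-only; the rest change the risk.
MUTATING_ACTIONS: FrozenSet[str] = frozenset({
    "edit", "start_monitoring", "retire", "restore",
    "mark_reviewed", "change_treatment",
})
ALL_ACTIONS: FrozenSet[str] = MUTATING_ACTIONS | {"view"}

# Roles that may act on any risk in the organisation.
FULL_ACCESS_ROLES: FrozenSet[Role] = frozenset({Role.OWNER, Role.ADMIN, Role.DIRECTOR})


def can(user: User, action: str, risk: Risk) -> bool:
    """Return True only if the stated rules explicitly allow the action."""
    if action not in ALL_ACTIONS:
        # Unknown verbs are rejected outright rather than silently allowed.
        raise ValueError(f"unknown action: {action!r}")
    if user.role == Role.LEARNER:
        return False                      # learners have no access at all
    if user.role in FULL_ACCESS_ROLES:
        return True                       # owner / admin / director: any risk
    if user.role == Role.MANAGER:
        if action == "view":
            return True                   # managers see every risk, read-only
        # Mutating actions require the manager to be risk owner or review owner.
        # A None owner can never match a real user id, so ownerless risks are
        # locked to managers until an owner is assigned.
        return user.id in (risk.risk_owner_id, risk.review_owner_id)
    return False                          # deny anything not covered above


def allowed_actions(user: User, risk: Risk) -> FrozenSet[str]:
    """Every action the user may perform on this risk (useful for UI gating)."""
    return frozenset(a for a in ALL_ACTIONS if can(user, a, risk))


if __name__ == "__main__":
    # Constructed sample data, not exported from any real register.
    manager = User("u-manager", Role.MANAGER)
    owned = Risk("r-1", risk_owner_id="u-manager", review_owner_id=None)
    unowned = Risk("r-2", risk_owner_id=None, review_owner_id=None)
    print(sorted(allowed_actions(manager, owned)))
    print(sorted(allowed_actions(manager, unowned)))   # only 'view'
```

One consequence worth noting: because a manager's write access derives entirely from the owner fields, a risk with a missing owner cannot be edited, reviewed, or retired by any manager at all. That is why the "missing owners" count in reporting is a governance problem and not just a cosmetic one.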
-
Risk activity, Defensibility Timeline, and Cadence
Every governance change to a risk (created, updated, monitoring started, treatment changed, accepted, owner changed, asset/vendor link changed, reviewed, retired, restored) is recorded in an append-only audit log. The risk detail page renders the most recent events as an Activity panel. The same events appear under "Risks" in the Defensibility Timeline. Active, treating, accepted, and monitored risks that have a next review date appear in Cadence as risk_review items; retired risks are excluded.
-
Risk Register reporting and Evidence Pack
Risk Register summary counts surface on four reporting surfaces: a dashboard tile, a Position Summary section ("Risk Register Oversight"), a board-report section ("Risk Register Coverage"), and the Evidence Pack ("Risk Register"). Counts cover active risks, high/critical residual risks, accepted risks, overdue reviews, and missing owners. The Evidence Pack also exports a per-risk row table and a risk activity summary scoped to recent risk_* audit events.
-
Treatment & safeguards on a risk
The risk detail page has a "Treatment & safeguards" panel that summarises what is being done to monitor, reduce, transfer, avoid, or accept the risk. Manually recorded safeguards (formerly called "controls") are optional in this MVP; the more important governance signals are risk ownership, treatment decision, review date, linked evidence, and follow-up issues. Each manual safeguard records a name, an optional reference, a status (planned / declared / partial / evidenced / not applicable), an owner, a next review date, a description, an evidence expectation, and notes. Manual entry lives under an Advanced toggle so that it does not dominate the page.