HI @AndreaTaylor 

• Risk manager completes a risk assessment and needs a way to handle/treat the risk
• GRC user seeks a policy exception for which a compliance manager refers the exception request for a formal risk assessment to be followed by a risk acceptance process if required
• The risk determined needs to be dispositioned in one of the following ways

–Mitigate the risk à Action: Deploy mitigating control(s)

–Accept the risk à Action: Business owner understands and signs off on the risk

–Avoid the risk à Action: Reject the risk and deploy measure(s) to avoid risk

–Transfer the risk à Action: Transfer risk to another party or entity

• During the review phase, the Risk Manager reviews all the risk details and the risk assessment to ensure the risk is being managed effectively and all relevant information has been captured, including any mitigating actions.
• If satisfied, the risk can be approved and moved to ‘Monitor’ state or return to ‘In Draft’ if required.

• During the Monitor state, risks are continuously monitored via manual and/or automated key risk indicators. Where an indicator fails, issues are automatically created by the system. Remediation tasks can be created for the issues and assigned to users for completion. These can be tracked to ensure sufficient mitigation is in place.
• Additionally, where there are indicator and control failures, the calculated risk factor for any linked risks may be altered. This in turn may impact the calculated risk which helps organizations to keep a constant view of the risks in real-time.

• Risk can be retired when the risk is no longer valid, but the organization wants to keep a system of record for audit purposes.
• Retired risks can be reactivated by clicking on the ‘Activate’ action button which moves the risk back to the ‘Draft’ state.