a month ago
Hello Community!
We have an existing process where we can order external resources via a catalog item. Now we want to add risk assessment to this process.
I already have
- an attestation which the requester has to answer after committing the request
- a risk assessment which calculates the inherent risk based on attestation answers
- approval configuration with two levels which create approvals for different departments, based on the risk rating (low/medium/high)
Depending on approval / rejection the order will be executed or aborted.
My question is about best practice setup:
1️⃣ Should I use the risk assessment for risk calculation and approval process? (This was my first setup, as the RA process has a state "awaiting approval".)
2️⃣ OR should I use the RA only for risk calculation and use the risk as the base for my approval process?
Thank you in advance! 🙂
Max
an hour ago
I stick with approval on risk assessment. Process now works fine.
Maybe in the future we can even enhance the process to add residual risk assessment if the approval after inherent assessment was denied. If this is not a wrong understanding of the named components. 😄
4 weeks ago
I believe GRC Risk calculation may not be the ideal approach here, as it's primarily designed to work with Risks, Entities, and Controls. I'm curious how it would apply to RITMs. Are you creating entities for each RITM?
an hour ago
I forgot to mention that for each RITM an entity is created, yes.
