Risk Acceptance
06-08-2022 02:04 AM
We are setting up GRC and using OOTB as much as possible but we have a slightly different response to our Risk Acceptance workflow.
The OOTB behaviour is that the response approach of 'Accept' for a risk requires an approval from the risk owner.
We would like to extend the approval logic where the risk has an impact to the enterprise and residual risk scoring.
Example: if the risk impacts a local area then the risk owner can accept, but if that risk impact threat rating is higher than, say, 16 out of 20, or it affects multiple business areas, then it needs to be escalated to a senior level for review.
We are being advised that this falls into 'pro-code' customisation. But from the standard approach below it does look like the enterprise escalation is standard?
- Labels: Risk Management
06-13-2022 07:15 AM
How much effort is it to add additional levels of approval? The code you used seems relatively straightforward, but would this be considered a big change?
Our organisation is against using things outside of the box due to system upgrades. Personally I do not see the risk of the above as it's a table reference. Although schemas change, that doesn't happen very often.