12-28-2023 06:18 AM
Hello, we are currently working on implementing the GRC plugin in our organisation, specifically the risk management module. Part of our plan is to apply generic risk templates (defined as risk frameworks + statements) to entities, thus generating risks. Those risk templates stem from different sources such as the ISO 27005, BSI Grundschutz, etc.
What we have noticed is that there is no possibility for risk owners to tag a generated risk as "not applicable". Since this occurs quite often (because the risk team will usually not know which risks make sense for which entity) this makes using common risk templates very cumbersome for the risk owners.
From what I have seen a risk could be retired, but from a semantic point of view this is not the same as explicitly tagging a risk as "not applicable".
Did anyone run into a similar problem? How would you solve such an issue?
Thanks and BR
12-29-2023 12:58 AM
Hi @--AH-- ,
The best individual to determine which risks are appropriate and which are not is, in my opinion, the risk manager.
You can search for a solution similar to the one below for your circumstance, where Owners are aware of the applicability of risk but Risk Managers are not.
1. If the owner feels that the risk is not appropriate, leave it in draft state. Alternatively, include a space for the owner to check if they believe the risk is not relevant (custom field - Check box).
2. Create a flow to retire the risk which has been in draft form for longer than thirty days or as needed. OR create a flow to trigger daily to retire the risk if "Not Applicable" (custom field) flag is TRUE.
Regards,
Aakash
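The retirement rule from the answer above (retire when the "Not Applicable" flag is set, or when a draft is older than thirty days), modelled as plain functions over constructed risk records. This is an added example, not code from the thread or from ServiceNow; the field names `state`, `not_applicable`, `created` and `retire_reason` are assumptions, and in a real instance the logic would sit in a daily scheduled flow or script rather than in standalone JavaScript.

```javascript
// Added example: the retirement rule as pure functions over constructed records.
// Field names are assumptions; a ServiceNow flow would query the risk table instead.

const DRAFT_MAX_AGE_DAYS = 30;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Decide whether a risk should be retired and why; null means leave it alone.
// Keeping the reason separate preserves the "not applicable" vs. "stale draft"
// distinction the question raised, instead of collapsing both into "retired".
function retireReason(risk, now) {
  if (risk.state === 'retired') return null;             // idempotent: never re-retire
  if (risk.not_applicable === true) return 'not_applicable';
  if (risk.state === 'draft') {
    const ageDays = (now - risk.created) / MS_PER_DAY;
    if (ageDays > DRAFT_MAX_AGE_DAYS) return 'stale_draft'; // strictly older than 30 days
  }
  return null;
}

// Apply the rule to a batch. Returns new records (input is not mutated) plus the
// list of records that changed, so the job can log what it retired and why.
function runRetirementJob(risks, now) {
  const changed = [];
  const out = risks.map((risk) => {
    const reason = retireReason(risk, now);
    if (reason === null) return risk;
    const retired = { ...risk, state: 'retired', retire_reason: reason, retired_on: new Date(now) };
    changed.push(retired);
    return retired;
  });
  return { risks: out, changed };
}

// Constructed sample data for a dry run (dates and ids are made up).
const NOW = Date.parse('2024-01-15T00:00:00Z');
const SAMPLE_RISKS = [
  { id: 'R1', state: 'draft',    not_applicable: false, created: Date.parse('2023-11-01T00:00:00Z') },
  { id: 'R2', state: 'draft',    not_applicable: false, created: Date.parse('2024-01-10T00:00:00Z') },
  { id: 'R3', state: 'assessed', not_applicable: true,  created: Date.parse('2023-12-01T00:00:00Z') },
  { id: 'R4', state: 'retired',  not_applicable: true,  created: Date.parse('2023-10-01T00:00:00Z') },
];

const RESULT = runRetirementJob(SAMPLE_RISKS, NOW);
console.log(RESULT.changed.map((r) => `${r.id}: ${r.retire_reason}`)); // R1: stale_draft, R3: not_applicable
```

The strict `>` on the age check means a draft exactly thirty days old is left for the next run; change it to `>=` if the policy reads "thirty days or more".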