Request risk reduction for findings

Release version: Australia

Updated June 4, 2026

1 minute to read

Create a risk reduction request for multiple vulnerable items at once by using the Bulk Edit dialog to specify a desired risk rating and compensating controls.

Before you begin

All vulnerable items you plan to select must map to the same vulnerability. Risk reduction is not available when items from multiple different vulnerabilities are selected.

Risk reduction must be enabled on the vulnerability before you can request it for the associated items.

Role required:

Procedure

Navigate to Workspaces > Security Exposure Management Workspace.

Note:
The selected records must be in the Open, Under Investigation, or Awaiting Implementation state.
On the List page, under Host Vulnerable items, open the Active or All list.
In the list, select the check box for each vulnerable item to include in the risk reduction request.
Select Bulk edit.
In the Bulk Edit dialog, in the Deferred section, select Mitigating Control in Place as the reason.
Select the Request for Risk Reduction check box.
Optional: Select the Request for Deferral check box to also submit a deferral alongside the risk reduction request.
Optional: In the Desired risk rating field, select the target risk rating.
In the Compensating controls field, select the controls that mitigate the vulnerability.
In the Short description field, enter a summary of the risk reduction justification.
In the Work notes field, enter supporting details.
Select Update.
A Remediation Task is created for the selected items and enters an In review state. Approval requests are raised for the risk reduction and, if selected, for the deferral.

What to do next

Approvers at each configured level must approve the risk reduction and deferral requests. After all approvals are complete, the Remediation Task transitions to Deferred state and the risk ratings on the affected items are updated to reflect the approved desired rating.