Risk Management Statuses

Overview

ZenGRC's risk management process helps risk managers minimize business risk, eliminate threats and decrease vulnerabilities by using the statuses available in the application. This documentation gives an overview of how to understand and use statuses for the risk, threat, and vulnerability objects. Because processes differ between organizations, ZenGRC does not enforce this workflow; it is a recommendation only.

IMPORTANT

Although the incident object is a part of risk management, its statuses are not the same as the risk, threat and vulnerability objects. This is because incidents belong to the audit workflow. Threats and vulnerabilities follow the same status patterns as risk because they are a core part of risk analysis.

Lifecycle for Risk Items

The risk management workflow utilizes statuses as follows:

  • Draft - The risk is vaguely defined.
  • Identified - The risk is confirmed, and details are added.
  • Under assessment - Risk assessment is kicked off.
  • Assessed - Risk calculation is finalized and risk value is determined.
  • Unfounded - There is no reason to discuss the risk because it's invalid, lacks reasoning, etc.
  • Accepting - The decision to accept the risk has been made and the process is started.
  • Accepted - The risk is accepted as-is.
  • Transferring - The decision to transfer the risk has been made and the process is started.
  • Transferred - The risk is transferred to another department or vendor.
  • Avoiding - Action is being taken to avoid the risk.
  • Avoided - The risk is avoided completely.
  • Remediate - There is enough information to determine that the risk needs to be remediated.
  • In remediation - A risk manager is actively working on the risk.
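Because ZenGRC does not enforce the workflow, a team that wants consistent status handling (for example, in a script that updates risk records or reviews an exported register) has to validate transitions itself. The following Python is an added illustration, not ZenGRC code or its API: it models the statuses above as a small state machine with an audit trail. The transition graph is an assumption derived from the order and wording of the status descriptions (the analysis chain Draft to Identified to Under assessment to Assessed, each "-ing" treatment status completing into its "-ed" status, Remediate leading to In remediation, and Unfounded reachable once a risk is Identified or Assessed); the risk name and actors are constructed sample data.

```python
"""Risk lifecycle validator built from the ZenGRC status list.

Added example, not ZenGRC's own code. The transition graph below is an
assumption inferred from the status descriptions; ZenGRC itself does not
enforce any particular order.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Statuses exactly as listed in the documentation.
STATUSES = (
    "Draft", "Identified", "Under assessment", "Assessed", "Unfounded",
    "Accepting", "Accepted", "Transferring", "Transferred",
    "Avoiding", "Avoided", "Remediate", "In remediation",
)

# Assumed transitions (not a ZenGRC rule): analysis runs Draft -> Identified
# -> Under assessment -> Assessed; from Assessed the treatment decision
# branches; each "-ing" status completes into its "-ed" status; Unfounded is
# reachable once the risk is Identified or Assessed. "In remediation" is left
# open so a remediated risk can be reassessed rather than closed silently.
TRANSITIONS = {
    "Draft": {"Identified"},
    "Identified": {"Under assessment", "Unfounded"},
    "Under assessment": {"Assessed"},
    "Assessed": {"Unfounded", "Accepting", "Transferring", "Avoiding", "Remediate"},
    "Accepting": {"Accepted"},
    "Transferring": {"Transferred"},
    "Avoiding": {"Avoided"},
    "Remediate": {"In remediation"},
    "In remediation": {"Under assessment"},
}

# Statuses treated as closed in this model (assumption).
TERMINAL = {"Unfounded", "Accepted", "Transferred", "Avoided"}


class InvalidTransition(ValueError):
    """Raised when a status change is not in the assumed workflow."""


@dataclass
class RiskItem:
    name: str
    status: str = "Draft"
    history: list = field(default_factory=list)  # audit trail of changes

    def transition(self, new_status: str, actor: str, note: str = "") -> str:
        """Move to new_status if the assumed workflow allows it; log who did it."""
        if new_status not in STATUSES:
            raise InvalidTransition(f"unknown status {new_status!r}")
        allowed = TRANSITIONS.get(self.status, set())
        if new_status not in allowed:
            raise InvalidTransition(
                f"{self.status!r} -> {new_status!r} not allowed; "
                f"allowed from {self.status!r}: {sorted(allowed)}"
            )
        self.history.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "from": self.status,
            "to": new_status,
            "note": note,
        })
        self.status = new_status
        return self.status

    def is_closed(self) -> bool:
        return self.status in TERMINAL


def run_example() -> RiskItem:
    """Walk a constructed sample risk through analysis into remediation."""
    risk = RiskItem("Unpatched remote-access appliance")  # constructed sample
    risk.transition("Identified", "alice", note="reported by vulnerability scan")
    risk.transition("Under assessment", "alice")
    risk.transition("Assessed", "bob", note="likelihood high, impact high")
    risk.transition("Remediate", "bob")
    risk.transition("In remediation", "carol", note="patch scheduled")
    return risk


if __name__ == "__main__":
    r = run_example()
    print(r.status, "closed:", r.is_closed())
    for entry in r.history:
        print(f"{entry['at']} {entry['actor']}: {entry['from']} -> {entry['to']} {entry['note']}")
```

The history list is the useful part for a reviewer: every status change records who made it and when, so a risk that jumps straight from Draft to Accepted, or that is closed without ever being assessed, is rejected at the point of change rather than discovered later in an audit.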

© 2021 Copyright Reciprocity, Inc.
https://reciprocity.com