All About Risk Review and Remediation

Updated by Gillian Langor

How does "Risk Review" at the end of an assessment work?

Risk review is a lightweight workflow at the end of every completed assessment that formalizes risk acceptance and remediation activities. If the assessment has a residual risk higher than LOW, you will see a button in the assessment summary to "Review Risk". The action taken and any associated comments get recorded on the relationship. When you click the "Review Risk" button, the following modal appears:

The following actions are available to address the risk posed by the relationship in question:

Override Risk gives you the option of overriding the Residual Risk value calculated by the VISO TRUST risk model and choosing a different value. Common reasons to override risk include: 1) to reflect compensating controls that have been or will be implemented by your organization or the third party to address control gaps; 2) the context of the relationship is not appropriately reflected in the assessment.

Leave a comment will leave a comment on the relationship history. Many clients use this to record executive approvals or other contextual information that is helpful as part of the relationship's audit trail.

Accept Risk accepts the risk of the current relationship, given the results of the most recent risk assessment. The assessment no longer appears in the list of assessments Awaiting Review on the Assessments page.

Request Remediation allows you to send a remediation request to the third party based on the control gaps identified in the latest risk assessment. You must specify a target date for the remediation to be completed. The third party is free to respond with artifacts that satisfy the remediation request at any point during the remediation period. Optionally, you can add a comment that will be included in the remediation request and choose whether or not to copy subscribers of the relationship on the remediation request email.

Remediation uses an automated workflow: you have full visibility into the emails being sent, but you do not have to write anything or keep track of dates yourself. When a third party responds to a remediation request, VISO TRUST automatically creates a new assessment and kicks off a review of the information. That review process is otherwise identical to a regular assessment on the platform.

FAQ:

Remediation

Q: What happens if a vendor fails to respond to a remediation request?

A: The client receives an email notification and is presented with the review risk options again.

Q: Can I revoke a remediation request after it has been created?

A: Yes. This action puts the assessment back into the "Awaiting Review" status.

Q: How can I see all my open requests for remediation?

A: On the Relationship List page, filter by the "Remediation Requested" column, select "Yes", and click "Apply". The page then shows all relationships with an open remediation request.

Risk Acceptance and Override

Q: Can I remove a risk override?

A: Yes. You can do so by editing the value in the "Review Risk" modal or in the residual risk chip at the top of the relationship page. This resets the residual risk to the original value.

How does Onboarding/Offboarding and Archive relate to risk acceptance?

                                        Risk Review         Onboard/Offboard                                     Archive
Affects license count?                  No                  Usually affects license count, depending on the      Does not affect license count
                                                            contract
When is it relevant?                    End of assessment   Can happen any time, regardless of assessment        Only non-onboarded relationships without open
                                                            status                                               assessments can be archived
What role is required to do this?       Org Admin           Org Admin                                            Org Admin
Can it be undone?                       Yes                 Yes                                                  Yes
