Introduction
The Risks module gives you a clear view of your risk profile and makes it easy to track, manage and review tasks.
You’ll find the Risk module in the left-hand sidebar of Complyance. There are two key areas to be aware of:
- Risk dashboard: Provides visibility into the status and breakdown of your risks.
- Risk register: Your centralized risk register, consolidating all risks in one place.
When a new risk becomes apparent, you can upload it to your Risk Register. This article describes the full end-to-end workflow, from raising a risk to closing it out.
Raising a New Risk
Navigate to your risk register, which is found on the left-hand sidebar of Complyance.
- In the top right-hand corner, click the ‘+ New Risk’ button.
- The new risk will open, and you can work through it to add all the relevant information:
  - Description – A detailed description of the risk (you can use platform AI to enhance or regenerate this).
  - Inherent and Residual Risk Scores – Generated from the risk level configuration.
  - Category – A customizable field for your risk categories.
  - Owner – The user responsible for the risk; they will receive notifications for changes and upcoming reviews.
  - Frequency – How often the risk must be reviewed.
  - Last Reviewed – The date of the most recent review (this will be filled in once you have completed your first review).
  - Treatment Strategy – How you plan to action the risk (Pending, Accept, Avoid, Mitigate, Monitor or Transfer).
  - Treatment – The treatment remains 'Pending' until your treatment strategy has been achieved and the treatment is in place (Accepted, Avoided, Mitigated, Pending, or Transferred).
  - Treatment Details – Notes on the treatment plan. AI can generate, enhance, or shorten treatment details. For more detail on how to fill out your treatment details, please review the article ‘Using AI to Create or Edit a Risk Treatment Plan’.
  - Custom Fields – Add custom fields to track additional attributes, such as:
    - Financial impact (e.g., < $500k, $500k–$1M, $1M–$3M, $3M+)
    - Confidentiality, availability, integrity score
Once you have filled out all the details, your new risk is created, and at the top of the drawer, you’ll see the unique Risk ID (e.g., Risk / R0001) and its current status.
Tracking Risk Treatment
Tracking risk treatment is a critical part of risk management, as it ensures that risks are not just identified but actively managed, reduced, and monitored over time. Complyance has processes in place to ensure there is clear ownership of the risk, actionable outputs to mitigate the risk, and controls that show the actions you are taking to treat the risk.
In your risk drawer there are 3 categories aligning to treatment: Treatment strategy, Treatment and Treatment details.
Each category corresponds to a different phase of treating the risk:
- Treatment strategy: How you plan to treat the risk (Pending, Accept, Avoid, Mitigate, Monitor, Transfer)
- Treatment: How the risk has been treated (Pending, Accepted, Avoided, Mitigated, Transferred)
- Treatment details: Actions you will take to treat the risk (This can also be built out using the platform AI)
The 'Treatment strategy' and 'Treatment' are automatically populated with 'Pending' until you update them.
When your treatment details have been created, you can start to assign tasks that turn your treatment plan into actionable outputs for the appropriate team members.
To create a Task from your treatment plan:
- Hover over the treatment plan text. A small checkbox will appear in the top-right corner titled Create task.
  Note: The Create tasks button will only appear if a treatment plan is structured in a bulleted or numbered list. All AI-generated treatment plans are structured in this way, so it will always appear for them.
- Click this checkbox. Complyance AI will generate a list of suggested tasks based on your treatment plan.
- Review the AI-generated tasks. Select the ones that are relevant by ticking the checkboxes.
- Once you're happy with your selection, click the blue Create button.
- These tasks are now live and can be managed from the Tasks tab of the risk.
- Assign a team member to each task (they do not have to be the risk owner).
- Set:
  - Due dates
  - Priority
  - Task description
- Track task status via the Task Center.
For more information on assigning tasks, please read the ‘Using AI to Create Tasks from the Risk Treatment Plan’ article.
From your risk drawer you can also monitor the controls that are in place for that specific risk. To link controls to the risk, go to the right-hand navigation of the risk drawer and select 'Controls'. Here you can select relevant controls for the risk. For more information on linking controls to risks, please read the ‘How to Link Risks to Controls and Vendors’ article.
Linking pulls through the validity of the controls, and if a control is 'at risk', this is shown in the risk details. Once you have linked controls to risks, this can be a helpful reporting metric, as it highlights risks with immediate vulnerabilities.
Reviewing Risk Treatment
Risk reviews ensure that your treatment plans remain effective and relevant, helping your organization stay ahead of evolving threats and uncertainties. This process supports informed decision-making, reinforces accountability, and promotes continuous improvement.
The frequency of reviews depends on the type and severity of the risk. Most risks are reviewed annually, but critical risks may require more frequent assessment.
Complyance has in-built notifications based on the frequency set for the risk and the last review date. This ensures you meet regulatory expectations by never missing a review and encourages proactive risk management.
You can begin a review by navigating to the Risk Register from the left-hand sidebar in Complyance, then selecting the risk due for review.
For more information on reviewing risks, please read the ‘How to Review a Risk’ article.
Closing a Risk
Closing a risk helps keep your risk register focused and up to date. Once a risk is closed, it will remain visible in your register, but you will no longer receive review notifications.
To close out a risk in the platform, open the risk you want to close out. Once the treatment plan has been completed, you can update the 'Treatment' field from 'Pending' to the action you have taken:
- Accepted – Leadership has agreed the risk is within tolerance and will not take further action.
- Avoided – The source of the risk has been removed, eliminating the threat entirely.
- Transferred – Responsibility for the risk has been shifted to a third party, such as through insurance or outsourcing.
- Mitigated – Controls have been implemented to reduce the risk to an acceptable level.
For more information on closing out risks, please read the ‘How to Close out a Risk’ article.
Still have questions? Reach out to our support team via the Support Center for assistance.