Introduction
The Risks module gives you a clear view of your risk profile and makes it easy to track, manage and review risks and the tasks that treat them.
You’ll find the Risks module in the left-hand sidebar of Complyance. There are two key areas to be aware of:
- Risk dashboard: Provides visibility into the status and breakdown of your risks.
- Risk register: Your centralized risk register, consolidating all risks in one place.
This article walks through the full end-to-end risk lifecycle - from where a risk originates, through defining it, planning and approving treatment, assigning the work, reviewing it on a cadence, and finally closing it out.
Risk intake - where risks come from
Risks usually originate elsewhere before they reach your register. Common sources are:
- Control findings – a gap against a control (surfaced automatically by an AI agent if enabled, or raised manually e.g. from an internal audit)
- Vendor gaps – issues from a vendor assessment or questionnaire
- Internal or external audits and assessments
- Manual entry – raised directly by a risk owner or analyst
Not every finding needs to become a risk: quick fixes are best handled as a task, while anything needing longer-term tracking should be escalated to a risk.
Raising and defining a new risk
To raise a risk from a control finding:
If your environment has the relevant AI agent (e.g. the NIST CSF agent), findings are surfaced automatically as you upload evidence. Findings can also be raised manually, for example from an internal audit; see our guide Manual Findings: Reporting Findings.
- Open the control
- Open the Findings tab
- Locate the relevant finding and click Create a Risk
- The new risk opens with context pre-populated from the originating finding and control
To raise a risk from a vendor finding:
If your environment has the relevant AI agent (e.g. the Questionnaire Review agent), findings are surfaced automatically as vendors submit questionnaires.
- Open the questionnaire, either:
- from the Vendor record, by clicking the Questionnaires tab, or
- from the Questionnaire, by clicking the Vendors tab
- Open the Findings tab
- Locate the relevant finding and click the Create a Risk icon
- The new risk opens with context pre-populated from the originating finding
To raise a net new risk manually:
- Navigate to your risk register, found in the left-hand sidebar of Complyance.
- In the top right-hand corner, click ‘+ New Risk’.
- The new risk opens, and you can work through it to add all the relevant information:
- Description – A detailed description of the risk. You can use platform AI to draft, enhance or regenerate this.
- Inherent and Residual Risk Scores – Generated from the risk level configuration in the Risk level tab
- Category – A customizable field for your risk categories.
- Owner – The user responsible for the risk; they will receive notifications for changes and upcoming reviews.
- Frequency – How often the risk must be reviewed.
- Last Reviewed – The date of the most recent review (filled in once you have completed your first review).
- Next Reviewed – The date the next review is due.
- Treatment Strategy – How you plan to action the risk (Pending, Accept, Avoid, Mitigate, Monitor or Transfer).
- Treatment – Stays 'Pending' until the chosen strategy has actually been carried out; it then records the outcome (Accepted, Avoided, Mitigated or Transferred). Keep the two distinct: a strategy of Mitigate is a plan, and the Treatment should only move to Mitigated once the mitigating controls are in place.
- Treatment Details – Notes on the treatment plan. AI can generate, enhance, or shorten treatment details. For more detail on how to fill out your treatment details, see Using AI to Create or Edit a Risk Treatment Plan.
- Custom Fields – Add custom fields to track additional attributes, such as:
- Financial impact (e.g., < $500k, $500k–$1M, $1M–$3M, $3M+)
- Confidentiality, integrity and availability scores
Once you have filled out all the details, your new risk is created, and at the top of the drawer, you’ll see the unique Risk ID (e.g., Risk / R0001) and its current status.
Setting your inherent and residual risk levels
To set your risk levels:
- Open the risk and select the Risk Level tab on the right-hand side of the risk drawer
- Assign scores from your pre-configured values for:
- Inherent Impact and Inherent Likelihood - to calculate your Inherent Risk
- Residual Impact and Residual Likelihood - to calculate your Residual Risk
- Complyance automatically generates the Inherent and Residual Risk scores from your configured matrix.
- Go to the Details tab to see the calculated scores
Note: Inherent risk is the level before any treatment; residual risk is what remains once the linked controls and treatment are in place, so it should normally be no higher than the inherent score.
To change how levels and the matrix are configured, see How to Configure your Risk Matrix.
Planning risk treatment
Tracking risk treatment is a critical part of risk management: it ensures that risks are not just identified but actively managed, reduced and monitored over time.
Complyance supports this with clear ownership of each risk, actionable outputs (tasks) to mitigate it, and linked controls that evidence the actions you are taking to treat it.
In your risk drawer there are three fields relating to treatment: Treatment strategy, Treatment and Treatment details.
Each corresponds to a different phase of treating the risk:
- Treatment strategy: How you plan to treat the risk (Pending, Accept, Avoid, Mitigate, Monitor, Transfer)
- Treatment: How the risk has actually been treated (Pending, Accepted, Avoided, Mitigated, Transferred)
- Treatment details: The actions you will take to treat the risk (this can also be drafted using the platform AI)
Both 'Treatment strategy' and 'Treatment' default to 'Pending' until you update them.
Using AI to draft your risk treatment plan
The AI treatment plan gives you a contextualized head start - it is not meant to replace your judgement. It drafts from best-practice sources and the regulations already in your environment and adapts to the treatment strategy you choose.
To generate a treatment plan with AI:
- Set or update the Treatment strategy field (e.g. from Mitigate to Accept); the draft adapts to the strategy you choose.
- Hover over Treatment details and select Ask AI (shown when the field is empty).
- Review the suggested steps, then select Accept.
To update or improve an existing treatment plan, hover over it and choose one of:
- Regenerate
- Improve
- Shorten
- Lengthen
- Simplify
Note: When a risk is created from a finding, the AI description and plan are contextual - they draw on the originating control and evidence rather than starting blank. The more detail on the record, the richer the output.
Creating tasks and assigning owners
Once your treatment details are ready, you can turn them into trackable tasks and assign them to the appropriate team members.
To create tasks from your treatment plan:
- Hover over the treatment plan text. A Create task button appears in the top-right corner.
- Click it; Complyance AI generates suggested tasks based on your plan.
- Tick the relevant tasks and click Create.
Note: The Create task button only appears when the plan is a bulleted or numbered list. AI-generated plans are always structured this way; if you wrote the plan as free text, reformat it as a list first.
To assign and track tasks:
- Open the Tasks tab of the risk.
- Select a task and assign a team member (they don't need to be the risk owner).
- Set the due date, priority, and description.
- Track status across all risks from the Task Center.
For more information on assigning tasks, please read the ‘Using AI to Create Tasks from the Risk Treatment Plan’ article.
Linking Risks to their mitigating controls
From your risk drawer you can also monitor the controls that mitigate that specific risk. To link controls to the risk:
- In the right-hand navigation of the risk drawer, select 'Controls'.
- Click Link primary control or Link secondary control
- Review the AI suggestions or search for the control you want to link
- Select the control
- Click Link
For more information on linking controls to risks, please read How to Link Risks to Controls and Vendors.
Linked controls pull their current status through to the risk: if a linked control is 'at risk', that is shown on the risk details. This makes linked controls a useful reporting metric, because it highlights risks whose mitigations are currently failing rather than relying on a residual score that was set when the controls were last known to be working.
Approvals throughout the risk lifecycle
Risk approvals create a formal, documented sign-off trail. An approval can be raised at several points in the workflow:
- When a new risk is raised and defined (to lock it into the register)
- When a treatment strategy or plan is agreed
- When risk levels change (e.g. to confirm a reduction in residual risk)
- At closure
To raise an approval:
- Open the risk and select the Approvals tab.
- Click Request a new approval.
- Complete the details
- Reason
- Name and Description
- Expiration date
- Assign the Approver / Approvers and the approval due date
- Confirm whether all approvers need to approve - or just one
- Attach any relevant or supporting documents
- The approver can review, comment, request more information, or push back within the flow.
For the full step-by-step, see How to Send a Risk Approval.
Reviewing risks and risk treatment
Risk reviews keep your treatment plans effective and relevant. The frequency depends on the type and severity of the risk — most are reviewed annually, but critical risks may need more frequent assessment.
Complyance sends built-in notifications based on the risk's frequency and the last review date, so you never miss one.
To review a risk:
- Open the Risk Register and select the risk due for review.
- Confirm the risk details, levels, and treatment are still accurate.
- Review the status of tasks from the Tasks tab.
- Check the Approvals tab to confirm any required approval is still valid and hasn't expired.
- Log the review from the Reviews tab to update the status and the Last Reviewed date.
For more guidance on risk reviews, see How to Review a Risk.
Closing a risk
Closing a risk keeps your register focused. Once closed, a risk stays visible in your register but no longer generates review notifications.
Before closing a risk, open the record and update the Treatment field from 'Pending' to the action taken:
- Accepted – Leadership has agreed the risk is within tolerance and will take no further action.
- Avoided – The source of the risk has been removed, eliminating the threat.
- Transferred – Responsibility has shifted to a third party (e.g. insurance or outsourcing).
- Mitigated – Controls have been implemented to reduce the risk to an acceptable level.
You can also raise an approval at closure so the sign-off, and the rationale behind it, are formally logged against the risk. See How to Send a Risk Approval.
To close out a risk:
- Go to the risk register and click the three dots on the far right of the risk you want to close
- Alternatively, you can open the risk record and click the three dots at the top right of the risk
- Select Close out risk
- The risk closure details are logged in the History tab
For more information on closing out risks, please read the ‘How to Close out a Risk’ article.
Still have questions? Reach out to our support team via the Support Center for assistance.