/risk/register (or /risk/{company}/register per client).
When to use it
- A finding won’t be fixed and the client formally accepts the residual exposure.
- You need a client-countersigned record of that decision for audit evidence.
- You want a branded, printable Risk Acceptance binder for an audit or review.
- You need to track when accepted risks come due for re-review, renewal, or revocation.
- You want to see accepted risk for one client or across all clients from HQ.
Creating and countersigning
From a source record (a POA&M, a scan finding, an NCSR action), open the Mark as Risk Accepted modal, which pre-fills the source and a default review date. Justification is required. Then the client countersigns one of two ways:
- In person — capture initials and a signature on an iPad at create time; the record is accepted immediately.
- Client portal — the client logs in, reviews the request (logged as a “viewed” event), and e-signs.
Lifecycle
Records move through pending → accepted → under review, with Renew (bumps the review date), Revoke, and Resolve actions — each writing to an append-only audit trail. The register lists active items with due-soon counts and filters by module, status, and review window.
Good to know
- Accepted risks carry a review-due date; the register surfaces due-soon items so nothing lapses silently. (There’s no automatic “expired” state — reviewing due items is a deliberate action.)
- The printable Risk Acceptance form is a branded, invoice-style binder using the client’s brand color.
