GOV-006 Risk Management Program
Description
A formal enterprise risk management program exists with documented risk tolerance, treatment options (accept, mitigate, transfer, avoid), ownership of risks, and periodic review of risk status. Risk decisions are recorded and traceable to named accountable owners.
Rationale
Identifying risks without a systematic treatment and tracking mechanism leaves the organization unable to demonstrate that known risks are actually being managed rather than merely listed. The program is the governance layer above individual risk assessments: it turns assessment findings into decisions with a named owner, a chosen treatment, and a date on which the decision is revisited.
Framework Mappings (6)
| Control | Title | Mapping |
|---|---|---|
| GRC-02 | Risk Management Program | full |
| PM-28 | Risk Framing | partial |
| PM-9 | Risk Management Strategy | full |
| GOVERN 1.3 | Risk Management Activity Level Determination | partial |
| MAP 1.5 | Organisational Risk Tolerance | partial |
| CC9.1 | Risk Mitigation | partial |
Evidence (2)
Enterprise risk management policy or framework document defining risk tolerance, treatment options, and the ownership model.
Example: Enterprise Risk Management Policy (Confluence / GRC platform), approved by executive management, defining: a risk appetite statement, the permitted treatment options (accept/mitigate/transfer/avoid), risk ownership assignments, who may authorise each treatment type at each risk level, and the review cadence.
Test: Request the ERM policy or framework document. Verify: (1) a risk appetite or tolerance statement is present and expressed in quantitative or qualitative terms (for example a maximum tolerable loss, or a rating threshold above which a risk must be escalated rather than accepted), (2) the treatment options are defined and the policy states who may authorise each, (3) the ownership model assigns risk decisions to named roles rather than to teams or committees without a named chair, (4) a review interval is stated and the last review date falls within it, (5) management approval is evidenced by signature or workflow record from the approving body the policy itself names.
Risk treatment decisions recorded in the risk register with named owners, treatment type, and acceptance or escalation records.
Example: Risk register export (GRC platform / spreadsheet) showing each open risk with: treatment decision type, named accountable owner, target resolution date, and for risk-accepted items a signed acceptance record naming the approver, the rationale and the review date.
Test: Export the risk register. Verify: (1) every open risk has a treatment decision recorded (accept/mitigate/transfer/avoid), with no blank or "TBD" entries, (2) each risk has a named individual as owner, not a vacant role or a distribution list, (3) accepted risks have a documented acceptance record with a named approver, date, rationale and review date, and the approver holds the authority the ERM policy assigns for that risk level, (4) mitigated risks whose target resolution date has passed carry an escalation or re-approval record rather than a silently extended date, (5) the register has been reviewed within the defined interval. Sample a handful of risks and trace each to the underlying approval evidence rather than relying on the register fields alone.
Questions (2)
Does your organization have a formal enterprise risk management program with a documented risk tolerance statement and defined treatment options (accept, mitigate, transfer, avoid)?
The ERM program should be governed by an approved policy that states risk appetite, assigns ownership of risks to named roles, sets the authority required to approve each treatment type, and defines the review cadence.
How are risk acceptance decisions documented and authorized in your organization?
Each accepted risk should have a signed or digitally approved acceptance record that names the approver, states the rationale, and sets a review date so that the acceptance is re-examined rather than standing indefinitely. The approver should be the role the ERM policy authorises for that risk level, not simply the risk's owner.