Review Updated Risk Treatment Plan

Objective

Automatically alert risk stakeholders and generate a review task whenever a risk's treatment option is updated (e.g., Accept → Mitigate). This workflow ensures changes to risk treatment strategy are reviewed promptly, supporting effective risk governance and maintaining alignment across the security, compliance, and risk teams.

Prerequisites

Before configuring this workflow:

  • You must have Admin or Workspace Manager permissions.
  • Your organization must use risk treatment options such as Accept, Avoid, Mitigate, or Transfer.
  • Task assignment roles (Risk Owner, Risk Reviewer, or a designated role such as Admin or Security Team) must exist so the review task can be routed.
  • The notification channels you intend to use must be configured:
    • Email (always available)
    • Slack message (Slack integration required)
    • Microsoft Teams message (Teams integration required)

Workflow Overview

This workflow runs when:

  • Object Type: Risk
  • Scope: All risks
  • Trigger Event: Treatment option changed
  • Action:
    • Create a task to review the updated treatment plan
    • (Optional) Send a notification to risk stakeholders

Step-by-Step Configuration

1. Create the Workflow

  1. Navigate to Settings → Workflows.
  2. Select Create Workflow.
  3. Configure:
    • Name: Review updated risk treatment plan
    • Object Type: Risk


2. Define the Workflow Scope

  1. Under Start, select All risks.
  2. Click Continue.


3. Select the Trigger

  1. Choose Treatment option changed as the trigger.
  2. Select which treatment option changes should initiate this workflow: Any change, or specific transitions such as Accept → Mitigate. Any change is the safer default, because it also catches transitions that weaken a plan (for example Mitigate → Accept, which drops a planned control without adding one) rather than only the transitions you thought to list.


4. Add Steps

Create Task

  1. Add a Create task step.
  2. Configure the task details:
    • Title: Review updated treatment plan for {{risk_name}}
    • Description:
    The treatment option for {{risk_name}} has been updated.
    
    Previous Option: {{old_treatment_option}}
    New Option: {{new_treatment_option}}
    
    Please review the updated treatment plan and determine if further mitigation, documentation, or approval is required.
    • Assigned To:
      • Risk Owner
      • Risk Reviewer
      • Or a designated role (e.g., Admin, Security Team)
    • Due Date: Set a reasonable timeframe (e.g., 5–7 days from creation).


Send Notification (Email Example)

To notify additional stakeholders (e.g., Risk Committee):

  1. Add a Send notification step.
  2. Select a method:
    • Email
    • Slack message
    • Microsoft Teams message
  3. For this example, configure Email .
  4. Example subject and body:

Subject: Risk treatment plan updated: {{risk_name}}

Body:

The treatment plan for {{risk_name}} has been updated.

Old Treatment Option: {{old_treatment_option}}
New Treatment Option: {{new_treatment_option}}

A task has been created for follow-up review. Please take any required action.


5. Review and Publish

  1. Review:
    • Scope: All risks
    • Trigger: Treatment option changed
    • Steps: Task creation, plus optional notifications
  2. Select Publish to activate the workflow, or Save as Draft if it still needs internal review. A draft does not fire on treatment changes.

Validation & Testing

To ensure proper setup:

  1. Modify the treatment option of a test risk (not a production entry, so the check does not alter your real risk register).
  2. Navigate to Settings → Workflows → Run History to verify the workflow fired.
  3. Confirm:
    • A task was created and assigned correctly, with the expected due date
    • The placeholders ({{risk_name}}, {{old_treatment_option}}, {{new_treatment_option}}) were filled in rather than left verbatim
    • Any notifications were delivered
  4. Save the test risk again without changing its treatment option and confirm no second run appears, so the workflow fires only on real changes.
  5. Adjust task details or messaging as needed.
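The configuration above is point-and-click, but its behaviour is easy to model and check offline. The following is an added example, not code from the platform this page documents: it simulates the trigger filter (Any change versus specific transitions), renders the same {{...}} templates used in the task and email steps, creates the review task with a due date, records a run-history entry, and declines to fire when a risk is saved with its treatment option unchanged. All class, function and field names, and the sample risk data, are assumptions made for the example.

```python
"""Offline model of the 'Review updated risk treatment plan' workflow.

Added example; not the platform's own code. Names and sample data are assumed.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

TREATMENT_OPTIONS = {"Accept", "Avoid", "Mitigate", "Transfer"}

# Templates copied from the task and email steps on this page.
TASK_TITLE = "Review updated treatment plan for {{risk_name}}"
TASK_BODY = (
    "The treatment option for {{risk_name}} has been updated.\n\n"
    "Previous Option: {{old_treatment_option}}\n"
    "New Option: {{new_treatment_option}}\n\n"
    "Please review the updated treatment plan and determine if further "
    "mitigation, documentation, or approval is required."
)
EMAIL_SUBJECT = "Risk treatment plan updated: {{risk_name}}"
EMAIL_BODY = (
    "The treatment plan for {{risk_name}} has been updated.\n\n"
    "Old Treatment Option: {{old_treatment_option}}\n"
    "New Treatment Option: {{new_treatment_option}}\n\n"
    "A task has been created for follow-up review. Please take any required action."
)


@dataclass
class Risk:            # assumed shape of a risk record
    name: str
    owner: str
    reviewer: str
    treatment: str


@dataclass
class Task:
    title: str
    description: str
    assignees: list
    due: date


@dataclass
class Notification:
    method: str
    recipients: list
    subject: str
    body: str


@dataclass
class RunRecord:       # one row of "Run History"
    risk: str
    old: str
    new: str
    task: Task
    notifications: list = field(default_factory=list)


def render(template, ctx):
    """Fill {{placeholder}} tokens; an unknown placeholder is an error, not silent text."""
    def sub(match):
        key = match.group(1)
        if key not in ctx:
            raise KeyError(f"unknown placeholder {key}")
        return ctx[key]
    return re.sub(r"\{\{(\w+)\}\}", sub, template)


class TreatmentChangeWorkflow:
    def __init__(self, transitions=None, notify=None, due_days=7):
        # transitions=None models "Any change"; otherwise a set of (old, new) pairs.
        self.transitions = transitions
        self.notify = notify or {}       # e.g. {"email": ["risk-committee@example.com"]}
        self.due_days = due_days
        self.run_history = []

    def matches(self, old, new):
        if old == new:                   # re-saving the same option is not a change
            return False
        if self.transitions is None:
            return True
        return (old, new) in self.transitions

    def run(self, risk, new_option, today):
        """Apply a treatment update; return the RunRecord if the workflow fired, else None."""
        if new_option not in TREATMENT_OPTIONS:
            raise ValueError(f"not a treatment option: {new_option}")
        old = risk.treatment
        risk.treatment = new_option
        if not self.matches(old, new_option):
            return None
        ctx = {"risk_name": risk.name,
               "old_treatment_option": old,
               "new_treatment_option": new_option}
        task = Task(render(TASK_TITLE, ctx), render(TASK_BODY, ctx),
                    [risk.owner, risk.reviewer], today + timedelta(days=self.due_days))
        notes = [Notification(method, recipients,
                              render(EMAIL_SUBJECT, ctx), render(EMAIL_BODY, ctx))
                 for method, recipients in self.notify.items()]
        record = RunRecord(risk.name, old, new_option, task, notes)
        self.run_history.append(record)
        return record


if __name__ == "__main__":
    wf = TreatmentChangeWorkflow(notify={"email": ["risk-committee@example.com"]})
    test_risk = Risk("Unpatched VPN appliance", "alice", "bob", "Accept")  # constructed
    rec = wf.run(test_risk, "Mitigate", date(2024, 1, 1))
    print(rec.task.title, "due", rec.task.due, "runs:", len(wf.run_history))
```

Run it as a script to see one fired run; the "same option re-saved" and "transition not in the allow-list" cases return None and add nothing to run_history, which is the check step 4 of the validation list performs in the real product.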