Workflow States

Every risk assessment moves through specific states. Here’s what each state means:
  • Draft: Work in progress. You can save incomplete information and return later.
  • Initiated: Submitted and waiting for review. The checker will verify or decline it.
  • Verified: Approved by checker. Asset owners can now add their action plans.
  • Declined: Rejected by checker. Review the feedback and make corrections before resubmitting.
  • Plan Proposed: All asset owners have submitted their action plans. Waiting for maker approval.
  • Plan Accepted: Action plans approved. Asset owners can begin remediation work.
  • Plan Rejected: Action plans need improvement. Asset owners must revise and resubmit.
  • Closure Proposed: Work is complete. Asset owner has requested closure.
  • Closed: Risk is fully resolved and closed.

Step 1: Create Risk Assessment

Option A: Save as Draft

Use this when you don’t have all the information yet.
1. Click Save as Draft: Fill in whatever information you have. Missing fields are okay.
2. Return Later: Come back anytime to complete and submit.

Option B: Submit Directly

Use this when you have all the required information ready.
1. Fill All Required Fields: Complete risk name, description, assets, impacts, and findings.
2. Click Submit: Risk goes directly to Initiated status for review.
Required fields: Risk name, description, at least one asset, impact ratings, control effectiveness, and at least one finding.

Step 2: Submit Draft (If Saved as Draft)

When your draft is complete and ready for review:
1. Open Your Draft: Navigate to the draft you want to submit.
2. Click Submit Draft: System validates all required fields are complete.
3. Risk Moves to Initiated: The checker is notified to review your submission.

Step 3: Checker Review

This step only happens if your organization has checker approval enabled. If disabled, skip to Step 4.

Option A: Checker Approves

1. Checker Reviews: Checker examines the risk assessment for accuracy and completeness.
2. Click Verify: Risk moves to Verified status. Asset owners are notified to add action plans.

Option B: Checker Declines

1. Checker Identifies Issues: Checker finds problems with the risk assessment.
2. Provides Feedback: Checker enters a decline reason explaining what needs to be fixed.
3. Risk Moves to Declined: You receive a notification with the feedback.

Step 4: Update Declined Risk

If your risk was declined, here’s how to fix it:
1. Review Feedback: Read the checker’s decline reason carefully.
2. Make Corrections: Update the risk assessment based on the feedback.
3. Click Update and Resubmit: Risk returns to Initiated status. The checker reviews it again.

Step 5: Asset Owners Add Action Plans

Once the risk is verified (or initiated if no checker approval), asset owners create their plans.
1. Asset Owner Opens Finding: Each person assigned to a finding receives a notification.
2. Create Action Plan: Describe specific steps to address the risk. Example: Install security patches, enable MFA, update policies.
3. Set Target Date: Choose a realistic completion date.
4. Click Submit: Your plan is saved. When ALL asset owners submit their plans, the risk automatically moves to Plan Proposed.
Both action plan and target date are required. You cannot submit without both.

Step 6: Maker Reviews Plans

Option A: Accept Plans

1. Maker Reviews All Plans: Check that action plans are specific, realistic, and adequate.
2. Click Accept Plans: Risk moves to Plan Accepted. Asset owners can begin remediation work.

Option B: Reject Plans

1. Maker Identifies Issues: Plans are too vague, unrealistic, or inadequate.
2. Provides Feedback: Enter a rejection reason explaining what needs improvement.
3. Risk Moves to Plan Rejected: Asset owners receive notification to revise their plans.

Step 7: Asset Owners Revise Plans (If Rejected)

1. Review Rejection Reason: Read the maker’s feedback.
2. Update Action Plan: Make the requested improvements.
3. Click Submit: Updated plan is saved. When all owners resubmit, risk returns to Plan Proposed.

Step 8: Implement Remediation

1. Asset Owners Execute Plans: Complete the actions described in your action plan.
2. Document Progress: Add notes and attach evidence of completion (screenshots, reports, etc).
3. Verify Completion: Ensure all tasks are finished and documented.

Step 9: Propose Closure

When remediation work is complete:
1. Asset Owner or Risk Owner Reviews: Confirm all action items are complete.
2. Click Propose Closure: Risk moves to Closure Proposed. The maker is notified.

Step 10: Close Risk

1. Maker Reviews Completion: Verify all action plans were executed and documented.
2. Add Closure Notes (Optional): Document final outcome, lessons learned, or follow-up actions.
3. Click Close Risk: Risk moves to Closed status. The workflow is complete.
Closed risks remain in the system for audit and compliance purposes.

Quick Reference

Who Does What

Risk Maker:
  • Creates and submits risks
  • Updates declined risks
  • Accepts or rejects action plans
  • Closes risks
Risk Checker:
  • Reviews submitted risks
  • Verifies or declines with feedback
Asset Owner:
  • Creates action plans for assigned findings
  • Implements remediation
  • Proposes closure when work is complete

Common Scenarios

Flow: Draft → Initiated → Verified → Plan Proposed → Plan Accepted → Closure Proposed → Closed
Total steps: 7-10 depending on revisions

Notifications

You’ll receive email and in-app notifications at key steps.
Risk Makers get notified when:
  • Risk is verified or declined
  • All action plans are proposed
  • Closure is proposed
Risk Checkers get notified when:
  • New risk awaits review
  • Declined risk is resubmitted
Asset Owners get notified when:
  • New finding is assigned
  • Action plan is rejected

Tips for Success

For Risk Makers

Use drafts for complex assessments. Address all feedback before resubmitting. Review plans carefully before accepting.

For Risk Checkers

Review within 24-48 hours. Provide specific feedback. Be consistent in your criteria.

For Asset Owners

Create specific, measurable plans. Set realistic dates. Document your work thoroughly.

For Everyone

Use comments to collaborate. Attach evidence. Keep information current.

Troubleshooting

Problem: Submit button is disabled
Solution: Complete all required fields. Look for red validation errors on the form.
Problem: Waiting too long for checker
Solution: Contact the checker directly or escalate to admin if urgent.
Problem: Update button not available
Solution: Only Draft and Declined risks can be edited. Other states are locked.
Problem: Submit button disabled
Solution: Both action plan text and target date are required.

Configuration

Admins can enable or disable checker approval in Entity Configuration. This setting only affects new risks, not existing ones.
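
The states, roles and transitions described on this page can be modelled as a transition table, which makes the separation of duties between maker, checker and asset owner explicit and testable. This is an added Python example, not the product's code; the `Risk` class and the role and action identifiers are assumptions drawn from the state and button names above, and only the asset owner is modelled for proposing closure.

```python
# Added illustrative model of the workflow on this page; not the product's code.
# Role and action identifiers are assumptions based on the button names in the text.
TRANSITIONS = {  # (state, action) -> (role allowed to act, next state)
    ("Draft", "submit"): ("maker", "Initiated"),
    ("Initiated", "verify"): ("checker", "Verified"),
    ("Initiated", "decline"): ("checker", "Declined"),
    ("Declined", "update_and_resubmit"): ("maker", "Initiated"),
    ("Plan Proposed", "accept_plans"): ("maker", "Plan Accepted"),
    ("Plan Proposed", "reject_plans"): ("maker", "Plan Rejected"),
    ("Plan Accepted", "propose_closure"): ("asset_owner", "Closure Proposed"),
    ("Closure Proposed", "close_risk"): ("maker", "Closed"),
}
EDITABLE = {"Draft", "Declined"}  # all other states are locked for editing


class Risk:
    def __init__(self, owners, checker_enabled=True):
        self.state = "Draft"
        self.owners = set(owners)            # asset owners assigned to findings
        self.checker_enabled = checker_enabled
        self.plans = {}                      # owner -> (plan text, target date)
        self.history = [("Draft", "maker")]  # audit trail of (state, actor role)

    def can_edit(self):
        return self.state in EDITABLE

    def _move(self, state, role):
        if state == "Plan Rejected":
            self.plans.clear()               # every owner must resubmit
        self.state = state
        self.history.append((state, role))

    def act(self, role, action):
        allowed = TRANSITIONS.get((self.state, action))
        if allowed is None or allowed[0] != role:
            raise PermissionError(f"{role} may not {action} in state {self.state}")
        if role == "checker" and not self.checker_enabled:
            raise PermissionError("checker approval is disabled")
        self._move(allowed[1], role)

    def submit_plan(self, owner, plan, target_date):
        ready = "Verified" if self.checker_enabled else "Initiated"
        if self.state not in (ready, "Plan Rejected") or owner not in self.owners:
            raise PermissionError(f"{owner} cannot submit a plan in {self.state}")
        if not plan or not target_date:
            raise ValueError("action plan and target date are both required")
        self.plans[owner] = (plan, target_date)
        if set(self.plans) == self.owners:   # last plan in: automatic transition
            self._move("Plan Proposed", "system")
```

The `history` list records which role drove each transition, which is the record to check when confirming that the person who submitted a risk was not also the one who verified it.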