Ana Rita Lopes's picture

Good afternoon,

I need help on a topic related to risk management in ARCM.
The risk management cycle is currently as follows:
- Risk Owner performs the risk assessment;
- Risk Reviewer reviews the risk assessment (accept or reject);
- Risk Manager monitors all evaluations;

The question is this: If the Risk Reviewer wants to refuse the evaluation and comment on the reason for the refusal, how can this be done? There is no field for Reviewer to write.

When we are talking about other components (for example the tests to the controls, audit, incidents and losses,...), when the Reviewer decides to reject, becomes MANDATORY to fill in the field "comment / reviewer remark", but in Risk Management there is no field to fill in (neither obligatory nor optional).

My client is a very complex organization and in each risk assessment cycle, there is a strong probability of rejection of evaluations, however the Reviewer should indicate (in a comment, or something similar) the reason for rejection. BUT currently, when the Reviewer reject a risk, send an e-mail (outside of ARIS) to inform the Owner, what was the reason for rejection. Which is not correct and is unsustainable in the long run, considering that everything should be centered on the ARIS / ARCM platform.

Is there any possibility to configure this?

 

Thank you!

Ana Rita Lopes

Tags: ARIS ARIS GRC ARIS Risk & Compliance Manager