Risk Management Process
How It Works
Clarion follows a structured risk management process aligned with ISO 27005 and ISO 31000. Every risk moves through a clear lifecycle, so nothing falls through the cracks.
Lifecycle Stages
1. Identified
The risk has been recognized but not yet analyzed.
How you get here: You create a new custom risk (risks from the library skip this stage).
What to do next: Review the risk and set its likelihood and impact scores to move it to Assessed.
2. Assessed
The risk has been analyzed — you've set the likelihood, impact, and chosen a treatment strategy.
How you get here: Set the likelihood and impact scores, then choose a treatment approach (Mitigate, Accept, Transfer, or Avoid). Risks added from the library start here automatically.
What happens: The inherent risk score is calculated and the risk appears on the heatmap and in your KPIs.
Where it can go next: In Treatment, Accepted, or Closed.
3. In Treatment
You're actively working to reduce this risk. Controls are being linked and treatment plans are underway.
How you get here: Move the risk to treatment, assign an owner, and set a due date.
What happens:
- Compliance controls are linked with reduction weights
- Your residual score updates automatically as controls pass or fail
- Treatment notes capture your mitigation plan
- The due date keeps your team on track
Where it can go next: Monitored (when treatment is done) or Closed.
4. Monitored
Treatment is complete and the residual risk is within your appetite. The risk is now under ongoing observation.
How you get here: Confirm that treatment actions are done and the residual score is acceptable.
What happens:
- The residual score continues to update automatically as your control posture changes
- A review date reminds you when it's time to re-evaluate
- If a linked control starts failing, you may need to move the risk back to treatment
Where it can go next: Closed or back to In Treatment if conditions change.
5. Accepted
Your organization has formally decided to accept this risk. No further treatment is planned.
How you get here: Choose "Accept" as the treatment strategy and document the reason in the Treatment Notes field.
What happens:
- The risk stays visible in the registry and on the dashboard
- Your acceptance justification is recorded for audit purposes
- The audit trail captures who accepted the risk and when
Where it can go next: Closed, or back to Assessed if you need to re-evaluate.
Important for Audits
ISO 27001 auditors will look for formal acceptance records. Always document the reason for acceptance in Treatment Notes and make sure the risk owner has acknowledged the decision.
6. Closed
The risk is no longer relevant — it's been fully mitigated, the threat no longer exists, or the business context has changed.
How you get here: Close the risk with a final note explaining why.
What happens:
- The risk is excluded from active KPIs and the heatmap
- It stays in the registry for historical reference (the full audit trail is preserved)
- You can reopen it if needed
Where it can go next: Back to Assessed (reopen).
Allowed Status Changes
| From | Can Move To |
|---|---|
| Identified | Assessed |
| Assessed | In Treatment, Accepted, Closed |
| In Treatment | Monitored, Closed |
| Monitored | Closed, In Treatment |
| Accepted | Closed, Assessed |
| Closed | Assessed (reopen) |
The system only allows valid transitions. Every status change is recorded in the audit trail with the name of the person who made it.
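The transition table above is small enough to enforce as a lookup, and the stage descriptions add a few preconditions (scores before Assessed, a justification before Accepted, a final note before Closed). The following is an added illustration of how a validator with an audit trail could enforce those rules; it is not Clarion's own code, and the `Risk` fields and the `change_status` function are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Allowed status transitions, copied from the "Allowed Status Changes" table.
ALLOWED_TRANSITIONS = {
    "Identified": {"Assessed"},
    "Assessed": {"In Treatment", "Accepted", "Closed"},
    "In Treatment": {"Monitored", "Closed"},
    "Monitored": {"Closed", "In Treatment"},
    "Accepted": {"Closed", "Assessed"},
    "Closed": {"Assessed"},  # reopen
}


@dataclass
class Risk:
    """Assumed minimal risk record for the example (not Clarion's data model)."""
    title: str
    status: str = "Identified"
    likelihood: Optional[int] = None
    impact: Optional[int] = None
    treatment_notes: str = ""
    audit_trail: list = field(default_factory=list)


class TransitionError(ValueError):
    """Raised when a status change is not allowed by the table or its preconditions."""


def change_status(risk: Risk, new_status: str, actor: str, note: str = "") -> Risk:
    """Apply a status change if allowed, recording who made it and when."""
    if new_status not in ALLOWED_TRANSITIONS.get(risk.status, set()):
        raise TransitionError(f"{risk.status} -> {new_status} is not an allowed transition")
    # Stage 1: leaving Identified requires likelihood and impact scores.
    if risk.status == "Identified" and (risk.likelihood is None or risk.impact is None):
        raise TransitionError("set likelihood and impact before moving to Assessed")
    # Stage 5 / "Important for Audits": acceptance needs a documented reason.
    if new_status == "Accepted" and not risk.treatment_notes.strip():
        raise TransitionError("Accepted requires a justification in Treatment Notes")
    # Stage 6: closing needs a final note explaining why.
    if new_status == "Closed" and not note.strip():
        raise TransitionError("Closed requires a final note")
    risk.audit_trail.append({
        "from": risk.status, "to": new_status, "by": actor,
        "at": datetime.now(timezone.utc).isoformat(), "note": note,
    })
    risk.status = new_status
    return risk
```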
Roles & Responsibilities
| Role | What You Can Do |
|---|---|
| Risk Manager | Create, edit, and manage risks and control mappings. Add comments. View compliance data |
| Admin / Owner | Full access to everything, including risk settings |
| Security Engineer | Create and manage risks, plus manage compliance controls |
| Viewer | View the risk dashboard and registry (read-only) |
| Auditor | View risks, compliance data, and audit logs (read-only) |
Treatment Strategies
Four standard strategies aligned with ISO 27001:
| Strategy | What It Means | When to Use It |
|---|---|---|
| Mitigate | Reduce the risk by putting controls in place | Most common approach. Link compliance controls to lower your residual score |
| Accept | Acknowledge and live with the risk | When the residual risk is within your appetite, or mitigation costs more than the potential impact |
| Transfer | Shift the risk to someone else | Insurance, outsourcing, or contractual agreements |
| Avoid | Stop doing the activity that causes the risk | When the risk is too high and can't be mitigated |
Getting Started Workflow
If You're New to Risk Management in Clarion
- Browse the library — Look through the 110+ pre-built risks and pick the ones relevant to your organization
- Bulk import — Add multiple risks at once to save time
- Assess each risk — Review and adjust the likelihood and impact scores
- Link controls — Connect compliance controls to each risk (done automatically for library risks)
- Set treatment plans — Choose a strategy, assign an owner, and set a due date
- Monitor your dashboard — Track residual scores and overdue treatments
- Schedule reviews — Set review dates and re-evaluate risks periodically
Quarterly Review Checklist
- [ ] Check risks that are due for review
- [ ] Verify residual scores reflect your current control posture
- [ ] Review treatment progress and follow up on overdue items
- [ ] Update the risk appetite threshold if your tolerance has changed
- [ ] Export a CSV for management reporting
- [ ] Document the review in risk comments for audit purposes
