RiskOps is the operational layer for enterprise risk. Risks have a lifecycle, an owner, a treatment plan, and an audit trail — auto-generated from the work the platform is already doing across TPRM, privacy, internal controls, and supply chain monitoring. One register. Six lifecycle states. Five treatment strategies. Bidirectional sync with the GRC tooling you already run.
Most "ERM platforms" are spreadsheets with a UI on top. The risk inventory is unconnected to the controls assessment program, the vendor portfolio, and the breach intelligence feed. Risks accumulate without lifecycle, ownership decays, and the register becomes shelfware.
RiskOps reverses the pattern. Risks auto-generate from upstream signals — the same signals that drive the rest of the platform — and carry source provenance through every transition. When an auditor asks where a risk came from, the answer reconstructs from the originating assessment, scan, or report.
Assessment findings. Failed QFX answers with action-plan flags create risk records automatically — vendor-scoped or enterprise-scoped depending on the program category. Source attribution preserved.
LiveThreat scan findings. Vendor scan findings above the configured severity threshold flow into the register tagged to the originating vendor and scan ID. Daily re-scans update existing risks rather than creating duplicates.
SBOM CVE matches. CVE findings from continuous SBOM monitoring become software supply chain risk records — tagged with the vendor, the affected component, the CVSS score, and the EPSS exploitation probability.
Manual entry. Risk practitioners create risks directly from the library, from scratch, or by promoting an observation. All four sources land in the same register, follow the same lifecycle, and produce the same audit trail.
Open, Escalated, In Mitigation, Accepted, Closed, Expired. Each transition is a named action — Escalate, Begin Mitigation, Mitigate, Accept, Close, Reopen, Expire — with required evidence and audit-logged actor, timestamp, before-state, after-state, and free-text justification.
Risk acceptance is the highest-stakes transition. Accept-strategy plans require an executive approver, an expiration date, and a 30-day renewal reminder. Approver identity, timestamp, and request context (IP address, user agent) are captured as SOX and ISO 31000 evidence. Expired acceptances reappear in the open queue automatically.
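The lifecycle and acceptance rules above are concrete enough to model. The following is an added example written for this page, not RiskOps code: it enforces the six states and seven named actions, refuses an Accept without an executive approver, a future expiration and request context, records before/after state on every transition, and expires lapsed acceptances back into the open queue. The source state allowed for each action, the evidence field names, the "executive" role string and the rule that Expired risks sit in the open queue are assumptions made for the illustration.

```python
"""Risk lifecycle state machine with an append-only audit trail.

Added example, not RiskOps code. States and action names come from the
page; the per-action source states, evidence field names, approver role
name and open-queue rule are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# action -> (states it may be taken from, resulting state); mapping assumed
TRANSITIONS = {
    "Escalate":         ({"Open"}, "Escalated"),
    "Begin Mitigation": ({"Open", "Escalated"}, "In Mitigation"),
    "Mitigate":         ({"In Mitigation"}, "Closed"),
    "Accept":           ({"Open", "Escalated"}, "Accepted"),
    "Close":            ({"Open", "Escalated", "In Mitigation"}, "Closed"),
    "Reopen":           ({"Closed", "Expired"}, "Open"),
    "Expire":           ({"Accepted"}, "Expired"),
}
ACCEPT_EVIDENCE = ("approver", "approver_role", "expires", "ip", "user_agent")
RENEWAL_WINDOW = timedelta(days=30)


class TransitionError(ValueError):
    """Transition not allowed from this state, or evidence incomplete."""


@dataclass
class AuditEntry:
    actor: str
    at: datetime
    action: str
    before: str
    after: str
    justification: str
    evidence: Dict[str, object]


@dataclass
class Risk:
    risk_id: str
    source: str                      # provenance, e.g. "livethreat:scan-42"
    state: str = "Open"
    acceptance_expires: Optional[datetime] = None
    audit: List[AuditEntry] = field(default_factory=list)


def _check_acceptance(evidence: Dict[str, object], now: datetime) -> None:
    """Accept needs an executive approver, a future expiry and request context."""
    missing = [k for k in ACCEPT_EVIDENCE if k not in evidence]
    if missing:
        raise TransitionError(f"acceptance evidence missing: {missing}")
    if evidence["approver_role"] != "executive":
        raise TransitionError("acceptance requires an executive approver")
    if evidence["expires"] <= now:
        raise TransitionError("acceptance expiration must be in the future")


def transition(risk: Risk, action: str, actor: str, justification: str,
               evidence: Optional[Dict[str, object]] = None,
               now: Optional[datetime] = None) -> Risk:
    """Apply a named action, enforce its rules, append an audit entry."""
    now = now or datetime.now(timezone.utc)
    evidence = dict(evidence or {})
    if action not in TRANSITIONS:
        raise TransitionError(f"unknown action {action!r}")
    allowed_from, target = TRANSITIONS[action]
    if risk.state not in allowed_from:
        raise TransitionError(f"{action} is not allowed from {risk.state}")
    if not justification.strip():
        raise TransitionError("free-text justification is required")
    if action == "Accept":
        _check_acceptance(evidence, now)
        risk.acceptance_expires = evidence["expires"]
    risk.audit.append(AuditEntry(actor, now, action, risk.state, target,
                                 justification, evidence))
    risk.state = target
    return risk


def renewal_due(risk: Risk, now: datetime) -> bool:
    """True when an active acceptance is inside the 30-day renewal window."""
    return (risk.state == "Accepted" and risk.acceptance_expires is not None
            and risk.acceptance_expires - now <= RENEWAL_WINDOW)


def sweep_expired(risks: List[Risk], now: datetime) -> List[str]:
    """Expire lapsed acceptances under a system actor; returns expired ids."""
    expired = []
    for r in risks:
        if r.state == "Accepted" and r.acceptance_expires and r.acceptance_expires <= now:
            transition(r, "Expire", "system", "acceptance expiration date passed", now=now)
            expired.append(r.risk_id)
    return expired


def open_queue(risks: List[Risk]) -> List[str]:
    """Expired acceptances re-enter the queue next to Open and Escalated risks."""
    return [r.risk_id for r in risks if r.state in ("Open", "Escalated", "Expired")]


def run_scenario() -> Dict[str, object]:
    """Walk one constructed sample risk through Accept, reminder and expiry."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    risk = Risk("R-1", "livethreat:scan-42")
    evidence = {"approver": "cfo", "approver_role": "executive",
                "expires": t0 + timedelta(days=90),
                "ip": "203.0.113.7", "user_agent": "Mozilla/5.0"}
    transition(risk, "Accept", "analyst", "tail risk within appetite", evidence, now=t0)
    try:  # a non-executive approver must be refused
        transition(Risk("R-2", "manual"), "Accept", "analyst", "x",
                   dict(evidence, approver_role="manager"), now=t0)
        rejected = False
    except TransitionError:
        rejected = True
    return {"after_accept": risk.state, "non_executive_rejected": rejected,
            "renewal_due_day_10": renewal_due(risk, t0 + timedelta(days=10)),
            "renewal_due_day_61": renewal_due(risk, t0 + timedelta(days=61)),
            "expired_day_91": sweep_expired([risk], t0 + timedelta(days=91)),
            "open_queue": open_queue([risk]),
            "audit_actions": [e.action for e in risk.audit]}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the design is that the audit entry is written by the same function that enforces the rule, so there is no path to an Accepted state without the approver, expiry and request context on record, and the expiry sweep reuses the same transition so the return to the open queue is itself audited.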
Accept, Avoid, Mitigate, Transfer, Combination. Each treatment plan carries justification, target completion date, estimated cost, and estimated effort hours. Inline milestone CRUD with status pills tracks progress; the milestone status surfaces in the dashboard alongside the risk it belongs to.
Treatment strategy is per-risk, not per-program. The same register hosts vendor concentration risks under Mitigate, regulatory exposure under Avoid, financially-bounded exposures under Transfer, and tail-risk under Accept — each appropriate, each defensible.
KRIs attach to risks and surface threshold breaches in the dashboard. The KRI watchlist shows red-amber-green status across the portfolio and links each metric back to the risks it indicates. KRI breaches can trigger workflow — escalation, treatment-plan review, or alert routing to the on-call rotation.
Exceptions are accept-strategy plans with a finite life. The exception register tracks every active exception, the approver, the expiration, and the compensating controls cited as justification. Attestation cycles run on a configurable cadence — quarterly for high-risk, annual for steady-state — with prior-cycle pre-population and digital signature capture.
ServiceNow GRC for enterprises that already run on it — risks open as records in the destination, closures sync back, and drift detection flags records whose state in the destination no longer matches the register. Jira for engineering-led organizations. PagerDuty for critical-severity escalation. Microsoft Teams via Adaptive Cards. GitHub Issues for SBOM-driven supply chain findings. Generic HMAC-signed webhooks for any other destination.
Every outbound dispatch, every inbound update, and every drift event is captured in the integration audit log.
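A receiver of the generic HMAC-signed webhooks has to verify the signature correctly or the signing buys nothing. The following is an added example, not RiskOps code, showing both sides of such an exchange: the sender MACs a timestamp together with the raw body, and the receiver checks freshness, compares the MAC in constant time over the raw bytes, and only then parses the JSON. The page does not document the actual scheme, so the header names, the "v1=" prefix, the timestamp binding and the 300-second replay window are assumptions made for the illustration; the event payload is a constructed sample.

```python
"""HMAC-signed webhook dispatch and verification.

Added example, not RiskOps code. Header names, the "v1=" prefix, the
timestamp binding and the replay window are assumptions for this
illustration; the page only states that the webhooks are HMAC-signed.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple, Union

SIG_HEADER = "X-Webhook-Signature"   # assumed header names
TS_HEADER = "X-Webhook-Timestamp"
REPLAY_TOLERANCE = 300               # seconds of clock skew tolerated; assumed


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """MAC over timestamp and raw body, so neither can be swapped independently."""
    msg = str(timestamp).encode() + b"." + body
    return "v1=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_dispatch(secret: bytes, event: dict,
                   timestamp: Optional[int] = None) -> Tuple[Dict[str, str], bytes]:
    """Sender side: serialize deterministically, then sign the exact bytes sent."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    headers = {"Content-Type": "application/json",
               TS_HEADER: str(ts),
               SIG_HEADER: sign(secret, ts, body)}
    return headers, body


def verify_dispatch(secret: bytes, headers: Dict[str, str], body: bytes,
                    now: Optional[int] = None) -> Tuple[bool, Union[str, dict]]:
    """Receiver side. Returns (True, payload) or (False, reason).

    Order matters: reject stale timestamps first, then compare the MAC in
    constant time over the raw bytes, and parse JSON only after that.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers[TS_HEADER])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > REPLAY_TOLERANCE:
        return False, "timestamp outside replay window"
    expected = sign(secret, ts, body)
    if not hmac.compare_digest(expected, headers.get(SIG_HEADER, "")):
        return False, "signature mismatch"
    return True, json.loads(body)


# Constructed sample: a lifecycle transition event as a register might emit it.
SAMPLE_EVENT = {"risk_id": "R-1", "action": "Escalate",
                "before": "Open", "after": "Escalated", "actor": "analyst"}
SECRET = b"shared-webhook-secret"   # would come from config, never from the request


def demo() -> Dict[str, object]:
    """Good delivery, tampered body, replayed delivery and wrong secret."""
    sent_at = 1_700_000_000
    headers, body = build_dispatch(SECRET, SAMPLE_EVENT, timestamp=sent_at)
    return {
        "fresh": verify_dispatch(SECRET, headers, body, now=sent_at + 10),
        "tampered": verify_dispatch(SECRET, headers, body + b" ", now=sent_at + 10),
        "replayed": verify_dispatch(SECRET, headers, body, now=sent_at + 3600),
        "wrong_secret": verify_dispatch(b"other", headers, body, now=sent_at + 10),
        "no_headers": verify_dispatch(SECRET, {}, body, now=sent_at + 10),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two details a practitioner should carry over: verify against the raw request bytes rather than a re-serialized copy of the parsed JSON, because any difference in key order or whitespace changes the MAC, and use `hmac.compare_digest`, never `==`, so the comparison does not leak how many leading bytes matched. The timestamp bounds the replay window but does not eliminate replays inside it; a receiver that must be exactly-once should also record delivery ids it has already processed.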
Every state transition logged with actor, timestamp, before-state, after-state, and justification. Every accept-strategy approval signed and IP-stamped. Every auto-generated risk carries the source signature back to the originating assessment, scan, or report. Compliance Pack export bundles the risk decision audit, finding lifecycle, score override report, and AI generation log into a single signed archive auditors can verify independently.
Indefinite retention by default for risk audit data. Legal hold pins specific entities so they cannot be deleted, archived, or purged regardless of retention configuration.
RiskOps is included in Enterprise. Vendor risk register is included from RR Core; enterprise-scoped risks and the full treatment / KRI / exceptions surface require Enterprise.