Reporting
  • 1.  Risk Mitigation Plans

    This message was posted by a user wishing to remain anonymous
    Posted 03-19-2024 09:53 AM

    Hi TPRM Community!

    I have a question in regard to the risk mitigation process internally at your organization. I realize that it is dependent on the risk, controls, etc. However, what does the workflow look like to inform internal stakeholders on agreed remediation? I.e. does anyone have a swim lane diagram that they could share? Any insight to how the workflow is managed would be greatly appreciated. Thank you!



  • 2.  RE: Risk Mitigation Plans

    Posted 03-26-2024 03:27 PM

    While each organization will have its own processes in place, it is a reasonable question how and when to inform stakeholders of risk remediation plans. The key is to identify the roles that stakeholders hold in the individual process. This can be done using a simple RACI process. With each remediation plan, you should identify your R, A, C, and I stakeholders.

    R = Responsible for completing the tasks or taking ownership of the remediation.

    A = Accountable for ensuring the remediation is achieved (typically management).

    C = Consulted, must provide information or input on the remediation; two-way communication is required (think subject matter experts such as infosec, legal, compliance, etc.).

    I = Informed, these are stakeholders that need to know about the remediation, but have no ownership, approval authority or say in the specific remediation; one-way communication is required (other lines of business, or administrative roles responsible for record keeping, etc.).

    All "R, A, C" roles are involved in developing and finalizing the remediation plan, so by default they have awareness of the remediation.

    All other "I" roles can be informed on a regular basis through standardized reporting. For example, your issues management report should be updated weekly to list new remediation plans, owners, and timelines. Existing remediation plans' status should be updated. Ensuring that all stakeholders know where to find the weekly report is essential to making sure the process is effective. Taking this approach can save so much time and valuable resources, as you do not have to readjust the process each time.

    Of course, this is just one suggestion; I would love to hear from other members.