¶ Why Complete and Confirm?
The Complete and Confirm step is the final step of the risk assessment and is a quality assurance and risk acceptance activity. The purpose of the step is to assign responsibility, and the decision-maker decides whether the:
- Counter-measures are sufficiently described (quality)
- Counter-measures are within a reasonable price range (cost)
- Risk is acceptable based on the risk assessment and the treatment plan (benefit)
- Treatments shall be implemented, by whom, and deadline (responsibility and time frame)
- Accept residual risk (risk ownership)
Residual risk is the risk that the organisation's management deliberately accepts and takes, which is why a decision-maker at the management level should carry out the signing step. A decision-maker in risk management is defined differently within organisations, but examples of appropriate roles are system owners, risk owner, and others. The decision to accept responsibility and risk is made formally and logged in Diri. Diri adds a lot of transparency to risk management and allow for escalation of severe risk.
¶ Signing the treatment plan and completing the risk assessment
Firstly, make sure that the decision-maker has access to the risk assessment. It is time to sign the risk treatment plan when the decision-maker deems the residual risk acceptable. Below is an example of a simple plan with only three treatments:
Click on the "Sign Risk Treatment plan" button to apply your signature and timestamp the plan. You will be asked to confirm your responsibility for the treatment plan. The Signed By field will be filled by your name, and Signed at will be time stamped with approval date and time. The Valid Until indicates the revision time set by the organisation. The revision time means how long the risk assessment will be valid before needing revision. Diri will notify you when the revision time is closing to an end. Notifications are set in My account in the main menu. At the same time, revision time adjustment is available for administrators in the settings.
¶ Archiving risk assessments (Not implemented)
Signing a Risk treatment plan will (soon) create an archinved version of the risk assessment as an audit trail. Such that you can scroll back to older assessments as needed.