What is risk and incident management?
Risk and incident management allows you to take every risk and incident and log it as ‘managed’. This helps you work through your risks and incidents, and ultimately get to a point where all risks and incidents are considered ‘managed’. The goal of ‘managing’ risks and incidents is to provide an audit trail and internal workflow system to show auditors that you’re compliant with risk and incident management related compliance requirements.

Risks and incidents can be ‘managed’ manually by you, manually by the supplier through the corrective action workflow, and automatically via management rules. Risks should in general be managed en masse or automatically by defining preventative actions taken by you or the supplier. Due to the way Responsibly identifies risks (at the granular per supplier, per parameter level) there will be a lot of risks to manage, hence the need for managing them at scale. This can be done through ‘management rules’ or manually via multi-select. Read more below.

Incidents, on the other hand, should be managed individually to ensure you’ve seen the incident and have taken a qualified decision on whether corrective action is warranted. However, for very large accounts, the number of incidents can still be significant. Fortunately, most if not all supply chain due diligence regulations acknowledge that it’s okay to prioritize incident management with your suppliers. This can be done either by prioritizing certain supplier segments or, better yet, by prioritizing according to the analytics we provide, tackling the most severe incidents for the most severe topics first.
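To make the workflow above concrete, here is an added example (not Responsibly’s own code) of a minimal register that records every management event with a reason, user and timestamp, applies a management rule in bulk to open risks, and orders open incidents by severity. The item kinds, supplier names, parameters and the 1–5 severity scale are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List

@dataclass
class Item:
    kind: str         # "risk" or "incident"
    supplier: str     # one item exists per supplier, per parameter
    parameter: str
    severity: int     # constructed 1-5 scale, 5 = most severe
    status: str = "open"

@dataclass
class AuditEvent:
    item: Item
    action: str       # e.g. "mitigated", "seen", "invalid", "irrelevant"
    reason: str
    user: str
    at: datetime

class Register:
    def __init__(self) -> None:
        self.items: List[Item] = []
        self.audit: List[AuditEvent] = []   # append-only audit trail

    def manage(self, item: Item, action: str, reason: str, user: str) -> None:
        """Every status change is logged with who did it and when."""
        item.status = action
        self.audit.append(AuditEvent(item, action, reason, user,
                                     datetime.now(timezone.utc)))

    def apply_rule(self, predicate: Callable[[Item], bool], action: str,
                   reason: str, user: str = "management-rule") -> int:
        """Management rule: bulk-manage all open risks matching predicate."""
        hits = [i for i in self.items
                if i.kind == "risk" and i.status == "open" and predicate(i)]
        for i in hits:
            self.manage(i, action, reason, user)
        return len(hits)

    def incident_queue(self) -> List[Item]:
        """Open incidents, most severe first, for individual review."""
        open_inc = [i for i in self.items if i.kind == "incident" and i.status == "open"]
        return sorted(open_inc, key=lambda i: -i.severity)

def demo() -> Register:
    reg = Register()
    for supplier in ("SupplierA", "SupplierB"):          # constructed sample data
        for param in ("water_use", "working_hours"):
            reg.items.append(Item("risk", supplier, param, 3))
    reg.items.append(Item("incident", "SupplierB", "working_hours", 5))
    reg.items.append(Item("incident", "SupplierA", "water_use", 2))
    # Preventative action covers every water_use risk, so a rule manages them at once.
    reg.apply_rule(lambda r: r.parameter == "water_use", "mitigated",
                   "Supplier signed water stewardship commitment")
    return reg
```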
Managing risks manually
On the ‘Risk Management’ and ‘Incident Management’ pages every risk and incident can be managed by clicking the 3 dots on the right of the table. The user has x options:
- Mark as Mitigated: The incident or risk has been mitigated. You’re guided to a dialogue that lets you log the reason. The user and timestamp of the management event are also logged for auditability.
- Mark as Seen: The incident or risk is marked as ‘Seen’. This does not change the effect on the risk.
- Create Task:
- Mark as Invalid:
- Mark as Irrelevant:
- Rename ‘Accept’ on incident management to ‘Mark as Seen’ so it matches risk management wording
- Kill ‘Downgrade to risk’ on incidents
- Merge Mark as Invalid and Mark as Irrelevant into 1 ‘workflow’