
Risk management in Nuxari: risk fields, statuses, treatment options, how unresolved high risks block control readiness, and risk acceptance requirements.

Last updated: June 2026

Risk management in Nuxari

The risk register is the central record of information security risks your organization has identified, assessed, and decided to treat. Both SOC 2 and ISO 27001 require demonstrated risk management — auditors expect to see that risks have been identified, assessed, and formally treated with documented rationale.

Nuxari structures risk management around the register. Risks are linked to controls, and unresolved high or critical risks can block control readiness until they are treated or formally accepted.

Risk fields

Each risk in the register includes:

  • Title and description. What the risk is and which systems or processes it affects.
  • Likelihood. How probable the risk is to occur (low, medium, high).
  • Impact. How severe the consequences would be if the risk materialized (low, medium, high, critical).
  • Inherent risk. The calculated risk level before any controls are applied, derived from likelihood and impact.
  • Treatment plan. The chosen treatment option and the specific actions taken.
  • Risk owner. The person responsible for the risk treatment and ongoing monitoring.
  • Residual risk. The remaining risk level after controls and treatment are applied.

Risk treatment options

Mitigate

Implement controls to reduce the likelihood or impact of the risk. This is the standard treatment for most identified risks.

Accept

Formally acknowledge the risk and decide not to implement additional controls at this time. Requires documented rationale and authorization from the Client Owner. Accepted risks are still tracked.

Transfer

Shift the risk to a third party — for example, through insurance, a vendor contract, or a managed service agreement.

Avoid

Eliminate the activity or condition that creates the risk. This may involve decommissioning a system, discontinuing a process, or removing a feature.

How unresolved risks block control readiness

Controls linked to risks with a high or critical inherent risk that have no treatment plan — or whose treatment plan is incomplete — are blocked. This prevents a control from showing as ready for audit while known risks remain untreated. To unblock the control, implement a mitigation, formally accept the risk with documented rationale, transfer it, or avoid it.

Risk acceptance must be authorized by a Client Owner. Governance Operators and Client Admins cannot accept risks on behalf of the organization. This requirement reflects the principle that accepting residual risk is a business decision requiring senior authorization.

Risk review cadence

ISO 27001 requires periodic risk reviews — at least annually and when significant changes occur. Nuxari tracks each risk's last review date and surfaces overdue reviews. Unreviewed risks past their due date may block related controls depending on your organization's policy settings.
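The readiness gate described above (high or critical inherent risk with no completed treatment blocks a control, acceptance is reserved to the Client Owner, and overdue reviews may block depending on policy) can be modelled as a small policy check. This is an added illustration, not Nuxari's code; the page does not state how inherent risk is derived from likelihood and impact, so the model assumes the higher of the two levels, and the role names and sample risks are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumption: the page does not give Nuxari's inherent-risk matrix; take the higher level.
LEVELS = ["low", "medium", "high", "critical"]

def inherent_risk(likelihood: str, impact: str) -> str:
    """Derive inherent risk (low..critical) from likelihood and impact."""
    return max(likelihood, impact, key=LEVELS.index)

@dataclass
class Risk:
    title: str
    likelihood: str                        # low | medium | high
    impact: str                            # low | medium | high | critical
    treatment: Optional[str] = None        # mitigate | accept | transfer | avoid
    treatment_complete: bool = False       # actions in the treatment plan done
    acceptance_rationale: Optional[str] = None
    accepted_by_role: Optional[str] = None
    last_review: Optional[str] = None      # ISO date of the last risk review

    def is_treated(self) -> bool:
        if self.treatment == "accept":
            # Acceptance only counts with a rationale and Client Owner authorization.
            return bool(self.acceptance_rationale) and self.accepted_by_role == "Client Owner"
        return self.treatment is not None and self.treatment_complete

def accept_risk(risk: Risk, actor_role: str, rationale: str) -> Risk:
    """Formally accept a risk; Governance Operators and Client Admins are refused."""
    if actor_role != "Client Owner":
        raise PermissionError(f"{actor_role} cannot accept risks for the organization")
    if not rationale.strip():
        raise ValueError("risk acceptance requires a documented rationale")
    risk.treatment, risk.acceptance_rationale, risk.accepted_by_role = "accept", rationale, actor_role
    return risk

def control_blockers(linked_risks: List[Risk], today: str, block_on_overdue: bool = False) -> List[str]:
    """Return the reasons a control is not audit-ready, given its linked risks."""
    reasons = []
    for r in linked_risks:
        level = inherent_risk(r.likelihood, r.impact)
        if level in ("high", "critical") and not r.is_treated():
            reasons.append(f"{r.title}: {level} inherent risk without completed treatment")
        # Annual review: overdue if never reviewed or reviewed more than a year ago.
        overdue = r.last_review is None or (
            date.fromisoformat(today) - date.fromisoformat(r.last_review) > timedelta(days=365))
        if block_on_overdue and overdue:
            reasons.append(f"{r.title}: risk review overdue")
    return reasons
```

An empty list from `control_blockers` means the control's linked risks no longer hold it back; each string is one reason an auditor-facing readiness view would show.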
