A team identifies a new risk. As the GRC analyst, what do you do with it?
Short answer
Governance means the risk is captured and managed, not informally handled: record it in the risk register with assessed likelihood and impact, assign an accountable owner, decide and document the treatment (mitigate, transfer, accept, or avoid), and set a review date. Fixing it yourself on the spot skips ownership, prioritisation, and tracking, and may not even be your call. Ignoring it until it becomes an incident is negligent, and emailing everyone creates noise but no accountability or follow-through. The register turns a one-off observation into a tracked, owned, revisited decision.
A GRC analyst's job isn't to personally resolve every risk — it's to make sure each risk is identified, assessed, owned, decided on, and revisited. The risk register is the instrument that does this, and reaching for it is the disciplined response.
What "managing" a risk looks like
When a new risk surfaces, you record it so it can't be forgotten, then assess it — likelihood and impact — so it can be prioritised against everything else competing for attention. You assign an accountable owner, ideally the person with the authority and resources to act, not just whoever spotted it. You then make and document a treatment decision: mitigate (reduce it), transfer (insure or contract it away), accept (consciously live with it, with sign-off), or avoid (stop the activity). Finally you set a review date, because risk changes over time and an unrevisited register goes stale.
Why the wrong answers fail
Fixing it yourself on the spot feels proactive but skips ownership, prioritisation, and the audit trail — and the fix may not be yours to make or may not be the highest-value use of effort. Ignoring it until it becomes an incident is the definition of negligence; the whole point of risk management is to act before the loss event. Emailing everyone and moving on broadcasts the problem but assigns it to no one; diffuse responsibility means nothing actually gets done, and there's no record that a decision was ever taken.
The judgment being probed
The interviewer wants to see that you understand governance is about accountability and traceability, not heroics. A strong answer names the four treatment options correctly, distinguishes the risk owner from the finder, and recognises that even "accept" is a legitimate, documented decision when made by someone with the authority to own the residual risk. The register isn't bureaucracy for its own sake — it's how an organisation proves it knew about a risk, decided what to do, and followed through.
Likely follow-ups
- Who should own a risk — the person who found it, or someone else, and why?
- When is 'accept' a legitimate treatment, and what makes a risk acceptance valid?
- How do you prioritise a new risk against everything already in the register?