Risks
Risk tracking, ownership, and the way Meridian keeps exposure tied to the controls and findings that drive it.
Scope
Risk registers lose value when they drift away from the controls, evidence, and remediation state they are meant to represent. This public guide keeps that linkage visible and removes private internals.
Creating a Risk
- Open Risk in the sidebar to land on the relevant workflow.
- Pick the target program from the program selector at the top.
- Click New Risk.
- Fill in:
  - Risk Reference: Unique identifier within the program (e.g., “RISK-001”)
  - Category: Technical, Operational, Compliance, Strategic, or Financial
  - Title: Brief description of the risk
  - Likelihood (1–5) and Impact (1–5) — inherent score is computed automatically
- Optionally add description, treatment strategy, treatment plan, and residual scoring.
The new risk lands on the risk detail page where you can transition its status, link mitigating controls, edit, or delete it.
Editing a Risk
- Open the risk detail page (the relevant workflow).
- Click Edit in the header. This navigates to the relevant workflow.
- Update any field — risk reference, title, category, likelihood, impact, treatment strategy, treatment plan, residual scoring, or review date.
- Click Save Changes. The inherent and residual scores recompute on submit; the backend rejects the save if you set residual likelihood or residual impact without the other.
Status changes are not edited inline on this form. They are made from the status-action toolbar on the detail page so the state-machine guard is explicit and confirms before each transition.
Deleting a Risk
- Open the risk detail page (the relevant workflow).
- Click Delete in the header.
- Confirm in the dialog. The risk and all of its mitigating-control links are removed in a single transaction. The control rows themselves are not touched.
Deletion is permanent and audit-logged. The Delete button is hidden when the parent program is archived — archived programs are immutable to preserve historical state.
Understanding the Heat Map
Navigate to the relevant workflow to see the 5x5 grid:
- Y-axis: Likelihood (1 at bottom, 5 at top)
- X-axis: Impact (1 at left, 5 at right)
- Color: Green (low) → Yellow (medium) → Red (high/critical)
- Number in cell: Count of risks at that score combination
Toggle between Inherent (pre-treatment) and Residual (post-treatment) views.
Click a cell to see the specific risks at that score.
Risk Score Interpretation
| Score | Level | Action |
|---|---|---|
| 1–5 | Low | Monitor, review annually |
| 6–10 | Medium | Treat or accept with justification |
| 11–15 | High | Active treatment required |
| 16–25 | Critical | Immediate action required |
Updating Risk Status
Risk status tracks treatment progress:
- Open → Treating: Start active treatment
- Treating → Accepted: Accept residual risk after treatment
- Any → Closed: Risk no longer applicable
Closed is permanent
Closing a risk is one-way. Once you transition a risk to Closed, the status-action toolbar stops offering any further transitions and the backend rejects any attempt to move it back to Open, Treating, or Accepted with a 422 error. This is deliberate — a closed risk is frozen audit evidence, and every compliance framework Meridian supports expects the risk register to be an immutable record of decisions once a risk is resolved.
If a closed risk recurs and needs active tracking again, create a new risk with a fresh risk reference. Link back to the closed one from the new risk’s description so the history stays traceable. Do not try to “undo” the closure — there is no undo.
The Closed button is shown as the final action on the status toolbar specifically so operators notice that clicking it is a terminal decision. Think of it like archiving — the record stays, but you cannot change it afterward.
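The scoring rules, the save-time residual check, the score bands, the status state machine and the heat-map cell counts described in the sections above, as an added Python model that is not Meridian's own code. It assumes only the transitions the page lists (Open → Treating, Treating → Accepted, any → Closed) and stands in for the backend's 422 rejection with a plain exception.

```python
from typing import Dict, Iterable, Optional, Tuple

# Score bands from the "Risk Score Interpretation" table: (upper bound, level).
LEVELS = ((5, "Low"), (10, "Medium"), (15, "High"), (25, "Critical"))
# Transitions listed under "Updating Risk Status"; Closed offers none.
TRANSITIONS = {"Open": {"Treating", "Closed"}, "Treating": {"Accepted", "Closed"},
               "Accepted": {"Closed"}, "Closed": set()}

class TransitionError(Exception):
    """Stands in for the backend's 422 rejection of a disallowed status move."""

def score(likelihood: int, impact: int) -> int:
    """Likelihood (1-5) x Impact (1-5), computed automatically on the form."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be between 1 and 5")
    return likelihood * impact

def level(value: int) -> str:
    """Map a 1-25 score onto its Low/Medium/High/Critical band."""
    if not 1 <= value <= 25:
        raise ValueError(f"score {value} is outside 1-25")
    return next(name for upper, name in LEVELS if value <= upper)

def residual_score(likelihood: Optional[int], impact: Optional[int]) -> Optional[int]:
    """Save rule: residual likelihood and impact are set together or not at all."""
    if (likelihood is None) != (impact is None):
        raise ValueError("set residual likelihood and residual impact together")
    return None if likelihood is None else score(likelihood, impact)

def transition(current: str, new_status: str) -> str:
    """Return the new status, or reject it the way the status toolbar and backend do."""
    # Closed is terminal: its transition set is empty, so every move away is rejected.
    if new_status not in TRANSITIONS.get(current, set()):
        raise TransitionError(f"{current} -> {new_status} rejected (422)")
    return new_status

def heat_map(pairs: Iterable[Tuple[Optional[int], Optional[int]]]) -> Dict[Tuple[int, int], int]:
    """Count risks per (likelihood, impact) cell, as the 5x5 grid displays."""
    cells: Dict[Tuple[int, int], int] = {}
    for likelihood, impact in pairs:
        if likelihood is None or impact is None:
            continue  # unscored residuals have no cell on the residual view
        cells[(likelihood, impact)] = cells.get((likelihood, impact), 0) + 1
    return cells
```

Pass inherent (likelihood, impact) pairs to `heat_map` for the Inherent view and residual pairs for the Residual view; risks without residual scoring simply drop out of the residual grid.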
Treatment Planning
- Set Treatment Strategy: mitigate, accept, transfer, or avoid
- Write the Treatment Plan: specific steps being taken
- Set a Review Date for re-assessment
- Link Controls: identify which controls mitigate this risk
Linking Controls
From the risk detail page you can link existing controls that mitigate the risk. Controls must belong to the same compliance program as the risk.
- On the risk detail page, click Link Control in the “Mitigating Controls” section.
- A searchable picker appears. Type a control ref or title to find a control in this program. Controls already linked to this risk are hidden so you can never double-link.
- Pick a control and click Link Control.
- To remove a link, click Remove next to the linked control row and confirm in the dialog.
Use the risk-to-control linkage to demonstrate that controls address identified risks — this is evidence of risk treatment in a SOC 2 audit.