
MyRISK Trace

When a risk decision is challenged, will the record hold up?

Trace captures the evidence, rationale, approvals, exceptions, actions and history behind high-stakes risk decisions so your organisation can explain and defend them later.


Important decisions cannot live only in email, meetings and disconnected tools

AI approvals, supplier exceptions, risk acceptances, policy deviations, control waivers and cyber investment decisions all need a clear record. When scrutiny arrives, it should be easy to show what was decided, why it was decided, what evidence was used, who approved it and when it will be reviewed.

Trace is for the decisions where the outcome is not enough. You need the reasoning, evidence and governance trail as well.

Use Trace where the decision trail matters

AI approvals

Capture why an AI use case was approved, restricted or rejected.

Supplier exceptions

Record supplier risk, evidence, compensating controls, conditions and approvals.

Risk acceptance

Standardise the rationale, owner, expiry date, approval path and review cycle.

Policy exceptions

Move exception decisions out of email and into a governed workflow.

Control waivers

Show why a control gap was accepted, what mitigations exist and when it will be reviewed.

Cyber investment decisions

Connect cyber risk, evidence, control gaps, trade-offs and funding rationale.

Trace creates the record you need later

Without Trace, decisions are often spread across emails, meeting notes, ticket comments, spreadsheets, documents and risk registers. The decision may be known, but the reasoning is hard to reconstruct.

With Trace, each decision has a structured record of context, evidence, policy alignment, approvals, rationale, actions, owners, conditions and review dates.


A practical workflow for defensible decisions

Step 1: Define the decision

Clarify what is being decided, why it matters and what level of scrutiny it may face.

Step 2: Set the evidence standard

Define what assessments, documents, control information, supplier evidence or policy references are required.

Step 3: Route the approval

Capture review, challenge, approval, conditions and escalation in one workflow.

Step 4: Track actions and review

Keep conditions, remediation, expiry dates and review points visible.

Step 5: Produce the decision record

Generate a clear decision pack for audit, board, regulator, customer or internal review.

Start where scrutiny is highest

Most Trace engagements begin with one high-friction decision type. Choose the workflow that creates the most manual effort, the most uncertainty or the highest need for defensibility.

Common starting points:

  • Risk acceptance

  • Supplier exceptions

  • AI approvals

  • Policy exceptions

  • Control waivers

  • Audit-significant decisions

Decision Defensibility Diagnostic

In a focused diagnostic, MyRISK maps one critical decision workflow, identifies evidence and rationale gaps, and recommends the first Trace workflow to pilot.

Best-fit organisations:

  • A decision workflow map

  • A defensibility gap summary

  • Evidence pack recommendations

  • A recommended pilot workflow

  • A practical implementation path

Make your most important risk decisions easier to defend

Start with one decision workflow and build a repeatable model from there.
