ES Risk and Compliance Management
Enterprise-grade Governance, Risk, and Compliance (GRC) solution built on the ES ERP Platform. Manage enterprise risks, ensure regulatory compliance, conduct audits, and maintain security — all in one integrated platform.
⚡ Key Features
🛡️ Risk Management
Risk Register with 30+ data fields for centralized risk documentation. Six risk categories (Strategic, Operational, Financial, Compliance, Technology, Reputational). Preventive, Detective, and Corrective Risk Controls. Budget-tracked Treatment Plans and a 5×5 Risk Matrix (Likelihood × Impact scoring) aligned with ISO 31000:2018 methodology.
✅ Compliance Management
Multiple Frameworks — ISO 27001, ISO 45001, ISO 55001:2024, ISO 31000:2018, GDPR, SOC 2, and more. Control Mapping links controls to framework requirements. Self-assessment, internal/external audits, gap analysis. Evidence Management and compliance scoring to track posture over time.
📝 Audit Management
Audit Planning across Internal, External, Compliance, Security, Financial, and Operational types. Finding Tracking with severity ratings and remediation workflows. Root cause analysis, evidence collection, and follow-up tracking to monitor finding closure rates.
🚨 Incident Management
Incident Types — Security Breach, Data Leak, System Outage, Policy Violation. Chronological Timeline Tracking, financial/operational/reputational Impact Assessment. Response actions for containment, eradication, and recovery. Lessons learned and post-incident review.
📄 Policy Management
Policy Types — Security, Compliance, HR, IT, Operational, Governance. Full Version Control with revision history. Review workflow (Draft → Review → Approved → Published). Approval tracking with designated authorities and effective date lifecycle management.
🏢 Vendor Risk Management
Comprehensive third-party Risk Assessments with Low/Medium/High/Critical classification. Due diligence via security questionnaires and certifications. Mitigation Tracking for contractual and technical safeguards with automated review scheduling.
📊 Risk Assessment Framework — 5×5 Risk Scoring Matrix
Our risk assessment uses a standardized 5×5 matrix combining Likelihood and Impact scores, aligned with ISO 31000:2018 risk assessment methodology. Risk scores range from 1 (lowest) to 25 (highest).
Matrix legend, from the highest score band to the lowest:
- Immediate action required
- Senior management attention
- Management responsibility
- Routine procedures
Likelihood (1–5) × Impact (1–5) = Risk Score. Scoring aligned with ISO 31000:2018 qualitative risk analysis methodology.
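The scoring rule above, worked through in code as an added illustration (this is not the product's own code). The page gives the 1 to 25 score range and four bands but not the band cut-offs, so the thresholds in `BANDS` are an assumption of this example; the escalation labels come from the matrix legend. The example also carries the inherent/residual "dual-layer" idea by scoring a risk before and after controls with the same matrix.

```python
"""Worked 5x5 risk matrix: Likelihood (1-5) x Impact (1-5) = Risk Score (1-25).

Added example; not the product's code. Band cut-offs below are ASSUMED
(the page states four bands but no thresholds).
"""
from dataclasses import dataclass

# Assumed band floors, highest first: score >= floor selects that band.
BANDS = (
    (16, "Critical"),
    (10, "High"),
    (5, "Medium"),
    (1, "Low"),
)

# Escalation legend as given on the page, keyed by band name.
ACTIONS = {
    "Critical": "Immediate action required",
    "High": "Senior management attention",
    "Medium": "Management responsibility",
    "Low": "Routine procedures",
}


def risk_score(likelihood: int, impact: int) -> int:
    """Multiply likelihood by impact after checking both are integers in 1..5."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a 1..25 score to a band using the assumed floors in BANDS."""
    if not 1 <= score <= 25:
        raise ValueError(f"score must be in 1..25, got {score!r}")
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise AssertionError("unreachable: BANDS must cover 1..25")


def required_action(score: int) -> str:
    """Escalation label for a score, per the matrix legend."""
    return ACTIONS[risk_band(score)]


@dataclass(frozen=True)
class RiskAssessment:
    """Dual-layer assessment: inherent (before controls) and residual (after)."""
    title: str
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int
    residual_impact: int

    def __post_init__(self) -> None:
        # Validate ranges up front and insist controls never make a risk worse.
        risk_score(self.inherent_likelihood, self.inherent_impact)
        risk_score(self.residual_likelihood, self.residual_impact)
        if (self.residual_likelihood > self.inherent_likelihood
                or self.residual_impact > self.inherent_impact):
            raise ValueError("residual likelihood/impact cannot exceed inherent values")

    @property
    def inherent_score(self) -> int:
        return risk_score(self.inherent_likelihood, self.inherent_impact)

    @property
    def residual_score(self) -> int:
        return risk_score(self.residual_likelihood, self.residual_impact)

    def summary(self) -> dict:
        """Both layers with band and required action, as a register-style record."""
        return {
            "title": self.title,
            "inherent_score": self.inherent_score,
            "inherent_band": risk_band(self.inherent_score),
            "residual_score": self.residual_score,
            "residual_band": risk_band(self.residual_score),
            "action": required_action(self.residual_score),
        }


def matrix_table() -> list:
    """The full 5x5 grid: rows are likelihood 1..5, columns are impact 1..5."""
    return [[risk_score(lk, im) for im in range(1, 6)] for lk in range(1, 6)]


if __name__ == "__main__":
    # Constructed sample risk: likely and severe before controls, reduced after.
    sample = RiskAssessment("Unpatched internet-facing service", 4, 5, 2, 4)
    for row in matrix_table():
        print(" ".join(f"{v:2d}" for v in row))
    print(sample.summary())
```

Because the band floors are assumptions, a deployment would replace `BANDS` with the organisation's own criteria from its ISO 31000 risk criteria definition; the validation and the inherent/residual split do not depend on the cut-off values.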
📋 Supported Compliance Frameworks
🆕 ISO 31000:2018 — Risk Management Guidelines
The international standard for risk management — providing principles, a framework, and a process applicable to any organisation, industry, or sector. ISO 31000 defines risk as the effect of uncertainty on objectives.
Principles
Eight principles: Integrated, Structured & comprehensive, Customised, Inclusive, Dynamic, Best available information, Human & cultural factors, Continual improvement.
Framework
Organisational infrastructure: Leadership & commitment, Integration, Design, Implementation, Evaluation, and Improvement — embedded in all organisational activities.
Process
Iterative risk management lifecycle: Communication & consultation → Scope, context & criteria → Risk assessment (identify, analyse, evaluate) → Treatment → Monitoring & review → Recording & reporting.
ISO 31000 capabilities in the module:
- Likelihood × Consequence scoring with four risk bands (Low, Medium, High, Critical)
- Treatment options: Avoid, Reduce/Modify, Share/Transfer, Accept/Retain, Exploit (Opportunity)
- Dual-layer assessment with control effectiveness tracking
- Risk criteria: appetite, tolerance, threshold, and capacity — As Low As Reasonably Practicable
🆕 ISO 55001:2024 & ISO 55002:2018 — Asset Management
The ISO 55000 family provides the international standard for asset management systems. ISO 55001:2024 (second edition, replacing 2014) specifies requirements for establishing, implementing, maintaining, and improving an asset management system. ISO 55002:2018 provides practical guidance for applying those requirements.
ISO 55001:2024 — Requirements
Specifies requirements for an asset management system applicable to all asset types and organisation sizes. Key 2024 changes include: new subclauses on asset management decision-making and value (4.5), separation of risk and opportunity (6.1.2/6.1.3), simplified SAMP requirements, stronger emphasis on leadership, new sections on data/information and knowledge management, and lifecycle operations in planning & control.
ISO 55002:2018 — Application Guidelines
Provides guidance for applying the ISO 55001 requirements. Covers Strategic Asset Management Plan (SAMP) development (Annex A), leadership and commitment, planning asset management objectives, risk and reward decision-making, operational planning and control, outsourcing requirements, performance evaluation, and continuous improvement. A new revision aligned with ISO 55001:2024 is currently in development (CD stage).
ISO 55001:2024 Key Clauses Mapped to ES ERP

| Clause | What it covers |
| --- | --- |
| Clause 6.2.1 | Simplified SAMP positioned as key planning artefact |
| Clause 8.1 | Acquisition through operation to disposal |
| Clauses 6.1.2 / 6.1.3 | Now separated — risk and opportunity as mutually supportive |
| Clause 4.5 (NEW) | Connecting decisions at all organisational levels |
| New Sections | Configuration management, tacit knowledge, data assets (see ISO 55013) |
| Clause 9.1 | Monitoring, measurement, analysis, and evaluation of asset performance |
🧩 Module Components
🔗 Integration & Compatibility
🔧 Technical Requirements
ES ERP 15+ Framework, Python 3.10+, MariaDB 10.6+ or PostgreSQL 13+, Node.js 18+
🔌 ES ERP Integration
Links to User for ownership, Company for multi-company, Employee for HR risks, Supplier for vendors, Project for project risks
🌐 API Access
Full REST API for all DocTypes, webhook support, standard Frappe API endpoints, bulk import/export, custom report generation
Technical Specifications
Platform
- ✓ ES ERP Framework
- ✓ ES ERP 15+
- ✓ 15 Custom DocTypes
- ✓ 150+ Fields
Standards
- ✓ ISO 31000:2018 Risk Mgmt
- ✓ ISO 55001:2024 Asset Mgmt
- ✓ ISO 55002:2018 Guidelines
- ✓ ISO 27001 / ISO 45001
Compliance
- ✓ 10 Frameworks Supported
- ✓ 31 Control Sets
- ✓ GDPR & SOC 2 Type II
- ✓ Custom Framework Support
Management
- ✓ 6 Audit Types
- ✓ Incident Response Workflow
- ✓ Policy Versioning
- ✓ Vendor Risk Assessment
Ready to Transform Your GRC Program?
Get started with ES Risk and Compliance Management today. ISO 31000 risk management, ISO 55001 asset management, and comprehensive compliance — all in one integrated platform.
ES Risk Compliance v3.0.0 | Built for Australian Businesses
© 2026 Enterprise Systems Australia