A flow chart that starts with a box, Is the gross risk higher than risk appetite? An arrow with no leads to Accept risk. An arrow with yes leads to a box with: Is the current risk the same as the gross risk. An arrow with no leads to a box that contains: 1. List controls, 2. record evidence controls are effective (by design and operation). Another arrow with a yes leads to a box that contains: report risk is out of appetite. This box leads to another via an arrow that contains: Develop action plan to reduce risk level. An arrow then leads to a box that contains: Is the residual risk higher than risk appetite. A yes arrow leads to a box that contains: Have all treatment options been exhausted, which then goes to a yes arrow with a box that contains: Report that risk cannot be bought within appetite. Another arrow with a no comes from the previous box that contains: Implement action plan. Another arrow comes out of this box that leads to a box containing: Adjust current risk to new level post. Action plan to implementation. Back up to the box that contains 1. List controls, 2. record evidence controls are effective (by design and operation), an arrow coming from this box leads to a box that contains: based upon the evidence is the current level of risk supported. An arrow with a yes comes out of this and leads to another box that has: Is the current risk higher than appetite. A no arrow comes from this box and leads to a box that contains: Risk mitigated to acceptable level. a yes arrow leads to the box that contains report risk is out of appetite. Back to the box that contains: based upon the evidence is the current level of risk supported, an arrow with a no against it leads to a box containing: improve performance of existing controls. An arrow from this box leads back up to the box which contains: 1. List controls, 2. record evidence controls are effective (by design and operation).