Hi Guys, please can you help advise me here. We have completed the risk assessment and the asset owners are populating the risk treatment table with treatment options. However there was a good number of months between completing the risk assessment and where we are today. As a result the assets have changed in several departments meaning some items in the current risk assessment are not relevant. It also means any new or replaced assets need to be re-assessed.
So the question is:-
1) Do we just delete those irrelevant risks from the inventory of assets, risk assessment table and the risk treatment process, and just deal with the new assets in next year's overall risk assessment?
2) Or do we update those documents according to document control procedures and (i.e. update the asset inventory; risk assessment table to reflect new and removed assets; apply the treatment to the new assets)?
You should not change the initial inventory of assets, risk assessment table and the risk treatment table, because they are records about the situation at the time they were elaborated. The right thing to do is to create an updated version of them as you mentioned in option 2.
Regarding dealing with the new assets in next year, to make this decision you must evaluate the impacts of such changes in your risk scenario. Since you mentioned that assets have changed in several departments, probably your risk scenario has also changed too and you should perform a new risk assessment as soon as possible.