We would like to create a local risk since we have defined a local control that truly mitigates a local risk that does not fit in with our global risk catalog. We have tried to do this by going into the local subprocess assigned to an entity and then under the risk tab we can add a risk but that is only if the risk has already been defined. A local risk in our case would not already have been defined and thus we would need to create this and associate it to the subprocess and control. We have even tried creating this via the local control but again we have the ability to add a risk that has already been defined.
Is it that we should get this risk created under the 'risk classification' section of GCO and then association to the local control will make it automatically local and not central? I am assuming this is what we need to do. Let me know your thoughts.
Aman