Risk waivers
      Back to home
      1. UpGuard Knowledge Base
      2. UpGuard Breach Risk
      3. Risk waivers

      How to use Subsidiary Risk Waivers

      Learn how to use Subsidiary Risk Waivers to acknowledge and accept specific risks identified in your child subsidiaries' infrastructure.

      Subsidiary Risk Waivers let you acknowledge and accept specific risks identified in your child subsidiaries' infrastructure. This is useful when a risk has been correctly flagged but is not relevant or material due to context, such as compensating controls.

      Importantly:

      • Subsidiary Risk Waivers do not change your public risk profile or score.

      • They only affect your internal view of that subsidiary’s risk score within UpGuard.

      Creating a Subsidiary Risk Waiver

      1. Within the Parent organization, navigate to Risk Profile and select the Organization and subsidiaries view. This will display the complete list of risks for the parent and all subsidiaries. Click “Manage risks” -> "Waive a risk" to start the new Risk Waiver flow.
        1. Select the Child Subsidiary from the list of organizations shown.
        2. Select the Risk to be waived.
        3. Select the Related assets. You can apply the waiver to all domains, IPs, or specific ones within the subsidiary.
        4. Set the Risk Waiver approval, justification, and expiry configuration details, and then review and confirm. 
      2. Within the Parent organization, navigate to Risk Profile and select the Organization and subsidiaries view. This will display the complete list of risks for the parent and all subsidiaries. Select a Risk and open the Risk Details drawer. Select the Company affected and click the "Waive risk" option from the action button to start the new Risk Waiver flow.
        1. By default, the applicable Risk to be waived will be selected.
        2. Select the Related assets. You can apply the waiver to all domains, IPs, or specific ones within the subsidiary.
        3. Set the Risk Waiver approval, justification, and expiry configuration details, and then review and confirm.
      3. Within the Parent organization, navigate to the Risk Waivers section. Select the Subsidiaries view to see all Risk Waivers that apply to any Child Subsidiaries. Click "Create risk waiver" to start the new Risk Waiver flow.
        1. Select the Child Subsidiary from the list of organizations shown.
        2. Select the Risk to be waived.
        3. Select the Related assets. You can apply the waiver to all domains, IPs, or specific ones within the subsidiary.
        4. Set the Risk Waiver approval, justification, and expiry configuration details, and then review and confirm. 
      4. Navigate to the Subsidiaries module and select the child organization you want to manage. Go to the Risk Profile for that subsidiary. This will display the complete list of risks for that subsidiary. Click “Manage risks” -> "Waive a risk" to start the new Risk Waiver flow.
        1. Select the Risk to be waived.
        2. Select the Related assets. You can apply the waiver to all domains, IPs, or specific ones within the subsidiary.
        3. Set the Risk Waiver approval, justification, and expiry configuration details, and then review and confirm. 
      5. Navigate to the Subsidiaries module and select the child organization you want to manage. Go to the Risk Profile for that subsidiary. This will display the complete list of risks for that subsidiary.  Select a Risk and open the Risk Details drawer.  Click “Manage risks” -> "Waive a risk" to start the new Risk Waiver flow or select the Asset affected and click the "Waive risk" option from the action button to start the new Risk Waiver flow.
        1. Select the Related assets. You can apply the waiver to all domains, IPs, or specific ones within the subsidiary.
        2. Set the Risk Waiver approval, justification, and expiry configuration details, and then review and confirm.

      Approval & Expiry Settings

      • Approval: Choose if the waiver needs approval. If not, it becomes active immediately.
        (Admin approval workflows can be managed in Settings.)

      • Visibility: Waivers for subsidiaries are always private and are not visible outside your organization.

      • Expiry: Optionally set an expiry date. You’ll get a reminder before it lapses.

      Managing Subsidiary Risk Waivers

      To manage existing waivers:

      1. Open the subsidiary's Risk Profile.

      2. Select the Risk Waivers tab.

      From here you can:

      • View current and expired waivers.

      • Cancel a waiver.

      • Update the approver or expiry date.

      Only active waivers will suppress the risk from appearing in the internal risk profile or influencing the internal score for that subsidiary.