How to work with WRT (for team leads)

  • If the metric has increased and exceeded the risk appetite:

❗Arrange a meeting with the team to discuss security tasks for the upcoming sprint to reduce the metric, starting with the most critical ones.

  • If the metric has increased but has not exceeded the risk appetite:

❗Pay attention to the metric and start collecting a backlog of security tasks for the upcoming planning session.

  • If the metric has decreased and fallen below the risk appetite:

❗Plan measures to reduce the metric as far as possible. Keep striving for zero, but at this stage you have already achieved success. If the team is busy, you can instead wait until the metric approaches a critical value.

  • If the metric has decreased but has not fallen below the risk appetite:

❗The team should repeat the process until the WRT has decreased.
