After the Requirement Owner has reviewed a requirement and added issues and controls, they return it to the Compliance Team, who will assess it for residual risk. As a member of the Compliance Team, you will find requirements that have been submitted for your review on the My Tasks page or in the Assess Risk activity.
To assess risk:
1. Log in to a user account that's been added to the Compliance Team user group to open the My Tasks page.
2. Click a requirement in the Compliance Team Review state to open the Compliance Team Review form.
3. Optional: Navigate to the Review Inherent Risk Assessment section to review the inherent risk. Clicking Historical Trending displays a chart showing how the inherent risk score has changed over time.
4. In the Review Control Documentation section:
   a. Click the name of a control to open the Control Review palette. Add any additional details, as needed.
   b. Select the rating that best describes the control in the Control Effectiveness field.
5. In the Residual Risk Assessment section:
   a. Click the Residual Impact dropdown menu to select the impact of the risk after the controls have been put in place.
   b. Click the Residual Likelihood dropdown menu to select how likely the risk is to occur after the controls have been put in place.
   c. Click the Historical Trending tab to view how the residual risk score has fluctuated over time.
6. Optional: In the Document Issues section:
   a. Click the name of an issue to make any changes or to close the issue as needed.
   b. Begin typing keywords in the search bar to display a list of existing issues. Click an appropriate issue to add it to the requirement.
   c. Click + to open the Create a New Issue palette. Fill in the fields as required.
7. In the Determine Level of Compliance section:
   a. Select the requirement's level of compliance in the Compliance Level select list.
   b. Enter any comments on the requirement's compliance level in the Comments on Level of Compliance field.
8. Optional: Expand the Related Assessments section to view the assessments related to the risk. Clicking an assessment displays its Requirement Review form.
9. Add comments, as needed.
10. Click one of the following buttons:
    - Remediation Required: Send the requirement back to the Requirement Owner if further input is required.
    - Send to Monitoring: Transition the requirement to the Monitoring state.