Assessments provide the business with an evaluation of risk and control effectiveness at a point in time. They are used to identify vulnerabilities, raise awareness, and prioritize investment in the areas that will have the most impact. For this process to be effective, assessment data needs to be recent and reflect change over time. An audit from three years ago provides some data but may no longer be accurate. An assessment from two weeks ago may be accurate but doesn’t indicate whether risk levels are rising or falling. In order to keep information current, continuous assessments are needed.
Continuous assessments are an evolution of periodic assessments. They allow the risk team to reassess risks, controls, and KRIs for any given assessment without needing to relaunch it. This enables assessments to remain up-to-date without being tethered to a reporting period. Only members of the Risk Team and Administrator (Risk Management) user groups can launch a continuous assessment, though it is best practice for the risk team to do so.
To launch a continuous assessment:
1. Log in to a user account that's been added to the Risk Team user group.
2. Click the dropdown in the nav bar > Risk Management.
3. Click the Review & Monitor tab.
4. Click an assessment in the Complete state in the Risk Assessment Review and Monitoring activity to open the Risk Assessment form.
5. Navigate to the Management Assessments section.
6. Click Reassess. The assessment will return to the Define Scope of Assessment state, and risks and controls in the Monitoring state will return to the Assign Risk Owner state.