Assessments provide the business with an evaluation of risk, requirements, and control effectiveness at a point in time. They are used to determine compliance, identify vulnerabilities, raise awareness, and prioritize investment in the areas with the most impact. To be effective, assessment data must be recent and reflect change over time.
For example, an audit from three years ago provides some data but may no longer be accurate. An assessment from two weeks ago may be accurate but doesn’t indicate whether risk levels are rising or falling. To keep information current, continuous assessments are needed.
Continuous assessments are an evolution of periodic assessments. They allow the Risk Team to reassess Risks, Controls, and KRIs for any given assessment without needing to launch an entirely new one. This enables assessments to remain up to date without being tethered to a reporting period. Only members of the Risk Team and Administrator (Risk Management) user groups can launch a continuous assessment, though it is best practice for the Risk Team to do so.
To launch a continuous assessment:
1. Log in to a user account from the Risk Team user group.
2. Click the dropdown in the nav bar > Risk Management.
3. Click the Review & Monitor tab.
4. In the Risk Assessment Review and Monitoring activity, click an assessment in the Complete state to open the Risk Assessment form.
5. Navigate to the Assessment Management section.
6. Click Reassess. The assessment will return to the Define Scope of Assessment state, and risks and controls in the Monitoring state will return to the Assign Risk Owner state.