Automating operational risk and control assessments
In the Projects app, you can create assessment drivers based on a metric to automate operational risk and control assessments and notify key stakeholders when changes occur.
Before you start
Before you can automate assessments, you need to set up a project with objectives, risks, and controls. To turn on the Automate button, you or someone on your team needs to complete the following tasks:
- Create a metric in Results (see Monitoring key indicators with metrics)
- Link the metric to the assessment in a project (see Linking evidence from Results)
How it works
An assessment driver is an automation tool that keeps your assessments current in real time. You can create multiple assessment drivers to automate different risk and control assessments.
You create an assessment driver by:
- selecting the risk or control assessment you want to automate
- defining metric ranges that will be used to:
  - populate the inherent risk score for the risk assessment, OR
  - determine the evaluation of a control's design or effectiveness
Once you create the assessment driver, the assessment is automatically updated whenever the metric value crosses a specified threshold.
Why do I create an assessment driver in a project vs. a framework?
Active projects are point-in-time assessments, while frameworks are continuous and show aggregate activities across multiple projects. It is more valuable to create assessment drivers within a project, and aggregate the changes to a single framework.
How do I notify stakeholders when changes to assessments occur?
The following users are automatically notified about assessment changes via the Projects daily summary email:
- Risk assessment changes: the Assigned User of the objective
- Control assessment changes: the Owner of the control and the Assigned User of the objective
The email summarizes:
- which assessments were updated
- the number of times each assessment was updated in the last 24 hours
- any assessment drivers that have been disabled due to an error
Can I view historical data associated with assessment drivers?
Yes. When an assessment driver updates an assessment, the event is logged in the Activity Log within the project dashboard and within the History section of the risk, execute procedure, walkthrough, or test.
Automate a risk or control assessment
Task | Detailed information
---|---
Automate a risk assessment | Automating operational risk assessments
Automate a control assessment | Automating control assessments
Examples
Scenario
As part of your Cybersecurity Review, you have identified a risk in the Identify process:
Fines, lawsuits, and legal fees resulting from non-compliance or loss of sensitive information
Based on your data analytic results, you have identified the global cost of security incidents and created a metric called "Global Cost of Security Incidents".
Process
First, you configure risk scoring by quantifying the impact of the risk as follows:
- < $10,000,000 = Low
- ≥ $10,000,000 and < $65,000,000 = Medium
- ≥ $65,000,000 = High
Then, you link the "Global Cost of Security Incidents" metric you created in Results to the risk in Projects.
Finally, you create an assessment driver by defining a series of metric ranges, matching the impact bands above, that will be used to populate inherent risk scores.
Result
The risk assessment is automated:
Users are automatically notified when specific thresholds are crossed, enabling them to take appropriate action.
Scenario
As part of your IT General Controls Review, you have identified a control in the Physical Security process:
All data center or server facility entrances are protected by a key card access system
Based on your data analytic results, you have identified 100 facility entrances across different data centers that should all be protected by key card access. The metric that you created to assess and monitor the effectiveness of the control is called "% of Secure Facility Entrances". This metric monitors the percentage of facility entrances that have key card access enabled.
Process
First, you link the "% of Secure Facility Entrances" metric you created in Results to the test in Projects.
Then, you create an assessment driver by defining a series of metric ranges that will be used to populate the value of the Did this Control operate effectively? field:
- > 99 = Operating Effectively
- ≤ 99 = Exception(s) Noted
Result
The control assessment is automated:
Users are automatically notified when specific thresholds are crossed, enabling them to take appropriate action.
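To make the threshold logic from the How it works section and the two scenarios concrete, here is a small constructed model of an assessment driver. It is an added illustration, not the Projects app's own code, and the class names, the 24-hour summary function and the timestamps are assumptions. It encodes the page's two range tables (note the boundary handling: exactly $10,000,000 is Medium and exactly 99% is Exception(s) Noted), rewrites an assessment only when a new metric value lands in a different band, disables a driver whose ranges fail to match a value, and builds the per-driver counts the daily summary email reports.

```python
"""Constructed model of a metric-driven assessment driver (not product code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MetricRange:
    """One band of metric values mapped to an assessment result.

    lower/upper of None mean unbounded; the *_inclusive flags decide whether a
    value sitting exactly on a boundary belongs to this band.
    """
    result: str
    lower: Optional[float] = None
    upper: Optional[float] = None
    lower_inclusive: bool = True
    upper_inclusive: bool = False

    def contains(self, value: float) -> bool:
        if self.lower is not None:
            if value < self.lower or (value == self.lower and not self.lower_inclusive):
                return False
        if self.upper is not None:
            if value > self.upper or (value == self.upper and not self.upper_inclusive):
                return False
        return True


@dataclass
class AssessmentDriver:
    name: str
    ranges: List[MetricRange]
    current: Optional[str] = None            # last result written to the assessment
    enabled: bool = True
    activity_log: List[Tuple[datetime, str]] = field(default_factory=list)

    def evaluate(self, value: float) -> str:
        """Map a metric value to exactly one result; anything else is a configuration error."""
        matches = [r.result for r in self.ranges if r.contains(value)]
        if len(matches) != 1:
            raise ValueError(f"{self.name}: value {value} matched {len(matches)} ranges")
        return matches[0]

    def observe(self, value: float, at: datetime) -> Optional[str]:
        """Feed a new metric value; the assessment is rewritten only when a threshold is crossed."""
        if not self.enabled:
            return None
        try:
            result = self.evaluate(value)
        except ValueError as exc:
            self.enabled = False                 # a mis-configured driver is switched off
            self.activity_log.append((at, f"DISABLED: {exc}"))
            return None
        if result == self.current:
            return None                          # same band as before: nothing to update
        self.current = result
        self.activity_log.append((at, f"UPDATED to {result} (metric={value})"))
        return result


def daily_summary(drivers: List[AssessmentDriver], now: datetime) -> Dict[str, dict]:
    """Per-driver counts for the last 24 hours, as a daily summary email would report them."""
    since = now - timedelta(hours=24)
    summary = {}
    for d in drivers:
        recent = [msg for at, msg in d.activity_log if at > since]
        summary[d.name] = {
            "updates": sum(msg.startswith("UPDATED") for msg in recent),
            "disabled": not d.enabled,
        }
    return summary


def risk_driver() -> AssessmentDriver:
    # Risk-scoring table from the page: < $10M Low, >= $10M and < $65M Medium, >= $65M High
    return AssessmentDriver("Global Cost of Security Incidents", [
        MetricRange("Low", upper=10_000_000),
        MetricRange("Medium", lower=10_000_000, upper=65_000_000),
        MetricRange("High", lower=65_000_000),
    ])


def control_driver() -> AssessmentDriver:
    # Control table from the page: > 99 Operating Effectively, <= 99 Exception(s) Noted
    return AssessmentDriver("% of Secure Facility Entrances", [
        MetricRange("Operating Effectively", lower=99, lower_inclusive=False),
        MetricRange("Exception(s) Noted", upper=99, upper_inclusive=True),
    ])


def run_demo() -> Dict[str, dict]:
    t0 = datetime(2024, 1, 1, 8, 0)          # constructed timestamps
    risk, control = risk_driver(), control_driver()
    # Constructed misconfiguration: the ranges leave a gap between 50 and 60
    broken = AssessmentDriver("Gapped driver",
                              [MetricRange("Low", upper=50), MetricRange("High", lower=60)])
    for hours, value in [(0, 5_000_000), (6, 12_000_000), (12, 15_000_000), (18, 65_000_000)]:
        risk.observe(value, t0 + timedelta(hours=hours))      # Low, Medium, (no change), High
    for hours, value in [(0, 100), (6, 99), (12, 99.5), (18, 98)]:
        control.observe(value, t0 + timedelta(hours=hours))   # crosses the 99 threshold 3 times
    broken.observe(55, t0 + timedelta(hours=20))              # no range matches: driver disabled
    return daily_summary([risk, control, broken], t0 + timedelta(hours=23))


if __name__ == "__main__":
    for name, info in run_demo().items():
        print(f"{name}: {info['updates']} update(s) in 24h, disabled={info['disabled']}")
```

The design point worth noticing is that `observe` writes nothing while the metric moves within a band (15,000,000 after 12,000,000 stays Medium), so the update count in the summary reflects threshold crossings, not every metric refresh. The gap in the third driver is the kind of configuration error that would surface as a disabled driver in the summary email.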