Automating operational risk and control assessments

In the Projects app, you can create assessment drivers based on a metric to automate operational risk and control assessments and notify key stakeholders when changes occur.

Before you start

Before you can automate assessments, you need to set up a project with objectives, risks, and controls. To turn on the Automate button, you or someone on your team needs to complete the following tasks:

How it works

An assessment driver is an automation tool that keeps your assessments current in real time. You can create multiple assessment drivers to automate different risk and control assessments.

You create an assessment driver by:

  1. selecting the risk or control assessment you want to automate
  2. defining metric ranges that will be used to:
    • populate the inherent risk score for the risk assessment OR
    • determine the evaluation of a control's design or effectiveness

Once you create the assessment driver, the assessment is automatically updated whenever the metric value crosses a specified threshold.

Why do I create an assessment driver in a project vs. a framework?

Active projects are point-in-time assessments, while frameworks are continuous and show aggregate activity across multiple projects. For that reason it is more valuable to create assessment drivers within a project and roll the resulting changes up to a single framework.

How do I notify stakeholders when changes to assessments occur?

The following users are automatically notified about assessment changes via the Projects daily summary email:

  • Risk assessment changes: the Assigned User of the objective
  • Control assessment changes: the Owner of the control and the Assigned User of the objective

The email summarizes:

  • which assessments were updated
  • the number of times each assessment was updated in the last 24 hours
  • any assessment drivers that have been disabled due to an error

Can I view historical data associated with assessment drivers?

Yes. When an assessment driver updates an assessment, the event is logged in the Activity Log within the project dashboard and within the History section of the risk, execute procedure, walkthrough, or test.

Automate a risk or control assessment

  • Automate a risk assessment: see Automating operational risk assessments
  • Automate a control assessment: see Automating control assessments

Examples

Scenario

As part of your Cybersecurity Review, you have identified a risk in the Identify process:

Fines, lawsuits, and legal fees resulting from non-compliance or loss of sensitive information

Based on your data analytics results, you have identified the global cost of security incidents and created a metric called "Global Cost of Security Incidents".

Process

First, you configure risk scoring by quantifying the impact of the risk as follows:

  • < $10,000,000 = Low
  • ≥ $10,000,000 and < $65,000,000 = Medium
  • ≥ $65,000,000 = High

Then, you link the "Global Cost of Security Incidents" metric you created in Results to the risk in Projects.

Finally, you create an assessment driver by defining a series of metric ranges that will be used to populate inherent risk scores.

Result

The risk assessment is automated.

Users are automatically notified when specific thresholds are crossed, enabling them to take appropriate action.

Scenario

As part of your IT General Controls Review, you have identified a control in the Physical Security process:

All data center or server facility entrances are protected by a key card access system

Based on your data analytics results, you have identified 100 facility entrances across different data centers that should all be protected by key card access. The metric that you created to assess and monitor the effectiveness of the control is called "% of Secure Facility Entrances". This metric monitors the percentage of facility entrances that have key card access enabled.

Process

First, you link the "% of Secure Facility Entrances" metric you created in Results to the test in Projects.

Then, you create an assessment driver by defining a series of metric ranges that will be used to populate the value of the "Did this Control operate effectively?" field:

  • > 99 = Operating Effectively
  • ≤ 99 = Exception(s) Noted

Result

The control assessment is automated.

Users are automatically notified when specific thresholds are crossed, enabling them to take appropriate action.
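The two scenarios above, together with the notification and history behaviour described under How it works, as an added Python model that is not code from the Projects app: a Band maps a metric range to an outcome, an AssessmentDriver re-scores on every reading but writes an activity-log entry and queues notifications only when the value crosses into a different range, disables itself on an unusable reading instead of writing a wrong score, and daily_summary produces the update counts and disabled-driver list the summary email reports. The class and function names, the timestamps, the metric readings, and the driver's dollar ranges for the risk scenario (the page shows the impact bands but not the driver's own metric ranges) are assumptions made here.

```python
# Added example (not code from the Projects app): a small model of an assessment
# driver, so the threshold rules described on this page can be run and checked.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Band:
    """A metric range and its outcome. None = unbounded; flags give ≤/< and ≥/> bounds."""
    outcome: str
    lower: Optional[float] = None
    upper: Optional[float] = None
    lower_inclusive: bool = True
    upper_inclusive: bool = False

    def contains(self, value: float) -> bool:
        if self.lower is not None and (
                value < self.lower or (value == self.lower and not self.lower_inclusive)):
            return False
        if self.upper is not None and (
                value > self.upper or (value == self.upper and not self.upper_inclusive)):
            return False
        return True


def score_for(bands, value) -> str:
    """Map a reading to an outcome; raise on unusable readings and on gaps/overlaps."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"metric value missing or non-numeric: {value!r}")
    matches = [b.outcome for b in bands if b.contains(value)]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} ranges match metric value {value!r}")
    return matches[0]


@dataclass
class AssessmentDriver:
    name: str
    bands: tuple
    notify: tuple                     # stakeholders named in the daily summary
    current: Optional[str] = None     # value currently written on the assessment
    enabled: bool = True
    log: list = field(default_factory=list)   # activity log: (when, kind, message)
    notifications: list = field(default_factory=list)

    def observe(self, value, when: datetime) -> Optional[str]:
        """Re-evaluate on a new reading; return the new outcome if a threshold was
        crossed, else None. A bad reading disables the driver (reported in the summary)."""
        if not self.enabled:
            return None
        try:
            outcome = score_for(self.bands, value)
        except ValueError as exc:
            self.enabled = False
            self.log.append((when, "disabled", f"{self.name}: {exc}"))
            return None
        if outcome == self.current:
            return None               # moved, but stayed inside the same range
        self.log.append((when, "updated",
                         f"{self.name}: {self.current} -> {outcome} (metric={value})"))
        self.current = outcome
        for who in self.notify:
            self.notifications.append((who, f"{self.name} is now {outcome}"))
        return outcome


def daily_summary(drivers, now: datetime) -> dict:
    """Per-assessment update counts for the last 24 hours, plus disabled drivers."""
    since = now - timedelta(hours=24)
    updated = {}
    for d in drivers:
        n = sum(1 for when, kind, _ in d.log if kind == "updated" and when >= since)
        if n:
            updated[d.name] = n
    return {"updated": updated, "disabled": [d.name for d in drivers if not d.enabled]}


# Ranges from the page's two scenarios. The page shows the risk's impact bands but
# not the driver's own metric ranges, so the same dollar thresholds are assumed.
RISK_BANDS = (Band("Low", upper=10_000_000),
              Band("Medium", lower=10_000_000, upper=65_000_000),
              Band("High", lower=65_000_000))
CONTROL_BANDS = (Band("Exception(s) Noted", upper=99, upper_inclusive=True),
                 Band("Operating Effectively", lower=99, lower_inclusive=False))


def run_scenarios() -> dict:
    """Feed constructed readings through both drivers; return state and summary."""
    t0 = datetime(2024, 1, 1, 8, 0)   # constructed timestamps, one reading per hour
    risk = AssessmentDriver("Fines and legal fees (inherent risk)", RISK_BANDS,
                            notify=("objective assigned user",))
    ctrl = AssessmentDriver("Key card access (operating effectiveness)", CONTROL_BANDS,
                            notify=("control owner", "objective assigned user"))
    # Constructed: cost climbs across both thresholds, then the feed returns no value.
    for i, cost in enumerate([4_000_000, 9_999_999, 10_000_000, 64_999_999, 65_000_000, None]):
        risk.observe(cost, t0 + timedelta(hours=i))
    # Constructed: of 100 entrances, one loses key card access and is then fixed.
    for i, pct in enumerate([100.0, 100.0, 99.0, 100.0]):
        ctrl.observe(pct, t0 + timedelta(hours=i))
    return {"risk": risk, "control": ctrl,
            "summary": daily_summary([risk, ctrl], t0 + timedelta(hours=6))}
```

Two details worth noting when configuring real drivers: the bands are checked for exactly one match, so a gap or overlap between ranges (for example a boundary value that two ranges both claim) is treated as an error rather than silently picking the first range, and an update is only recorded when the outcome changes, so a metric that fluctuates inside one range produces no notifications.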