The Risk Management tab on the Risk Assessment Details page displays the risks identified during an entity assessment and any subcontrols that are mapped to them. If your organization maintains risk and control libraries, stakeholders carry less of the burden of deciding which controls are appropriate for a risk, including risks that are identified only rarely. To add ad hoc risks, see Adding a Risk to an Assessment. The Risk Management user interface has been substantially improved to support this business logic by presenting multiple views of a subcontrol that is mapped to a risk. The views are interdependent and process-oriented, and each expects an action from you so that reporting remains meaningful.
The purpose is to help you understand how well a control governs the presence of a risk. The control's answer choice for a risk determines how effectively that risk is mitigated. If the compliance score derived from the stakeholders' answer choice meets the domain objective, you can mark the control as a key control on the subcontrol view. When the desired compliance score is achieved, or when a stakeholder marks a control as a key control, the control is tested using internal or third-party test procedures to determine whether it can remediate, or at a minimum mitigate, the risk in the future.
SubControl Attributes
When controls are mapped to risks, expand a risk to view its subcontrols in the pane below it. After you click a subcontrol title, the SubControl Details view displays the following attributes, populated with their default settings.
- Test Frequency: Select the desired test frequency from the drop-down list.
- In Use: Choose Yes or No to indicate whether the subcontrol is in use.
- Answer: Displays the answer choice from the questionnaire, as provided by the stakeholder. When the questionnaire has not been answered, the value 'N/A' is displayed.
- Test Date: Indicates when the subcontrol was last tested. You can also override the test date.
- Deficiency: Enter deficiencies to maintain a log of cases in which the subcontrol does not meet its objective.
- Comments: Enter any other information that helps other stakeholders understand the changes you made to the subcontrol.
- Evidence: Attach a file from your local system as new evidence, select existing evidence, or upload a document or web reference from the document repository. Evidence serves as a reference for the type of testing performed on the subcontrol.
- Risk: Displays the risks attached to the subcontrol.
To learn how the Risk Management view can be customized to suit your risk assessment strategy, see "Customizing the Risk Management View" in the Administrator's Guide or Online Help.