Applies to: Risk Assessment Platform
- Can you apply an approval process to the override that is specific to the change in Control Effectiveness, not just overall to the assessment of the risk factor?
- When the Approver is approving the overall assessment of the risk factor, can they be alerted that the default Control Effectiveness has been overridden?
The Control Effectiveness Rating defaults to a value depending on the values to the Design (Present; Fit for Purpose) and Performance (Implemented; Operating Effectively) fields. This is driven by what is defined in the Methodology. A user can then override the default Effectiveness rating.
Current functionality (v1.7.5) only allows the control effectiveness to be changed to a 'worse' rating (e.g.: Adequate can be lowered to Poor) but not a better rating. The audit trail includes any changes made.
In a future release of the platform, there will be an "override" concept to risk indicators and control effectiveness. This new function will be permission-based and any changes from overrides will be highlighted and included in reporting.