Applies to: Risk Assessment Platform
Question
- What is an override?
- Who can apply an override?
- I applied an override and it is now gone. What happened?
Answer
What is an override?
An override is a rating that a user has applied manually in place of the system-calculated rating.
The platform automatically calculates ratings for Inherent Risk, Controls Effectiveness, and Residual Risk based on user-entered answers to risk indicator questions and control effectiveness metrics.
When a user overrides a rating, they must enter comments explaining the reason for the override.
The original rating, override rating, and comments are stored in the audit log and shown in the assessment unit reports.
Where can overrides be applied?
Overrides can be applied to:
- Risk Indicator: answer rating
- Risk Factor: inherent risk rating
- Risk Factor: control effectiveness rating
- Risk Factor: residual risk rating
- Control: control effectiveness rating*
- Assessment Unit: residual risk rating
Ratings with overrides display a clickable indicator, which opens the Preview Audit popup window containing details of the original rating, override rating, comments, and current calculated rating.
Note*: When assessing controls, the assignee can select a lower controls effectiveness rating; this is not treated as an override. An override is only applied when the approver changes the rating while it is awaiting approval.
How do I apply an override?
The approver for the risk or control can apply an override when the risk/control is Awaiting Approval.
After selecting a different rating the approver must enter override comments.
Who can apply an override?
A user must have the appropriate "Override" and "Approver" permissions, and be the approver for the risk or control where the override is to be applied.
The default/global "Approver" role includes all override and approval permissions.
Company Admins can create custom/company roles with specific permissions. Individual override permissions are available for each overridable rating.
What removes overrides?
Overrides are removed when a user performs an action that triggers a recalculation of the rating and the recalculated rating matches the override rating.
The override is removed because it is no longer needed.
If override rating = recalculated rating, then override removed.
Example 1: Risk Factor Inherent Risk Rating
A risk factor has a High calculated inherent risk rating due to answers to the risk indicator questions. The risk factor is submitted and awaiting approval.
The approver overrides that rating and instead selects Medium. The risk factor is later reopened and different answers are selected for the risk indicator questions. The new answers cause a recalculation of the inherent risk rating and the new calculated rating is Medium.
The override is removed because the new calculated rating matches the override rating making the override unnecessary.
Override rating: Medium > Recalculated rating: Medium = override removed.
Example 2: Risk Factor Residual Risk Rating
A risk factor has a Low calculated residual risk rating due to the combination of its inherent risk rating and control effectiveness rating. The risk factor is submitted and awaiting approval.
The approver overrides that rating and instead selects High. The controls linked to that risk factor are later changed. The change of linked controls causes a recalculation of the control effectiveness rating which then causes a recalculation of the risk factor residual risk rating. The new calculated rating changes to High.
The override is removed because the new calculated rating matches the override rating making the override unnecessary.
Override rating: High > Recalculated rating: High = override removed.
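As an added illustration (not the platform's own code), the following Python models the override lifecycle described above: the Awaiting Approval precondition, the mandatory override comment, the audit log entries that survive removal, and the automatic removal rule, driven through both examples. The class, method and audit entry names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Override:
    original: str  # system-calculated rating when the override was applied
    rating: str    # rating the approver selected instead
    comment: str   # mandatory justification

@dataclass
class RatedItem:
    """A risk factor, control or assessment unit carrying one overridable rating."""
    name: str
    calculated: str
    awaiting_approval: bool = False
    override: Optional[Override] = None
    audit_log: list = field(default_factory=list)

    def effective_rating(self) -> str:
        return self.override.rating if self.override else self.calculated

    def apply_override(self, new_rating: str, comment: str) -> None:
        # Only allowed while Awaiting Approval, and comments are mandatory.
        if not self.awaiting_approval:
            raise PermissionError(f"{self.name} is not awaiting approval")
        if not comment.strip():
            raise ValueError("override comments are required")
        self.override = Override(self.calculated, new_rating, comment)
        self.audit_log.append(("override", self.calculated, new_rating, comment))

    def recalculate(self, new_calculated: str) -> bool:
        """Store a recalculated rating; return True if the override was removed."""
        self.calculated = new_calculated
        self.audit_log.append(("recalculated", new_calculated))
        if self.override and self.override.rating == new_calculated:
            # Calculated rating now matches the override, so it is no longer needed.
            self.audit_log.append(("override_removed", new_calculated))
            self.override = None
            return True
        return False

def run_example(calculated: str, override: str, recalculated: str) -> tuple:
    """Drive one of the examples above; returns (removed?, effective rating, audit entries)."""
    rf = RatedItem("risk factor", calculated, awaiting_approval=True)
    rf.apply_override(override, "constructed justification")  # constructed sample comment
    removed = rf.recalculate(recalculated)
    return removed, rf.effective_rating(), len(rf.audit_log)
```

Calling `run_example("High", "Medium", "Medium")` reproduces Example 1 and `run_example("Low", "High", "High")` reproduces Example 2; a recalculation that does not match the override leaves it in place.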
[Screenshots: Risk Factor Overrides; Control Override; Assessment Unit Override; Preview Audit Pop-up with calculated rating]