Reviewing a Risk Control for Effectiveness

Objective

After completing this lesson, you will be able to describe how to begin a control effectiveness review in a control-based engagement risk assessment project.

Control Types

A control is always pending and requires review if a supplier has not previously filled out one of its associated questionnaires or if the control includes internal assessments.

Depending on its type, a control might also be pending in the current engagement even though it was already reviewed and marked effective for a previous engagement. A control applies at one of three different levels, each of which has different review requirements in engagement risk assessment projects with a supplier selected:

  • Engagement-level: A control that applies to a specific, individual engagement
    • Engagement-level controls always require a new review in every engagement risk assessment project for every supplier
  • Vendor-level: A control that applies generally to a supplier
    • If a decision maker marks a vendor-level control as effective or ineffective for a supplier, it continues to be effective or ineffective for that supplier in subsequent engagement risk assessment projects
  • Service-level: A control that applies to a supplier for a specific commodity or commodities

Control Effectiveness Review

If you are a control decision maker, you review the pending controls for the current engagement that are assigned to you and mark them as effective or ineffective. These effectiveness decisions help approvers determine whether or not to approve the engagement project.

In a control-based engagement risk assessment project, each control has one or more assessment questionnaires. Each assessment questionnaire is a separate modular supplier management questionnaire that might have its own approval process. You review a control for effectiveness only after all of its associated questionnaires are approved.

Reviewing a pending control for effectiveness involves reviewing the answers to the approved questionnaires and marking the control or services as effective or ineffective based on those answers.

If the periodic review of risk controls feature is enabled in your site, decision makers use the Control details page to review a pending control for effectiveness. If that feature is not enabled in your site, decision makers use the Control review page instead.

Review a Risk Control for Effectiveness Using the Control Details Page

In this simulation, you will use the Control details page to review a pending control for effectiveness in a control-based engagement risk assessment project.
