Implementation Guide for KCM GRC's Compliance Management Module
This article provides the four steps you'll take to start using the Compliance Management module in your KCM Governance, Risk, and Compliance (GRC) platform. The Compliance Management module helps you streamline, automate, and simplify your compliance and audit tasks. The jump links below will help you navigate through the KCM GRC setup.
Once you've created one or more scopes, you'll assess how many of its requirements you've met or need to meet by completing a Scope Self-Assessment.
Create or upload controls to provide details as to how you are meeting your compliance requirements or various objectives. Assign tasks to the appropriate users so the necessary evidence is supplied.
We've broken each of the steps into specific details below:
Step 1: Creating Templates and Scopes
In the KCM GRC platform, scopes are umbrella structures used to manage a series of related requirements, controls, and evidence. Typically, scopes are converted from templates. You will either manually create or upload a template, or it will be added to your account by your Customer Success Manager.
When creating scopes in KCM GRC, as a best practice, we suggest converting a template into a scope, rather than creating the scope independent from a template. You can consider a template a "hard copy" of your scope.
You have two options for creating and converting templates into scopes for your organization:
- Creating Custom Templates for Scopes: If your organization needs to abide by standards, laws, or other regulations that are not offered as a Managed Template, create custom templates to define the necessary objectives, then convert them to scopes.
- Converting Managed Templates to Scopes: After your Customer Success Manager has added one or more Managed Templates to your account, convert them to scopes to use them in KCM GRC.
See this article for a list of the Managed Templates that we offer. If you would like additional Managed Templates added to your account, contact your Customer Success Manager or our Support team at email@example.com.
Creating Custom Templates for Scopes
You can create custom templates in order to meet all of your compliance, or other objectives.
In KCM GRC, templates consist of references. References are the objectives your organization needs to comply with. Once templates are converted to scopes, references are then referred to as requirements.
Begin by creating a blank template that you'll add references to in one of the following ways:
- Add references in bulk by uploading a CSV file
- Map existing references to the template
- Create references one-by-one
See our Creating Custom Templates for Scopes article to learn more about the different methods of adding references to custom templates. Once you've created your custom template, you'll convert it to a scope–follow the next section for instructions.
Converting Templates to Scopes
You can easily convert managed and custom templates into scopes in your KCM GRC account.
- From the navigation menu on the left-hand side, select Templates, then Compliance Templates > View Templates, as shown below.
- From the View All Templates page, click the References button to the right of the template you would like to convert to a scope.
From the View Template page, click the Convert to Scope button toward the top-right of the screen.
- You will find a new scope added to your account under the View Scopes section. The scope will have the same name as the template it was converted from, with the word "CONVERTED" added to the end. If you'd like to change the scope title, description, or evidence settings, click the Update Scope button toward the top-right of the page.
- From the Update Scope page, you can modify the scope name, description and evidence settings, as shown below.
Use the Doculink Allowed and Document Upload Allowed drop-down menus if you'd like to specify limitations on the type of control evidence your employees can submit for this scope. If your organization wants to implement the same evidence limitations for all scopes, use the account-level evidence settings. See our Managing Account Settings article for more information.
Once you have one or more scopes in your account, proceed to Step 2 to add users to your account to manage scopes, delegate tasks, and complete tasks.
Step 2: Adding Users to Work in Scopes
Before you can create and assign ownership to your control tasks, you must first have confirmed users in your account.
If you're an account administrator, you can optionally add users to your account so they can assist in delegating and completing tasks to satisfy the requirements in your scopes. First, you'll decide which type(s) of user accounts you'll create, then you'll add the new users to KCM GRC. See below for more information.
Decide which user roles are the best fit for the users who will carry out your organization's objectives in KCM GRC.
In KCM GRC, there are two user roles dedicated to working in the Compliance Management module:
- Scope Administrator: We suggest assigning this user role if you'd like your employee to do any of the following:
- Create internal controls to satisfy the scope's requirements (or map requirements to controls from their other allowed scopes)
- Create tasks for the controls and assign the following responsibilities for the tasks:
- Monitor adherence to compliance controls
- Create and monitor response plans for audit findings
- Contributor: We suggest assigning this user role if you'd like your employee to be the User Responsible for one or more control tasks. Contributors can also be the Approving Manager for tasks.
Add additional Account Administrators, Scope Administrators, or Contributor users to your account.
If you grant an Account Administrator user role, then later need to downgrade the user's permissions, you'll need to contact our support team at firstname.lastname@example.org in order to do so.
Step 3: Complete Scope Self-Assessment
The Scope Self-Assessment lets you evaluate your current level of compliance based on a particular scope.
This assessment allows you to set a “status” for each requirement in the Scope. By selecting a status for each requirement you will determine the percentage of compliance that your organization currently holds for the scope in question. This will assist in showing your organization’s Scope Administrators, Contributors and stakeholders the current state of compliance within the scope. Completing the Self-Assessment for a scope is optional, but recommended. For more information on how to complete the Self-Assessment, see our KCM GRC: Completing a Scope Self-Assessment article.
Step 4: Creating and Assigning Controls
Controls are processes, technical implementations or other actions that relate to or demonstrate how you are meeting your compliance requirements or other objectives.
There are two different methods you can take to create controls in order to meet the requirements of your scopes:
(1) Creating Controls One-by-One: Navigate to a Scope's individual Requirements and create the appropriate control for the respective requirement.
The “Creating Controls one-by-one” method may be the best solution for your organization if the controls will vary between your different scopes, or if you do not already have processes in place for documenting compliance requirements.
(2) Creating Controls in Bulk: Upload a CSV file of controls independently from a scope's requirements, and then map these controls to the appropriate requirements.
The “Creating Controls in Bulk” option may be the best solution for your organization if controls will be applicable to multiple scope requirements, or if you do already have processes in place for documenting compliance efforts.
Although there is no "catch-all" compliance management plan that works for every organization or industry, our best practice recommendation is creating controls one-by-one so you can focus on one compliance (or general) objective at a time.
(1) Creating Controls One-by-One
Once you've created your scopes and their respective requirements, you'll follow the steps below to navigate to individual requirements to create the appropriate controls.
- Navigate to the scope containing the requirement for which you need to create a control (Compliance > Scopes > View Scopes from the menu on the left-hand side). (You can also navigate directly to the desired requirement by clicking Compliance > Requirements > View Requirements from the menu on the left-hand side.)
- From the View All Scopes page, locate the scope that you're working with and click the Requirements button on the right-hand side.
- From the View Scope page, click on the Requirements tab, then click on the title of the requirement for which you want to create a control.
- From the View Requirement page, click the Create Control button.
- Give the control a name and a detailed description. The control description should include what the control is, how to review and assess the control, what type of evidence is expected to satisfy the control, and where that evidence should be placed.
For more information on Control descriptions, click here.
- Click the Create Control button. The new control will be automatically mapped to the requirement from which you created the control.
- From the View Requirement page, click the Next Requirement in Scope > link (shown below), and repeat steps 1-6 until you've created a control for each of your scope's requirements.
Once you've created controls for all of your scope requirements, skip to the Assigning Controls/Creating Task Schedules section to assign control tasks.
Alternatively, if you'd like to schedule and assign control tasks at the time of creating the controls, click the Create & Assign Control button (see step 5) and refer to our How Do I Create Control Tasks? article.
(2) Creating Controls in Bulk
The alternative to the creating controls one-by-one method is to upload a CSV file of controls, and then mapping these controls to the appropriate requirements.
Follow the steps below to upload a CSV file of controls to your account:
- Navigate to the Controls Library by clicking Controls from the menu on the left-hand side.
- Upload a CSV file of Controls using the orange Upload CSV button toward the top-right portion of the page.
- From the Upload Control CSV page, click the Choose File button.
- Choose your local CSV file and click Upload Controls.
When creating your CSV file, be sure to use the headers "Name" and "Description". The subsequent rows should include the name and description of each control.
Once you've uploaded your controls, be sure to map them to the appropriate requirements. Please see our Mapping Requirements and Controls article for more information.
Assigning Controls/Creating Task Schedules
There are three prerequisites that must be met before you can assign users' responsibility for controls:
- The applicable user accounts have been created
- The applicable user accounts are confirmed (users must sign in to confirm)
- Controls must be mapped to at least one requirement
Once these prerequisites are met, please see our How Do I Create Control Tasks? article for instructions.