This article describes the four steps you'll take to start using the Compliance Management module in your KCM Governance, Risk, and Compliance (GRC) platform. The Compliance Management module helps you streamline, automate, and simplify your compliance and audit tasks. Use the steps below to work through the KCM GRC setup.
Scopes group together the related requirements, controls, and evidence necessary for your compliance (or general) objectives. Generally, scopes are created from templates. A template is a collection of requirements that are related to one another.
Once you've created one or more scopes, you can assess how many of the scoped requirements you have met or need to meet, by completing a Scope Self-Assessment.
We've broken each of the steps into specific details below.
Step 1: Create Templates and Scopes
In the KCM GRC platform, scopes are umbrella structures used to manage a series of related requirements, controls, and evidence. Typically, scopes are converted from templates. You will either create a template, or it will be added to your account by your Customer Success Manager.
When creating scopes in KCM GRC, we recommend converting a template to a scope, rather than creating the scope independent from a template. You can consider a template a "hard copy" of your scope.
First, decide if you will use custom and/or managed templates.
In your platform, Account Administrators have two options for creating scopes from templates:
- Managed Templates: We offer a wide variety of managed templates for your use in the KCM GRC platform. See our Managed Templates article for a list of the templates that we offer. If you would like additional managed templates added to your account, contact your Customer Success Manager or our Support team.
- Custom Templates: If your organization needs to abide by standards, laws, or other regulations that are not offered as a managed template, create custom templates to define the necessary objectives.
- You have three options for adding requirements to a custom template. See our Creating Custom Templates for Scopes article to learn more.
Then, create one or more scopes from your templates.
After you've created a custom template or your Customer Success Manager has added a managed template to your account, see our Converting Templates to Scopes article for more information.
Once you have one or more scopes in your account, proceed to Step 2 where you will add users to your account so they can manage your scopes, create controls, delegate control tasks, and complete control tasks.
Step 2: Add Users to Work in Scopes and Controls
Before you can create and assign ownership to your control tasks, you must first have confirmed users in your account.
If you're an Account Administrator, you can add users to your account so they can assist in delegating and completing tasks to satisfy the requirements in your scopes.
First, decide which user roles are the best fit for the users who will carry out your organization's objectives in KCM GRC.
In KCM GRC, there are two user roles dedicated to working in the Compliance Management module. Each role is described below.
Scope Administrator privileges are granted on a per-scope basis: a user with this role can perform the following tasks only within the scopes you have listed in that user's Allowed Scopes field. For more information, see the relevant section of our Working With Users article.
We suggest assigning the Scope Administrator user role if you'd like your employee to do any of the following:
- Create internal controls to satisfy the scope's requirements
- Scope Administrators can create controls for the scoped requirements that are included in their allowed scopes.
- Create task schedules for controls and assign the following responsibilities for the task:
- User Assigned: The individual responsible for submitting task evidence that supports the organization's compliance with the control.
- Approving Manager (optional): The individual responsible for reviewing the task evidence and deciding whether it is sufficient for the control.
- Second-level Approving Manager (optional): The individual responsible for reviewing the task evidence after the Approving Manager has reviewed it, and for deciding whether it is sufficient for the control.
- Monitor adherence to compliance controls
We suggest assigning the Contributor user role if your employee should be responsible for submitting task evidence for one or more controls.
Additionally, users who have the Contributor role can be assigned to a task schedule (or one-time task) as the Approving Manager or the Second-level Approving Manager.
Then, add additional Account Administrators, Scope Administrators, and Contributor users to your account.
Step 3: Complete the Scope Self-Assessment
The Scope Self-Assessment provides an evaluation of your current level of compliance based on a particular scope.
You can complete the Scope Self-Assessment if you are an Account Administrator or a Scope Administrator (under your allowed scopes). This assessment allows you to set a status for each requirement in a scope. By selecting a status for your requirements, you will determine the percentage of compliance that your organization currently holds for the scope in question.
Completing the Self-Assessment for a scope is optional, but recommended. For more information on completing the Self-Assessment, please see our KCM GRC: Completing a Scope Self-Assessment article.
Step 4: Create Controls and Assign Task Schedules
First, add controls to your account and map the controls to your scoped requirements.
Controls are processes, technical implementations, or other actions that demonstrate how your organization is meeting compliance requirements or other objectives.
Account Administrators have two options for adding controls to your account:
- Option 1: Creating Controls One-by-One: Navigate to a scope's individual requirements and create a control for each. When you create a control from a scoped requirement, the control is automatically mapped to that requirement.
Tip: In addition to Account Administrators, users with the Scope Administrator user role can perform this option under their allowed scopes. To learn more about assigning allowed scopes, see our Working With Users article.
- Option 2: Creating Controls in Bulk: Upload a CSV file of controls independently from a scope's requirements, and then map these controls to the appropriate requirements.
To see full instructions for the options above, please refer to our Creating and Importing Controls article.
Then, create task schedules for your controls.
Task schedules allow for the continuous monitoring of controls. They provide an opportunity to collect evidence relating to a control on a periodic basis, so you will be prepared when it is time for an audit.
Please refer to our Working With Task Schedules for Controls article to learn about the following, and more:
- The prerequisites required for creating task schedules
- The three types of task schedules that are available in your platform
- Your options for assigning users to approve task evidence
- How to create task schedules