What's New in Your KCM GRC Platform?
In July 2020, the KCM GRC team added several enhancements to the Compliance Management module and other areas of your KCM GRC platform. These enhancements include workflow changes, faster loading performance, an updated user interface, and brand new features!
This article explains the primary changes that we've made to items and workflows under your Compliance Management module and introduces new features that we've added to your platform.
Requirements & References
Change: References are no longer independent objects in KCM GRC. References have been combined with requirements.
Previously, references and requirements were independent objects that served the same purpose. Further, they had different naming conventions based on whether they were in a template or a scope. Templates held references and scopes held requirements. When you created a scope from a template, references were then referred to as requirements.
- Now, when a requirement is included in a scope, that instance of the requirement is referred to as a "scoped requirement". If you'd like to see this change in your account, navigate to any requirement that is included in a scope.
Note: If you have modified the Requirement Description for a requirement that was included in a managed template (prior to July 30, 2020), your modified description will show under the Additional Information field on the View Scoped Requirement page.
Change: Editing a custom requirement is now a dynamic workflow: if you modify a Requirement ID, Requirement Name, or Requirement Description, the change will be made to all instances of the requirement.
For example, if you edit a requirement that exists in multiple scopes, the Requirement ID, Requirement Name, and/or Requirement Description would be updated under each scope, accordingly.
- For this reason, if you would like to edit a requirement, you will now open the master version of the requirement instead of the scoped instance(s) of a requirement.
- To open the master version of the requirement: Navigate to the View All Requirements page, search for the requirement, and click the requirement name.
Guidance
Guidance is a new feature available for requirements. Guidance is information provided by KCM GRC that will help you create controls that will satisfy your requirements. Guidance is available for the requirements contained in several of the Managed Templates that KCM GRC offers.
To learn more about this new feature and to see a list of templates that offer guidance, please see our Working With Guidance for Controls article.
Templates
Change: Previously, when you deleted a custom template, the custom requirements included in the template would also be deleted. Now, if you delete a template, the custom requirements that are included in that template will not be removed from your account.
This change was made to support the feature enhancements that we've made to requirements. For details, see the Requirements and References section.
- If you would like to delete custom requirements, you can do so from the View All Requirements page (or from the View Requirement page).
Scopes
We have redesigned the user interface for the View Scope page for better usability.
If your organization creates custom scopes of requirements (or other objectives) in your KCM GRC platform, we recommend converting a template to a scope, instead of creating a scope independent from a template.
Change: To support this best practice recommendation, and to support the changes that we've made to requirements (see the Requirements and References section, above) we have removed the ability to:
- Create requirements from within a scope (from the View Scope page).
- Upload requirements directly to a scope (from the View Scope page).
However, account administrators and scope administrators retain the ability to map already-existing requirements to a scope (from the View Scope page).
Change: We have improved the scope statistics that are visible from the View Scope page > Overview tab, as outlined below.
- The section previously referred to as Requirement Status is now called Scope Self-Assessment.
- This section continues to display your Scope Self-Assessment responses. For more information, please see our Completing a Scope Self-Assessment article.
- The percentage previously referred to as Tasks Met is now called Scope Health.
- Scope Health is the percentage of control tasks that are completed on time, for all controls that are mapped to requirements under the scope.
- The section previously referred to as Covered Requirements is now called Control Coverage.
Scope Self-Assessment
We've streamlined the process of completing a Scope Self-Assessment. You can now complete the assessment without having to navigate away from the View Scope page.
You will view and complete a Scope Self-Assessment from the View Scope page > Requirements tab, as shown below.
You will use the buttons under the Self-Assessment Response column to make a selection for each of the requirements in your scope. For more information, please see our Completing a Scope Self-Assessment article.
Controls
We have redesigned the user interface for the View Control page for better usability.
Change: You can now create a task schedule for a control that is independent of any other object in KCM GRC.
Previously, a control-to-requirement or a control-to-risk mapping was required before you could create a task schedule. To learn about the additional changes that we've made to task schedules, see the Tasks & Task Schedules section, below.
Change: You can now create multiple task schedules for one control. Therefore, you can now create broader controls that will serve as an umbrella structure for collecting evidence for similar types of processes or procedures.
Previously, you were only able to create one task schedule per control, with the exception of creating a one-time task in addition to a task schedule.
For an example of how you can utilize this new feature, see the use case, below:
Use Case: Your company maintains a security awareness training program that includes mandatory training on an annual basis and simulated phishing tests on a monthly basis.
Follow the steps outlined below:
Tip: For more information about modifying a task description, see the Tasks & Task Schedules section, below.
Change: Under the workflow of mapping requirements and controls, we have improved the user interfaces for mapping and unmapping controls and requirements. For details, please see our Mapping Requirements and Controls article.
- Additionally, you can map a control to one or more scoped versions of a requirement. This means that if a control applies to a requirement that is included in multiple scopes, you will map the control to each scoped version of the requirement.
Change: You now have the option to assign a user or a user group, an approving manager, and a second-level approving manager to a control.
- Assigning a user group to a control allows you to delegate task assignments and task evidence approvals to the user who is specified as the Group Lead. For more information about user groups and group leads, see the User Groups section, below.
- Assigning an approving manager to a control streamlines the process of creating task schedules for a control. If an approving manager is assigned to the control, this user will be selected by default—in the Approving Manager field—when you are creating a task schedule. However, you do retain the ability to select a different user for this field.
- Assigning a user to a control streamlines the process of creating task schedules for a control. If a user is assigned to a control, this user will be selected by default—in the User Assigned field—when you are creating a task schedule for a control. However, you do retain the ability to select a different user for this field.
Tasks & Task Schedules
Change: On the user interface for the View Control page, you will now create one-time tasks and task schedules in the same window.
Previously, there were two different buttons: A Create Task Schedule button and a New One Time button. Now, you will click the Create Schedule button to create a one-time task or a task schedule, as shown in the example below.
For more information on working with control tasks, please see our Working With Task Schedules for Controls article.
Change: When creating a task schedule or a one-time task, you can now customize the Task Name and Task Description.
Previously, all tasks that were created for a control would inherit the Control Name and the Control Description. For an example of how you can utilize this feature, see the use case in the Controls section, above.
Change: We have removed Advanced One-Time Tasks.
Previously, this type of task was similar to creating a task schedule using the Effective Date Range option. If you would like to specify a date range for the collection of evidence, when creating a task schedule click the Use Effective Date Range checkbox. To learn more, see our Working With Task Schedules for Controls article.
Change: To promote a sound audit experience in your KCM GRC platform, we've prevented the ability to edit the start date, end date, and due date for tasks that are part of a recurring task schedule. However, you retain the ability to edit the due date for one-time tasks.
If necessary, account administrators can modify the Task Failure Interval setting to extend the length of time that a task is considered Past Due before it is Failed. Learn more about this new setting in the Account Settings section, below.
Tiered-level Approvals for Tasks
Change: You can now assign additional users to review task evidence before a task can be closed.
Previously, you had the ability to assign one approving manager to a task schedule or a one-time task. Now, there are two new task evidence approval workflows available on your platform, described below.
The standard workflow allows you to assign up to two users who will be required to review task evidence before closing the task. This workflow is similar to the existing workflow of assigning an Approving Manager to a task schedule or a one-time task, with an additional option to add a Second-level Approving Manager.
- The User Assigned submits evidence for the task.
- The User Assigned clicks the Complete Task button.
- (Optional) If there is an Approving Manager assigned to the task:
- Once the User Assigned has marked the task as complete, the Approving Manager receives an email notification to approve the evidence.
Note: Additionally, if the task reaches the Past Due status, the Approving Manager will receive an email notification.
- (Optional) If there is a Second-level Approving Manager assigned to the task:
- Once the Approving Manager has marked the task as approved, the Second-level Approving Manager receives an email notification to approve the evidence.
The user group workflow allows you to assign up to three users who will be required to review the task evidence before closing a task. This workflow requires assigning a user group to a control. For more information on user groups, see the User Groups section, below.
- The User Assigned submits evidence for the task.
- The User Assigned clicks the Complete Task button.
- (Optional) If there is a user group assigned to the control (and the Group Lead is not assigned to the task):
- Once the User Assigned has marked the task as complete, the Group Lead receives an email notification to approve the evidence.
Note: Additionally, if the task reaches the Past Due status, the Group Lead will receive an email notification.
- (Optional) If there is an Approving Manager assigned to the task:
- Once the Group Lead has marked the task as approved, the Approving Manager receives an email notification to approve the evidence.
Note: Additionally, if the task reaches the Past Due status, the Approving Manager will receive an email notification.
- (Optional) If there is a Second-level Approving Manager assigned to the task:
- Once the Approving Manager has marked the task as approved, the Second-level Approving Manager receives an email notification to approve the evidence.
User Groups
User groups are a new feature that we've added to your platform. You can create user groups that will be responsible for completing control tasks, in order to satisfy your organization's compliance requirements or risk management objectives.
After you have created a user group, you will assign the group to a control. Assigning a user group to a control allows you to delegate task assignments and task evidence approvals to a specific user in the group. This specific user will be assigned as the Group Lead within their user group. The Group Lead has special permissions allowing them to reassign tasks to another user in their group.
We recommend assigning a user group to a control for the following scenarios:
- You have multiple users who can or should submit evidence for the same control task(s).
- A designated group member (the group lead) should review the evidence submitted by another user or users before the task(s) can be closed.
To learn more about this new feature, please see our Working With User Groups article.
Documents & Evidence Repository
The former Evidence Repository is now called the Documents page. This page has been upgraded to contain all of the files that have been uploaded to or linked to from your KCM GRC platform. The Documents page includes:
- Evidence that users have submitted for control tasks.
- Control documents that have been added to controls.
- Files that vendors (or other third-parties) have attached to their questionnaire responses. For more information, please see our Vendor Risk Management Module: Introduction Guide.
- The policies that have been added to the Policy Management module. For more information, please see our Policy Management article.
To learn more about the new Documents page, see our Navigating the Documents Page article.
Account Settings
Change: We've added a Task Fail Interval setting under your Account Settings area. This new setting allows you to choose how long your tasks will remain in Past Due status before changing to the Failed status.
Previously, all tasks would remain in the Past Due status for seven days after the due date, before changing to the Failed status. Now you can customize the Past Due time interval.
To learn more, please see the Account Settings section of our Managing Account Settings article.
Change: There is a new tab available under your account settings, called Tags. You can now create and add tags to the following items in KCM GRC: templates, requirements, scopes, scoped requirements, controls, and risks.
Previously, you could only create tags for the risks in your Risk Register, and this was completed under the Risk Settings tab.
To learn more, please see the Tags section of our Managing Account Settings article.