Menu

Enhancements to the KCM GRC Platform and Compliance Management Workflows (July 2020)

Avatar
Lauren Ashley
Updated
Follow

What's New in Your KCM GRC Platform?

In July 2020, the KCM GRC team added several enhancements to the Compliance Management module and other areas of your KCM GRC platform. These enhancements include workflow changes, faster loading performance, an updated user interface, and brand new features! 

This article explains the primary changes that we've made to items and workflows under your Compliance Management module and introduces new features that we've added to your platform.

Use the jump links below to learn more.  

Jump to: 

Requirements & References
Guidance 
Templates
Scopes

Controls

User Groups
Documents & Evidence Repository
Account Settings

 

Requirements & References

Change: References are no longer independent objects in KCM GRC. References have been combined with requirements.
Previously, references and requirements were independent objects that served the same purpose. Further, they had different naming conventions based on whether they were in a template or a scope. Templates held references and scopes held requirements. When you created a scope from a template, references were then referred to as requirements.

  • Now, when a requirement is included in a scope, that instance of the requirement is referred to as a "scoped requirement". If you'd like to see this change in your account, navigate to any requirement that is included in a scope.
    Note: If you have modified the Requirement Description for a requirement that was included in a managed template (prior to July 30, 2020), your modified description will show under the Additional Information field on the View Scoped Requirement page (click to view example).

Change: Editing a custom requirement is now a dynamic workflow. Meaning, if you modify a Requirement ID, Requirement Name, or Requirement Description, this change will be made to all instances of the requirement.
For example, if you edit a requirement that exists in multiple scopes, the Requirement ID, Requirement Name, and/or Requirement Description would be updated under each scope, accordingly.

  • For this reason, if you would like to edit a requirement, you will now open the master version of the requirement instead of the scoped instance(s) of a requirement.
  • To open the master version of the requirement: Navigate to the View All Requirements page, search for the requirement, and click the requirement name.

Back to top

 

Guidance

Guidance is a new feature available for requirements. Guidance is information provided by KCM GRC that will help you create controls that will satisfy your requirements. Guidance is available for the requirements contained in several of the Managed Templates that KCM GRC offers.

To learn more about this new feature and to see a list of templates that offer guidance, please see our Working With Guidance for Controls article.

Back to top

 

Templates

Change: Previously, when you deleted a custom template, the custom requirements included in the template would also be deleted. Now, if you delete a template, the custom requirements that are included in that template will not be removed from your account.
This change was made to support the feature enhancements that we've made to requirements. For details, see the Requirements and References section.

  • If you would like to delete custom requirements, you can do so from the View All Requirements page (or from the View Requirement page).

Back to top

 

Scopes

We have redesigned the user interface for the View Scope page for better usability.

If your organization creates custom scopes of requirements (or other objectives) in your KCM GRC platform, we recommend converting a template to a scope, instead of creating a scope independent from a template.

Change: To support this best practice recommendation, and to support the changes that we've made to requirements (see the Requirements and References section, above) we have removed the ability to: 

  • Create requirements from within a scope (from the View Scope page).
  • Upload requirements directly to a scope (from the View Scope page).

However, account administrators and scope administrators retain the ability to map already-existing requirements to a scope (from the View Scope page).

Tip: To learn more about custom templates and scopes, please see this article: Creating Custom Templates for Scopes.

Change: We have improved the scope statistics that are visible from the View Scope page > Overview tab, as outlined below.
View Scope Page > Overview Tab

  1. The section previously referred to as Requirement Status is now called Scope Self-Assessment
  2. The percentage previously referred to as Tasks Met, is now called Scope Health.
    • Scope Health is the percentage of control tasks that are completed on time, for all controls that are mapped to requirements under the scope. 
  3. The section previously referred to as Covered Requirements, is now called Control Coverage.

Scope Self-Assessment

We've streamlined the process of completing a Scope Self-Assessment. You can now complete the assessment without having to navigate away from the View Scope page.

You will view and complete a Scope Self-Assessment from the View Scope page > Requirements tab, as shown below.

You will use the buttons under the Self-Assessment Response column to make a selection for each of the requirements in your scope. For more information, please see our Completing a Scope Self-Assessment article.

Note: If you added notes to your requirements during the previous version of the Scope Self-Assessment, you can still view these notes from the View Requirement page, under the Notes area.

Back to top

 

Controls

We have redesigned the user interface for the View Control page for better usability.

Change: You can now create a task schedule for a control that is independent of any other object in KCM GRC. 
Previously, a control-to-requirement or a control-to-risk mapping was required before you could create a task schedule. To learn about the additional changes that we've made to task schedules, see the Tasks & Task Schedules section, below.  

Change: You can now create multiple task schedules for one control. Therefore, you can now create broader controls that will serve as an umbrella structure for collecting evidence for similar types of processes or procedures.
Previously, you were only able to create one task schedule per control, with the exception of creating a one-time task in addition to a task schedule. 

For an example of how you can utilize this new feature, see the use case, below:

Use Case: Your company maintains a security awareness training program that includes mandatory training on an annual basis and simulated phishing tests on a monthly basis.
Follow the steps outlined below:
  1. Create one control to collect evidence for both the training reports and phishing campaign results.
  2. Create a task schedule and select Annually for the frequency.
    1. Modify the Task Description to say: Please upload a report showing the employees who have completed training in the past year.
  3. Create an additional task schedule and select Monthly for the frequency.
    1. Modify the Task Description to say: Please upload the phishing campaign results for the current month.
Tip: For more information about modifying a task description, see the Tasks & Task Schedules section, below.

 

Change: Under the workflow of mapping requirements and controls, we have improved the user interfaces for mapping and unmapping controls and requirements. For details, please see our Mapping Requirements and Controls article. 

  • Additionally, you can map a control to one or more scoped versions of a requirement. Meaning, if a control applies to a requirement that is included in multiple scopes, you will map the control to each scoped version of the requirement. 

Change: You now have the option to assign a user or a user group, an approving manager, and a second-level approving manager to a control.

Note: These are optional settings. The standard workflow of assigning a user and an approving manager to a task schedule has not changed.
  • Assigning a user group to a control allows you to delegate task assignments and task evidence approvals to the user who is specified as the Group Lead. For more information about user groups and group leads, see the User Groups section, below.
  • Assigning an approving manager to a control streamlines the process of creating task schedules for a control. If an approving manager is assigned to the control, this user will be selected by default—in the Approving Manager field—when you are creating a task schedule. However, you do retain the ability to select a different user for this field.
  • Assigning a user to a control streamlines the process of creating task schedules for a control. If a user is assigned to a control, this user will be selected by default—in the User Assigned field—when you are creating a task schedule for a control. However, you do retain the ability to select a different user for this field.
Note: Be sure to see the next section (Tasks & Task Schedules) to learn about additional improvements that are related to controls.

Back to top

 

Tasks & Task Schedules

Change: On the user interface for the View Control page, you will now create one-time tasks and task schedules in the same window.
Previously, there were two different buttons: A Create Task Schedule button and a New One Time button. Now, you will click the Create Schedule button to create a one-time task or a task schedule, as shown in the example below.

For more information on working with control tasks, please see our Working With Task Schedules for Controls article.

Change: When creating a task schedule or a one-time task, you can now customize the Task Name and Task Description.
Previously, all tasks that were created for a control would inherit the Control Name and the Control Description. For an example of how you can utilize this feature, see the use case in the Controls section, above. 

Change: We have removed Advanced One-Time Tasks. 
Previously, this type of task was similar to creating a task schedule using the Effective Date Range option. If you would like to specify a date range for the collection of evidence, when creating a task schedule click the Use Effective Date Range checkbox. To learn more, see our Working With Task Schedules for Controls article

Change: To promote a sound audit experience in your KCM GRC platform, we've prevented the ability to edit the start date, end date, and due date for tasks that are part of a recurring task schedule. However, you retain the ability to edit the due date for one-time tasks.
If necessary, account administrators can modify the Task Failure Interval setting to extend the length of time that a task is considered Past Due before it is Failed. Learn more about this new setting in the Account Settings section, below.

Tiered-level Approvals for Tasks

Change: You can now assign additional users to review task evidence before a task can be closed.
Previously, you had the ability to assign one approving manager to a task schedule or a one-time task. Now, there are two new task evidence approval workflows available on your platform. For details, expand the drop-down menus, below.

The standard workflow allows you to assign up to two users who will be required to review task evidence before closing the task. This workflow is similar to the existing workflow of assigning an Approving Manager to a task schedule or a one-time task; with an additional option to add a Second-level Approving Manager. 

Task Evidence Approval (Standard Workflow)

  1. The User Assigned submits evidence for the task.
  2. The User Assigned clicks the Complete Task button. 
  3. (Optional) If there is an Approving Manager assigned to the task: 
    • Once the User Assigned has marked the task as complete, the Approving Manager receives an email notification to approve the evidence.
      Note: Additionally, if the task reaches the Past Due status, the Approving Manager will receive an email notification.
  4. (Optional) If there is a Second-level Approving Manager assigned to the task: 
    • Once the Approving Manager has marked the task as approved, the Second-level Approving Manager receives an email notification to approve the evidence.

The user group workflow allows you to assign up to three users who will be required to review the task evidence before closing a task. This workflow requires assigning a user group to a control. For more information on user groups, see the User Groups section, below.

Task Evidence Approval (User Group Workflow)
Note: If a user group is assigned to a control, the Group Lead will be required to review the task evidence before the task can be closed. 

  1. The User Assigned submits evidence for the task. 
  2. The User Assigned clicks the Complete Task button.
  3. (Optional) If there is a user group assigned to the control (and the Group Lead is not assigned to the task):
    • Once the User Assigned has marked the task as complete, the Group Lead receives an email notification to approve the evidence.
      Note: Additionally, if the task reaches the Past Due status, the Group Lead will receive an email notification.
  4. (Optional) If there is an Approving Manager assigned to the task: 
    • Once the Group Lead has marked the task as approved, the Approving Manager receives an email notification to approve the evidence.
      Note: Additionally, if the task reaches the Past Due status, the Approving Manager will receive an email notification.
  5. (Optional) If there is a Second-level Approving Manager assigned to the task:
    • Once the Approving Manager has marked the task as approved, the Second-level approving Manager receives an email notification to approve the evidence.

Back to top

 

User Groups

User groups are a new feature that we've added to your platform. You can create user groups that will be responsible for completing control tasks, in order to satisfy your organization's compliance requirements or risk management objectives.

After you have created a user group, you will assign the group to a control. Assigning a user group to a control allows you to delegate task assignments and task evidence approvals to a specific user in the group. This specific user will be assigned as the Group Lead within their user group. The Group Lead has special permissions allowing them to reassign tasks to another user in their group.

We recommend assigning a user group to a control for the following scenarios: 

  • You have multiple users who can or should submit evidence for the same control task(s).
  • If a designated group member (the group lead) should review the evidence submitted by another user or users—before the task(s) can be closed. 

To learn more about this new feature, please see our Working With User Groups article.

Back to top

 

Documents & Evidence Repository

The former Evidence Repository is now called the Documents page. This page has been upgraded to contain all of the files that have been uploaded to or linked to from your KCM GRC platform. The Documents page includes: 

To learn more about the new Documents page, see our Navigating the Documents Page article.

Back to top

 

Account Settings

Change: We've added a Task Fail Interval setting under your Account Settings area. This new setting allows you to choose how long your tasks will remain in Past Due status before changing to the Failed status. 
Previously, all tasks would remain in the Past Due status for seven days after the due date, before changing to the Failed status. Now you can customize the Past Due time interval.

To learn more, please see the Account Settings section of our Managing Account Settings Article

Change: There is a new tab available under your account settings, called Tags. You can now create and add tags to the following items in KCM GRC: templates, requirements, scopes, scoped requirements, controls, and risks
Previously, you could only create tags for the risks in your Risk Register, and this was completed under the Risk Settings tab. 

To learn more, please see the Tags section of our Managing Account Settings article.

Back to top

 

Note: If you have questions about the changes that were made to your KCM GRC platform, please reach out to your Customer Success Manager or contact our support team
Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles