Automatic Risk and Control relationship

George P
Tera Guru

It seems to me that if a Control Objective has been mapped to a Risk Statement, a Control created based on that Control Objective should create a Risk related to the Control, but that does not happen. Am I missing something? Does something we customized break an OOTB function?


That thread is very helpful. But I think the system needs an additional linking for large-scale uses like my use case. I would have expected that a RS with COs would create a Risk for every Control created by the CO when the RS is mapped.

When using CAM, the Entity does not have an Entity Type (automatically), so I guess I expected that when CAM is involved another method of automatic linking would exist. When you look at creating several hundred Authorization Boundaries with several hundred Controls on each, manually creating a Risk for each control will be a monumental task. It seems like more can be done to enhance the relationship between CAM and Risk.

@George P I think the missing part is, you also need to map the entity to the Risk Statement.

So ideally a CO mapped to Entity A creates a Control.

A RS mapped to the same entity A creates a Risk.

Now if the CO is linked to RS, to auto-create the mapping between control and Risk, the entity in CO and RS needs to match. So if Entity A is mapped to both CO and RS, their corresponding control and risk should auto-map.


Please mark this response as correct or helpful if it assisted you with your question.