Residual risk score calculation with non-compliant controls
Where in the configuration does the residual risk calculation take into account any non-compliant controls? My assumption is that the residual risk score should automatically be lowered if there is an associated non-compliant control.