Learn how control responsibilities can help you ensure compliance
This article discusses how to add responsibilities to controls. Responsibilities are actionable items linked to controls in a control set. They are created in the Control Set Builder, and actioned in Tasks.
For adding tests to controls so you can evaluate pass/fail outcomes, head here.
If you are using the Hub & Spoke architecture, you may want to create controls and responsibilities at the Hub level instead.
Table of contents
Creating a control responsibility
Control responsibilities can be added to a control or controls within a control set that you are building or editing; therefore, make sure the control set you want to add responsibilities to is in Edit status.
From the navigation menu, select Controls (or what you renamed it to) and select a control set.
This opens the Control Set Builder page and will display a list of all controls under this control set. The Control Set Builder page is also divided into five tabs: Controls, Mappings, Viewer, Versions, and History. Click on a control to create a responsibility.
When you select a control, details such as the control ID, control name, control domain, and description, will be displayed under the Overview section. From the side panel, select the Linked data tab.
Under the Linked data tab, all available responsibility tasks and authority provisions will be displayed. One you click on the + icon under responsibilities, you will be able to update your linked responsibilities.
The default view in the Link Responsibility view is Linked to show currently linked responsibilities. You can select the All tab to view all available responsibilities. From this view, you can:
- Link/unlink existing responsibilities (by toggling the link icon)
- Select the > (right arrow) next to an existing responsibility to view/update the responsibility's details
- Click on the + icon to create new responsibilities
To create a new responsibility for a control under its Linked data tab once you have clicked the + icon for responsibilities and are viewing the Link Responsibility modal, click on the + icon, and you will be presented with the Create Responsibility modal.
Fill in the Name and Description fields then click Create Responsibility.
Once created, you can edit the responsibility details in the subsequent view and the responsibility is linked to the control.
The Overview section of the control will be updated, showing the new responsibility under the Linked Data column. Multiple responsibilities can be linked to a control.
To remove a responsibility from a control, you can click on the red X displayed next to the name in the Linked data view of the control; you cannot delete the responsibility if it is linked to any control, but you can unlink it in this manner.
Responsibilities at the Hub
Like any other content created in the Hub, control sets created at the Hub level cannot be put directly to use; they are only put to use once they arrive at the Spoke level.
Therefore, control sets in the Hub appear slightly differently.
A control set in the Hub can have controls, responsibilities linked to those controls, tests linked to those controls, and responsibilities linked to those tests.
A control set in the Hub cannot have test results, issues & issue actions that may be linked to test results, and responsibility tasks, as they only come into effect at use.
Responsibilities linked to tests are separate from responsibilities linked to controls. This is because a test may be applicable to multiple controls, but a responsibility that is applicable to one of those controls may not be applicable to the other controls just because these controls use the same test.
Consider linking responsibilities to tests if the responsibilities & their tasks can pass/fail.
Similarly, consider linking responsibilities to controls if these controls can pass/fail.
Responsibility details
You can access the below Responsibility details side panel to update the details of the responsibility.
Title
To edit the responsibility title, click on its name and select the edit icon next to its name; make your changes and press enter to save your changes.
Description
To edit the responsibility's description, click on Aa in the Responsibility Details. A text box modal will open for you to edit the description.
Click Done to update the description.
Assigning owners
To learn about the differences between owners and assigned members, head here.
Ownership of the responsibility must be assigned to an individual user(s) or group. From the Linked data tab, editing a responsibility in the Responsibility Details, click the + icon under the Responsibility Owner field and search for the name of the user through the search bar. Assigned owners will receive an email notifying them of the responsibility and when it is due.
Assigning members
Assigned members are individuals or groups tasked with actioning the responsibility. Click the + icon under the Assigned Members field and select a user from the drop-down list. You can also search for the name of the user through the search bar. Assigned members will receive an email notifying them of the responsibility and when it is due. They can then view, manage, and complete their responsibility tasks via their Tasks page.
Learn more about the 6clicks Tasks module and how to respond to responsibility tasks.
Assigning a due date
To assign a due date to the responsibility, click the Due Date field and select a date from the calendar.
Recurring tasks
If a responsibility only has an owner from a governance perspective, without any assigned members to actually do the task, it will not generate a task.
If a responsibility is assigned, but it is not recurring, then it will only generate one task per assigned member.
To learn more about completing tasks, head here.
If the responsibility task is a recurring activity, select Yes under the Recurring field then select the Time Period field to define the frequency of the task. For example, choosing 1 Year means the responsibility must be performed yearly and choosing 2 Years means the responsibility must be completed every two years, etc.
Recurring responsibilities will only automatically create a new task for each assigned member, once the recurring due date for the previous task has passed.
If a non-recurring responsibility with a due date in the past is updated with a new due date, a new task will be created.
If a new version of the control set is published, responsibility tasks will all have a created date reflecting the publishing date of the control set.
For example, if a control set has 1 responsibility assigned to 2 assigned members due monthly on the 15th day, and neither of the assignees complete their tasks for April, then on 16th April, the control set owner will see 4 tasks in the control set's Manage Tasks tab; 2 overdue for April, 1 for each assignee, and 2 for May, 1 for each assignee.
If you are editing an existing control set, it may have responsibility due dates that need actioning.
Before you can publish the control set, the system will show you any responsibility due dates that you will need to edit in red.
A blank calendar icon indicates recurring responsibilities that require due dates to start the recurrence.
A calendar icon indicates due dates set in the past which you need to bring forward to publish the control set.
Comments
Finally, to ensure a complete audit trail of all communications regarding a control task, users can add comments to a Responsibility through the Comments tab under Responsibility details on the side panel. You can also assign a risk level rating to the comment by clicking the caution icon beside the text box:
If you have responsibilities that can not only be in-progress or completed, but passed or failed, you can use manual tests to record this information.
For more information on internal controls sets and policies, click here.