Issues

This article explains the concept of an issue and how you can use it within the platform.

Introduction

Issues are used across the 3rdRisk platform to record information and relationships - typically related to deviations or things that (could) impact your control environment. They serve as a springboard for action, such as adjusting risks and creating action plans. There are different issue types. They can be used to document anything that may need your attention in the (near) future, such as an (imminent) problem, important topic, or potential opportunity. An issue can be created or linked to, amongst others, a framework, a section, a control, a risk, an incident, a third party, a contract, an internal control assessment, or an ecosystem assessment.

Process

We have created a flow chart to help you understand the issue and action plan management process. This flow chart can be viewed here.

Create issue

Issues can be linked to basically any element (an assessment, third-party, control, etc.) within the 3rdRisk platform. They can be used to document deviations and things that (could) impact your control environment. We distinguish between several types: observations, findings, recommendations, comments, occurrences, threats, and vulnerabilities.

Some typical examples:

Example 1: During an ecosystem assessment, you find out that a third party does not have a well-embedded security function and adequate technical controls in place. This might have implications for the overall cyber security risk level.

Example 2: A compliance framework is about to be replaced by a newer version. You want to be reminded to do a gap assessment on the current versus the new framework once the new framework is published.

Example 3: During a post-incident analysis, you discover that the root causes of the incidents might be related to each other. You can create a new issue or link an existing one to document this for future investigation.

If you want to document a potential issue with e.g. a control or a third party, you can create a new issue or add it to an existing one. Whether you create a new one or adjust an existing issue depends on the specific use case and your personal preference. For example, you can:

  • Create a new issue for each internal or ecosystem assessment that requires your follow-up;
  • Add an incident with a known root cause to an existing issue that deals with this specific root cause;
  • Add a third party to an existing issue that is concerned with the lack of multi-factor authentication controls.

Manage issue

Once you have created a new issue or edited an existing one, you need to manage it. An issue can be a trigger to initiate various activities, such as:

  • Creating, acting upon, and monitoring action plans;
  • Creating a new or re-assessing an existing risk;
  • Initiating a new internal control or ecosystem assessment;
  • Creating a new or adjusting another open issue.

Importantly, you need to create an issue first before you can create an action plan.

Monitor issue

To ensure you don't lose track of your open issues, you can set a re-evaluation date. At various times, depending on your own settings, you will be informed by the virtual officer that you need to re-evaluate an issue. The re-evaluation of an open issue can trigger one or more of the activities stated above. It can also result in adjusting the re-evaluation date or closing the issue.

Report issue

In the near future, it will be possible to analyze and report on open and closed issues.

Issue types

There are various issue types used in the 3rdRisk platform.

| Issue type | Explanation |
| --- | --- |
| Observation | Something you have noticed which might not require immediate follow-up |
| Finding | Information discovered as a result of an assessment that usually necessitates a follow-up |
| Recommendation | Suggestion or proposal as to the best course of action |
| Comment | A remark expressing an opinion or reaction which should be considered in the near future |
| Occurrence | The fact of something existing or being found in a place or under a particular set of conditions (e.g., unsafe behavior) |
| Threat | Any circumstance or event with the potential to cause harm |
| Vulnerability | Quality or state of being exposed to the possibility of being harmed |

Creating an issue

To create a new issue, navigate to Left side menu > Issues and select Create new issue.

You can also directly create a new issue when working in another module. For instance, when reviewing an internal control or ecosystem assessment, editing a framework section, or adding a control. Simply click on the Create Issue or Link existing Issue button.

Issue parameters

Upon clicking Create new issue, a new form appears. This form consists of 5 tabs: Issue, Action plans, Documents, Communication and Status log.

The Issue tab allows you to define the issue parameters.

You can define the following parameters:

| Parameter | Description |
| --- | --- |
| Title | <provide a brief title of the issue> |
| Description | <free rich text field to explain what the issue is about, you can also add visuals if you like> |
| Type | <select the issue type, see here for the different issue types> |
| Status | <active or closed> |
| Location in the organisation | <shows the organisational model and allows you to select to which entities, value chains or processes the issue is applicable> |
| Re-evaluation date | <you will be informed before and on this date by the virtual officer to re-assess the status of the issue> |
| Criticality | <select the criticality of the issue: low, medium, high and critical> |
| Owner | <select the owner of the issue> By using the toggle you can indicate whether or not the issue owner needs to be notified about the issue |

The first tab also includes a hidden section that you can open to link the relations of the issue with other elements in the platform, such as incidents and frameworks.

Upon opening this section, you will be able to define the relations. You will only see the relations that are applicable to you. For instance, if your risk register is empty, you cannot associate the issue with a risk. In this case, the risk field will not be visible to you. The same is true if you don't have a subscription to the Internal Control module. In that case, you cannot link a control.

Below you'll see an example:

| Relations | Explanation |
| --- | --- |
| Risks | <you can link one or more risks to an issue. Just start typing to find the risk you are looking for> |
| Incidents | <you can link one or more incidents to an issue. Just start typing to find the incident you are looking for> |
| Frameworks | <you can link one or more frameworks to an issue. Just start typing to find the framework that you are looking for> |
| Framework sections | <you can link one or more framework sections to an issue. Just start typing to find the framework that you are looking for> |
| Controls | <you can link one or more controls to an issue. Just start typing to find the control that you are looking for> |
| Third parties | <you can link one or more third parties to an issue. Just start typing to find the third party that you are looking for> |
| Contracts | <you can link one or more contracts to an issue. Just start typing to find the contract that you are looking for> |
| Processes | <you can link one or more value chains or processes to an issue. Just start typing to find the process that you are looking for> |
| Assets | <you can link one or more assets to an issue. Just start typing to find the asset that you are looking for> |

Action plans

In the Action plan tab, you have the option to create one or more action plans. These action plans are connected to the issue.

Go to the Action plan knowledge article to learn how to work with action plans.

You can add a new action plan by using the Add action plan button.

By clicking on the three dots [...], you will get the option to View/edit the action plan or Copy the link to the clipboard. The latter will give you a direct URL which you can share with your colleagues.

Documents

In the Documents tab, you can attach relevant documents that belong to the issue. To add a new document, you can use the Add document button.

Any document attached to an action plan linked to the issue will also be shown in this section.

Communication

The Communication tab gives you the ability to communicate with colleagues about the issue. All communications about an issue will be stored in the communications tab.

Based on the relations that you have defined on the Issue tab, it will give you an overview of the colleagues you most likely want to chat with. You can use the mouse-over to retrieve the role of the specific colleague shown in the overview.

Status log

The Status log tab gives you the ability to record updates related to the Issue. Any important information relating to the Issue can be documented here. You can add a note by using the Add note button.

Please note that the Status log is not designed for internal communications with colleagues. If you want to get an update from another colleague, we recommend using the Communication tab and reaching out to that colleague directly.

Searching an issue

To search for an issue, navigate to Left side menu > Issues and go to the data table. In the left corner of the data table, you will find a small section with a search box and filters.

You can use the search box or define the filters to retrieve the right issue. Click on the Filters button to open the filter section.

Define your filters by selecting the right items from the drop down menus.

If you like, you can save the filter by using the arrow down button next to the Filters button. Click on Save current filter to save the filter.

To clear the filters, you need to click on the red Clear filter button.

Editing an issue

To edit an existing issue, navigate to Left side menu > Issues and find the right issue by using the search box and/or filters. In the right corner of the data table, you will find the action menu. Click on the three dots [...] and select Edit issue.

You can also edit an existing issue when working elsewhere in the platform. Wherever you have the option to create a new issue, you can also edit an existing one. Click on the three dots [...] of an existing issue and choose Edit issue.

Monitoring an issue

The owner of the issue will be informed when an open issue needs to be re-evaluated. When you provide a re-evaluation date, the platform's virtual officer will inform the owner in time to perform a review of the issue and associated action plans. Open an issue and scroll down to Re-evaluation date. Provide the right date and press Save & close.

You can also monitor the status of the issues by using the widget on the dashboard.

Closing an issue

To close an open issue, open the issue and scroll down to Status. You need to switch the toggle from active to closed and press Save & close.