
Policy Management

Record your policies, procedures, standards, etc. and manage their reviews

  • Episodes: 8
  • Duration: 31m 55s
  • Languages: EN
Episode 8

Reviewing Policies

How to review items in the module

Introduction

Every time an item is created in the Policy module, eramba will automatically create two reviews for that document.

  • One will be automatically completed and will be used by eramba to track the starting point of that document version, content, etc.
  • The other will be incomplete, with a "Planned Date" set on the day you asked eramba to review the document in the future.

All changes to the document content, version and next review date are handled by working with reviews (as opposed to simply editing the policy item). For this reason it is very important that you understand how reviews work.

Review Tab

Your reviews will be stored in the Review tab, not in the Policy tab.

If you want to access all reviews for any given document you can always use the shortcut counter.

Reviewer Role

When eramba or you create review records, by default eramba assigns the Reviewer role of the review record to whoever was set on the parent policy as "Policy Reviewer Contact".

In the screenshot above we show a policy where the role is taken by the group "IT Teams". In the screenshot below, at the review records for this policy, we can see the "Reviewer" role is owned by that group as well.

Changing the role in the parent item will automatically update all incomplete reviews. You can define who inherits review records by going to settings / Reviewers.

Changes to this setting take effect immediately, updating all incomplete reviews, and all new review records will use it. Remember that you can create custom roles in the parent item (Approver, Supervisor, etc.) and include those custom roles as part of your reviews as well.

Review Attributes

A review record is composed of the following fields:

  • Planned Date: when the review is supposed to be completed
  • Actual Date: when the review was completed
  • Description: a brief description of this review; this field is filled in once the review is completed
  • Reviewer: the team meant to lead the completion of the review. By default this field inherits whoever you set on the policy in the "Reviewer Contact" role
  • Next Review Date: every time you create a review you need to record when the next review will take place
  • Version: the version of the document
  • Content Type: where the document is stored; this can be in eramba (Content Editor), a URL or attachments

A completed review will have all of those fields filled in. An incomplete review will have all fields empty except "Planned Date" and "Reviewers".

Comments & Attachments

Each review record holds a review and its attributes (version, when it was done, by whom, etc.) - you will also need to record the interactions that took place to get all that done (approvals, discussions about the content, etc.).

For these types of interactions we use Comments & Attachments. In theory, every review should have some discussion recorded that explains the interactions between both parties (the GRC team and whoever the review is being done with).

When you or the person providing feedback clicks on Comments & Attachments, you can write whatever you want, for example, "We are reviewing the document, we will let you know". You can then reply in the same place. In the end, a trail of conversation is logged where who wrote what, and when, is evident.

It is of course important to remember that access to those menus is completely controlled by Access Lists, so you can, for example, remove the "Remove" function for those who provide you with feedback, keeping the recorded trail intact.

Review Status

eramba ships with pre-defined statuses that distinguish between the current review and past (completed) or future (planned) reviews. These statuses are defined in the "Status" menu and can of course be renamed to whatever works best for you.

  • Planned: an incomplete review with a planned date in the future
  • Completed: a completed review record
  • Current: the last completed review record (based on the actual date)

Review Scenarios

When a Policy is created for the first time (using the web interface or CSV templates), two "review" records are created automatically and stored on the "Reviews" tab.

From this point onwards, the following typical scenarios might arise:

  • A non-planned (Ad-Hoc) review must take place to correct any of the current review attributes mentioned before:
    • The content must be corrected
    • The version must be corrected
    • The reviewer must be corrected
  • The planned review is due or is about to be due and you would like to complete the review record
  • An existing, incomplete review with a Planned Date in the future needs to be corrected because the review date or the "Reviewer" is wrong
  • You would like to delete a review record
  • You don't want to track reviews in eramba

For each of these situations, you can handle reviews with the process explained in the coming sections of this episode.

Ad-Hoc Review

If you need to create an Ad-hoc review, go to the Review tab and click on Actions and then Add.

On the "Policy" tab you tell eramba which existing document in the Policy module requires a new review.

On the "Current" tab you describe the review you are creating now, for example, version 1.1.

  • The "Planned Date" and "Actual Date" are set to today by default by eramba
  • You can adjust the "Reviewers" to whoever you are doing the review with
  • You provide a "Description" of what the review is all about
  • Then you can set the "Version" (for example, 1.2) and the Content of the document

Planned Review

If you want to complete a planned review because it is just about to be due or is already past due, then you simply need to edit the review record and complete the fields as requested:

You must complete all fields on the "Current Review" tab; these fields reflect the review you are working on (version, content, etc.).


The "Next Review" tab is used to tell eramba when the next review must be completed and by whom.

Once you save this review record you will have completed the Review and added a new, incomplete, review for that date in the future.
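To make the lifecycle from the "Review Status" and "Planned Review" sections concrete, here is an added illustration (not eramba's own code, and not its API): a minimal model of review records that derives the Planned / Completed / Current statuses from the Planned Date and Actual Date fields, flags incomplete reviews whose planned date has passed, and shows how completing a planned review spawns the next incomplete one. Field names, the "IT Teams" reviewer and all dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Added illustration, not eramba's own code: a minimal model of the review records.
@dataclass
class Review:
    planned_date: date
    reviewer: str
    actual_date: Optional[date] = None   # stays empty until the review is completed
    description: str = ""
    version: str = ""
    next_review_date: Optional[date] = None

def status(reviews):
    """Planned = incomplete, Completed = has an Actual Date,
    Current = the completed review with the latest Actual Date."""
    done = [r for r in reviews if r.actual_date is not None]
    current = max(done, key=lambda r: r.actual_date, default=None)
    return ["Current" if r is current else "Completed" if r.actual_date else "Planned"
            for r in reviews]

def overdue(reviews, today):
    """Incomplete reviews whose Planned Date has already passed."""
    return [r for r in reviews if r.actual_date is None and r.planned_date < today]

def new_policy_reviews(created, reviewer, version, next_date):
    """The two records created with a policy: one completed (the starting
    point of the document) and one incomplete, planned for next_date."""
    return [Review(created, reviewer, created, "Initial version", version, next_date),
            Review(next_date, reviewer)]

def complete_review(reviews, idx, today, description, version, next_date, next_reviewer):
    """Fill the 'Current Review' fields of reviews[idx] and add the next
    incomplete review ('Next Review' tab) holding only its date and reviewer."""
    r = reviews[idx]
    if r.actual_date is not None:
        raise ValueError("review already completed")
    r.actual_date, r.description, r.version, r.next_review_date = today, description, version, next_date
    reviews.append(Review(next_date, next_reviewer))

def run_demo():
    """Constructed sample: policy created 2023-01-10 with a yearly review;
    the planned review is completed on 2024-01-15, five days late."""
    reviews = new_policy_reviews(date(2023, 1, 10), "IT Teams", "1.0", date(2024, 1, 10))
    before, today = status(reviews), date(2024, 1, 15)
    late = len(overdue(reviews, today))
    complete_review(reviews, 1, today, "Annual review, no changes", "1.1",
                    date(2025, 1, 10), "IT Teams")
    return {"before": before, "overdue": late, "after": status(reviews),
            "current_version": reviews[1].version}
```

Running `run_demo()` shows the status of the first record moving from Current to Completed once the planned review is completed, and a new Planned record appearing for the next review date.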

Updating Planned Reviews

If a planned review date or the assigned reviewer is not right, then you simply follow the same steps as when a normal planned review is completed (previous section). Just keep the versions unchanged and, in the description field, mention that the date is wrong and needs to be updated.

On the "Next Review" tab you will be able to provide a new future review date and reviewer.

Deleting Reviews

In some cases you might need to delete reviews; for example, we have an incomplete review in there that could be deleted as we already have newer reviews defined. Simply use the item menu for that review and delete it.

Avoid Doing Reviews

If you don't want to do reviews in eramba, simply delete them. You can use the bulk delete function for this.

Review Process

As mentioned before, the review process is typically an interaction between two roles, the "GRC Contact" and the "Policy Review Contact". For example, the "Encryption Standards" document would be reviewed between the GRC team and the IT team.

There are two ways in which the review process can be executed, Offline and Online:

Offline

This is the recommended method for organisations that are not used to eramba or have not been doing reviews in an automated way. The review process is:

  • eramba may or may not send notifications to both roles letting them know about the upcoming review
  • The "GRC Contact" discusses the review with the "Policy Review Contact" over email, in person, etc.
  • The "GRC Contact" completes the review record in eramba
  • The "GRC Contact" records the evidence as Comments & Attachments on the review

Online

This is the recommended method for organisations that are used to eramba or have been doing reviews in an automated way. The review process is:

  • eramba must send notifications to both roles before or after the review's planned date
  • The email notification includes a link that the "Policy Review Contact" must click to log into eramba
  • eramba shows the review record; the "Policy Review Contact" clicks on Comments & Attachments and provides feedback
  • eramba triggers a notification to both roles that a new comment has been created
  • Both repeat these interactions until the review is agreed upon
  • The "GRC Contact" edits the review and completes it. All evidence of the review is already on the review record as Comments & Attachments.