Issues

    Risk findings, compliance gaps, and their lifecycle

    What are Issues?

    Issues represent risk findings and compliance gaps that need to be tracked and remediated. They are the primary input to the risk report — each open issue contributes to your organisation's total risk exposure.

    Two Sources

    Issues can originate in two ways:

    • Auto-created from failed control tests — when a control test fails, an issue is automatically created with medium severity, linked to the control and the specific test.
    • Manually raised (ad-hoc) — users can create issues directly for findings that are not tied to a specific control test, such as audit observations or risk assessments.

    Key Information

    Each issue captures the following details:

    • Issue number — an auto-generated sequential identifier (ISS-0001, ISS-0002, and so on).
    • Title — a short summary of the finding.
    • Description — a detailed explanation of the issue.
    • Status — the current workflow state (see below).
    • Severity level — critical, high, medium, or low.
    • Reporter — the user who raised the issue.
    • Assignee — the user responsible for remediation.
    • Owning entity — the entity this issue belongs to.
    • Related control — link to the control (if auto-created from a test failure).
    • Related test — link to the specific test that triggered the issue.
    • Acceptance deadline — the date by which an accepted risk must be re-evaluated or remediated (required when moving an issue to Accepted).

    Status Workflow

    When an issue is identified, it starts as Open and awaits action. The team then begins analysing the issue to determine the best remediation approach, moving it to Investigating. Once a fix is being implemented, the status changes to Remediation. After the issue has been remediated, it is marked as Resolved and a resolution timestamp is recorded. Finally, the issue is formally Closed after verification.

    Risk Acceptance

    Not every issue can or should be fixed immediately. When the organisation decides to accept a risk, the issue can be moved to Accepted. This requires setting an acceptance deadline — a date by which the risk must be re-evaluated or remediated.

    Accepted issues still contribute to your risk exposure in the risk report. They are not ignored — they are explicitly acknowledged risks with a deadline.
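    The lifecycle described in the three sections above (auto-creation from a failed test with medium severity and a system comment, sequential ISS-nnnn numbering, the Open → Investigating → Remediation → Resolved → Closed path, and the rule that moving to Accepted requires a deadline) can be expressed as a small state machine. The following is an added example written for this page, not the product's own code: the class names, the exact set of permitted transitions (including which states may move to Accepted and where an Accepted issue goes when its deadline comes up) and the comment tuple shape are assumptions, since the page only describes the happy path.

```python
"""Added example: issue lifecycle as a validated state machine.
Not the product's own code; names and transition sets are assumptions."""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Optional

SEVERITIES = ("critical", "high", "medium", "low")

# Permitted transitions. The linear path is from the page; allowing any
# active state to move to Accepted, and Accepted to re-enter the workflow
# when the deadline is re-evaluated, is an assumption.
TRANSITIONS = {
    "Open": {"Investigating", "Accepted"},
    "Investigating": {"Remediation", "Accepted"},
    "Remediation": {"Resolved", "Accepted"},
    "Resolved": {"Closed"},
    "Accepted": {"Investigating", "Remediation", "Resolved"},
    "Closed": set(),
}


@dataclass
class Issue:
    number: str
    title: str
    severity: str
    reporter: str
    status: str = "Open"
    description: str = ""
    assignee: Optional[str] = None
    owning_entity: Optional[str] = None
    related_control: Optional[str] = None
    related_test: Optional[str] = None
    acceptance_deadline: Optional[date] = None
    resolved_at: Optional[datetime] = None
    comments: list = field(default_factory=list)  # (author, text) tuples, assumed shape


class IssueRegistry:
    """Hands out sequential ISS-nnnn numbers and creates issues from both sources."""

    def __init__(self):
        self._seq = 0
        self.issues = {}

    def _next_number(self) -> str:
        self._seq += 1
        return f"ISS-{self._seq:04d}"

    def raise_issue(self, title, severity, reporter, **fields) -> Issue:
        """Manual (ad-hoc) issue, e.g. an audit observation."""
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        issue = Issue(self._next_number(), title, severity, reporter, **fields)
        self.issues[issue.number] = issue
        return issue

    def from_failed_test(self, control_id, test_id, reporter="system") -> Issue:
        """Auto-created issue: medium severity, linked to control and test,
        with a system-generated initial comment."""
        issue = self.raise_issue(
            title=f"Control test {test_id} failed",
            severity="medium",
            reporter=reporter,
            related_control=control_id,
            related_test=test_id,
        )
        issue.comments.append(("system", f"Auto-created from failed control test {test_id}"))
        return issue


def transition(issue: Issue, new_status: str, *, deadline: Optional[str] = None,
               now: Optional[datetime] = None) -> Issue:
    """Move an issue to new_status, enforcing the workflow rules.
    deadline is an ISO date string (YYYY-MM-DD) and is mandatory for Accepted."""
    if new_status not in TRANSITIONS[issue.status]:
        raise ValueError(f"cannot move {issue.number} from {issue.status} to {new_status}")
    if new_status == "Accepted":
        if deadline is None:
            raise ValueError("acceptance deadline is required when accepting a risk")
        issue.acceptance_deadline = date.fromisoformat(deadline)
    if new_status == "Resolved":
        issue.resolved_at = now or datetime.now(timezone.utc)
    issue.status = new_status
    return issue
```

The transition table is the part worth reviewing in a real implementation: it is what stops an issue from being Closed without ever having been Resolved, and what forces the deadline to be captured at the moment of acceptance rather than back-filled later.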

    Business Impact Analysis

    Each issue detail page includes a Business Impact panel that automatically resolves the impacted business processes, steps, and applications by traversing the issue’s linked control → configuration items → business processes.

    The impact panel shows:

    • Impacted business processes — the union of the business processes (BPs) linked directly to the control and those reached through the control’s configuration items (CIs).
    • Impacted process steps — the specific steps reached through the same CI links.
    • Impacted applications — each shown with its criticality badge.
    • Financial exposure — visible to users with the RiskValueInsight:read permission.

    Comments

    Each issue has a comment timeline, similar to tickets. Comments can be user-generated or system-generated (e.g. the initial comment noting that the issue was auto-created from a failed control test).

    Risk Report Integration

    Issues that are Open, Investigating, in Remediation, or Accepted are included in the risk report; Resolved and Closed issues are not. The issue's severity level and the financial value of the highest-value business process linked to its control determine how much it contributes to your total risk exposure.
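    The Business Impact traversal (issue → control → configuration items → business processes, steps and applications) and the risk report rule above share the same graph walk, so one added example covers both. This is illustration code written for this page, not the product's implementation. The record shapes, the sample graph, and the permission check on financial exposure follow the page's description, but the severity weights and the rule that an issue with no related control contributes zero are assumptions, because the page says only that severity and the highest-value linked process "determine" the contribution without giving the formula.

```python
"""Added example: business-impact traversal and risk-report contribution.
Not the product's own code; data shapes, weights and the no-control rule are assumptions."""

# Constructed sample graph (assumed shapes): a control links to CIs and
# directly to business processes; each CI links to processes, steps and apps.
CONTROLS = {
    "CTL-7": {"cis": ["CI-db", "CI-web"], "business_processes": ["BP-billing"]},
}
CIS = {
    "CI-db": {"business_processes": ["BP-payroll"],
              "process_steps": ["BP-payroll/run-payroll"],
              "applications": ["APP-hr"]},
    "CI-web": {"business_processes": ["BP-billing"],
               "process_steps": ["BP-billing/issue-invoice"],
               "applications": ["APP-portal"]},
}
BUSINESS_PROCESSES = {"BP-billing": 500_000, "BP-payroll": 250_000}  # financial value
APPLICATIONS = {"APP-hr": "high", "APP-portal": "critical"}            # criticality badge

# Assumed severity weights; the page does not publish the real ones.
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.5, "medium": 0.25, "low": 0.1}
# Statuses that count toward risk exposure (from the page).
REPORTED_STATUSES = {"Open", "Investigating", "Remediation", "Accepted"}
FINANCIAL_PERMISSION = "RiskValueInsight:read"


def business_impact(issue: dict, permissions=frozenset()) -> dict:
    """Resolve impacted processes, steps and applications for an issue by
    walking its related control -> CIs -> business processes."""
    control = CONTROLS.get(issue.get("related_control"))
    if control is None:  # manually raised issue with no control link
        return {"processes": [], "steps": [], "applications": {}, "financial_exposure": None}

    processes = set(control["business_processes"])  # direct BP associations
    steps, applications = set(), {}
    for ci_id in control["cis"]:
        ci = CIS[ci_id]
        processes.update(ci["business_processes"])
        steps.update(ci["process_steps"])
        for app in ci["applications"]:
            applications[app] = APPLICATIONS[app]

    exposure = max(BUSINESS_PROCESSES[bp] for bp in processes) if processes else 0
    return {
        "processes": sorted(processes),
        "steps": sorted(steps),
        "applications": applications,
        # Financial exposure is only shown to users holding the permission.
        "financial_exposure": exposure if FINANCIAL_PERMISSION in permissions else None,
    }


def risk_contribution(issue: dict) -> float:
    """Severity weight times the highest-value business process linked to the
    issue's control (assumed formula; no control -> 0)."""
    control = CONTROLS.get(issue.get("related_control"))
    if control is None:
        return 0.0
    processes = set(control["business_processes"])
    for ci_id in control["cis"]:
        processes.update(CIS[ci_id]["business_processes"])
    highest = max(BUSINESS_PROCESSES[bp] for bp in processes) if processes else 0
    return SEVERITY_WEIGHT[issue["severity"]] * highest


def risk_report(issues: list) -> dict:
    """Total exposure over issues whose status is reported; Resolved and
    Closed issues are skipped."""
    contributions = {
        i["number"]: risk_contribution(i)
        for i in issues if i["status"] in REPORTED_STATUSES
    }
    return {"total": sum(contributions.values()), "contributions": contributions}
```

Two checks fall out of this structure: an Accepted issue is still summed (it appears in REPORTED_STATUSES), and a caller without RiskValueInsight:read gets the impacted processes but a None financial figure rather than a zero, so the absence of data is not mistaken for the absence of risk.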