Impact assessments for the regulatory event alerts

  • Release version: Washingtondc
  • Updated August 1, 2024

    A regulatory event alert may result in a regulatory change to an organization. You can evaluate the impact of the regulatory change on your business entities by performing an impact assessment.

    Types of impact assessments

    The impact assessment process is used as a reporting tool for evaluating the impact of a proposed regulatory change. For a given regulatory event alert, the assigned user sends an impact assessment to a subject matter expert in a certain regulatory area. The expert then performs an impact assessment on the regulatory event alert. Impact assessments are of the following types:
    • Classic risk assessment: This assessment enables you to select the entities that you want to assess. Refer to Respond to a regulatory alert risk assessment to understand how to respond to a risk assessment.
    • Regulatory assessment: This assessment utilizes the Smart Assessment Engine to perform smart assessments on regulatory alerts. Refer to
    Note:
    For more information on how to initiate either of these assessments, refer to Assess the impact of a regulatory alert.

    Workflow of a regulatory alert assessment

    If the regulatory event alert has an impact, the impact radius is calculated to find the associated control objectives that are related to the regulatory event. Based on the calculation, the application displays suggestions for which GRC objects will be impacted by the regulatory event.

    When the impact assessment task is sent for approval, the impact assessment has the following typical sequence of events:

    1. Assignment: The manager with the sn_grc_reg_change.manager role assigns a regulatory event alert to a user who has the sn_grc_reg_change.user role. The user views the assigned alert that is listed under the New Alerts module in the application.
    2. Initiation of assessment: An event or a regulatory change that is described in the alert can cause an impact on the organization. The user can initiate an impact assessment to understand the impact of the change on the entities that are owned by different stakeholders. The user can mark the alert as applicable without initiating an impact assessment.
    3. Assigning the assessment: The assessment task is automatically assigned to the owner of the entity, such as the owner of the business entity on which the assessment task is created. The alert is moved to the Impact Assessment state.
      Note:
      The entity owners who have the GRC Business User role can perform the impact assessment. For more information on the GRC Business User role, see Common roles in Governance, Risk, and Compliance.
    4. Assessment creation: The entity owners gather details on the regulatory event, the proposed regulatory changes, and the severity of the impact. A regulatory event can impact one or more business entities. An assessment is created for each entity owner.
    5. Submitting the assessment: The entity owners assess the impact of the regulatory change and submit an impact assessment.
    6. Decision making: Based on the assessment received from the entity owners, the manager or user decides the overall impact rating. The manager then marks the alert as applicable or not applicable.
    7. Awaiting Approval: The impact assessment task is assigned for approval.

    Only entity owners can update the impact assessment task. The user can view the impact assessment task and its details only in read mode.

    If an alert record has been sent for an impact assessment and you're waiting for a response, then the alert is in the Impact Assessment state.
    Note:
    The Impact assessment action applies only to regulatory event alerts.