Skip to main content
Version: 1.0.0

End-to-End Use-Case Playbooks

These playbooks are written for customer administrators who run governance, risk, compliance, audit, policy, vendor, and reporting activities in a SaaS administration workspace. They focus on business operation, ownership, decisions, evidence, and closure.

Use them when you need to complete a full work cycle rather than configure a single page.

1. Run a Compliance Assessment from Start to Closure

Purpose

Use this playbook to plan, launch, monitor, review, and close a compliance assessment. The goal is to produce a reliable compliance position with clear evidence, accountable owners, reviewed exceptions, and agreed remediation for gaps.

Prerequisites

  • The assessment scope is approved, including business unit, process, location, product, or service.
  • The relevant framework, standard, or internal control set is selected.
  • Assessment owners, control owners, reviewers, and approvers are confirmed.
  • Due dates, review expectations, scoring rules, and evidence expectations are understood.
  • Any prior assessment results, open issues, risks, audit findings, and accepted exceptions are available for reference.

Steps

  1. Create the assessment with a clear title, scope, owner, assessment period, due date, and reviewer.
  2. Select the control set or requirement group that applies to the assessment scope.
  3. Assign each control or requirement to the correct owner. Avoid assigning all items to one person unless that person truly owns the responses.
  4. Confirm the response options that will be used, such as compliant, partially compliant, non-compliant, not applicable, or not assessed.
  5. Add instructions for evidence quality, including what type of document, approval, record, or explanation is expected.
  6. Launch the assessment and notify owners of due dates and expectations.
  7. Monitor completion progress by owner, requirement group, and due date.
  8. Review submitted responses for completeness, consistency, and evidence quality.
  9. Return weak responses for clarification when evidence does not support the answer.
  10. Mark items as reviewed only when the response, explanation, and evidence are sufficient.
  11. For each non-compliant or partially compliant item, decide whether it should become a risk, issue, audit finding, policy exception, or accepted gap.
  12. Confirm remediation owners and target dates for gaps that require action.
  13. Review the overall compliance score, major gaps, overdue responses, and unsupported responses.
  14. Obtain approval from the accountable reviewer or governance owner.
  15. Close the assessment only after required responses, reviews, decisions, and follow-up records are complete.

Decisions

  • Is the assessment scope narrow enough to produce meaningful results?
  • Is each response supported by evidence or a clear explanation?
  • Should a gap be remediated, accepted, escalated, or reclassified?
  • Are any responses marked not applicable without a defensible reason?
  • Can the assessment be closed with open remediation, or must remediation be completed first?

Outputs

  • Completed assessment with reviewed responses.
  • Compliance score or compliance position by scope.
  • Evidence attached or referenced for key requirements.
  • List of non-compliant, partially compliant, and not applicable items.
  • Follow-up risks, issues, audit findings, exceptions, or actions.
  • Closure approval and assessment history.

Follow-Up

  • Track remediation progress until target dates are met.
  • Review accepted gaps on their next review date.
  • Compare results with previous assessments to identify trend changes.
  • Use results in management reporting and audit preparation.
  • Schedule the next assessment cycle before the current evidence becomes stale.

Common Mistakes

  • Starting before owners and scope are confirmed.
  • Accepting yes/no answers without evidence.
  • Treating not applicable as a shortcut for difficult requirements.
  • Closing the assessment while major decisions are still unresolved.
  • Creating duplicate follow-up records for the same gap.
  • Reporting a compliance score without explaining unsupported or excluded items.

2. Convert Non-Compliance into a Risk, Issue, or Audit Finding

Purpose

Use this playbook when an assessment, review, incident, or audit identifies non-compliance and the administrator must decide the correct follow-up record. The goal is to preserve the compliance context while assigning the right owner, severity, due date, and governance path.

Prerequisites

  • The non-compliant requirement is clearly documented.
  • Evidence or explanation shows why the requirement was not met.
  • The affected process, department, vendor, asset, policy, or control is known.
  • The business impact and urgency are understood.
  • The responsible owner can be identified.

Steps

  1. Read the non-compliant item and confirm the requirement that was missed.
  2. Review the evidence, reviewer comments, and any previous related records.
  3. Determine whether the situation represents uncertainty, a known corrective task, or an assurance observation.
  4. Choose risk when the main concern is potential future impact or exposure.
  5. Choose issue when the organization already knows what is wrong and needs corrective action.
  6. Choose audit finding when the observation belongs to a formal audit or assurance review.
  7. Write a neutral title that describes the gap without blame.
  8. Add the source assessment, requirement, evidence, owner, affected area, severity, and target date.
  9. Define the expected treatment or remediation outcome.
  10. Assign an accountable owner and any supporting contributors.
  11. Submit the record for review if approval is required.
  12. Update the original non-compliant item with the follow-up decision and reference.
  13. Monitor the follow-up record until it is accepted, remediated, or closed.

Decisions

  • Is the gap best managed as future exposure, current non-conformance, or formal audit observation?
  • Is the impact high enough to require escalation?
  • Does the gap need one record or several related records?
  • Should remediation be required, or can the gap be accepted with justification?
  • Who has authority to approve acceptance or closure?

Outputs

  • One correctly classified follow-up record.
  • Clear link between the original non-compliance and follow-up action.
  • Owner, severity, due date, and expected outcome.
  • Supporting evidence and reviewer comments.
  • Updated assessment or review record showing the decision taken.

Follow-Up

  • Review progress before the due date.
  • Escalate overdue or critical items.
  • Confirm evidence before closure.
  • Update the assessment result if remediation changes the compliance status.
  • Include significant items in management reports.

Audit Finding to Targeted Reassessment

Use this flow when the gap is identified during a formal audit and the finding is linked to a specific failed assessment control.

  1. Auditor creates the audit and links it to the source assessment.
  2. Auditor creates a finding and links it to the exact failed assessment control.
  3. If the finding is material, link it to an issue or risk before closure can proceed.
  4. Remediation owner completes corrective work and uploads evidence.
  5. Owner uses the close action; the finding is submitted for verification rather than directly closed.
  6. Auditor verifies the remediation evidence.
  7. The linked assessment control is automatically flagged for reassessment, reset to Not Assessed, and given a targeted reassessment due date.
  8. If the parent assessment was Completed or Closed, it is reopened to In Progress for the targeted reassessment.
  9. Control owner reassesses only the affected control and uploads updated evidence.
  10. Saving the reassessment clears the reassessment flag.
  11. Risk, treatment, or issue records are updated or closed only after the corrected control state supports the decision.

This avoids unnecessary full reassessments while preserving audit, compliance, and risk traceability.

Common Mistakes

  • Creating a risk when the matter is only a task with a known fix.
  • Creating an issue without recording the compliance requirement that was missed.
  • Creating multiple records for the same gap without clear purpose.
  • Closing the source assessment without recording the follow-up decision.
  • Accepting a gap without an owner, expiry date, or review date.

3. Manage a Critical Risk until Acceptance or Closure

Purpose

Use this playbook to manage a critical risk from identification through analysis, treatment, monitoring, executive decision, acceptance, or closure. The goal is to keep accountability clear and ensure that severe exposure is not left unmanaged.

Prerequisites

  • The risk event, cause, and consequence are clearly described.
  • The risk owner and affected business area are identified.
  • Initial likelihood, impact, and criticality are assessed.
  • Relevant controls, incidents, compliance gaps, vendor exposure, or audit findings are known.
  • Escalation and acceptance authority are understood.

Steps

  1. Create or review the risk record with a precise title and description.
  2. Document cause, potential consequence, affected area, and current controls.
  3. Rate inherent likelihood and impact before considering existing controls.
  4. Record existing controls and assess whether they are effective.
  5. Rate residual likelihood and impact after considering current controls.
  6. Confirm why the risk is critical and whether immediate escalation is required.
  7. Select a treatment approach: reduce, avoid, transfer, share, accept, or monitor.
  8. For reduction, create treatment actions with owners, due dates, milestones, and success criteria.
  9. For acceptance, document business justification, acceptance period, compensating controls, review date, and approver.
  10. Schedule regular reviews based on severity, not convenience.
  11. Update status, progress notes, evidence, and treatment completion.
  12. Re-score the risk after treatment evidence is reviewed.
  13. Decide whether the residual level is acceptable, needs further treatment, or should remain open.
  14. Close the risk only when it is no longer relevant, has been fully treated, or has formal acceptance in place.

Decisions

  • Is the risk truly critical, or is the score inflated by weak information?
  • Is immediate escalation needed because of legal, financial, operational, safety, or reputation exposure?
  • Is treatment realistic within the agreed timeframe?
  • Does acceptance have a valid business reason and authorized approver?
  • Should the risk remain open after treatment because residual exposure remains high?

Outputs

  • Complete critical risk record with scoring rationale.
  • Treatment plan or acceptance decision.
  • Assigned actions, due dates, and owners.
  • Review history and decision trail.
  • Evidence supporting treatment completion or acceptance.
  • Updated residual rating and final status.

Follow-Up

  • Review critical risks at the agreed frequency.
  • Escalate missed treatment dates immediately.
  • Reassess the risk when business conditions change.
  • Renew or close acceptance before it expires.
  • Include critical risks in management reporting until closed or reduced.
  • If the risk is linked to an audit finding, wait for auditor verification and targeted assessment-control reassessment before reducing residual score or closing.

Common Mistakes

  • Recording a critical score without explaining the rationale.
  • Accepting risk informally through comments instead of an approved decision.
  • Treating acceptance as permanent.
  • Closing a risk because actions were completed without re-scoring residual exposure.
  • Closing a risk linked to an audit finding before the affected control has been reassessed with updated evidence.
  • Leaving critical risks without review dates or senior visibility.

4. Publish a Policy and Track Acknowledgements

Purpose

Use this playbook to prepare, approve, publish, communicate, and monitor a policy that requires employee or stakeholder acknowledgement. The goal is to ensure the right audience receives the current approved version and that acknowledgement progress is visible.

Prerequisites

  • The policy owner, approver, and review cycle are defined.
  • The policy content is final and aligned with related procedures or standards.
  • The target audience is identified by department, role, location, or group.
  • The effective date, review date, and acknowledgement due date are agreed.
  • Any related training, exceptions, or supporting documents are ready.

Steps

  1. Create or update the policy record with title, owner, category, version, and summary.
  2. Attach or enter the approved policy content.
  3. Set effective date, review date, and acknowledgement requirement.
  4. Define the target audience carefully. Include only people who are expected to read and acknowledge the policy.
  5. Submit the policy for review and approval.
  6. Address reviewer comments and obtain final approval.
  7. Publish the policy on the effective date or agreed release date.
  8. Notify the target audience with clear acknowledgement instructions and due date.
  9. Monitor acknowledgement completion by audience group and individual status.
  10. Send reminders before the due date.
  11. Escalate overdue acknowledgements to the appropriate managers or policy owner.
  12. Record exceptions when someone should be excluded from the audience.
  13. Close the acknowledgement cycle after completion targets and escalations are resolved.

Decisions

  • Is this a new policy, a major revision, or a minor update?
  • Does the audience need acknowledgement, awareness only, or formal training?
  • Should the prior version remain available for reference?
  • What completion threshold is acceptable before reporting closure?
  • How will late acknowledgements be escalated?

Outputs

  • Published policy with approved version and effective date.
  • Defined target audience.
  • Acknowledgement status by user, group, and due date.
  • Reminder and escalation history.
  • Exceptions or exclusions with justification.
  • Completion summary for management or audit review.

Follow-Up

  • Review acknowledgement completion after the due date.
  • Follow up with managers for repeated non-response.
  • Refresh acknowledgements after major policy revisions.
  • Review the policy before the next review date.
  • Use acknowledgement results in compliance and audit evidence packs.

Common Mistakes

  • Publishing without final approval.
  • Targeting too broad an audience and creating avoidable overdue items.
  • Changing the policy after publication without version control.
  • Reporting completion without accounting for exclusions.
  • Treating acknowledgement as proof of understanding when training is also needed.

5. Onboard a Vendor and Assess Third-Party Risk

Purpose

Use this playbook to onboard a vendor, assess third-party risk, document approvals, and set the vendor up for ongoing monitoring. The goal is to understand service dependency, data exposure, compliance obligations, and residual risk before or during the relationship.

Prerequisites

  • The business owner and vendor relationship owner are identified.
  • The vendor service description and business purpose are known.
  • Criticality, data sensitivity, access level, and dependency are understood.
  • Required due diligence questions and evidence expectations are ready.
  • Contract, renewal, review, and approval expectations are known where applicable.

Steps

  1. Create the vendor record with legal name, service description, owner, department, status, and contact details.
  2. Classify vendor criticality based on business dependency, data exposure, service importance, and replacement difficulty.
  3. Identify the type of information, process, asset, or service the vendor supports.
  4. Select the appropriate due diligence questionnaire or assessment.
  5. Assign the assessment to the vendor owner or responsible internal reviewer.
  6. Request required evidence such as certifications, policies, assurance reports, insurance details, continuity information, or security attestations.
  7. Review responses for completeness and consistency.
  8. Record risks, gaps, or missing evidence as follow-up items.
  9. Rate the vendor risk level before and after planned controls or commitments.
  10. Decide whether to approve, approve with conditions, reject, pause, or escalate the relationship.
  11. Record approval decision, conditions, owner, and next review date.
  12. Add monitoring tasks for renewals, reassessments, expiring evidence, or open issues.
  13. Keep vendor status current as the relationship moves from onboarding to active, suspended, terminated, or archived.

Decisions

  • Is the vendor critical to operations?
  • Does the vendor handle sensitive information or support regulated activity?
  • Is missing evidence acceptable for temporary approval?
  • Are conditions required before the vendor can be fully approved?
  • How often should the vendor be reassessed?

Outputs

  • Complete vendor profile.
  • Criticality and risk rating.
  • Completed due diligence assessment.
  • Evidence and review comments.
  • Approval decision with conditions if applicable.
  • Open risks, issues, or actions.
  • Next review, renewal, and monitoring dates.

Follow-Up

  • Reassess high and critical vendors on schedule.
  • Track evidence expiry and renewal dates.
  • Monitor open vendor issues until closure.
  • Update risk rating when service scope or data exposure changes.
  • Review terminated vendors to ensure no active obligations remain.

Common Mistakes

  • Treating all vendors as the same risk level.
  • Approving a vendor without naming an accountable internal owner.
  • Accepting incomplete due diligence without conditions.
  • Forgetting to reassess vendors after scope changes.
  • Leaving terminated vendors marked as active.

6. Prepare an Audit Evidence Pack

Purpose

Use this playbook to prepare a complete evidence pack for internal audit, external audit, regulator review, management assurance, or control testing. The goal is to provide organized, current, and reviewable evidence that supports the audit scope.

Prerequisites

  • Audit scope, period, request list, and due date are confirmed.
  • Required controls, policies, risks, assessments, issues, vendors, and reports are identified.
  • Evidence owners are assigned.
  • Evidence quality expectations are understood.
  • Sensitive or restricted evidence handling rules are confirmed.

Steps

  1. Review the audit request and break it into evidence categories.
  2. Create an evidence checklist with owner, due date, status, and reviewer.
  3. Collect current policies, control descriptions, approvals, assessment results, risk records, issue closure evidence, vendor reviews, and relevant reports.
  4. Confirm each item matches the audit period and scope.
  5. Remove duplicates and outdated versions unless they are needed to show history.
  6. Add explanations for evidence that may not be self-explanatory.
  7. Confirm that sensitive information is appropriate for the intended reviewer.
  8. Review evidence completeness against the checklist.
  9. Return weak or missing items to owners with clear requests.
  10. Organize the final pack by audit request number, control, process, or theme.
  11. Record reviewer sign-off before sharing the pack.
  12. Track additional audit requests, clarifications, and resubmissions.
  13. Preserve the final pack and decision history for future reference.

Decisions

  • Does each evidence item prove the control or activity for the requested period?
  • Is the evidence final, approved, and current?
  • Should sensitive information be summarized, redacted, or restricted?
  • Is an explanation needed to help the auditor interpret the evidence?
  • Are open gaps disclosed with related remediation plans?

Outputs

  • Evidence checklist with completion status.
  • Organized evidence pack.
  • Owner responses and reviewer sign-off.
  • List of missing, excluded, or delayed evidence.
  • Clarification log and final submission record.

Follow-Up

  • Track audit questions and additional requests.
  • Convert audit observations into findings, issues, or risks where needed.
  • Reuse accepted evidence for future assessments when still valid.
  • Update weak controls or missing records after audit closure.
  • Retain the final evidence pack according to internal retention rules.

Common Mistakes

  • Providing evidence that is outside the audit period.
  • Sending drafts or unapproved documents as final evidence.
  • Providing too much unrelated material.
  • Failing to explain exceptions or missing evidence.
  • Losing track of revised evidence after auditor questions.

7. Build a Management Report Pack

Purpose

Use this playbook to prepare a management report pack that summarizes governance, risk, compliance, audit, policy, vendor, and remediation status for leadership review. The goal is to provide clear decisions, trends, exceptions, and required actions.

Prerequisites

  • Reporting audience, meeting date, period, and decision needs are known.
  • Required modules, metrics, and report owners are agreed.
  • Data owners have reviewed their records for completeness.
  • Critical risks, overdue items, major non-compliance, audit findings, vendor exposure, and policy acknowledgement status are current.
  • Prior meeting actions are available for comparison.

Steps

  1. Define the report purpose: awareness, decision, escalation, approval, or performance review.
  2. Confirm the reporting period and cut-off date.
  3. Gather key metrics for compliance, risks, issues, audits, vendors, policies, incidents if relevant, and open actions.
  4. Validate owners, due dates, statuses, ratings, and closure evidence before reporting.
  5. Highlight changes since the previous report, not only current totals.
  6. Separate information items from decisions required.
  7. Summarize critical risks, overdue remediation, major audit findings, high-risk vendors, and low acknowledgement areas.
  8. Add commentary explaining why numbers changed.
  9. Identify decisions needed from management, such as acceptance, funding, reprioritization, escalation, or closure approval.
  10. Review the draft with module owners before release.
  11. Publish the final pack for the meeting audience.
  12. Record decisions and action owners after the meeting.
  13. Track management actions in the next reporting cycle.

Decisions

  • Which metrics are useful for leadership decisions rather than operational detail?
  • Are trends improving, stable, or deteriorating?
  • Which items need escalation because they are overdue, critical, repeated, or blocked?
  • Which risks or gaps require acceptance?
  • What actions must be assigned before the next meeting?

Outputs

  • Management report pack for the reporting period.
  • Executive summary with key messages.
  • Metrics, trends, exceptions, and decisions required.
  • Action list with owners and due dates.
  • Record of approvals, escalations, and accepted items.

Follow-Up

  • Send action owners their agreed tasks and due dates.
  • Update records with management decisions.
  • Track overdue management actions separately from normal operational tasks.
  • Compare next period results against the current pack.
  • Retire metrics that do not support decisions and replace them with more useful indicators.

Common Mistakes

  • Reporting raw counts without explaining impact.
  • Including too much operational detail for senior reviewers.
  • Using stale data that owners have not validated.
  • Hiding overdue or critical items in appendices.
  • Leaving meeting decisions outside the operational records.