Version: 1.0.0

Role-Based Admin Guides

This guide explains what each customer administrator role should review, maintain, report, and escalate during normal governance, risk, compliance, and audit operations. It is written for day-to-day business administration and assumes each role has access only to the areas needed for its responsibilities.

Use this guide with the module pages for Compliance and Assessments, Risk Management, Governance, Audit Management, Operations, Third Parties and Assets, Privacy and Awareness, and Reports and Analytics.

Tenant Admin

The Tenant Admin keeps the workspace organized, usable, and governed. This role does not own every business decision, but it ensures the right people, review cycles, notifications, dashboards, and operating discipline are in place.

Responsibilities

  • Maintain users, role assignments, ownership coverage, and approver coverage.
  • Confirm that key registers have active owners and current review dates.
  • Monitor overdue work, stalled approvals, unresolved findings, expiring exceptions, and high-priority alerts.
  • Coordinate with business owners when records are incomplete, duplicated, or assigned incorrectly.
  • Prepare regular administration summaries for management review.

What to Review First

  • Dashboard alerts for overdue items, critical risks, pending approvals, and expiring exceptions.
  • User and role coverage for compliance owners, risk owners, control owners, auditors, and executives.
  • Records without owners, records with missed review dates, and open items assigned to inactive users.
  • Scheduled reports and meeting packs due in the current period.

Daily Checklist

  • Review dashboard alerts and triage urgent items.
  • Check overdue issues, corrective actions, assessment responses, approvals, and audit findings.
  • Follow up on blocked owners and reassign work where ownership is no longer valid.
  • Confirm that critical risks, severe findings, and urgent exceptions have visible next actions.
  • Review new comments, evidence updates, and status changes that need administrator attention.

Weekly Checklist

  • Review ownership gaps across risks, controls, assessments, issues, findings, vendors, assets, and policies.
  • Check upcoming due dates for assessments, control reviews, audit actions, policy approvals, and exception renewals.
  • Validate that management dashboards reflect current records before weekly governance meetings.
  • Review repeated delays by team, department, owner, or process area.
  • Confirm that closed items include adequate business evidence and closure notes.

Monthly Checklist

  • Prepare management reporting packs for compliance status, risk exposure, audit progress, overdue actions, and exceptions.
  • Review role assignments and remove access that is no longer needed.
  • Check inactive users, vacant ownership, duplicate records, and outdated review schedules.
  • Review KPI trends and confirm action plans for indicators outside tolerance.
  • Coordinate monthly cleanup of stale drafts, abandoned assessments, and old unresolved follow-ups.

Routine Tasks

  • Keep role membership aligned with job responsibilities.
  • Maintain clear ownership across records and reports.
  • Track recurring overdue patterns and escalate repeated non-response.
  • Confirm that scheduled reports have the right audience, timing, and business owner.
  • Support managers by directing them to the correct module and source record.

Key Reports

  • Executive dashboard.
  • Overdue issues and actions report.
  • Pending approvals report.
  • Compliance status report.
  • Risk register and heatmap.
  • Audit findings summary.
  • Exception and policy review report.
  • User ownership and assignment review.

Escalation Triggers

  • Critical risks without an approved treatment plan or owner.
  • Severe audit findings overdue or repeatedly deferred.
  • Assessments blocked by missing owners or unanswered controls.
  • Exceptions near expiry without renewal, closure, or replacement action.
  • Repeated overdue work from the same team or owner.
  • Management reports showing unexplained negative trends.

Common Mistakes

  • Assigning every item to the administrator instead of the accountable business owner.
  • Closing issues without evidence or a clear closure note.
  • Ignoring pending approvals because the source task appears complete.
  • Allowing inactive users to remain as owners or approvers.
  • Treating reports as the source of truth instead of correcting the underlying records.

Related Modules

  • Reports and Analytics.
  • Operations.
  • Governance.
  • Compliance and Assessments.
  • Risk Management.
  • Audit Management.

Compliance Manager

The Compliance Manager maintains compliance posture across obligations, controls, assessments, evidence, findings, and remediation activities.

Responsibilities

  • Plan and monitor compliance assessments.
  • Ensure controls are reviewed by the right owners.
  • Validate evidence quality and response completeness.
  • Track compliance gaps, corrective actions, and overdue remediation.
  • Report compliance performance, trends, and areas needing management attention.

What to Review First

  • Active and overdue assessments.
  • Controls marked non-compliant, partially compliant, or not assessed.
  • Missing or weak evidence.
  • Open compliance findings and remediation actions.
  • Frameworks or obligation areas with declining scores.

Routine Tasks

  • Launch or coordinate assessment cycles.
  • Review submitted responses for completeness and consistency.
  • Follow up with control owners on missing evidence or unclear answers.
  • Convert compliance gaps into issues or action plans.
  • Prepare status updates for compliance committees and management reviews.

Key Reports

  • Compliance summary.
  • Framework compliance report.
  • Assessment report.
  • Control evidence status.
  • Open findings and remediation report.
  • Compliance trend dashboard.

Escalation Triggers

  • High-impact obligations without completed assessment coverage.
  • Repeated missed assessment deadlines.
  • Critical controls without current evidence.
  • Compliance scores declining without an agreed action plan.
  • Findings overdue beyond accepted tolerance.

Common Mistakes

  • Accepting evidence that does not prove the control is working.
  • Treating "not applicable" as a shortcut instead of documenting the reason.
  • Running assessments without confirming owners and due dates first.
  • Closing findings before the corrective action has been verified.
  • Reporting compliance percentages without explaining material gaps.

Related Modules

  • Compliance and Assessments.
  • Governance.
  • Operations.
  • Reports and Analytics.
  • Audit Management.

Risk Manager

The Risk Manager maintains the quality, consistency, and actionability of the risk register and ensures risk exposure is understood by management.

Responsibilities

  • Review new and updated risks for clear description, ownership, scoring, treatment, and review schedule.
  • Monitor high and critical risks, overdue treatments, and risks outside appetite.
  • Challenge weak scoring, unclear treatment plans, and unsupported risk acceptance.
  • Coordinate with control owners and issue owners on mitigation progress.
  • Prepare risk summaries for management and executive review.

What to Review First

  • Critical and high residual risks.
  • Risks outside appetite.
  • Risks requiring reassessment.
  • Overdue treatment actions.
  • Risks missing owners, controls, review dates, or treatment decisions.

Routine Tasks

  • Validate likelihood, impact, residual rating, and treatment approach.
  • Review risk trends and changes since the previous period.
  • Follow up on mitigation delays and unresolved blockers.
  • Confirm accepted risks have proper approval and review dates.
  • Link risks to relevant controls, assets, vendors, incidents, issues, or audits when needed.

Key Reports

  • Risk register.
  • Risk heatmap.
  • High and critical risk report.
  • Risk treatment status.
  • Risks outside appetite.
  • Accepted risk review report.
  • Risk trend dashboard.

Escalation Triggers

  • Critical risks without active treatment or acceptance.
  • Residual risk above appetite with no management decision.
  • Treatment actions overdue for material risks.
  • Major incidents, audit findings, or control failures that change risk exposure.
  • Risk owners repeatedly failing to review assigned risks.

Common Mistakes

  • Focusing only on inherent risk and ignoring residual exposure.
  • Using risk acceptance to avoid treatment without management visibility.
  • Leaving treatment plans vague, ownerless, or undated.
  • Updating risk scores without explaining the reason for the change.
  • Treating the heatmap as a report only instead of using it to drive action.

Related Modules

  • Risk Management.
  • Operations.
  • Third Parties and Assets.
  • Audit Management.
  • Compliance and Assessments.
  • Reports and Analytics.

Control Owner

The Control Owner is accountable for keeping assigned controls accurate, operating, evidenced, and ready for review.

Responsibilities

  • Maintain assigned control descriptions, ownership, evidence, and review status.
  • Respond to assessments and control reviews on time.
  • Explain control gaps, exceptions, and remediation needs.
  • Provide evidence that is current, relevant, and understandable.
  • Coordinate corrective actions when a control is not operating as expected.

What to Review First

  • Assigned controls with upcoming or overdue review dates.
  • Assessment requests awaiting response.
  • Controls marked ineffective, partially effective, or missing evidence.
  • Open issues, findings, and exceptions linked to assigned controls.

Routine Tasks

  • Review assigned controls for accuracy and current operating status.
  • Upload or reference evidence that supports the control response.
  • Respond to assessment questions with concise business explanations.
  • Update action owners when remediation work is needed.
  • Notify the Compliance Manager or Risk Manager when control performance changes materially.

Key Reports

  • Assigned control list.
  • Evidence status report.
  • Assessment response status.
  • Control effectiveness report.
  • Linked issues and findings report.

Escalation Triggers

  • A key control is not operating or cannot be evidenced.
  • Evidence is unavailable before an assessment or audit deadline.
  • A control gap creates a material compliance, risk, privacy, or audit concern.
  • Remediation requires resources or decisions outside the owner team.
  • The same control fails repeatedly.

Common Mistakes

  • Uploading old or unrelated documents as evidence.
  • Waiting until the due date to confirm whether evidence exists.
  • Answering assessment questions without explaining gaps.
  • Assuming a control is effective because it is documented.
  • Closing remediation work before the control has been retested or reviewed.

Related Modules

  • Compliance and Assessments.
  • Governance.
  • Risk Management.
  • Operations.
  • Audit Management.

Auditor

The Auditor reviews whether governance, risk, compliance, and operational records are complete, supported, and traceable.

Responsibilities

  • Plan audit reviews and define scope, owners, evidence needs, and timelines.
  • Review evidence, approvals, history, findings, and remediation progress.
  • Record findings clearly with severity, owner, due date, and expected action.
  • Monitor finding closure and validate that remediation evidence is sufficient.
  • Report audit status and unresolved issues to management.

What to Review First

  • Open audits and active fieldwork.
  • Findings by severity and due date.
  • Evidence requests awaiting response.
  • Closed findings that require validation.
  • Repeated issues across teams, controls, risks, vendors, or processes.

Routine Tasks

  • Review audit scope and confirm responsible contacts.
  • Request and evaluate evidence.
  • Document findings with clear business impact.
  • Follow up on overdue remediation actions.
  • Validate closure evidence before accepting a finding as resolved.

Key Reports

  • Audit summary.
  • Findings by severity.
  • Overdue findings report.
  • Evidence request status.
  • Remediation progress report.
  • Repeat findings analysis.

Escalation Triggers

  • Severe findings with overdue remediation.
  • Evidence not provided by agreed dates.
  • Management action plans that do not address the root cause.
  • Repeated control failures or repeat findings.
  • Attempts to close findings without adequate evidence.

Common Mistakes

  • Writing findings without a clear business impact or required action.
  • Accepting verbal confirmation instead of reviewable evidence.
  • Closing findings based only on planned work.
  • Not linking findings to the related control, risk, policy, or issue.
  • Reporting audit progress without separating fieldwork, remediation, and validation.

Related Modules

  • Audit Management.
  • Operations.
  • Compliance and Assessments.
  • Governance.
  • Risk Management.
  • Reports and Analytics.

Executive Viewer

The Executive Viewer uses dashboards and reports to understand business exposure, progress, and decisions requiring leadership attention.

Responsibilities

  • Review overall risk, compliance, audit, and remediation posture.
  • Focus on exceptions, trends, overdue decisions, and items outside tolerance.
  • Challenge unclear ownership, repeated delays, and unresolved high-impact issues.
  • Approve or sponsor decisions where business accountability is required.
  • Use reports to guide governance meetings and management follow-up.

What to Review First

  • Executive dashboard.
  • Critical and high risks.
  • Compliance score and movement from the prior period.
  • Severe audit findings and overdue actions.
  • Exceptions, accepted risks, and open management decisions.
  • KPI indicators marked outside tolerance.

Routine Tasks

  • Review monthly management packs before governance meetings.
  • Ask owners to explain negative trends and overdue high-priority work.
  • Confirm that major risks and findings have credible action plans.
  • Track whether previous management decisions were completed.
  • Sponsor cross-team action when blockers cannot be resolved by a single owner.

Key Reports

  • Executive dashboard.
  • Risk heatmap and top risks.
  • Compliance summary.
  • Audit findings summary.
  • Overdue actions report.
  • KPI trend dashboard.
  • Exceptions and accepted risks report.

Escalation Triggers

  • Critical risk exposure increasing or remaining outside appetite.
  • Compliance decline in important obligation areas.
  • Severe findings overdue or repeatedly extended.
  • Material actions blocked by ownership, budget, or authority.
  • Management decisions not completed by agreed dates.

Common Mistakes

  • Reviewing only the score and not the underlying trend or overdue actions.
  • Accepting green status without checking whether evidence is current.
  • Treating overdue actions as administrative noise instead of accountability signals.
  • Approving exceptions or accepted risks without a review date.
  • Asking for new reports when the required answer already exists in source records.

Related Modules

  • Reports and Analytics.
  • Risk Management.
  • Compliance and Assessments.
  • Audit Management.
  • Operations.