Skip to main content
Version: 1.0.0

Troubleshooting and FAQ

Use this guide when a dashboard, report, workflow, or record does not look right. Most issues are caused by source data, ownership, permissions, filters, or status.

1. Dashboard and Reports

Why did the compliance score change?

Common reasons:

  • more controls were assessed as compliant or non-compliant
  • new controls or frameworks were added
  • assessment responses were updated
  • duplicate or stale assessment data was corrected
  • filters or reporting period changed

What to check:

  1. Open the assessment or framework behind the score.
  2. Review recent control status changes.
  3. Check whether controls are not assessed, non-compliant, or missing evidence.
  4. Confirm the same filters and reporting period are being compared.

Why does a report number look wrong?

Check the source records first:

  • status
  • owner
  • due date
  • review date
  • filters
  • duplicate records
  • missing linked records

Do not correct the report manually. Correct the source module.

Why is a KPI red or critical?

The KPI is outside its threshold.

Check:

  1. The KPI definition and whether lower or higher is better.
  2. The source records behind the KPI.
  3. Whether due dates, statuses, or scores are outdated.
  4. Whether the threshold still matches management appetite.

2. Assessments and Compliance

Why is an assessment not progressing?

Common causes:

  • controls are not assigned to the right owner
  • owner has not started responses
  • evidence is missing
  • reviewer requested changes
  • due date passed without escalation

Admin action: filter by owner and status, then follow up on blocked owners.

Why is a control not compliant?

Possible reasons:

  • the control is not implemented
  • evidence does not support compliance
  • the response is partial or not assessed
  • the requirement is not applicable but was not marked correctly

Admin action: ask the control owner for evidence or remediation plan.

Should non-compliance become a risk, issue, or finding?

Use this rule:

SituationRecommended Follow-Up
Business exposure or uncertainty existsCreate or link a risk.
A concrete remediation task is neededCreate an issue or action.
The gap was identified during auditCreate or link an audit finding.
The organization accepts a temporary gapCreate a policy exception or risk acceptance if allowed.

3. Risk Management

Why is a risk not showing as critical?

Check residual likelihood and residual impact. Critical risk normally depends on residual score, not only inherent score.

Review:

  • residual likelihood
  • residual impact
  • treatment evidence
  • risk status
  • whether the risk is closed or accepted

Why did residual risk decrease?

Residual risk should decrease only when treatment, controls, or mitigation reduce likelihood or impact.

Admin action: confirm the record includes treatment notes and evidence.

When should a risk be escalated?

Escalate when:

  • residual risk is critical
  • treatment is overdue
  • owner is missing
  • review date is overdue
  • acceptance lacks justification
  • risk exceeds appetite

4. Policies and Acknowledgements

Why is policy acknowledgement low?

Common causes:

  • audience is too broad
  • users are inactive or wrongly assigned
  • policy was recently published
  • reminders were not sent
  • users do not understand the requirement

Admin action: confirm audience, active users, due date, and reminder plan.

Why is a policy stuck in approval?

Check:

  • assigned approver
  • approver availability
  • missing attachment or content
  • unclear change summary
  • workflow ownership

Escalate if the policy blocks compliance, audit, or legal obligations.

5. Vendors, Assets, and Operations

Why is vendor risk unclear?

Check whether the vendor has:

  • owner
  • criticality
  • service description
  • current assessment
  • linked risks or issues
  • review date

Why is an issue still overdue after completion?

The status may not be updated, or closure evidence may be missing.

Check:

  1. Owner updated the status.
  2. Required evidence is attached.
  3. Reviewer approved closure if required.
  4. Due date was not confused with completion date.

6. Users and Permissions

Why can a user not see a record?

Check:

  • role assignment
  • department or ownership scope
  • module permission
  • record assignment
  • whether the record is restricted
  • whether the user is active

Why can a user view but not approve?

Viewing and approving are different permissions. Approval should be limited to accountable decision makers.

Why should delete permission be limited?

Deleting records can remove audit history and reporting context. Prefer closing, archiving, or correcting records unless deletion is clearly appropriate.

7. Quick FAQ

QuestionShort Answer
Where should I fix wrong report data?In the source module.
What should I review first each day?Dashboard alerts, overdue work, pending approvals, and critical risks.
Can one person own all records?Avoid it. Ownership should reflect real accountability.
Can a policy be published without approval?It should not be published until approved.
Can a finding close without evidence?No. Closure should be evidence-based.
Should accepted risks still be reviewed?Yes, according to the review cycle and acceptance conditions.
What causes most reporting problems?Missing owners, wrong status, missing due dates, stale scores, and weak evidence.