Operations
Operations manages execution-heavy follow-up work: issues, actions, incidents, regulatory changes, remediation, and calendar obligations.
1. Background and Business Purpose
This module is where governance, risk, audit, and compliance outputs become assigned work. It gives administrators a place to track owners, due dates, progress, escalation, and closure evidence.
Main outcomes:
- manage corrective actions and remediation
- respond to incidents
- track regulatory change obligations
- monitor deadlines through calendar
- connect operational work back to risks, assessments, audits, policies, and reports
2. Core Records and Actors
| Item | Meaning |
|---|---|
| Issue | Remediation or corrective action item from assessment, audit, risk, incident, or manual entry. |
| Action | Task assigned to an owner with status and due date. |
| Incident | Operational, security, privacy, or compliance event requiring response. |
| Regulatory Change | External requirement or change that must be reviewed and acted on. |
| Calendar Event | Deadline, review date, due date, or scheduled obligation. |

| Actor | Responsibility |
|---|---|
| Issue owner | Completes remediation and uploads evidence. |
| Incident manager | Coordinates incident response and closure. |
| Compliance/risk manager | Reviews priority, escalation, and cross-module impact. |
| Action owner | Completes assigned action. |
| Approver | Confirms closure where workflow applies. |
3. Issues and Actions Flow
- Open Operations, then open Issues & Actions or Remediation Hub.
- Create an issue manually or open one generated from assessment/audit/risk.
- Confirm title, source, severity/priority, owner, due date, and description.
- Add remediation plan.
- Assign actions if work must be split.
- Owner updates status and adds comments/evidence.
- Reviewer verifies completion.
- Close issue when remediation is complete and evidence is acceptable.
Issue statuses:
| Status | Meaning |
|---|---|
| Open | Issue exists and needs action. |
| In Progress | Owner is working on remediation. |
| Pending Review | Owner submitted completion for review. |
| Resolved | Remediation completed. |
| Closed | Issue verified and closed. |
| Cancelled | No longer required. |
4. Incident Flow
- Open Incidents.
- Click Create Incident.
- Enter title, type, severity, affected asset/vendor/user/process, date, and description.
- Assign incident manager and owner.
- Record containment, investigation, root cause, and impact.
- Link related risks, assets, third parties, privacy records, or policies.
- Create actions for remediation.
- Review and close when response and evidence are complete.
Incident statuses:
| Status | Meaning |
|---|---|
| New | Incident logged but not triaged. |
| Triage | Severity, owner, and scope are being confirmed. |
| Investigating | Root cause and impact are under review. |
| Contained | Immediate impact is controlled. |
| Remediation | Corrective actions are being executed. |
| Closed | Incident is resolved and documented. |
5. Regulatory Changes
Use Regulatory Changes to monitor external obligations.
Recommended flow:
- Create regulatory change record.
- Enter source, summary, effective date, impacted areas, and owner.
- Assess impact on policies, controls, risks, training, privacy, or operations.
- Create issues or change requests for required updates.
- Track implementation and evidence.
- Close when obligations are addressed.
6. Calendar
Calendar consolidates due dates and review dates from the other modules.
Common calendar items:
- assessment planned end dates
- risk review dates
- treatment action due dates
- issue due dates
- policy review dates
- audit dates
- incident follow-up dates
- regulatory effective dates
Administrator rule: calendar is a visibility layer; update the source record to change the obligation.
7. Cross-Module Behavior
| Related Module | Overlap |
|---|---|
| Compliance and Assessments | Findings can create issues; issue creation can flag linked risks for reassessment. |
| Risk Management | Risks can create issues and treatment actions; incidents can link to or create risks. |
| Audit | Findings become issues/actions and feed remediation status. |
| Governance | Policy gaps and change requests create operational work. |
| Assets and Third Parties | Incidents and issues can be linked to affected assets/vendors. |
| Reports | Overdue items, incident trends, and remediation status feed reporting. |
8. Related Pages
| Related Page | Why It Matters |
|---|---|
| Compliance and Assessments | Non-compliant and partially compliant controls can create issues and remediation work. |
| Risk Management | Risk treatment actions, incidents, and accepted exposure depend on operational follow-up. |
| Governance | Policy exceptions and change requests can create operational actions. |
| Audit Management | Audit findings use operations records for remediation tracking and closure evidence. |
| Reports and Analytics | Overdue issues, actions, incidents, and calendar events appear in dashboards and reports. |
| Workflow and Status Reference | Use this to interpret issue, finding, incident, approval, and action states. |
9. Before You Start, Reporting Impact, and Common Mistakes
Before using operations records for remediation tracking, confirm issue categories, priorities, owners, due date rules, escalation expectations, and closure evidence rules. Operations is the execution layer; poor ownership here weakens every upstream GRC module.
Records that change reports and KPIs:
| Record or Field | Reporting Impact |
|---|---|
| Issue or action status | Changes open, in-progress, overdue, resolved, and closed counts. |
| Owner and due date | Drives accountability and overdue reporting. |
| Incident severity | Changes incident trend and escalation reporting. |
| Regulatory change status | Shows whether external changes are reviewed and acted on. |
| Closure evidence | Supports auditability and management confidence. |
Common mistakes:
- Creating issues without owner and due date.
- Closing actions without evidence or review notes.
- Using cancelled status instead of documenting why work is no longer required.
- Leaving incidents disconnected from risks, assets, vendors, or policies.
- Ignoring overdue items because they are not assigned to the right owner.
Use this module page when training users on issue creation, incident follow-up, action closure, and calendar review. Screenshots and operating guidance should stay with the module rather than a separate screenshot menu.
10. Administrator Checklist
- Require owner and due date for actionable issues.
- Use severity/priority consistently.
- Link issues to source module records.
- Review overdue issues and actions weekly.
- Link incidents to affected assets/vendors where applicable.
- Create risks for material incidents or recurring issues.
- Do not close issues without evidence or reviewer confirmation.