Overview
Reviewers have read-only access to Business Risk Assessments and related data. They can view assessments, dashboard metrics, and audit logs but cannot create or modify any data. This role is designed for oversight, compliance, and audit functions.Key Responsibilities
Access Scope
Entity-Based Access
Like Assessors, Reviewers are assigned to specific entities:Reviewers can view data from their assigned entities but cannot modify anything.
Permissions
Reviewer Workflows
Reviewing BRAs
1
Navigate to BRAs
Go to BRAs page
- See list of all BRAs for assigned entities
- Filter by status, entity, period
2
Open BRA Details
Click on a BRA to view:
- Assessment metadata
- Risk scenario list
- Control linkages
- Risk ratings
3
Review Scenarios
In the Risk Scenarios tab:
- View inherent and residual risk ratings
- See justifications provided
- Check assessment completion
4
Review Controls
In the Controls tab:
- View linked controls
- See ToD and ToE ratings
- Review effectiveness calculations
5
Review Summary
In the Review & Finalize tab:
- Read executive summary
- See key findings
- View risks above appetite
- Check mitigation actions
Dashboard Monitoring
Reviewers can monitor risk metrics:Key Metrics
- Total risks for assigned entities
- Risks above appetite
- Control effectiveness distribution
- Overdue actions count
Visualizations
- Risk heat maps (inherent and residual)
- Risk trend charts
- Control effectiveness heat map
- Risk movement tracker
Drill-Down
Click on any metric to see detailed data.Audit Log Access
Reviewers can access audit logs for their assigned entities:- Navigate to Settings → Audit Logs (if accessible via menu)
- Or use API:
GET /api/v1/audit - Filter by:
- Date range
- Action type
- Entity type
- User (limited view)
Audit logs show all actions within assigned entities, providing a complete record for compliance and audit purposes.
Use Cases
Internal Audit Support
Reviewers supporting internal audit can:Compliance Monitoring
Reviewers in compliance functions can:External Audit Preparation
Prepare for external auditors:Dashboard View
Reviewers see a read-only dashboard:Visible Data
- Risk metrics for assigned entities
- All BRAs (any status) for assigned entities
- Actions for assigned entities
- Historical trends
Interactions
- Filtering by entity, period
- Drill-down into detailed views
- No create/edit capabilities
Collaboration
Working with Assessors
- Can view Assessor’s work
- May provide informal feedback
- Cannot modify assessments
- Can raise concerns to Client Admin
Working with Client Admins
- Can report observations
- May recommend improvements
- Support governance reviews
- Provide audit feedback
Best Practices
Regular Monitoring
Regular Monitoring
- Check dashboard weekly
- Review new BRAs when submitted
- Monitor action plan progress
- Track trend changes
Audit Preparation
Audit Preparation
- Understand data structure
- Know how to navigate reports
- Practice data extraction
- Maintain documentation
Observation Reporting
Observation Reporting
- Document concerns formally
- Escalate to Client Admin
- Track follow-up
- Maintain objectivity
Confidentiality
Confidentiality
- Protect accessed data
- Follow data handling policies
- Report only as authorized
- Maintain professional skepticism
Limitations
Reviewers cannot:Create or Edit BRAs
Cannot create new assessments or modify existing ones
Modify Risk Library
Cannot add or change products, scenarios, controls, or triggers
Create Actions
Cannot create or update mitigation actions
Configure Settings
Cannot change risk appetite or organization structure