Overview

Reviewers have read-only access to Business Risk Assessments and related data. They can view assessments, dashboard metrics, and audit logs but cannot create or modify any data. This role is designed for oversight, compliance, and audit functions.

Key Responsibilities

| Responsibility | Description |
|---|---|
| Assessment Review | Review submitted and approved BRAs |
| Compliance Monitoring | Monitor risk levels and control effectiveness |
| Audit Support | Access data for internal and external audits |
| Dashboard Monitoring | View risk metrics and trends |
| Report Generation | Extract data for reporting purposes |

Access Scope

Entity-Based Access

Like Assessors, Reviewers are assigned to specific entities:

```
Reviewer: Maria Garcia
├── Assigned: ACME Bank Brasil S.A.
│   └── All Business Units
└── Assigned: ACME Seguros Ltda.
    └── All Business Units
```

Reviewers can view data from their assigned entities but cannot modify anything.

Permissions

| Feature | Permission |
|---|---|
| Dashboard | View (filtered to assigned entities) |
| BRAs | View only |
| Risk Scenarios | View only |
| Controls | View only |
| Mitigation Actions | View only |
| Risk Library | View only |
| Governance | View only |
| Audit Logs | View (assigned entities) |
| Users | No access |

Reviewer Workflows

Reviewing BRAs

  1. Navigate to BRAs: go to the BRAs page
    • See the list of all BRAs for assigned entities
    • Filter by status, entity, period
  2. Open BRA Details: click on a BRA to view
    • Assessment metadata
    • Risk scenario list
    • Control linkages
    • Risk ratings
  3. Review Scenarios: in the Risk Scenarios tab
    • View inherent and residual risk ratings
    • See justifications provided
    • Check assessment completion
  4. Review Controls: in the Controls tab
    • View linked controls
    • See ToD and ToE ratings
    • Review effectiveness calculations
  5. Review Summary: in the Review & Finalize tab
    • Read the executive summary
    • See key findings
    • View risks above appetite
    • Check mitigation actions

Dashboard Monitoring

Reviewers can monitor risk metrics:

Key Metrics

  • Total risks for assigned entities
  • Risks above appetite
  • Control effectiveness distribution
  • Overdue actions count

Visualizations

  • Risk heat maps (inherent and residual)
  • Risk trend charts
  • Control effectiveness heat map
  • Risk movement tracker

Drill-Down

Click on any metric to see detailed data.

Audit Log Access

Reviewers can access audit logs for their assigned entities:
  1. Navigate to Settings → Audit Logs (if accessible via menu)
  2. Or use API: GET /api/v1/audit
  3. Filter by:
    • Date range
    • Action type
    • Entity type
    • User (limited view)
Audit logs show all actions within assigned entities, providing a complete record for compliance and audit purposes.

Use Cases

Internal Audit Support

Reviewers supporting internal audit can:
| Activity | How |
|---|---|
| Review assessment quality | Open BRAs, check justifications |
| Verify control testing | Check ToD/ToE ratings and dates |
| Track action completion | View mitigation actions and status |
| Extract evidence | Use API to export data |

Compliance Monitoring

Reviewers in compliance functions can:
| Activity | How |
|---|---|
| Monitor risk levels | Dashboard overview |
| Check appetite breaches | View “above appetite” metrics |
| Review control effectiveness | Control heat map analysis |
| Track remediation | Action plan progress |

External Audit Preparation

Prepare for external auditors:
| Preparation | Data Available |
|---|---|
| BRA documentation | Full BRA details with justifications |
| Control evidence | ToD/ToE ratings with testing dates |
| Risk appetite | Current configuration and history |
| Audit trail | Complete action logs |

Dashboard View

Reviewers see a read-only dashboard:

Visible Data

  • Risk metrics for assigned entities
  • All BRAs (any status) for assigned entities
  • Actions for assigned entities
  • Historical trends

Interactions

  • Filtering by entity, period
  • Drill-down into detailed views
  • No create/edit capabilities

Collaboration

Working with Assessors

  • Can view Assessor’s work
  • May provide informal feedback
  • Cannot modify assessments
  • Can raise concerns to Client Admin

Working with Client Admins

  • Can report observations
  • May recommend improvements
  • Support governance reviews
  • Provide audit feedback

Best Practices

  • Check dashboard weekly
  • Review new BRAs when submitted
  • Monitor action plan progress
  • Track trend changes
  • Understand data structure
  • Know how to navigate reports
  • Practice data extraction
  • Maintain documentation
  • Document concerns formally
  • Escalate to Client Admin
  • Track follow-up
  • Maintain objectivity
  • Protect accessed data
  • Follow data handling policies
  • Report only as authorized
  • Maintain professional skepticism

Limitations

Reviewers cannot:

Create or Edit BRAs

Cannot create new assessments or modify existing ones

Modify Risk Library

Cannot add or change products, scenarios, controls, or triggers

Create Actions

Cannot create or update mitigation actions

Configure Settings

Cannot change risk appetite or organization structure

If you need to make changes, work with an Assessor or Client Admin who has the appropriate permissions.

API Access

Reviewers have read-only API access:
| Endpoint | Permission |
|---|---|
| `/api/v1/bras` | Read only |
| `/api/v1/bras/{id}/*` | Read only |
| `/api/v1/mitigation-actions` | Read only |
| `/api/v1/controls/*` | Read only |
| `/api/v1/dashboard/metrics` | Read (filtered) |
| `/api/v1/audit` | Read (assigned entities) |

Example: Export BRA Data

```bash
curl -X GET "/api/v1/bras/{bra_id}" \
  -H "Authorization: Bearer $REVIEWER_TOKEN"
```

Example: Get Audit Logs

```bash
curl -X GET "/api/v1/audit?start_date=2026-01-01&end_date=2026-01-31" \
  -H "Authorization: Bearer $REVIEWER_TOKEN"
```

See API Reference for complete documentation.
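The Audit Log Access section and the API examples above both describe pulling audit entries with a Reviewer token and filtering them by date, action and entity. The script below is an added example, not part of this documentation or the product's own tooling: it builds the `/api/v1/audit` query using the `start_date`/`end_date` parameters shown in the curl example, fetches the JSON with a Bearer token, and turns the entries into a CSV export plus two checks a Reviewer supporting an audit would want: a per-action count and a list of write actions recorded under a view-only role, which would contradict the permissions table and is something to escalate to the Client Admin. The host name, the `action` and `entity_type` query keys, and the response shape and field names are assumptions for this example; the sample payload is constructed.

```python
"""Evidence-export helper for the Reviewer role (added example).

Builds read-only queries against GET /api/v1/audit (the start_date/end_date
parameters come from the page's curl example), pulls the JSON with a Bearer
token, and turns the entries into a CSV plus two quick checks an auditor can
file. The host, the response shape and the field names are assumptions made
for this example; adjust them to the real API Reference.
"""
import csv
import io
import json
import urllib.parse
import urllib.request
from collections import Counter
from datetime import date
from typing import Optional

BASE_URL = "https://bra.example.invalid"  # placeholder host, not a real endpoint

# Constructed sample payload standing in for a real /api/v1/audit response.
# Field names are assumed; the last entry is deliberately anomalous.
SAMPLE_AUDIT_RESPONSE = {
    "items": [
        {"timestamp": "2026-01-05T09:12:00Z", "user": "john.doe", "role": "assessor",
         "action": "update", "entity_type": "bra", "entity_id": "bra-101",
         "entity": "ACME Bank Brasil S.A."},
        {"timestamp": "2026-01-07T14:30:00Z", "user": "john.doe", "role": "assessor",
         "action": "create", "entity_type": "mitigation_action", "entity_id": "ma-17",
         "entity": "ACME Bank Brasil S.A."},
        {"timestamp": "2026-01-12T10:02:00Z", "user": "maria.garcia", "role": "reviewer",
         "action": "view", "entity_type": "bra", "entity_id": "bra-101",
         "entity": "ACME Seguros Ltda."},
        {"timestamp": "2026-01-20T16:45:00Z", "user": "maria.garcia", "role": "reviewer",
         "action": "update", "entity_type": "bra", "entity_id": "bra-102",
         "entity": "ACME Seguros Ltda."},
    ]
}

WRITE_ACTIONS = {"create", "update", "delete"}
CSV_FIELDS = ["timestamp", "user", "role", "action", "entity_type", "entity_id", "entity"]


def build_audit_url(start_date: str, end_date: str, action: Optional[str] = None,
                    entity_type: Optional[str] = None, base: str = BASE_URL) -> str:
    """Assemble the audit query. Dates are validated as ISO YYYY-MM-DD and the
    range is checked before anything is sent. 'action' and 'entity_type' are
    assumed query keys: the page lists those filters but not their names."""
    start, end = date.fromisoformat(start_date), date.fromisoformat(end_date)
    if end < start:
        raise ValueError("end_date precedes start_date")
    params = {"start_date": start.isoformat(), "end_date": end.isoformat()}
    if action:
        params["action"] = action
    if entity_type:
        params["entity_type"] = entity_type
    return f"{base}/api/v1/audit?{urllib.parse.urlencode(params)}"


def fetch_json(url: str, token: str, opener=urllib.request.urlopen) -> dict:
    """GET with the Reviewer's Bearer token. 'opener' is injectable so the
    function can be exercised without network access."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json"})
    with opener(req) as resp:
        return json.load(resp)


def audit_entries_to_csv(entries: list) -> str:
    """Flatten entries into CSV text; unknown keys are ignored so a schema
    change on the server side does not break the export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for entry in entries:
        writer.writerow(entry)
    return buf.getvalue()


def count_by_action(entries: list) -> dict:
    """Per-action counts, the kind of summary that goes into a compliance note."""
    return dict(Counter(entry["action"] for entry in entries))


def writes_by_read_only_roles(entries: list, read_only_roles=("reviewer",)) -> list:
    """The permissions table makes Reviewer view-only, so any create/update/
    delete recorded under that role contradicts the expected boundary and is
    worth escalating to the Client Admin."""
    return [entry for entry in entries
            if entry.get("role") in read_only_roles and entry.get("action") in WRITE_ACTIONS]


if __name__ == "__main__":
    import os
    url = build_audit_url("2026-01-01", "2026-01-31")
    token = os.environ.get("REVIEWER_TOKEN")
    # Use the live endpoint when a token is set; otherwise fall back to the sample.
    payload = fetch_json(url, token) if token else SAMPLE_AUDIT_RESPONSE
    entries = payload["items"]
    print(audit_entries_to_csv(entries))
    print("by action:", count_by_action(entries))
    for entry in writes_by_read_only_roles(entries):
        print("ESCALATE:", entry["user"], entry["action"], entry["entity_id"])
```

Run it with `REVIEWER_TOKEN` exported to query the real endpoint (after changing `BASE_URL`), or without it to see the checks run over the constructed sample. Keeping `fetch_json` separate from the parsing and checks is what lets the export logic be tested offline and reused for the other read-only endpoints in the table above.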