Skip to main content

Overview

Reviewers have read-only access to Business Risk Assessments and related data. They can view assessments, dashboard metrics, and audit logs but cannot create or modify any data. This role is designed for oversight, compliance, and audit functions.

Key Responsibilities

Access Scope

Entity-Based Access

Like Assessors, Reviewers are assigned to specific entities:
Reviewers can view data from their assigned entities but cannot modify anything.

Permissions

Reviewer Workflows

Reviewing BRAs

1

Navigate to BRAs

Go to BRAs page
  • See list of all BRAs for assigned entities
  • Filter by status, entity, period
2

Open BRA Details

Click on a BRA to view:
  • Assessment metadata
  • Risk scenario list
  • Control linkages
  • Risk ratings
3

Review Scenarios

In the Risk Scenarios tab:
  • View inherent and residual risk ratings
  • See justifications provided
  • Check assessment completion
4

Review Controls

In the Controls tab:
  • View linked controls
  • See ToD and ToE ratings
  • Review effectiveness calculations
5

Review Summary

In the Review & Finalize tab:
  • Read executive summary
  • See key findings
  • View risks above appetite
  • Check mitigation actions

Dashboard Monitoring

Reviewers can monitor risk metrics:

Key Metrics

  • Total risks for assigned entities
  • Risks above appetite
  • Control effectiveness distribution
  • Overdue actions count

Visualizations

  • Risk heat maps (inherent and residual)
  • Risk trend charts
  • Control effectiveness heat map
  • Risk movement tracker

Drill-Down

Click on any metric to see detailed data.

Audit Log Access

Reviewers can access audit logs for their assigned entities:
  1. Navigate to Settings → Audit Logs (if accessible via menu)
  2. Or use API: GET /api/v1/audit
  3. Filter by:
    • Date range
    • Action type
    • Entity type
    • User (limited view)
Audit logs show all actions within assigned entities, providing a complete record for compliance and audit purposes.

Use Cases

Internal Audit Support

Reviewers supporting internal audit can:

Compliance Monitoring

Reviewers in compliance functions can:

External Audit Preparation

Prepare for external auditors:

Dashboard View

Reviewers see a read-only dashboard:

Visible Data

  • Risk metrics for assigned entities
  • All BRAs (any status) for assigned entities
  • Actions for assigned entities
  • Historical trends

Interactions

  • Filtering by entity, period
  • Drill-down into detailed views
  • No create/edit capabilities

Collaboration

Working with Assessors

  • Can view Assessor’s work
  • May provide informal feedback
  • Cannot modify assessments
  • Can raise concerns to Client Admin

Working with Client Admins

  • Can report observations
  • May recommend improvements
  • Support governance reviews
  • Provide audit feedback

Best Practices

  • Check dashboard weekly
  • Review new BRAs when submitted
  • Monitor action plan progress
  • Track trend changes
  • Understand data structure
  • Know how to navigate reports
  • Practice data extraction
  • Maintain documentation
  • Document concerns formally
  • Escalate to Client Admin
  • Track follow-up
  • Maintain objectivity
  • Protect accessed data
  • Follow data handling policies
  • Report only as authorized
  • Maintain professional skepticism

Limitations

Reviewers cannot:

Create or Edit BRAs

Cannot create new assessments or modify existing ones

Modify Risk Library

Cannot add or change products, scenarios, controls, or triggers

Create Actions

Cannot create or update mitigation actions

Configure Settings

Cannot change risk appetite or organization structure
If you need to make changes, work with an Assessor or Client Admin who has the appropriate permissions.

API Access

Reviewers have read-only API access:

Example: Export BRA Data

Example: Get Audit Logs

See API Reference for complete documentation.