Accessing Essential Compliance
Essential Compliance appears in your menu bar when:
The module is enabled for your organization, and
You have been granted role-based access by your administrator (Admin or Standard user)
The menu bar provides access to the following areas, in the order compliance managers typically work through them:
Obligations — What your organization must do
Policies — Management-approved statements that define expectations
Controls — Specific measures that ensure compliance
Evidence Tasks — Tasks that prove controls are working
Compliance Calendar — Timeline view of compliance activities
Key Compliance Resources
Resource | Description
--- | ---
Framework | Typically, a framework is a regulation, law, or standard your organization must comply with (e.g., SOC2, AML regulations, privacy acts). Essential Compliance allows admin users to configure all the regulatory and technical frameworks that apply to their organization. Custom frameworks can also be configured to manage commitments from legal agreements with customers and partners.
Obligation | Broadly speaking, an obligation is a binding or otherwise important commitment that an organization has made to another party or stakeholder. Most often, obligations are specific requirements derived from a framework that applies to your organization. Obligations are created by compliance managers interpreting how the requirements of a framework apply to their organization — normally phrased in business-friendly language that aligns with your organization's terminology. In this way, obligations are a product of a specific framework and can only be connected to a single framework in Essential Compliance; a framework can have many obligations (1:n relationship). An obligation can have multiple sub-obligations, and a sub-obligation can have only one parent (1:n relationship). Multiple levels of sub-obligations can be created.
Policy | A specialized type of control that is often treated separately from other controls. A policy is a high-level, management-approved statement defining what the organization must do and why (to meet the organization's obligations). Policies are usually written to align with, encompass, and address all related obligations. Policies can be connected to other system resources (including related policies) in many-to-many (n:n) relationships. A policy can have multiple sub-policies, and a sub-policy can have only one parent (1:n relationship). Multiple levels of sub-policies can be created.
Control | A specific measure or process that an organization employs to help ensure it is meeting its policy statements and obligations. In the Essentials Platform, "controls" and "mitigations" are the same resource and can be used seamlessly between Essential Compliance, Essential ERM and other modules. Users with Essential Compliance permissions will see control terminology more often and will have access to additional data fields and functions when accessing controls/mitigations.
Evidence Task | An Evidence Task is a scheduled activity used to collect, review, and track evidence demonstrating that a compliance requirement, control, or policy is being followed and maintained. Evidence Tasks can be used either to perform a formal test or verification activity, or simply to gather and document supporting information or records.
Theme | A cross-cutting tag used to group and filter obligations, policies, and controls across frameworks.
Portfolio | An access-control boundary — users only see resources in portfolios they've been granted access to.
How Compliance Flows Together
A typical compliance structure might look like:
Framework → Obligations → Policies & Controls → Evidence Tasks
For example:
Framework: Anti-Money Laundering
Obligation: Client identification and record-keeping
Policy: Customer Due Diligence Policy
Control: Verify identity documentation at account opening
Evidence Task: Quarterly review and retention of customer identity verification records to confirm compliance with the Customer Due Diligence Policy
Some organizations link obligations directly to controls through risks, while others link obligations to policies and then to controls. Essential Compliance supports both approaches — the use of obligations is optional for organizations using more prescriptive frameworks (e.g., SOC2, IT frameworks).
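The chain above, together with the cardinality rules from the resource table (an obligation belongs to exactly one framework, sub-items have exactly one parent, policies, controls and evidence tasks are linked n:n), can be made concrete in a small register that enforces those rules and reports any control that no Evidence Task demonstrates. This is an added example written for this page, not Essential Compliance code or its API; the class and method names are assumptions, and the second control is constructed sample data used to show the coverage gap report.

```python
# Toy model of the Essential Compliance resource relationships.
# Added example, not Essential Compliance code or its API; names are assumptions.
from collections import defaultdict


class ComplianceRegister:
    KINDS = ("obligation", "policy", "control", "evidence_task")

    def __init__(self):
        self.frameworks = set()
        self.obligations = {}     # name -> {"framework": str, "parent": str | None}
        self.policies = {}        # name -> {"parent": str | None}
        self.controls = set()
        self.evidence_tasks = set()
        self.links = defaultdict(set)  # (kind, name) -> {(kind, name)}; n:n, stored symmetrically

    def add_framework(self, name):
        self.frameworks.add(name)

    def add_obligation(self, name, framework, parent=None):
        """An obligation derives from exactly one framework; a sub-obligation has one parent."""
        if framework not in self.frameworks:
            raise ValueError(f"unknown framework: {framework!r}")
        existing = self.obligations.get(name)
        if existing is not None and existing["framework"] != framework:
            raise ValueError(f"obligation {name!r} is already bound to {existing['framework']!r}")
        if parent is not None and parent not in self.obligations:
            raise ValueError(f"parent obligation {parent!r} does not exist")
        self.obligations[name] = {"framework": framework, "parent": parent}

    def add_policy(self, name, parent=None):
        """A sub-policy has exactly one parent, which must already exist."""
        if parent is not None and parent not in self.policies:
            raise ValueError(f"parent policy {parent!r} does not exist")
        self.policies[name] = {"parent": parent}

    def add_control(self, name):
        self.controls.add(name)

    def add_evidence_task(self, name):
        self.evidence_tasks.add(name)

    def _exists(self, kind, name):
        store = {"obligation": self.obligations, "policy": self.policies,
                 "control": self.controls, "evidence_task": self.evidence_tasks}[kind]
        return name in store

    def link(self, kind_a, name_a, kind_b, name_b):
        """Many-to-many link between two existing resources."""
        for kind, name in ((kind_a, name_a), (kind_b, name_b)):
            if kind not in self.KINDS or not self._exists(kind, name):
                raise ValueError(f"unknown {kind}: {name!r}")
        self.links[(kind_a, name_a)].add((kind_b, name_b))
        self.links[(kind_b, name_b)].add((kind_a, name_a))

    def linked(self, kind, name, wanted_kind):
        return sorted(n for k, n in self.links.get((kind, name), ()) if k == wanted_kind)

    def trace(self, framework):
        """Framework -> obligations -> policies -> controls -> evidence tasks."""
        chain = {}
        for ob, meta in sorted(self.obligations.items()):
            if meta["framework"] != framework:
                continue
            chain[ob] = {}
            for pol in self.linked("obligation", ob, "policy"):
                chain[ob][pol] = {ctl: self.linked("control", ctl, "evidence_task")
                                  for ctl in self.linked("policy", pol, "control")}
        return chain

    def controls_without_evidence(self):
        """Controls no Evidence Task demonstrates: a coverage gap for the compliance manager."""
        return sorted(c for c in self.controls if not self.linked("control", c, "evidence_task"))


def build_aml_example():
    """The AML chain from the text, plus one constructed control that is never evidenced."""
    reg = ComplianceRegister()
    reg.add_framework("Anti-Money Laundering")
    reg.add_obligation("Client identification and record-keeping", "Anti-Money Laundering")
    reg.add_policy("Customer Due Diligence Policy")
    reg.add_control("Verify identity documentation at account opening")
    reg.add_evidence_task("Quarterly review and retention of customer identity verification records")
    reg.link("obligation", "Client identification and record-keeping",
             "policy", "Customer Due Diligence Policy")
    reg.link("policy", "Customer Due Diligence Policy",
             "control", "Verify identity documentation at account opening")
    reg.link("control", "Verify identity documentation at account opening",
             "evidence_task", "Quarterly review and retention of customer identity verification records")
    # Constructed sample control (not from the text): linked to the policy but with no Evidence Task.
    reg.add_control("Constructed: retain identity records for the required period")
    reg.link("policy", "Customer Due Diligence Policy",
             "control", "Constructed: retain identity records for the required period")
    return reg


if __name__ == "__main__":
    register = build_aml_example()
    print(register.trace("Anti-Money Laundering"))
    print("controls without evidence:", register.controls_without_evidence())
```

The register stores every link symmetrically, so the same `link` call serves the n:n relationships in both directions, while the framework and parent fields are single values and are validated on write; `trace` walks the chain the page describes, and `controls_without_evidence` is the check a compliance manager would run before an audit.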
Additional Connected Resources
Essential Compliance also supports connecting additional resources to obligations, policies, controls, and evidence tasks, depending on how your organization has configured the system. Examples of connected resources may include risks, action plans, indicators/metrics, incidents, and other related records.
In practice, admin users can configure the details screen for each resource type to support their organization’s desired compliance workflow and processes. For example, if an organization wants users to perform risk assessments on obligations, an administrator could enable the attached Risks section on the Obligation details screen and position it before the Controls subsection so that users consider risk exposure before defining mitigation activities.