Roles and permissions
The following roles can evaluate risks:
Anyone with manager permissions for the assessment
Anyone with manager permissions on the evaluation
Limited access users must also be members of the risk register
You’ll do the majority of your assessment work in the Evaluations tab. From here, you can assess risks and record your findings. You can also assign evaluation work to different team members. As always, you can communicate with team members about a particular evaluation via the Activity Feed.
This article explains how to assess evaluations linked to risks in a risk assessment. For information on evaluating controls or requirements, see Evaluating controls, requirements, and risks. For information on evaluating proposed risks, see Evaluating proposed risks.
Tip: Active evaluations can also be accessed via Work items. From the left menu, select Work items, then select the Evaluations tab.
Note: The evaluation status automatically changes from Not started to In progress when you begin updating the risk field values in the left pane.
A note about the risk evaluation user interface
The risk evaluation user interface differs from the control and requirement evaluation user interface. These differences are intentional and reflect ongoing efforts to improve usability, accessibility, and overall user experience. The updated interface is designed to make your time spent evaluating a risk smoother and more efficient.
Risk evaluations feature a new split pane view. The left pane contains information about the target object, i.e., the risk being evaluated, while the right pane contains information about the evaluation itself, such as linked objects, proof, and so on.
Note: The fields displayed in the left pane reflect the risk fields selected during the assessment creation process. For example, if you only selected 'inherent risk', 'inherent impact', and 'mitigation', only those three fields would appear in the left pane.
Understanding risk evaluation statuses
As a risk is evaluated, the evaluation record can be in any one of the following statuses:
Not started - Work on the evaluation has not yet begun.
In progress - The evaluation is underway.
Submitted - The evaluation has been submitted for review.
In review - The organization is reviewing the evaluation.
Closed - The evaluation has been canceled.
Approved - All information in the evaluation has been verified and accepted.
If the evaluation doesn't have an approval configured, you can manually change its status at any time. The status is changed as follows:
Not started to In progress - Triggered when the evaluation assignee changes the detail data on the evaluation, or any of the risk fields being evaluated. Can also be set manually.
All other status changes - The evaluation assignee selects the new status from the status list.
If the evaluation has an approval configured, you can't manually change its status. The status is changed automatically based on other actions as follows:
Not started to In progress - Triggered when the evaluation assignee changes the Description, Observations field, or any of the risk fields being evaluated.
In progress to Submitted - Triggered when the evaluation assignee clicks the Submit button. The fields being evaluated are locked and cannot be edited.
Submitted to In review - Triggered when the first of multiple approvers changes the status of the approval record to In progress or completes their approval and marks it as Approved.
Submitted to Approved - Triggered when only one approval is required, and the approver has completed their review and marked it Approved.
Submitted to In progress - Triggered when:
An approver completes their review and selects Request changes.
The Cancel Approvals button is clicked. The Cancel Approvals button is only available until an approver starts their review.
In review to Approved - Triggered when all required approvals are completed and marked Approved.
Note: There is no transition to the Closed status for evaluations that have an approval workflow configured. You can archive the evaluation instead.
Evaluating risks
Note: When the risk evaluation status is set to Approved, Hyperproof updates the original risk record with any changes made to the evaluated risk fields.
From the left menu, select Assessments.
Select your assessment.
Select the Evaluations tab.
A list of evaluations is displayed.
Select the evaluation you want to assess.
From the left pane, do any or all of the following:
Change the status of the evaluation:
Not started - Work on the evaluation has not yet begun.
In progress - The evaluation is underway.
Submitted - The evaluation has been submitted for review.
In review - The organization is reviewing the evaluation.
Closed - The evaluation has been canceled.
Approved - All information in the evaluation has been verified and accepted.
Note: You can't manually change the status of a risk evaluation when an approval workflow is configured. Once the evaluation is submitted, the status is updated automatically as you move through the approval process.
Note: When an evaluation is marked as 'Approved', a confirmation window appears, alerting the user that the associated risk will be automatically updated with the evaluation's values. Once an evaluation is approved, the status can't be changed.
The fields in the left pane are determined by the evaluation fields selected during risk assessment creation. You can:
Change the name of the evaluation.
Set the inherent risk, inherent likelihood, inherent impact, rationale, and/or tolerance.
Inherent risk - The level of risk if no mitigation is performed. This value is determined by the risk being evaluated.
Inherent likelihood with rationale - The measure of a risk occurring without any preventative measures (controls) in place. This value is determined by the risk being evaluated.
Inherent impact with rationale - The measure of impact an event has on an organization when there are no preventative measures (controls) in place. This value is determined by the risk being evaluated.
Tolerance - The level of risk that an organization is willing to bear. This value is determined by the risk being evaluated.
Set or change the risk category - The category is the classification to which the risk belongs, e.g., Breach. This value is determined by the risk being evaluated.
Set or change the response action.
Set or change the owner - The owner is the individual in your organization responsible for the risk. This value is determined by the risk being evaluated.
Enter or edit the description - The description is an overview of the risk. This value is determined by the risk being evaluated.
Set or edit any custom fields associated with the risk.
View or link controls - Displays controls that are linked to the risk. This value is determined by the risk being evaluated.
Set or edit mitigation and rationale values for linked controls.
From the right pane, do any or all of the following:
Click the facepile to manage user permissions for the evaluation.
Manager - Can manage and share content, and manage object members and settings.
Contributor - Can share, add, and remove files from objects where they are a member.
Viewer - Can view information about objects where they are a member or have inherited access.
Hover over the current description to change it.
Expand the Research section to add tasks or surveys.
Surveys must be configured first from the Assessments > Risk Surveys tab.
Note: If you are evaluating a proposed risk created by a risk intake survey, you can view the survey response by clicking the survey title in the Research table. See Evaluating proposed risks.
Expand the Details section and do any or all of the following:
Set the evaluation priority.
View the evaluation source.
Edit the due date.
View the Created on and Updated on dates.
Enter your observations.
Expand the Assignee section and do any or all of the following:
Change the current assignee or group.
Expand the Past evaluations section to link to a previous evaluation (these are previously approved evaluations related to the risk being assessed).
Expand the Linked objects section to link a related object to the evaluation.
Expand the Related issues section to link related issues to the evaluation.
Expand the Proof section to link proof to the evaluation.
Tip: Proof that is indirectly linked to the evaluation is shown with an Indirect link icon.
Communicate with team members via the Activity Feed.
Tip: Looking to score controls (either numerically or categorically)? Create a custom field on your evaluations.

