Actions & Controls

Comprehensive guide to managing actions and controls in Flow with kanban workflows, control linking, effectiveness tracking, and automated assignment.


Flow's actions and controls system provides comprehensive workflow management for risk treatment implementation. Use kanban-style boards, control linking, and automated tracking to ensure effective risk mitigation and compliance.

Overview

The actions and controls module delivers:

  • Kanban Board Interface with drag-and-drop status management
  • Control Framework with effectiveness tracking and compliance mapping
  • Action-Control Linking with smart categorization
  • Due Date Management with overdue notifications
  • Progress Tracking with detailed status reporting
  • Multi-framework Support for compliance requirements

Actions Management

Kanban Workflow

Flow uses a visual kanban approach for action management:

Status Columns

  • Todo: Newly created and planned actions
  • In Progress: Actions currently being implemented
  • Done: Completed actions with verification

Drag-and-Drop Interface

  • Move actions between status columns
  • Automatic status updates
  • Real-time progress tracking
  • Visual workflow management

Action Creation

Create actions from multiple sources:

From Risk Register

  • Direct action creation from risk rows
  • Automatic risk-action linking
  • Context-aware action types
  • Pre-filled risk information

From Controls

  • Implementation actions for new controls
  • Assessment actions for existing controls
  • Testing actions for control validation
  • Remediation actions for control gaps

Standalone Actions

  • General risk management tasks
  • Compliance activities
  • Assessment projects
  • Administrative tasks

Action Types

Smart categorization based on purpose:

Implementation

  • Deploy new security controls
  • Implement policy changes
  • Install technical solutions
  • Train personnel on procedures

Assessment

  • Evaluate existing controls
  • Conduct risk assessments
  • Perform compliance audits
  • Review policy effectiveness

Testing

  • Validate control operation
  • Test incident response procedures
  • Verify backup systems
  • Assess security measures

Remediation

  • Fix identified vulnerabilities
  • Address compliance gaps
  • Improve control deficiencies
  • Correct process weaknesses

Action Details

Comprehensive action information:

Basic Information

  • Title and description
  • Action type and category
  • Assigned owner and team
  • Priority level

Scheduling

  • Due date and timeline
  • Start date planning
  • Milestone tracking
  • Dependency management

Progress Tracking

  • Completion percentage
  • Status updates
  • Work notes
  • Attachment support

Integration

  • Linked risks and controls
  • Related actions
  • Framework mapping
  • Compliance requirements

Controls Framework

Control Types

Flow supports three primary control types:

Preventive Controls

  • Reduce likelihood of risk occurrence
  • Examples: Access controls, segregation of duties
  • Implementation before risk events
  • Proactive risk management

Detective Controls

  • Identify when risks have occurred
  • Examples: Monitoring, logging, auditing
  • Real-time or periodic detection
  • Early warning systems

Corrective Controls

  • Minimize impact after risk occurrence
  • Examples: Incident response, backup systems
  • Reactive risk management
  • Damage mitigation

Control Effectiveness

Track and measure control performance:

Effectiveness Ratings

  • High: Control consistently prevents/detects/corrects
  • Medium: Control generally effective with minor gaps
  • Low: Control has significant limitations or gaps

Effectiveness Factors

  • Design adequacy
  • Operating effectiveness
  • Coverage completeness
  • Implementation maturity

Control Assessment

Regular evaluation of control performance:

Assessment Frequency

  • Quarterly effectiveness reviews
  • Annual comprehensive assessments
  • Ad-hoc evaluations after incidents
  • Continuous monitoring where applicable

Assessment Methods

  • Control testing and validation
  • Process walkthroughs
  • Documentation review
  • Sample testing

Action-Control Integration

Linking Actions to Controls

Establish clear relationships:

Control Implementation Actions

  • Deploy new preventive controls
  • Install detective monitoring
  • Implement corrective procedures
  • Document control processes

Control Assessment Actions

  • Test control effectiveness
  • Review control documentation
  • Validate control operation
  • Update control procedures

Control Improvement Actions

  • Enhance existing controls
  • Address identified gaps
  • Optimize control processes
  • Automate manual controls

Smart Categorization

Flow automatically suggests action types based on:

  • Associated control type
  • Risk treatment strategy
  • Compliance requirements
  • Historical patterns

Due Date Management

Scheduling System

Comprehensive timeline management:

Due Date Setting

  • Manual date selection
  • Template-based scheduling
  • Dependency-driven dates
  • Risk-based prioritization

Reminder System

  • Email notifications (planned)
  • Dashboard alerts
  • Visual indicators
  • Escalation procedures

Overdue Tracking

Monitor and manage overdue actions:

Visual Indicators

  • Red highlighting for overdue items
  • Days overdue calculation
  • Priority-based sorting
  • Owner notification

Escalation Process

  • Automated manager notification (planned)
  • Risk owner alerts
  • Executive dashboard inclusion
  • Performance impact tracking

Workflow Views

Kanban Board

Visual workflow management:

  • Drag-and-drop: Easy status updates
  • Swim lanes: Organize by priority or owner
  • Filtering: Focus on specific criteria
  • Search: Quick action location

Table View

Detailed list management:

  • Sortable columns: Flexible organization
  • Bulk operations: Efficient management
  • Export capabilities: Data extraction
  • Advanced filtering: Complex criteria

Action Details Drawer

Comprehensive information panel:

  • Full action details: Complete information
  • Progress tracking: Status and notes
  • Related items: Linked risks and controls
  • Activity history: Change tracking

Control Library Integration

Pre-built Controls

Access comprehensive control library:

Framework Controls

  • ISO 27001: Information security controls
  • NIST CSF: Cybersecurity framework controls
  • COSO ERM: Enterprise risk management controls
  • SOC 2: Service organization controls

Control Templates

  • Standard control descriptions
  • Implementation guidance
  • Testing procedures
  • Effectiveness criteria

Multi-framework Mapping

Single controls can map to multiple frameworks:

  • Cross-framework visibility: See all mappings
  • Compliance reporting: Framework-specific views
  • Gap analysis: Identify missing elements
  • Efficiency optimization: Avoid duplicate controls

Integration with Risk Management

Risk-Action Workflow

Seamless integration with risk register:

From Risk Assessment

  • Identify required actions during risk evaluation
  • Automatic action creation with risk context
  • Treatment plan implementation tracking
  • Progress monitoring and reporting

Risk Status Updates

  • Action completion affects risk status
  • Residual risk calculation updates
  • Treatment effectiveness measurement
  • Review schedule adjustments

Treatment Implementation

Actions support all treatment strategies:

Accept Treatment

  • Documentation actions for acceptance rationale
  • Monitoring actions for accepted risks
  • Review actions for periodic reassessment

Mitigate Treatment

  • Control implementation actions
  • Process improvement actions
  • Training and awareness actions

Transfer Treatment

  • Insurance procurement actions
  • Contract negotiation actions
  • Third-party assessment actions

Avoid Treatment

  • Process elimination actions
  • Alternative approach implementation
  • Impact mitigation actions

Performance Metrics

Action Analytics

Track action management effectiveness:

Completion Metrics

  • On-time completion rate
  • Average time to complete
  • Overdue action percentage
  • Resource utilization

Quality Metrics

  • Re-opened action rate
  • Control effectiveness improvement
  • Risk reduction achievement
  • Stakeholder satisfaction

Control Performance

Monitor control effectiveness:

Coverage Metrics

  • Percentage of risks with controls
  • Control gap identification
  • Framework coverage assessment
  • Redundancy analysis

Effectiveness Metrics

  • Average effectiveness rating
  • Improvement trends
  • Testing success rates
  • Incident reduction correlation

Best Practices

Action Management

Clear Ownership

  • Assign specific individuals, not teams
  • Define clear responsibilities and authority
  • Set realistic timelines
  • Provide necessary resources

Regular Updates

  • Weekly progress reviews
  • Monthly status reporting
  • Quarterly effectiveness assessment
  • Annual strategy review

Control Implementation

Design Principles

  • Controls should be measurable
  • Implementation should be cost-effective
  • Testing should be regular and documented
  • Improvement should be continuous

Documentation Standards

  • Clear control descriptions
  • Step-by-step procedures
  • Testing methodologies
  • Exception handling

Getting Started

  1. Create First Action: Use kanban board to add new action
  2. Link to Risk: Associate action with relevant risk
  3. Set Due Date: Establish realistic timeline
  4. Assign Owner: Designate responsible individual
  5. Track Progress: Update status as work progresses
  6. Link Controls: Associate with relevant controls
  7. Monitor Dashboard: Review action metrics and trends

Flow's actions and controls system ensures systematic implementation of risk treatments while providing the visibility and accountability needed for effective risk management.

