Introduction
Risks are an integral part of GRC, with crucial connections to the controls you have in place and the vendors you manage. Complyance allows you to link risks across the platform to help you assess the effectiveness of your current controls, establish accountability by linking risks to vendors, and track which risks may be affected if a control fails or a vendor is breached.
You can find your risk register in Complyance on the left-hand sidebar. Click on the name of any risk to open it on the Details tab.
To link Controls to your Risk:
From the Details tab, navigate to the right-hand sidebar and click the controls icon.
You can link your risk to both primary and secondary controls:
- Primary control: These are the key compensating or related controls for this risk. Primary controls' status is reflected in the control validity for this risk. A primary control is the main safeguard put in place to prevent a specific risk.
- Secondary control: These are the supporting compensating or related controls for this risk. Secondary controls' status is NOT reflected in the control validity for this risk. A secondary control supports the primary control or mitigates the risk if the primary fails.
For example, enforcing multi-factor authentication is a primary control against unauthorized access, while monitoring login attempts is a secondary control that helps detect and respond if the primary is bypassed.
To link a control, click the blue '+ Link primary control' or '+ Link secondary control' button. A pop-up will appear allowing you to:
- Search for controls by name
- Use AI recommendations to find relevant controls to link
To link Vendors to your Risk:
To link vendors to your risk, navigate to the right-hand sidebar of your open risk and click the references icon.
Select the grey box titled 'Click to add references' to open a pop-up window where you can search for the vendor(s) to link to the risk.
Once linked, you can open a vendor record and view all associated risks along with their current status.
Risk register field updates
For quick visibility, you can add linked controls and vendors to your risk register:
- Open the risk register from the left-hand sidebar.
- Click the Settings cog in the top right of the register.
- To add linked controls, click the eye icon next to Linked controls.
- To add linked vendors, click the eye icon next to Linked vendors.
The register will now display the statuses of controls and vendors linked to each risk.
Note: These fields are dynamic and cannot be found under Settings > Risk Fields because they reside only in their specific tabs—the Controls tab and the References tab.
Common Reports
You can create reports to surface the links that matter most to you and your team.
To create the report:
- Navigate to the Reports tab on the left-hand sidebar
- Select "+ New Report"
- Name the report to align with what you are filtering, for example 'High Risks with Failing Controls'
- Select the type "Risks"
Next, add filters to narrow down your report:
- Filter Inherent Risk and select High and Very High.
- Filter Linked control status and select Failing.
This report will display all high and very high risks with failing controls, highlighting where risk treatment is in jeopardy and requires action. The report updates dynamically, so it will automatically include any relevant new data.