While the use of risk interviews is optional, compliance interviews must be used in compliance projects in order to generate compliance metrics. In these projects, the requirements to be analyzed are selected from one or more authoritative documents. Next, the objects of the analysis must be selected, which can be people, assets, or business components. The level of compliance with the selected requirements is measured for each selected object exclusively through the use of interviews.
For each object selected for the analysis, a compliance survey must be selected to generate the interview. A response set is also selected for each survey in order to provide the response options presented to interviewees. Each response option is associated in advance with compliance metrics, so the metrics are calculated automatically from the responses. An interviewee must be selected for each object, and a reviewer can optionally be assigned to validate or modify the interviewee's responses (see figure below).
In addition to the types of questions supported by generic and risk surveys (Text, Number, Date/Time, List of Options, etc.), compliance surveys also use a special type of question known as a Compliance question (see figure below).
When compliance surveys are created, the Compliance questions included in them may be associated with requirements from one or more authoritative documents. This maps the questions against the requirements, allowing compliance metrics to be generated for the associated requirement according to the response selected by an interviewee.
When a question is associated with a child requirement, the relationship is established only with this child requirement. In the example shown in the figure below, Compliance question 2 from page 1 was associated with requirement 1.2, which is a child requirement under parent requirement 1. Other requirements on the same level as requirement 1.2 (for example, requirement 1.1) are not affected by this association, nor are requirements from higher or lower levels.
Similarly, when a question is connected to a parent requirement, the relationship is established only with the parent requirement. In the example shown in the figure below, Compliance question 1 from page 2 was associated with requirements 2 and 3. Other requirements on the same level as requirements 2 and 3 (for example, requirements 1 and 4) are not affected by the association, nor are requirements from lower levels.
A Compliance question can be associated with various requirements from different authoritative documents, or it can be associated with no requirements at all. When it is not associated with any requirements, this question will contribute to the calculation of the Compliance Index and Compliance Level for an object associated with the interview, but will not contribute to the same calculation for any requirement or authoritative document.
A response set is associated with each compliance interview generated in a project. A response set provides an adequate scale for specific types of evaluations that an interview seeks to discover (for example: the maturity of processes, the reasons why a requirement was not met, etc.) (see figure below). While other types of questions support various response formats, Compliance questions will only have the response options included in the response set associated with the interview.
The association between a compliance interview and a response set allows the two compliance metrics used in the system to be produced directly for each question according to the responses provided. This is possible because each response option provided for the interviewee already has compliance metrics associated with it, which are configured when the response set is created. Interviewees select a certain option, and a certain Compliance Index already associated with the question is generated, which, in turn, is associated with a Compliance Level (see figure below).
Through the relationship between the Compliance questions and the requirements in authoritative documents, the compliance metrics obtained for the compliance questions may be consolidated for the requirements, for the authoritative document itself, and for the objects. It’s important to note that only Compliance questions use the options defined in the response set associated with the interview, and these are used by the system to calculate the Compliance Index and the Compliance Level, in addition to being the only type of question which can be associated with requirements.
Note that response options do not have to be created for Compliance questions in compliance surveys as they do for List of Options questions in risk surveys, since these options will be obtained automatically from a response set when an interview is generated based on the survey. Compliance questions have some unique characteristics that distinguish them from other questions that can be included in compliance surveys, namely:
• Only Compliance questions can be associated with one or more requirements from authoritative documents. These relationships are established in the Requirements tab in the survey editor.
• When an interview based on a compliance survey is generated in a project, the interview is associated with a previously created response set. A response set offers a set of response options that will be used for all the Compliance questions in the interview. Thus, all the Compliance questions will have the same response options available.
• Each response option in a response set is associated with two metrics, the Compliance Index and the Compliance Level. Thus, when an interviewee (or reviewer) selects one of the response options for a Compliance question, the system generates the compliance metrics for the question.
• As the Compliance questions are associated with requirements from one or more authoritative documents, the consolidated compliance metrics for the requirements associated with the questions or for the authoritative documents where the requirements are included can be obtained based on the metrics obtained for the individual questions.
• The Compliance Index and Compliance Level can also be calculated for objects analyzed in compliance projects, as well as for the object/requirement pair.
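The association and consolidation rules described above can be modelled in a few lines. This is an added example, not code from the product. The response option names and their index values, the document names DOC-A and DOC-B, the objects, and the use of an arithmetic mean for consolidation are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed response set: option -> (Compliance Index, Compliance Level).
RESPONSE_SET = {
    "Fully implemented": (100, "Compliant"),
    "Partially implemented": (50, "Partially compliant"),
    "Not implemented": (0, "Non-compliant"),
}
# Constructed survey: Compliance question -> associated (document, requirement)
# pairs. p1.q1 is associated with no requirement at all.
QUESTION_REQUIREMENTS = {
    "p1.q1": [],
    "p1.q2": [("DOC-A", "1.2")],
    "p2.q1": [("DOC-A", "2"), ("DOC-A", "3"), ("DOC-B", "4.1")],
}
# Constructed interview responses, one interview per object.
ANSWERS = {
    "File server": {"p1.q1": "Not implemented", "p1.q2": "Fully implemented",
                    "p2.q1": "Partially implemented"},
    "Payroll process": {"p1.q1": "Fully implemented", "p1.q2": "Not implemented",
                        "p2.q1": "Fully implemented"},
}

def question_metrics(responses):
    """Per-question (index, level), read directly from the response set."""
    return {q: RESPONSE_SET[option] for q, option in responses.items()}

def consolidate(answers):
    """Consolidated Compliance Index per object, requirement, document and pair.

    Assumption: consolidation is an arithmetic mean, and a question counts
    once per document even when it maps to several of its requirements.
    """
    obj_idx, req_idx, doc_idx, pair_idx = (defaultdict(list) for _ in range(4))
    for obj, responses in answers.items():
        for q, (index, _level) in question_metrics(responses).items():
            obj_idx[obj].append(index)  # every Compliance question counts here
            links = QUESTION_REQUIREMENTS[q]
            for doc, req in links:      # exact requirement only, no parent/child
                req_idx[(doc, req)].append(index)
                pair_idx[(obj, doc, req)].append(index)
            for doc in {d for d, _ in links}:
                doc_idx[doc].append(index)
    return tuple({k: round(mean(v), 1) for k, v in group.items()}
                 for group in (obj_idx, req_idx, doc_idx, pair_idx))

if __name__ == "__main__":
    for name, table in zip(("object", "requirement", "document", "pair"), consolidate(ANSWERS)):
        print(name, table)
```

The unassociated question p1.q1 changes each object's index but appears in no requirement or document result, and requirement 1.2 receives a value while its parent 1 and sibling 1.1 receive none.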
Compliance questions are required. However, as in risk surveys, rules can also be created to control which questions will be visible to interviewees depending on answers to previous questions. This prevents interviewees from being obliged to answer questions which may not make sense to answer depending on answers to other questions. Comments and attachments can also be required depending on the answers provided to other questions by creating rules for this purpose, as long as fields for comments and attachments were enabled for the questions.
Below is a summary of the steps involved in creating a compliance survey:
1. An authoritative document is created in the system in the Compliance Knowledge section of the Knowledge module (see figure below).
2. An authoritative document includes a list of requirements, which are used to measure compliance (see figure below).
3. A compliance survey is created in the Surveys section of the Knowledge module (see figure below).
4. A compliance survey includes a series of questions, and these questions may have requirements associated with them (see figure below).
5. Requirements from one or more authoritative documents are associated with questions when the survey is created (see figure below).
6. Requirements are included in the scope of a compliance project (see figure below).
7. The objects for which compliance will be evaluated are added to the scope of a compliance project (see figure below).
8. The survey and response set are selected when adding objects to the scope of the project (see figure below). Interviewees and reviewers assigned by default can be changed by editing the objects.
9. When the interview is answered, compliance metrics are automatically generated for the project (see figure below).