Overview of Compliance Surveys

While the use of risk interviews is optional in risk projects, compliance interviews must be used in compliance projects in order to generate metrics. These projects have a scope of objects and a scope of requirements from authoritative documents for which you want to measure compliance metrics (the Compliance Index and Compliance Level). Each compliance interview generated in a project originates from an associated compliance survey and is also associated with a response set, an object, an interviewee, and a reviewer, who may optionally be assigned to validate or modify the responses provided by the interviewee (see figure below).

 

 

Notice that in the figure above, compliance surveys from the Knowledge module are used to generate compliance interviews within a project. The response set to be used is also selected for each survey within the project. Response sets are created and managed in the Knowledge module. Finally, the requirements from published authoritative documents (also from the Knowledge module) to be included in the project can also be selected.

Each compliance survey may contain various pages, and each page may contain text, images, and various types of questions (Text, Attachment, Date/Time, List of Options, etc.), each with different parameters and response options. In the current version of the system, there is no limit to the number of pages or questions that can be included in a survey. In addition to these types of questions, which are also supported by risk surveys, compliance surveys include a special type of question known as a Compliance question.

When compliance surveys are created, the Compliance questions included in them may be associated with requirements from one or more authoritative documents (see figure below). The objective of this procedure is to map the questions that should be considered when measuring the compliance of an object (assets, people, and business components) with a certain requirement.

 

 

A response set is associated with each compliance interview generated in a project. The figure below illustrates the relationship between a compliance interview and a response set that has previously been created and published in the Knowledge module (in this case, a set used to evaluate the maturity of processes). While other types of questions in interviews may have various types of responses, Compliance questions will only have the response options included in the response set associated with the interview.

 

 

It’s important to understand that when an interview is associated with a response set, this means that all Compliance questions from the interview will have the same response options. In the example shown in the figure above, all Compliance questions from the interview will use the response options from the Maturity response set.

The association between a compliance interview and a response set allows compliance metrics to be generated directly for each Compliance question as soon as it has been answered by an interviewee (or the reviewer, if applicable). This is possible because each response option provided to the interviewee already has compliance metrics associated with it, which are configured when the response set is created. In the example shown below, if an interviewee selects response option D for question 2, a Compliance Index of 60% and a Compliance Level of “Compliant” are automatically generated for the question.

 

 

As discussed further ahead, it is through the relationship between Compliance questions and the requirements from authoritative documents that compliance metrics obtained for Compliance questions can be consolidated for the requirements, for the authoritative document itself, and for the objects. Keep in mind that Compliance questions are the only type of question that uses the options specified in the response set associated with the interview, which the system uses to calculate the Compliance Index and the Compliance Level. They are also the only type of question that can be associated with requirements.