Response Sets

This section provides orientation on managing response sets, available through the Knowledge module.

For the purposes of compliance management, a response set is a group of response options used to answer an interview in compliance projects.

Compliance projects include a scope of objects that will be analyzed and a scope of requirements from authoritative documents. The objective of a compliance project is to allow compliance with the requirements in the authoritative documents included in the scope to be measured. The compliance metrics (Compliance Index and Compliance Level) are calculated automatically as the questions generated for the project are answered - that is, as interviewees (or reviewers, if applicable) answer each question from a compliance interview, the Compliance Index (%) and Compliance Level metrics are calculated.

This is possible due to the selection of a response set for each interview, which attributes compliance metrics directly for the Compliance questions according to the options selected by interviewees. In other words, the Compliance Index (%) and Compliance Level metrics are obtained for each individual question.

When defining the scope of a compliance project, a compliance survey previously created in the Knowledge module is associated for each object that you want to analyze. A response set, interviewee, and reviewer (optionally) are also selected. Objects that can be analyzed in a compliance project may be business components, people, or assets. It is by means of these associations in the context of a compliance project that an interview is generated. As the responses for the questions from this interview are processed, the compliance metrics (Compliance Index and Compliance Level) are generated.

The Compliance Index (quantitative view) represents the percentage that organizational practices are in compliance with the guidelines described in the authoritative documents. This is calculated for each Compliance question in the analysis according to the corresponding response provided. This index is expressed as a percentage and varies from 0 to 100%. The higher the value of the Compliance Index, the more organizational practices are in compliance with the requirements and guidelines in the authoritative documents.

The Compliance Level (qualitative view), on the other hand, represents the level of compliance of each requirement in an authoritative document, according to the evidence provided (which can be in the form of controls, documents, practices, and others). It ultimately represents the values calculated for the Compliance Index and is expressed by the following options: Not Compliant, Partially Compliant, Compliant, and Not Applicable. The greater the number of non-compliant requirements, the greater the chances are of not passing an official evaluation.

Response sets offer various response options for interviewees. When a new response set is created in the Compliance module or an existing one is edited, it includes properties (title, language, description, author, etc.) and response options (Yes/No/Sometimes; Compliant/Not compliant; etc.). For example, the “Maturity” response set has specified values for the Compliance Index (%) and Compliance Level. Option 2 (Insufficient/inadequate) in the Maturity response set is associated with a Compliance Index value equal to 20%, and a Compliance Level of “Not Compliant”.

These response sets serve to refine the results, attributing a Compliance Index (0%, 20%, 40%, 60%, etc.) and a Compliance Level for each possible response option, thus eliminating the need for managers to select a binary response (compliant or not compliant) for the fulfillment of a certain rule or requirement.

For example, for the requirement “All employees should wear their badges”, different levels of compliance are possible within an organization, and the response set allows the various Compliance Index values obtained to be associated with these different levels of compliance:

The response...

results in a Compliance Index (%) of...

representing a Compliance Level of:

1 – I always wear it

100%

Compliant

2 – I regularly wear it

70%

Compliant

3 – I sometimes wear it

40%

Partially Compliant

4 – I never wear it

0%

Not Compliant

5 – We do not have badges

-

Not Applicable

 

Note that a Compliance Level of “Compliant” is possible even with different Compliant Index (%) values. That is, different compliance indices (%) are possible for the same Compliance Level (Compliant, Partially Compliant, or Not Compliant). It’s important to note that “Not Applicable” in the Compliance Level does not generate compliance metrics for the associated requirements. For this reason, it cannot be associated with a Compliance Index value. If all questions related to a certain requirement are answered as “Not Applicable”, this requirement will not appear in queries or dashboards.

Thus, response sets and their various options play an important role in generating compliance metrics in the system. Each question answered by an interviewee in a compliance interview will have an associated Compliance Index (%) value as well as a value for the Compliance Level. These values will be obtained according to a) the response provided by the interviewee and b) the corresponding response option, considering the response set that was associated with the survey in the scope of the project. Note that the set is selected for the interview as a whole; thus, all the Compliance questions in the interview will use this same response set, and the same response options will be available for the interviewee.

For details on how compliance metrics are calculated and consolidated through the use of compliance metrics associated with each option in a response set, see Chapter 6: Compliance -> Compliance Metrics.

In this section you can create your own response sets or use those provided by Modulo. These are listed in the table below:

Response Set

Purpose                 

Response Options

                           

Simplified

Strategic compliance analyses.

Not compliant

Compliant

Confirmation

Verify the implementation of controls.

Not compliant

Compliant

Maturity

Benchmarking of performance and process capability.

Non-existent/unknown (non-existent)

Insufficient/inadequate (initial)

Intuitive/identified (replicable)

Established/standardized (defined)

Monitored/controlled (managed)

Integrated/automated (optimized)

Levels

Simulate the results of a future audit.

Major/serious

Minor/not serious

Compliant

Note

Criticality

Level of criticality (=impact) for the certification based on the non-fulfilled requirements.

Critical

Significant

Minor

Non-existent

Rationale

Identify the main reason for which the requirement was not met, outlining the actions needed to correct it.

Documentation issues

Educational issues

Lack of formal evidence

Operational problems

Violation of official requirements

No problems

Phases

Verify the current status of the safety program and establish goals for improvement.

Non-existent

Policy

Procedures

Implementation

Tests/revision

Integration