Configure and publish a control effectiveness assessment to assess the effectiveness of controls in mitigating inherent risks.

1. Navigate to your RAM form which has inherent risks as an assessment type.
2. Under the Assessment Types related list, click Control Assessment.
3. On the form, fill in the fields.

   Table 1. Control Assessment form

   Field	Description
   Risk assessment methodology	Name of the RAM used for control assessment. This field is automatically set based on your RAM.
   State	State of the RAM. This field is automatically set to Draft.
   Assessment contribution	Type of factor contribution. This field is automatically set to Qualitative contribution.
   Calculate based on	Option to assess the types of control. Choices are the following: Control environment assessment: Select this option if you do not want to assess individual controls, but instead want to assess the overall effectiveness of the control environment. Individual assessment of controls: Select this option if you want to perform an assessment for individual controls. For example, you can select the risk of employees accepting bribes and then assess each existing control to mitigate the risk of bribery. This option is available only when the Policy and Compliance Management (com.sn_compliance) plugin is activated.
   Control identification	Option to decide how to identify the controls in the risk assessment instance. Choices are the following: None From Library: Use this option when you want to identify controls from the library on the risk assessment instance. Ad-hoc: Use this option when you want to identify new controls on the risk assessment instance. From Library and Ad-hoc: Use this option when you want to identify controls from the library as well as identify new controls. This field appears only when the Calculate based on field has the value Individual assessment of controls.
   Factor for overall effectiveness	Manual factor that is applied to all controls that you add in the assessment instance during the assessment. This field appears only when the Individual assessment of controls option is selected from the Calculate based on field.
   Qualitative scoring logic	Formula for calculating the scoring logic. Choices are the following: Sum: Sum of the factor responses. Minimum: Minimum value of the factor responses. Maximum: Maximum value of the factor responses. Average: Average value of the factor responses. Product: Value derived by multiplying the factor responses. Weighted average: Average value of the weighting of factors. This value is then classified as low, medium, or high. Script: User-defined formula to calculate the score. This option is not available if you select Individual assessment of control in the Calculate based on field. This option is available only to users with the sn_grc.developer role.
   Qualitative script variables	Format of the script and the variables used in the script. This field is available only when Script is selected from the Qualitative scoring logic field.
   Qualitative script	User-defined script to compute the scoring logic. This field enables you to have more control over the score computation.
   Assessment Results Mapping
   This section appears only when the control assessment is being done on an Object.
   Control effectiveness	Column where the control effectiveness rating value is stored. After the assessment, the control effectiveness result is copied to the column selected in this field.

4. Click the Factors section and click Edit.
   The Factors related list appears only when Control environment assessment is selected from the Calculate based on field.
5. Add the necessary factors from the Collection list to the Factors list, and click Save.
6. Click the Qualitative Rating Criteria related list and click New.
7. On the form, fill in the fields.

   Table 2. Qualitative Rating Criteria form

   Field	Description
   Lower rating interval	Range for qualitative risk ratings. For example, for a range of 0–10, you can enter 0 as the lower range. And for a range of 11– 20, the value can be 11 as the lower range.
   Risk rating	Severity of the risk. You can enter ratings such as Low, Medium, or High. For example, assume that the lower rating interval for the Low rating is 0, and that the lower rating interval for the Medium rating is 11. If the risk score is 15, then the rating criterion is Medium because 15 is in the range of 11–20.
   Overridden score	Score that the risk assessor can use to override the computed score.
   Risk color style	Color code style for the background color on the risk rating value and for the text color on the risk assessment instance. For example, for a high risk, you can select the Red color style with the background color as red and the text as black.

   Note: Do not enter negative values in the Qualitative Rating Criteria form.
8. Click Submit.
9. Click Publish.