Map Risks to Policy Clauses and Controls for IT Compliance
Link risks to the policy clauses they could violate and to the controls that mitigate them. Mapping policy clauses to a risk shows which corporate rules that risk threatens; mapping controls to a risk shows which safeguards act on it and feeds the residual risk score that measures how effective those safeguards are.
Required Editions
| Available in: Lightning Experience |
|---|
| Available in: Enterprise, Performance, and Unlimited Editions with Agentforce IT Service. |

| User Permissions Needed | |
|---|---|
| To map risks to policy clauses and controls: | Compliance Admin permission set |
Mapping is how a risk gets connected to the rest of your compliance program. Map policy clauses to show which corporate rules a risk could violate, and map controls to identify the safeguards working against it. Once at least one control is mapped, the active scoring expression set calculates the residual risk score, the threat level that remains after your safeguards take effect.
Map a Risk to Policy Clauses
Link a risk to the policy clauses it could violate so your team has clear governance context for the threat.
- From a Risk record details page, go to the Related tab and click Map Policy Clauses.
- Select the policy clauses that apply to the risk and save your changes.
Only active policy clauses are available to map.
Suppose your compliance team has registered a Phishing Attack risk for the North America Sales business unit and wants to make clear which corporate rules a breach could violate. They map the risk to clauses from three relevant policies — Access Control, Email Security, and Security Awareness:
- Access Control Policy Clause 3.1, Authentication Standards. Mandates MFA on Sales Cloud tenant access.
- Email Security Policy Clause 5.2, Anti-Phishing Controls. Mandates inbound email filtering with anti-phishing analysis.
- Security Awareness Policy Clause 2.4, Phishing Training. Mandates quarterly phishing awareness training for all employees.
Together these clauses tell your team exactly why the risk matters: any phishing breach in the North America Sales tenant could violate three corporate security mandates.
Map a Risk to Controls
Link a risk to the controls that mitigate it so the residual risk score reflects the safeguards in place.
- From a Risk record details page, go to the Controls tab and click Map Controls.
- Select the controls that mitigate the risk and save your changes.
Suppose your compliance team has registered a Phishing Attack risk for the North America Sales business unit. The risk has a high inherent risk score, and evaluations suggest both high impact and high likelihood, so the team wants the residual risk score to reflect the safeguards already in place. They map the mitigating controls to the risk:
- Multi-Factor Authentication v2.0. Hardware-key MFA enforced on all Sales Cloud tenant logins.
- Email Security Gateway v3.1. Inbound email filtering with anti-phishing analysis and quarantine.
- Phishing Awareness Training Program. Quarterly phishing simulation campaigns for North America Sales staff.
With these controls in place, the active scoring expression set recalculates the residual risk score on the next evaluation, showing the threat level that remains after these safeguards take effect.