All business units

Risk, legal & compliance

Make every consequential review traceable.

Map the intake, evidence, handoffs, and accountable decisions behind risk, legal, privacy, security, and compliance work without turning a review packet into an automatic decision.

This is an inferred reference inventory for functional mid-market teams, not a claim about any particular customer or operating model.

Starts with
A request, obligation, alert, contract, incident, or review date enters a controlled backlog.
Moves through
The case is classified, assigned, connected to source records, checked against policy, and prepared for the right reviewer.
Ends with
An accountable person records the decision, rationale, conditions, evidence, and next action, including any exception or escalation.

Every unit is a chain of handoffs.

These are the recurring algorithms that make the unit work. Each one turns an input into a decision, a next step, or a more complete case for the next owner.

  1. Governance and control model

    Maintain the risk language, control ownership, thresholds, and review rules that make decisions consistent and attributable.

    • Maintain risk taxonomy
    • Map risk domains to accountable owners
    • Define control objectives
    • Perform control testing
    • Assign control owners
    • Set control frequencies
    • Define review thresholds
    • Approve risk appetite statements
    • Version control descriptions
    • Record control exceptions
    • Retire superseded controls
  2. Risk intake and triage

    Turn reported risks and control issues into complete cases with a clear priority, owner, due date, and escalation path.

    • Capture risk issue
    • Validate issue record
    • Classify risk type
    • Score inherent risk
    • Set triage priority
    • Conduct issue triage
    • Assign accountable owner
    • Set remediation due date
    • Route urgent issue
    • Merge duplicate issues
    • Close invalid issue
    • Escalate unresolved triage
  3. Legal request intake

    Give counsel the facts, context, urgency, and business owner needed to accept, route, and close legal requests responsibly.

    • Capture legal request
    • Validate requester and business context
    • Classify legal matter
    • Check conflict and independence
    • Assign counsel
    • Set response deadline
    • Request missing facts
    • Escalate privileged matter
    • Record legal advice
    • Close request with disposition
  4. Contract lifecycle

    Route agreements from request through redlines, approvals, signature, storage, renewal, amendment, and controlled closure.

    • Intake contract request
    • Validate counterparty and template
    • Identify non-standard terms
    • Route contract review
    • Conduct contract review
    • Compare redlines
    • Resolve clause comments
    • Confirm approval matrix
    • Approve business terms
    • Approve legal terms
    • Execute signature package
    • Store executed agreement
    • Track renewal and termination date
    • Amend contract
    • Close expired contract
  5. Privacy and data requests

    Screen privacy changes and data requests, gather the right records, and keep disclosure, deletion, and mitigation decisions reviewable.

    • Record processing activity change
    • Screen DPIA trigger
    • Conduct DPIA
    • Review privacy impact
    • Approve mitigation plan
    • Handle data subject access request
    • Verify requester identity
    • Search personal data sources
    • Review disclosure package
    • Respond to or extend request
    • Process deletion request
    • Record consent withdrawal
    • Assess data breach notification need
  6. Security and access reviews

    Review access, privileged changes, service accounts, and security exceptions against named owners, current evidence, and separation rules.

    • Review access request
    • Verify manager approval
    • Grant privileged access
    • Review emergency access
    • Recertify application access
    • Recertify privileged accounts
    • Remove stale access
    • Review service account ownership
    • Approve segregation of duties exception
    • Review security control change
    • Record access evidence
    • Escalate unresolved access risk
  7. Compliance obligations

    Keep obligations, applicability decisions, owners, filing dates, attestations, and exceptions connected to the controls that support them.

    • Maintain obligation register
    • Map obligation to control
    • Assign compliance owner
    • Assess obligation applicability
    • Record regulatory change
    • Review filing calendar
    • Prepare compliance attestation
    • Approve regulatory submission
    • Monitor obligation status
    • Escalate overdue obligation
    • Document exception acceptance
    • Close retired obligation
  8. Audit and evidence

    Plan audit requests, collect source evidence, resolve gaps, and track findings through remediation without losing the review trail.

    • Plan audit request
    • Scope audit sample
    • Request evidence
    • Collect audit evidence
    • Validate evidence completeness
    • Link evidence to control
    • Review evidence freshness
    • Resolve evidence gap
    • Approve evidence package
    • Respond to auditor question
    • Track audit finding
    • Validate remediation evidence
    • Close audit action
  9. Incidents and investigations

    Move incidents from intake and containment through fact review, reporting assessment, corrective action, and documented closure.

    • Log compliance incident
    • Classify incident severity
    • Preserve relevant records
    • Assign investigation lead
    • Contain active issue
    • Coordinate incident response
    • Conduct fact review
    • Interview involved owner
    • Assess reporting obligation
    • Approve incident communication
    • Record root cause
    • Assign corrective action
    • Review incident closure
    • Escalate overdue investigation
  10. Third-party risk

    Assess vendors and partners before onboarding, monitor their obligations, and route residual risk or exceptions to accountable approvers.

    • Initiate vendor assessment
    • Classify vendor criticality
    • Screen sanctions and adverse media
    • Send due diligence questionnaire
    • Review security evidence
    • Review privacy terms
    • Review subcontractor exposure
    • Score residual vendor risk
    • Approve vendor onboarding
    • Record compensating controls
    • Monitor vendor obligation
    • Reassess vendor periodically
    • Escalate vendor exception
    • Offboard high-risk vendor
  11. Policy and training

    Keep policies current, approved, published, acknowledged, and tied to the training and exceptions that make them operational.

    • Draft policy change
    • Review policy owner comments
    • Map policy to obligation
    • Approve policy version
    • Publish policy
    • Notify impacted teams
    • Assign required training
    • Track training acknowledgement
    • Follow up overdue acknowledgement
    • Grant policy exception
    • Review policy exception
    • Retire superseded policy
    • Record training completion evidence
  12. Risk data governance and escalations

    Keep risk records usable for review by governing identifiers, resolving data gaps, preparing escalations, and preserving decisions over time.

    • Define risk record data standard
    • Validate required fields
    • Reconcile duplicate risk records
    • Reconcile risk and control IDs
    • Review data quality queue
    • Resolve stale owner assignment
    • Maintain decision log
    • Prepare risk committee pack
    • Review risk dashboard exception
    • Escalate threshold breach
    • Escalate missed review
    • Record risk acceptance
    • Archive closed case records

Keep the evidence visible and the decision accountable.

Source-linked case records
Each review keeps its request, source records, evidence, owner, deadline, and decision connected to a stable case or obligation ID.
Human approval gates
The prepared packet can support a reviewer, but a named legal, risk, privacy, security, or compliance owner makes the consequential decision.
Time-bound exceptions
Exceptions include a reason, compensating control, approver, review date, and closure path instead of becoming open-ended workarounds.
Separation of duties
Requests, evidence preparation, approval, and closure remain distinct where policy or risk requires an independent check.
Confidentiality boundaries
Privileged, personal, security, and investigation records are limited to the people who need them for the review.
Escalation with context
Threshold breaches, missed deadlines, evidence gaps, and unresolved owners carry the case history and open decision into the escalation.

Start with one review backlog

Trace the review before you automate the handoff.

Choose a recurring contract, privacy, access, audit, incident, or vendor review. Map the source records, exception paths, and human decision that determine whether the case can move.