Articles on: Documents
This article is also available in:

Asset, Risks, and Controls Governance

🛡 Governance

"Connect risks, assets, and controls — and track how your architecture actually looks."
Brainframe GRC helps you keep track of how your assets, risks, and controls interact with each other to give you a helicopter view of your system.


1️⃣ Governance Document Types


Every governance document is assigned one of three types, which determines its role in your framework:


Type

Purpose

Risk

Represents the impact and probability of a threat materialising

Asset

Represents a system, process, or resource that needs to be protected

Control

Defines a measure put in place to reduce or manage a risk


The Governance Tab adapts its layout depending on which type the document is, showing the relevant information and options for that context.


📌 Linked documents are bi-directional — a link created from a Risk document will also appear on the linked Asset or Control document.



2️⃣ Linked Entities by Document Type


🔴 Risk Documents


Risk documents display the following linked sections:


  • Linked Controls — Controls that have been put in place to address this risk.
  • Linked Assets — Assets that are exposed to or affected by this risk.


This gives you a complete picture of both what is being done about a risk and what is at stake if it materialises.





🔵 Asset Documents


Asset documents display the following linked sections:


  • Linked Risks — Risks that apply to or threaten this asset.
  • Linked Controls — Controls in place that protect this asset.
  • Max Potential Impact / Consequences — The maximum business impact if this asset is compromised (unchanged existing section).


This allows asset owners to understand both their exposure and their coverage in a single view.


](https://storage.crisp.chat/users/helpdesk/website/-/3/f/2/6/3f26ce462760bc00/screenshot-2026-06-16-at-17355_1aeu9gx.png =981x220)





🟢 Control Documents


Control documents display the following linked sections:


  • Linked Risks — The risks that this control is designed to mitigate.
  • Linked Assets — The assets that benefit from this control.
  • Risk Reduction — The estimated reduction in risk provided by this control (unchanged existing section).


This gives control owners full visibility into what their control is protecting and why it exists.





3️⃣ Mitigation Implementation Status


For every linked Control relationship — whether viewed from the Control document itself, a linked Risk document, or a linked Asset document — you can configure and track the mitigation implementation status.


This answers the critical question: "Has this control actually been put into practice?"


Available Statuses


Status

Meaning

Not configured

Implementation status has not yet been assessed

Not implemented

The control exists but has not been applied

Partially implemented

The control is in place for some scope or cases only

Implemented

The control is fully applied and operational


Setting the Status


The implementation status is set via a dropdown, accessible directly within the linked control entry on any associated document.


  1. Open any governance document (Risk, Asset, or Control).
  2. Locate the relevant linked control in the Linked Controls section (or the control's own governance tab).
  3. Click the implementation status dropdown next to the linked entry.
  4. Select the appropriate status.



📌 The status is stored once and displayed consistently across all linked documents. Updating it from one document automatically reflects the change everywhere that control relationship appears.



4️⃣ Synchronisation Across Linked Documents


A core design principle of the Governance Tab is that mitigation implementation state is always consistent, regardless of which document you view it from.


For example:


  • A Risk document linked to Control A shows Control A's implementation status as Partially implemented.
  • Opening the Control A document itself — or any other Asset linked to Control A — will show the same Partially implemented status.
  • Updating the status from any of those documents instantly updates it everywhere.


There is a single shared source of truth for each linked control relationship — no duplication, no drift.



5️⃣ Best Practices


  • 🔗 Always link controls back to risks and assets so your framework remains traceable end-to-end.
  • 📋 Set implementation statuses early — even marking something as Not implemented is valuable for gap analysis and audit readiness.
  • 🔄 Review statuses regularly as controls are deployed, updated, or retired.
  • 🧮 Use Control documents as your single point of truth for implementation status — the sync ensures all linked documents stay up to date automatically.
  • 📂 Keep your governance document types accurate — the linked sections displayed in the Governance Tab depend on the type assigned to each document.



🎯 Visual Checklist


  • [x] Governance documents assigned correct types (Risk / Asset / Control)
  • [x] Risks linked to relevant Assets and Controls
  • [x] Assets linked to relevant Risks and Controls
  • [x] Controls linked to relevant Risks and Assets
  • [ ] Mitigation implementation status set for all linked controls
  • [ ] Implementation statuses reviewed and up to date
  • [ ] Governance tab reviewed by document owners ahead of next audit


Updated on: 16/06/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!