
# Risk & controls

> Connect GRC and audit data on Supabase, build audit and operational risk dashboards, and ask questions about findings, KRIs, and vendor risk — modeled on Veridian Group.

export const CookbookDemoVideo = ({slug, caption = "See this cookbook in Vizkraft"}) => {
  const base = `/public/recordings/cookbooks/${slug}`;
  return <figure className="not-prose my-8 overflow-hidden rounded-xl border border-gray-200 dark:border-gray-800">
      {caption ? <figcaption className="border-b border-gray-200 bg-gray-50 px-4 py-2 text-center text-sm text-gray-600 dark:border-gray-800 dark:bg-gray-900 dark:text-gray-400">
          {caption}
        </figcaption> : null}
      <video autoPlay muted loop playsInline className="w-full dark:hidden">
        <source src={`${base}/mist.webm`} type="video/webm" />
        <source src={`${base}/mist.mp4`} type="video/mp4" />
      </video>
      <video autoPlay muted loop playsInline className="hidden w-full dark:block">
        <source src={`${base}/carbon.webm`} type="video/webm" />
        <source src={`${base}/carbon.mp4`} type="video/mp4" />
      </video>
    </figure>;
};

This cookbook is for **risk, audit, and compliance** teams tracking internal controls, audit findings, key risk indicators, segregation-of-duties conflicts, and third-party risk. The examples use **Veridian Group**, a fictional diversified enterprise with a central risk and controls function.

## Who this is for

|                  |                                                          |
| ---------------- | -------------------------------------------------------- |
| **Company type** | Enterprise GRC, internal audit, operational risk         |
| **Connector**    | Supabase (PostgreSQL)                                    |
| **Teams**        | Risk management, internal audit, compliance, vendor risk |

## Get started

<Steps>
  <Step title="Connect Supabase">
    Add a Supabase connector with your project pooler host, database, and credentials. See [Add connectors](/guides/add-connectors).
  </Step>

  <Step title="Index your schema">
    Run indexing on the `public` schema. Mark the important tables listed below. See [Index your data](/guides/index-your-data).
  </Step>

  <Step title="Ask your first question">
    Try: *How many open audit findings do we have by severity?*
  </Step>

  <Step title="Build the dashboards below">
    Combine saved charts into audit committee and risk committee views. See [Create dashboards](/guides/create-dashboards).
  </Step>
</Steps>

## See it in Vizkraft

<CookbookDemoVideo slug="risk-controls" caption="Veridian Group risk and controls in Vizkraft" />

## Your data

A typical risk and controls warehouse on Supabase includes thirteen related tables:

| Table                     | What it holds                                            |
| ------------------------- | -------------------------------------------------------- |
| `audit_findings`          | Findings from audits — title, severity, status, due date |
| `business_processes`      | Processes in scope for controls and testing              |
| `control_tests`           | Test results — pass/fail, tester, test date              |
| `controls`                | Control definitions linked to business processes         |
| `departments`             | Org units and cost centers                               |
| `employees`               | Staff — role, department, contact details                |
| `key_risk_indicators`     | KRI definitions with red and amber thresholds            |
| `kri_readings`            | Time-series KRI values and notes                         |
| `policy_exceptions`       | Approved or pending policy exceptions                    |
| `risk_register`           | Enterprise risks — likelihood, impact, owner, score      |
| `sod_conflicts`           | Segregation-of-duties conflicts by employee and role     |
| `vendor_risk_assessments` | Third-party risk reviews                                 |
| `vendors`                 | Vendor master — country, category, tier                  |

### Tables to mark during indexing

* **Audit findings** — open and closed findings, severity, remediation status
* **Risk register** — active risks, scores, and ownership
* **KRI readings** and **key risk indicators** — threshold breaches and trends
* **Control tests** — pass/fail rates over time
* **SoD conflicts** — open conflicts by department
* **Vendors** and **vendor risk assessments** — third-party risk tier and concentration

## Dashboards to build

### Audit findings overview

**Answers:** What is the status of our audit program and control testing?

Include open and closed finding KPIs, policy exception counts, average exception risk level, control tests passed, severity breakdown, control test pass/fail trend, findings opened over time, and a findings detail table.

### Operational risk exposure

**Answers:** Where is the organization most exposed right now?

Include open SoD conflict KPIs, KRI red-threshold breaches, active risk count, conflicts by department, likelihood-versus-impact heatmap, vendor tier breakdown, red and amber KRI trend, KRI values against thresholds, and a table of high-scoring active risks.

## Questions to ask by role

| Role                  | Questions to try                                                                                        |
| --------------------- | ------------------------------------------------------------------------------------------------------- |
| Chief audit executive | How many audit findings are open versus closed? What is the severity mix?                               |
| Risk manager          | Which risks in the register have a score of 12 or above? How many KRIs are breaching red thresholds?    |
| Compliance officer    | How many policy exceptions are pending approval? What is the average risk level of approved exceptions? |
| Vendor risk analyst   | What is the breakdown of vendors by risk tier? Which vendors are Critical or High?                      |
| SoD analyst           | How many open segregation-of-duties conflicts do we have by department?                                 |

## Example conversations

### Vendor risk tier breakdown

**Ask:** What is the breakdown of our vendors by risk tier — show how many vendors fall into Critical, High, Medium, and Low as a pie chart.

Vizkraft returns a pie chart with tier counts and insight notes on concentration in High and Critical tiers and whether any tier has zero vendors.

**Try next:** Which Critical-tier vendors have assessments older than twelve months?

### Control testing trend

**Ask:** Show control test pass and fail counts by month for the last year.

Use this to spot months with elevated failures before audit committee meetings.

**Try next:** Which controls had the most failed tests in the last quarter?

## Metrics worth defining

Add to [Connector memory](/features/connector-memory) so definitions stay consistent across your org:

* **Risk score** — likelihood × impact (or your enterprise formula)
* **KRI breach** — reading at or above red threshold
* **Open finding** — status not equal to Closed
* **SoD conflict** — unresolved segregation-of-duties exception
* **Vendor risk tier** — Critical, High, Medium, Low classification rules
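As an added example (not code from the Vizkraft docs or from the Veridian Group dataset), the "KRI breach" definition above can be expressed as a PostgreSQL query over `key_risk_indicators` and `kri_readings`, so the dashboard and the connector-memory definition agree on what a breach is. Column names (`id`, `name`, `red_threshold`, `amber_threshold`, `kri_id`, `reading_date`, `value`) and the convention that a higher reading is worse are assumptions.

```sql
-- Added example, not from the Vizkraft docs. Assumed columns:
--   key_risk_indicators(id, name, red_threshold, amber_threshold)
--   kri_readings(kri_id, reading_date, value)
-- Assumes a higher reading is worse, so "breach" means value >= red_threshold.
WITH latest AS (
  -- One row per KRI: its most recent reading (PostgreSQL DISTINCT ON).
  SELECT DISTINCT ON (kri_id)
         kri_id, reading_date, value
  FROM   kri_readings
  ORDER  BY kri_id, reading_date DESC
),
classified AS (
  SELECT k.name,
         l.reading_date,
         l.value,
         k.amber_threshold,
         k.red_threshold,
         CASE
           WHEN l.value IS NULL              THEN 'no reading'  -- KRI defined but never measured
           WHEN l.value >= k.red_threshold   THEN 'red'         -- breach, per the definition above
           WHEN l.value >= k.amber_threshold THEN 'amber'       -- warning band
           ELSE                                   'green'
         END AS status
  FROM   key_risk_indicators k
  LEFT JOIN latest l ON l.kri_id = k.id   -- LEFT JOIN keeps unmeasured KRIs visible
)
SELECT *
FROM   classified
ORDER  BY CASE status
            WHEN 'red'        THEN 0
            WHEN 'amber'      THEN 1
            WHEN 'no reading' THEN 2
            ELSE                   3
          END,
          name;
```

Replacing the final `SELECT *` with `SELECT status, count(*) FROM classified GROUP BY status` answers the risk manager's "how many KRIs are breaching red thresholds" question directly.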
