Define and assign the assessment team's roles and responsibilities.


CONTROL ID: 08890
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high level operational roles and responsibilities., CC ID: 00806

This Control has the following implementation support Control(s):
  • Assign the role of Risk Assessment Manager to applicable controls., CC ID: 12143


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Upstream companies should ensure the assessment team consults with central governments and local governments to obtain information. (Supplement on Tin, Tantalum, and Tungsten App: B.1(a), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should ensure the assessment team regularly consults with local civil society organizations. (Supplement on Tin, Tantalum, and Tungsten App: B.1(b), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should define the scope and capacities of the assessment team. (Supplement on Tin, Tantalum, and Tungsten App: B.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International concentrate traders and mineral reprocessors should identify personnel to be the points of contact for the assessment team. (Supplement on Tin, Tantalum, and Tungsten App: B.2(6), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Smelters and refiners should identify personnel to be the points of contact for the assessment team. (Supplement on Tin, Tantalum, and Tungsten App: B.3(1), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Gold producers should establish an assessment team in the conflict-affected and high-risk areas of gold origin and transit to gather and maintain information on the suppliers and the circumstances of gold extraction, handling, trade, refining, and export. These teams may be established jointly with … (Supplement on Gold Step 2: § I.C.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Gold producers should consider the size of the other organizations, their resources available to conduct due diligence, their supply chain position, their ability to access information, and the reliability of their due diligence, when considering a joint assessment team. (Supplement on Gold Step 2: § I.C.2(a), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International gold traders, local gold exporters, and refiners should establish an assessment team in the conflict-affected and high-risk areas of gold origin and transit to gather and maintain information on the suppliers and the circumstances of gold extraction, handling, trade, refining, and expo… (Supplement on Gold Step 2: § II.C.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • International gold traders, local gold exporters, and refiners should consider the size of the other organizations, their resources available to conduct due diligence, their supply chain position, their ability to access information, and the reliability of their due diligence, when considering a joi… (Supplement on Gold Step 2: § II.C.2(a), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The risk assessment team should include representation from all the departments within the organization, including those that are involved in the processing, storage, and transmission of CHD. Such departments may include business processes, technology and support departments, such as Human Resources… (§ 4.1 ¶ 1, Information Supplement: PCI DSS Risk Assessment Guidelines, Version 2.0)
  • Managing annual PCI DSS assessments (A3.1.3 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • when and by whom the monitoring and measuring shall be performed; (§ 9.1 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • when and by whom the results from monitoring and measurement shall be analysed and evaluated. (§ 9.1 ¶ 1 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • ensuring the suitability, adequacy and effectiveness of the IT asset management system; (Section 5.3 ¶ 2(d), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • who shall analyse and evaluate these results. (§ 9.1 ¶ 1 f), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • A plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents;… (§242.1001(b)(2)(iii), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Use of information should take into consideration the completeness of the assessment and whether the process included an evaluation of internal control. Agency management should avoid duplicating reviews that assess internal controls, and should coordinate their efforts with other evaluations to the… (Section IV (B) ¶ 2, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)