Measures of Improvement (MoI's)

Measures of Improvement (MoIs)

Introduction

In CERRIX, Measures of Improvement (MoIs) are used to follow up on findings, test results, or incidents. They provide a structured way to record improvement actions, assign responsibilities, and track progress – all within a single integrated workflow.

Why Use MoIs in CERRIX?

MoIs help you:

• Register actions that emerge from audits, risks, events, or control test results

• Assign owners and deadlines for each action

• Monitor progress and status of every measure

• Generate reports showing which actions are open, delayed, or completed

How It Works in Practice

MoIs are created from various modules in CERRIX (Risks, Controls, Control Testing, Incidents, Finding Reports). When you create an MoI, you assign roles that each have specific responsibilities.

The MoI automatically moves through a workflow with these statuses:

Created → In progress → Ready for acceptance → Accepted / Rejected → Closed

Every change or status update is recorded in the history, creating a complete audit trail.

Roles in Improvement Management

Your role determines what you can do within an MoI. Each MoI has one responsible party, a reviewer, and optionally an auditor or delegate.

Responsible (Owner)

The Responsible party is ultimately accountable for executing the action. Their responsibilities include:

• Tracking progress and uploading evidence

• Updating status from "In progress" to "Ready for acceptance"

• Ensuring the improvement is completed by the deadline

Delegate

The Delegate performs tasks on behalf of the Responsible party. They can:

• Execute assigned activities

• Update progress and upload documents

• Add comments and evidence

However, Delegates cannot set final status or close the MoI – that remains with the Responsible party.

Reviewer

The Reviewer checks the quality of completed actions. They:

• Validate that improvements were properly implemented

• Approve or reject the action before the auditor closes it

• Ensure evidence is sufficient and complete

Auditor (Optional)

The Auditor typically creates MoIs based on findings from audits or test plans. They:

• Assess whether actions have been sufficiently executed

• Close the MoI after it's been approved

• Maintain oversight of the improvement process

Workflow Summary

Risk/Control/Incident/Finding creates MoI → Responsible executes → Delegate supports → Reviewer validates → Auditor closes

This structure ensures clear accountability at every stage and prevents improvements from stalling or being forgotten.

MoI Workspace

The MoI workspace is your central overview of all improvement measures within your organisation. Here you can quickly see which actions are running, who's responsible, and what the progress is.

What You See in the Workspace

The workspace displays:

• A list of all open and completed MoIs

• Columns showing Status, Priority, Responsible, Due date, and Progress

• Filters at the top to search by subject, responsible party, or status

• Colour indicators for progress (e.g., red = delayed, green = completed)

MoI Statuses

• Unconfirmed – newly created, not yet accepted by the responsible party

• In progress – action is being executed

• Ready for acceptance – submitted for review

• Accepted – approved by reviewer, ready to close

• Rejected – returned to "In progress" for further work

• Closed – completed and archived

Understanding these statuses helps you quickly assess the health of your improvement programme and identify actions that need attention.

Creating a New MoI

Where Can You Create MoIs?

MoIs can be created from multiple locations in CERRIX:

• From a risk (Risk MoI tab)

• From a test plan (Control Improvement MoI tab)

• From an event or incident (Event MoI tab)

• From a finding report (Linked MoIs tab)

This flexibility ensures improvements can be captured wherever they're identified in your GRC process.

Steps to Create an MoI

Navigate to the relevant module (risk, control, incident, or finding) and click Add MoI.

Core Information

Start with the essential details:

• Name – Brief title of the measure (e.g., "Implement password complexity rules")

• Subject – Detailed description of the improvement needed

• Priority – Urgency level (Low, Medium, High)

• Implementation score – Feasibility rating (1-5 scale, where 5 is most achievable)

Planning

Add timeline information:

• Start date – When work on the improvement will begin

• Due date – Deadline for completion

Be realistic with due dates. Rushed improvements often fail, while overly generous deadlines reduce urgency.

Role Assignment

Assign the people who will work on the MoI:

• Responsible – The primary owner accountable for delivery

• Delegate – The person who will do the actual work (optional)

• Reviewer – Who will validate the completed improvement

• Auditor – Who oversees the process (optional)

Additional Context

Provide background and guidance:

• Finding description – What problem or gap was identified?

• Recommendation – What should be done to address it?

• Management response – How does management intend to resolve this?

These fields create a complete record of why the improvement is needed and how it will be achieved.

Linkages

Connect the MoI to related objects:

• Business dimensions – Which processes or departments are affected

• Risks – Which risks will be reduced by this improvement

• Controls – Which controls will be strengthened

• Documents – Supporting evidence or specifications

These connections ensure the MoI doesn't exist in isolation but integrates with your broader GRC framework.

Activating the Workflow

Click Save MoI to create the improvement measure. The workflow starts automatically, and tasks are distributed to all assigned roles. Each person receives notifications about their responsibilities and can track the MoI through their task list.

MoI Workflow

Every MoI follows a defined workflow managed automatically by CERRIX.

1. Created / Unconfirmed

The MoI has been created but not yet confirmed by the responsible party or auditor. This gives the assigned person a chance to review the action, ask questions, or request clarification before accepting ownership.

2. In Progress

The action has started. The Responsible party and Delegate work on executing the improvement. During this phase:

• Progress percentage is updated regularly

• Evidence is collected and uploaded

• Status updates are recorded

• Challenges or delays are documented in comments

Keeping progress current helps everyone understand the MoI's status without constant meetings or email threads.

3. Ready for Acceptance

The Responsible party marks the action as complete. This signals that:

• All improvement activities have been finished

• Supporting evidence has been uploaded

• The action is ready for validation

The Auditor or Reviewer receives an automatic notification to begin their assessment.

4. Accepted / Rejected

The Reviewer evaluates the completed work:

Accepted – The improvement meets requirements and can be closed. Evidence is sufficient and the action achieved its intended effect.

Rejected – The improvement is insufficient and returns to "In progress". The Responsible party receives feedback about what needs to be corrected or completed.

Rejection isn't a failure – it's quality control. It ensures improvements genuinely address the underlying problem rather than creating superficial compliance.

5. Closed

The MoI is finalised and archived. All details remain visible in the audit trail for future reference. Closed MoIs demonstrate your organisation's commitment to continuous improvement and provide evidence for auditors and regulators.

Tracking History

Use the History tab within any MoI to see:

• Complete progression through workflow stages

• Status changes with timestamps

• Comments and communications

• Document uploads

• Progress updates

This audit trail is invaluable during reviews and audits, as it shows not just what was done but when and by whom.

Best Practices

Good MoI registration prevents actions from stalling, accelerates audits, and makes follow-up transparent.

Be Specific – Use the SMART Method

Formulate improvements according to SMART principles:

• Specific – Clear and unambiguous

• Measurable – Quantifiable outcomes or deliverables

• Achievable – Realistic given available resources

• Relevant – Addresses the underlying problem

• Time-bound – Has a clear deadline

Vague improvements rarely get completed. Specific ones create accountability.

Always Link to the Source

An MoI must be traceable back to the risk, control, test, or incident that created it. This linkage ensures improvements aren't random activities but targeted responses to identified problems.

Add Evidence

Upload documents that support execution or validation. Evidence might include:

• Updated procedures or documentation

• System screenshots showing configuration changes

• Training completion records

• Test results demonstrating the improvement works

Without evidence, you can't prove the improvement was actually implemented.

Use Priority and Due Date Effectively

Set realistic deadlines that create urgency without being impossible. Balance priority across your MoI portfolio – not everything can be High priority.

Unrealistic deadlines lead to missed commitments and erode confidence in the improvement programme.

Update Progress Regularly

For long-duration improvements, update the percentage complete field periodically. This shows momentum and helps identify stalled actions early.

If progress stops for legitimate reasons (resource constraints, dependencies), document this in comments so stakeholders understand why.

Document Management Responses Carefully

Record not just what was done, but why specific approaches were chosen. This context helps future reviewers understand the decision-making process and prevents redundant discussions.

Close MoIs Promptly When Complete

Leaving completed actions open distorts reporting and makes it difficult to understand your current improvement load. Once an action is genuinely finished and accepted, close it.

Regular closure also provides a sense of achievement and demonstrates progress to leadership.

Exercises

Exercise 1: Create a New MoI

1. Create a new MoI from a control or test plan

2. Complete all required fields: name, subject, priority, due date, and responsible party

3. Link a risk or control

4. Click Save MoI

Exercise 2: Progress Through the Workflow

1. Update the MoI status to "In progress"

2. Upload a document as evidence

3. Mark the MoI as "Ready for acceptance"

4. Have a colleague (or trainer) review and either Accept or Reject it

Exercise 3: Review Reporting

1. Return to the MoI workspace

2. Filter for "Closed" and "In progress" status

3. Compare completed actions versus ongoing ones

4. Export the filtered list to Excel for discussion with your manager