Lesson 6.4 - Audit Trail and Ownership¶
“Everyone Thought Someone Else Owned It”¶
A configuration change is approved verbally, an quote-source incident is discussed in chat, and exposure monitoring is “being watched.” The next day, no one can confirm who made the change, what was verified, or whether the follow-up was completed.
Operational governance exists to prevent this ambiguity.
- Understand why audit trail and ownership matter.
- Define accountable ownership for incidents, changes and reviews.
- Use simple records that support follow-up and audit.
- Distinguish responsibility from authority.
| Item | Minimum Record |
|---|---|
| Incident | Timeline, impact, assigned owner, actions, closure evidence |
| Change | Request, approval, configuration, test, verification, rollback plan |
| Risk review | Scope, data, conclusion, assigned owner, next action |
| Handover | Open items, priorities, named responsible parties |
| Escalation | Message, recipient, timestamp, follow-up |
| Concept | Meaning |
|---|---|
| Responsibility | Who performs or follows up the task |
| Accountability | Who is answerable for the outcome |
| Authority | Who is permitted to approve or execute action |
| Consultation | Who provides technical/risk input |
| Information | Who must be updated |
A Dealer may be responsible for documenting and escalating a risk, but not authorized to change a production parameter.
Pending Change Without Shift Leader / Follow-up¶
A session configuration change is noted in handover as “pending.” No assigned owner is named, no approval record is attached, and no deadline exists. The next shift assumes it is being handled. The change misses the required timing window.
Correct governance: - Assign a named Shift Leader or follow-up person. - Record approval status. - Define due time and verification method. - Keep it visible until closed.
Operational governance makes risk work repeatable. ownership, authority and audit trail prevent critical tasks from disappearing between shifts or teams.
End of Chapter 6 Module A
Completion Criteria¶
- Can explain the key risk or operational objective of this lesson
- Can identify the required systems, data, or evidence to review
- Can describe the correct escalation or handling process
- Can apply the lesson correctly in a supervised scenario