The level of risk for each control is determined by the organization that the control was derived from. If the baseline was developed from several sources, the control's risk will be discussed and changed in accordance with policy change management procedures.
Reports of non-compliant controls are given to stakeholders for action. Stakeholders are given a grace period to fix the non-compliance or request an exemption. After this grace period ends, the control will be counted against the stakeholder's risk score.
The results are provided as regular reports so that the teams can begin analysis and risk mitigation activities.