Review Scheduling

Automated review cycles with configurable cadences, overdue notifications, and review tracking for continuous risk monitoring


Flow's review scheduling system ensures risks are reassessed on a regular cadence. Configurable review periods, automated overdue detection, and notification workflows keep your risk register current and your team accountable.

Overview

Review scheduling provides:

  • Configurable Review Cadence - Set default and per-risk review periods
  • Automated Overdue Detection - Cron-based scanning for overdue reviews
  • Notification System - Alerts for risk owners when reviews are due or overdue
  • Review Tracking - Complete audit trail of review history
  • Upcoming Reviews - Dashboard view of reviews due in the next 30 days

Review Cadence Configuration

Organization Defaults

Set the default review cadence in Settings > Organization:

  • Default Review Period - Number of days between reviews (default: 90 days)
  • Applies to all new risks unless overridden at the individual risk level
  • Can be changed at any time; existing risks retain their current schedule

Per-Risk Overrides

When creating or editing a risk, specify a custom review period:

  • Override the organization default for individual risks
  • Set shorter periods for critical or rapidly evolving risks
  • Set longer periods for stable, low-severity risks
  • Specified in days (1–365)

Overdue Review Detection

Automated Scanning

Flow runs a background job that periodically scans for overdue reviews:

  1. Identifies risks where nextReviewAt is in the past
  2. Excludes closed risks from review requirements
  3. Creates notification records for risk owners
  4. Logs all overdue detections in the audit trail

Duplicate Prevention

To avoid notification fatigue, the system checks for recent notifications:

  • Notifications are deduplicated within a 7-day window
  • If a risk owner was notified within the past 7 days, no duplicate is sent
  • The deduplication window ensures persistent but non-excessive reminders
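
The scan and the 7-day deduplication check can be modeled in a few lines. This is an added illustration, not Flow's own code. Only `nextReviewAt` and the `review_overdue_notification` action name come from this page. Every other field and function name, the per-risk-and-owner deduplication key, and the handling of risks without a review date are assumptions.

```javascript
// Added illustration of the scan described above; not Flow's implementation.
// Only nextReviewAt and review_overdue_notification come from the page;
// every other field and function name is an assumption.
const DAY_MS = 24 * 60 * 60 * 1000;
const DEDUP_WINDOW_MS = 7 * DAY_MS; // 7-day window stated on the page

function scanOverdueReviews(risks, pastNotifications, now) {
  const notifications = [], auditLog = [], unscheduled = [];
  for (const risk of risks) {
    if (risk.status === 'closed') continue; // closed risks need no review
    if (!(risk.nextReviewAt instanceof Date)) {
      // null < now is true in JavaScript, so surface missing dates explicitly
      unscheduled.push(risk.id);
      continue;
    }
    if (risk.nextReviewAt >= now) continue; // not yet due
    // Assumption: the window is tracked per risk and owner pair.
    const recentlyNotified = pastNotifications.some(n =>
      n.riskId === risk.id && n.ownerId === risk.ownerId &&
      now - n.createdAt < DEDUP_WINDOW_MS);
    if (recentlyNotified) continue;
    const daysOverdue = Math.floor((now - risk.nextReviewAt) / DAY_MS);
    notifications.push({ riskId: risk.id, ownerId: risk.ownerId, daysOverdue, createdAt: now });
    auditLog.push({ action: 'review_overdue_notification', riskId: risk.id,
                    actor: 'system', timestamp: now });
  }
  return { notifications, auditLog, unscheduled };
}

// Constructed sample data, evaluated as of 2024-06-15.
const d = s => new Date(s + 'T00:00:00Z');
const SAMPLE_NOW = d('2024-06-15');
const SAMPLE_RISKS = [
  { id: 'R1', status: 'open',   ownerId: 'u1', nextReviewAt: d('2024-06-01') }, // overdue
  { id: 'R2', status: 'closed', ownerId: 'u1', nextReviewAt: d('2024-01-01') }, // excluded
  { id: 'R3', status: 'open',   ownerId: 'u2', nextReviewAt: d('2024-06-05') }, // deduplicated
  { id: 'R4', status: 'open',   ownerId: 'u2', nextReviewAt: d('2024-05-01') }, // reminded again
  { id: 'R5', status: 'open',   ownerId: 'u3', nextReviewAt: d('2024-07-01') }, // not yet due
  { id: 'R6', status: 'open',   ownerId: 'u3', nextReviewAt: null },            // no date set
];
const SAMPLE_PAST = [
  { riskId: 'R3', ownerId: 'u2', createdAt: d('2024-06-10') }, // 5 days ago
  { riskId: 'R4', ownerId: 'u2', createdAt: d('2024-06-01') }, // 14 days ago
];
console.log(scanOverdueReviews(SAMPLE_RISKS, SAMPLE_PAST, SAMPLE_NOW));
```

In this model a risk with no review date is reported separately, so it cannot silently drop out of the review cycle.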

Review Workflow

Marking a Risk as Reviewed

When a risk owner completes a review:

  1. Navigate to the risk and select the review action
  2. Optionally add review notes documenting findings
  3. Optionally specify a custom extension period
  4. The system records:
    • Last Reviewed At - Timestamp of the review
    • Last Reviewed By - User who performed the review
    • Next Review At - Calculated from the current date plus the review period
  5. An audit log entry is created capturing the review details

Review Extensions

The next review date is calculated as:

Next Review Date = Current Date + Review Period

Where the review period is either:

  • The custom extension specified during the review
  • The organization's default review cadence (typically 90 days)

Monitoring Reviews

Overdue Reviews

Query overdue reviews for your organization to see:

  • Risk title and description
  • Risk owner name
  • Number of days overdue
  • Original scheduled review date

Upcoming Reviews

View reviews due within the next 30 days:

  • Sorted by review date (soonest first)
  • Shows days until review is due
  • Includes risk owner assignment
  • Enables proactive scheduling and preparation

Audit Trail

All review activities are logged in the audit system:

  • review_overdue_notification - Recorded when an overdue notification is created
  • reviewed - Recorded when a risk review is completed
  • Each entry includes before/after state, actor, and timestamp

Best Practices

  • Align to Risk Level - Set shorter review periods for Critical and High risks
  • Prepare in Advance - Use the upcoming reviews view to prepare for scheduled reviews
  • Document Findings - Always add review notes to create a continuous assessment record
  • Act on Changes - If a review reveals changed conditions, update the risk assessment immediately
  • Review the Cadence - Periodically assess whether the default review period still aligns with your risk environment
