# Risk event-driven certification
Risk event-driven certification is automatically triggered for users who experience a risky event in their profile. It works the same way as any other review — the difference is in how users are selected.
In OpenIAM version 4.2.2, three events are classified as risky:
* Title change
* Supervisor change
* Department change
When a user experiences one of these events, a new audit log entry is created once the provisioning service detects it.
Clicking the **Details** icon on the audit log entry shows the following attributes:
Attribute
Description
RISK_WAS_ADDRESSED
false — the user's access has not been reviewed since the risk event occurred.
true — the user's access has already been reviewed.
RISK_EVENT_TYPE
The type of risk event that triggered the log entry.
PREV_VALUE
The value before the change.
NEW_VALUE
The value after the change.
DESCRIPTION
A brief description of the action that occurred.
***
## Running a risk event-driven review
1. If the log entry shows `RISK_WAS_ADDRESSED: false`, go to **Access Control → Access Certification**.
2. Open the **Risk events** tab.
3. Select the risk event type (e.g., `TITLE_CHANGE`).
4. Click **Preview users** to display all users with that event whose access has not yet been reviewed.
5. Start the campaign. This launches a review for all previewed users.
The approver will see the campaign in their review queue and must review each access item.
6. When the approver clicks **Complete**, the risk is addressed and the audit log entry updates to `RISK_WAS_ADDRESSED: true`.
After completion, the list of previewed users for that risk event type will be empty, since their access has been reviewed.
***
## Notes on record counts
The number of risk events shown in the **Risk events** tab does not directly correspond to the number of access review items in the initiated campaign. Risk events indicate the number of **users** whose access should be reviewed. The number of access review items equals the total number of entitlements for those users.
When a reviewer is also part of the campaign as a user under review, situations where a user reviews their own access are automatically avoided — those items are transferred to the user's manager.
{% hint style="info" %}
The count shown in SelfService tile view and entitlement view may differ from a manual count. For example, SelfService may show 49 records while manual calculation yields 44 entitlements. The 49 records are **access review items**, not entitlements. If one role is held by two users who are both in the campaign, there are two access review items for that role — one per user.
{% endhint %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs-beta.openiam.com/access-review/risk-event-driven-certification.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.