Risk Workspace in the Risk Management Workspace

The IRM: Risk Management Workspace is a role-based, single-pane experience built on NowExperience UI for risk professionals. Introduced in the Rome release, it lets risk stakeholders view risk posture, execute assessments, monitor KRIs and KCIs, manage issues, and act — all without switching applications.

To learn more about the Risk Management Workspace, including a live demo walkthrough, visit our IRM Risk Management Speed Learning Series on YouTube or review here.

Three pillars that define the Workspace

• Modern UI. Surfaces the standard GRC: Risk Management app’s capabilities — risk registers, assessments, KRIs/KCIs, and issues — through a Now Experience workspace instead of the classic module list and forms.
• Role-driven design. Each persona (IT risk manager, operational risk manager, business operational risk manager) gets a tailored homepage, widgets, and task lists aligned to their responsibilities.
• Single-pane view. Users see overall risk posture, can drill into entities and relationships (including 360° views), and act on tasks and indicators, all without leaving the workspace.

The result is faster decision-making, better communication of risk, reduced app sprawl, and risk management embedded into day-to-day work.

Workspace vs. Classic UI

The Classic UI relies on standard list-and-form navigation with no role-specific homepages, no integrated heatmap workbench, and no out-of-the-box guided playbooks.

The Workspace provides:

• Persona-based home pages,
• Consolidated task inbox,
• 360° relationship viewer
• Risk Heatmap Workbench with movement, trend, and appetite tracking
• Guided playbooks for risk identification and assessment scheduling
• Entity-wise risk profile matrix
• Grid UI for bulk metric response and approval
• WCAG 2.1 AA accessibility

Same data, same platform, but using a completely different operating model.

Advanced Risk unlocks additional functionality

With Advanced Risk adoption, the Workspace becomes a full risk lifecycle platform across three capability pillars:

• Assessment Engine. Features four-stage guided workflow (Inherent → Controls → Residual → Target), qualitative through quantitative approaches, guided scheduling, and Assessment Projects with Grid Mode for bulk Risk and Control Self-Assessments (RCSA).
• Heatmap and Reporting. Adds Risk Heatmap Workbench with movement, trend, and appetite overlays. Score rollup across entity and risk hierarchies. Amber/Red appetite thresholds with digitized breach escalation.
• Risk Events and Identification. Captures losses, near-misses, and non-financial events with root-cause analysis. Adds Basel dashboards and ORX integration for financial services environments. Guided playbook for first-line risk identification with entity-specific questionnaires.

Without Advanced Risk, the Workspace operates in a limited state: classic legacy risk scores, survey-based assessments only, a basic static heatmap, and no risk score rollup, risk events, risk appetite, or guided risk identification.

Best practices for implementation

• Setup: Install and validate in sub-production first. Enable recommended plugins (Matrix Report, GRC Metrics, Parallel Review and Feedback). Load demo data at install time.
• Role governance: Assign workspace roles via groups, not individuals. Align personas to your org structure — Business Op Risk Manager for first-line BU risk managers, IT Risk Manager for IT domain specialists, Operational Risk Manager for the central risk team.
• Adoption enablement: Use the Best Practices Portal implementation checklist. Run persona-based orientation sessions. Configure homepage widgets per team. Demo the Heatmap Workbench early for exec engagement. Enable copy previous responses in RAM. Use ATF tests after each upgrade.

Frequently Asked Questions

1. What plugins are required to activate the Risk Management Workspace? At minimum, install GRC: Risk Management (com.sn_risk) followed by GRC: Risk Management Workspace (com.sn_risk_workspace). For full value, also install Matrix Report, GRC Metrics, and Parallel Review and Feedback. GRC: Advanced Risk (com.sn_risk_advanced) is optional but recommended to unlock the full risk lifecycle platform.

2. Is the Workspace User role (sn_grc_workspace.user) enough to access the Risk Workspace? The generic Workspace User role alone is not sufficient for GRC: Risk Management Workspace access. Users need one of the three workspace personas: IT Risk Manager, Operational Risk Manager, or Business Operational Risk Manager.

3. What user personas are available, and which require Advanced Risk? Three personas are supported. The IT Risk Manager (sn_risk_workspace.IT_risk_manager) is available with the base Workspace installation. The Operational Risk Manager (sn_risk_workspace.operational_risk_manager) and Business Operational Risk Manager (sn_risk_workspace.business_op_risk_manager) are only installed when the GRC: Advanced Risk application is activated.

4. How do business users (1st line of defense) participate in the risk program? Business users, risk assessors, and assessment approvers access their tasks through the GRC Tasks page in Employee Center — not the Workspace. This requires the GRC Business User role (sn_grc.business_user). The GRC Tasks page is only available once the Workspace plugin is installed.

5. What does the Workspace look like without Advanced Risk? The Workspace activates but operates in a limited state: classic legacy risk scores on the homepage, survey-based assessments only, a basic static heatmap with no Heatmap Workbench, no risk score rollup, no Risk Events, no risk appetite, and no guided Risk Identification playbook. Only the IT Risk Manager persona is available.

6. Is the Risk Heatmap Workbench available without Advanced Risk? The Heatmap Workbench requires the GRC: Advanced Risk plugin. Without it, only a basic static heatmap is available.

7. What are the key pages in the Risk Management Workspace? The Workspace includes eight purpose-built pages: Homepage (role-based risk posture and tasks), Heatmap Workbench (risk movement, trend, and appetite — requires Advanced Risk), Metric Tasks (KRI/KCI data submission and approval), Tasks (centralized inbox for all outstanding work), Issues (triage, insights, and remediation tracking), List (hierarchical navigation to every GRC object), Dashboards (Risk Overview and Operational Risk Management PA dashboards), and Entity Risk Profile Matrix (cross-entity aggregated risk ratings in a single board-ready grid).

8. Where can I find guidance or support to set up a risk management workspace in ServiceNow? We recommend you watch the Risk Management Speed Learning Series on YouTube to learn more. ServiceNow provides in-app documentation, product documentation, and an active user Community with best practices for configuring and operating risk management workspace. Instructor-led and on-demand resources are also available for new users and administrators in ServiceNow University.
   
   

Resources

• Product Documentation  
• GRC: Risk Management Workspace — full product docs (search 'GRC Risk Workspace' on docs.servicenow.com)
• GRC: Risk Management Workspace plugin page — lookup ServiceNow Store (com.sn_risk_workspace)
• Risk Workspace Release Notes — Latest release notes for GRC
• Learn how to use Risk Workspace product documentation
• Related applications – GRC: Matrix report, GRC: Parallel Review and Feedback, GRC: Metrics, and more
• Implementation & Configuration
  • Risk Management implementation checklist — Best Practices (Now Create) (mandatory + optional steps)
  • Setup checklist for GRC: Advanced Risk — com.sn_risk_advanced configuration steps
  • Risk Heatmap Documentation — KB0994328 on Now Support Knowledge Base
  • Any object integration in workspace — KB0961251 on Now Support
• Community & Learning
  • Risk Management Speed Learning Series (community article + full playlist)
  • GRC Community — Ask/answer questions (community.servicenow.com/grc)
  • Known Error Portal — search for known error articles
  • Best practices portal – search Governance, Risk, and Compliance best practices