GRC - Risk manager unable to see buttons for mitigation task
01-23-2024 04:39 PM
Our scenario is that our compliance team has created a Risk and it is owned by a standard GRC user. The assessment was taken and the response was set to mitigation. A mitigation task opened as expected and the GRC user who is assigned to the task wrote out a plan and set the task to the "Review" state. However, when the Risk Manager went to review, they did not have access to the buttons "Close" or "Back to Draft" for approving/requesting for more details about the plan.
I reviewed the documentation (found here: https://docs.servicenow.com/bundle/vancouver-governance-risk-compliance/page/product/grc-workspace-r...) and it says the following:
I am confused because I opened a support ticket about this and they said that only the "assigned to" user or the owner of the risk has access to these buttons. Is it not expected that the mitigation is reviewed by the compliance manager at this stage? What is the purpose of the review state in the mitigation task?
Any help would be appreciated!
01-25-2024 04:49 AM
Hi @mday,
That's a correct response from Support.
A risk response is the strategy used to deal with risks after the risks are assessed.
- Accept: Accept the risk as it is.
- Mitigate: Identify and implement additional controls to mitigate the risk.
- Avoid: Change the plan to completely avoid the risk.
- Transfer: Transfer or share the risk with a third party.
01-25-2024 08:40 AM
Thanks for the response, Sandeep.
That all makes sense. However, what is the purpose of the Review state of the response task? Is it expected that the assessor reviews their own work? Is there a stage where the Compliance team would be able to review and "approve" their response/plan?
Thank you!
01-29-2024 08:05 PM
Hi @mday,
Since it's part of Risk Management, the Risk Manager takes the lead rather than the Compliance team/Manager.
But this can differ based on your organizational strategy.
Usually, in the Review state the Risk Manager looks at the response strategy in terms of avoiding, mitigating, transferring, or accepting, and then decides whether to push the risk forward to the Monitor state.
So, as per your requirement, you can involve your Compliance team to review and move the Risk to the Monitor state (for you this would mean they have approved).
01-30-2024 08:44 AM
Hi @Community Alums,
Thank you again for the response! I confuse Compliance and Risk Manager because they are the same for our org. Sorry about that.
Either way, that is what they are trying to do. They would like to review the Risk Mitigation task while it is in the "Review" state, but they can't push the button to change the state because they are not provided access out of the box.
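The access rule Support described (only the "assigned to" user or the risk owner can use "Close" and "Back to Draft" while the task is in Review) can be modelled as a small state machine with a visibility policy. The following is an added example written for this thread, not ServiceNow code or the platform's actual UI action condition; the field names, the role name `risk_manager`, and the "reviewer" policy extension are assumptions for illustration. It shows why the Risk Manager sees no buttons under the out-of-the-box rule and how a narrowly scoped role grant (rather than opening the buttons to everyone) would change that while keeping least privilege.

```javascript
// Added example: stand-alone model of the mitigation task review step and its
// button-visibility rule. Not ServiceNow code; field and role names are assumed.

const STATES = { DRAFT: "draft", REVIEW: "review", CLOSED: "closed" };

// The two actions the thread mentions from the Review state.
const TRANSITIONS = {
  close: { from: STATES.REVIEW, to: STATES.CLOSED },
  backToDraft: { from: STATES.REVIEW, to: STATES.DRAFT },
};

// Out-of-the-box rule as Support described it in the thread:
// only the assigned-to user or the owner of the risk may act.
function oobPolicy(task, user) {
  return user.id === task.assignedTo || user.id === task.riskOwner;
}

// Assumed extension: additionally allow one named reviewer role.
// Scoped to a single role so the grant stays as narrow as possible.
function reviewerPolicy(reviewerRole) {
  return (task, user) =>
    oobPolicy(task, user) || user.roles.includes(reviewerRole);
}

// Names of the buttons a given user would see on a task under a policy.
function visibleActions(task, user, policy) {
  return Object.keys(TRANSITIONS).filter(
    (name) => TRANSITIONS[name].from === task.state && policy(task, user)
  );
}

// Apply an action; returns the updated task or throws when not permitted.
function applyAction(task, user, actionName, policy) {
  const t = TRANSITIONS[actionName];
  if (!t) throw new Error(`unknown action ${actionName}`);
  if (t.from !== task.state) {
    throw new Error(`task is in ${task.state}, action requires ${t.from}`);
  }
  if (!policy(task, user)) throw new Error(`${user.id} may not ${actionName}`);
  return { ...task, state: t.to };
}

// Constructed sample data mirroring the thread: a GRC user owns the risk and
// is assigned the task; a separate Risk Manager wants to review it.
const sampleTask = {
  id: "MT-1", // constructed identifier
  state: STATES.REVIEW,
  assignedTo: "grc_user",
  riskOwner: "grc_user",
};
const grcUser = { id: "grc_user", roles: ["grc_user"] };
const riskManager = { id: "risk_mgr", roles: ["risk_manager"] };

// Demonstration when run directly.
console.log("OOB, GRC user sees:", visibleActions(sampleTask, grcUser, oobPolicy));
console.log("OOB, Risk Manager sees:", visibleActions(sampleTask, riskManager, oobPolicy));
console.log(
  "Extended, Risk Manager sees:",
  visibleActions(sampleTask, riskManager, reviewerPolicy("risk_manager"))
);
```

Under `oobPolicy` the Risk Manager's button list is empty, which is exactly the symptom in the original post; under `reviewerPolicy("risk_manager")` the same user sees both buttons and can move the task, while users holding neither the assignment, the ownership, nor that role are still denied.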