GRC - Risk manager unable to see buttons for mitigation task

mday · ‎01-23-2024

Our scenario is that our compliance team has created a Risk and it is owned by a standard GRC user. The assessment was taken and the response was set to mitigation. A mitigation task opened as expected and the GRC user who is assigned to the task wrote out a plan and set the task to the "Review" state. However, when the Risk Manager went to review, they did not have access to the buttons "Close" or "Back to Draft" for approving/requesting for more details about the plan.

I reviewed the documentation (found here: https://docs.servicenow.com/bundle/vancouver-governance-risk-compliance/page/product/grc-workspace-r...) and it says the following:

I am confused because I opened a support ticket about this and they said that only the "assigned to" user or the owner of the risk has access to these buttons. Is it not expected that the mitigation is reviewed by the compliance manager at this stage? What is the purpose of the review state in the mitigation task?

Any help would be appreciated!

Community Alums · ‎01-25-2024

Hi @mday ,

That's a correct response from Support.

A risk response is the strategy used to deal with risks after the risks are assessed.

After risks are assessed, the assessor determines how to approach those risks. To deal with the risks, the assessor can choose from the following types of risk responses or strategies:

Accept: Accept the risk as it is.
Mitigate: Identify and implement additional controls to mitigate the risk.
Avoid: Change the plan to completely avoid the risk.
Transfer: Transfer or share the risk with a third party.

After an assessor identifies the best strategy, the assessor then creates risk response tasks and assigns them to the risk user with the role sn_risk.user.

mday · ‎01-25-2024

Thanks for the response Sandeep,

That all makes sense. However, what is the purpose of the Review state of the response task? Is it expected that the assessor reviews their own work? Is there a stage where the Compliance team would be able to review and "approve" of their response/plan?

Thank you!

Community Alums · ‎01-29-2024

Hi @mday ,

Since it's part of Risk management, The risk Manager takes the lead rather the Compliance team/Manager.

But this can differ based on your organizational strategy.

usually in the review state the risk manager looks at the response strategy in terms of avoiding, mitigating, transferring, or accepting and then decide whether to push the risk forward to the Monitor state.

So, as per your requirement, you can involve your Compliance team to Review and move the Risk to monitor state ( for you this would mean they have approved).

mday · ‎01-30-2024

Hi @Community Alums ,

Thank you again for the response! I confuse Compliance and Risk manager because they are the same for our org. Sorry about that.

Either way, that is what they are trying to do. They would like to review the Risk Mitigation task while it is in the "Review" state, but they can't push the button to change the state because they are not provided access Out of the Box.