How can we perform RCSA in the GRC solution?

Nithin4
Giga Contributor

Hi All,

Can I know how we can achieve RCSA in the ServiceNow GRC solution? It will be great if someone can explain the lifecycle of the Risk Management use case, starting from entities up to roll-up values.

Thanks in advance

1 ACCEPTED SOLUTION

Eric Le Martre4
Kilo Guru

Hello Nithin,

The new Advanced Risk Assessment, available since March from the Advanced Risk module, allows the modelisation of various Assessments, including an RCSA. I am actually finalising one right now for a European Bank. Happy to show you on a Zoom session if interested.

Regards

Eric

10 REPLIES

Community Alums
Not applicable

Hi Nithin,

A Risk has the following states: "Draft", "Assess", "Respond", "Review", "Monitor" and "Retired". When you move a Risk from Draft to Assess, it will generate an assessment for each of the respondents. If you fill in the "Owner" field, it will automatically become a respondent. The out-of-the-box assessment is "Risk Assessment". The assessment will be copied from the Risk Statement (if set up). After it is generated, it will be displayed under "My Assessment" if you are one of the respondents.

As soon as the assessment is completed, the Risk will automatically move to state "Respond", awaiting an action from the Risk Manager. From that moment, the Risk Manager should take a Response action - accept, avoid, mitigate or transfer - and based on that option a response task will be generated (I posted an article about the response task types a few weeks ago). For example, if you pick "accept", it will generate a Risk Acceptance Task, which you can find on the Risk Response Task tab. I picked this one because this task is special - it is the only one that requires approval.

As soon as you move the state of the acceptance task to "Review", it will update the Risk to the "Review" state. From that moment, the Risk Manager should review the risk and move the Risk to "Monitor" or update the response task in order to obtain more information. The final state of a risk is "Monitor", unless you want to retire the risk, in which case you will move the risk to state "Retired".

Hope this gives you a head start regarding the out-of-the-box RCSA (Risk Control Self Assessment) process. I can provide you with a real scenario use case if you need.

About the entities up to roll-up values, have you had the chance to watch the video https://community.servicenow.com/community?id=community_article&sys_id=46858e44db95c8506064eeb5ca961...?

Many thanks
Raf

Thanks a lot, @Rafael Cardoso for explaining the different statuses and the flow. It really helps. I will have a look at the video.

Hi @Eric Le Martret,

Thanks a lot for your reply and I will be blessed to have a connect with you and understand more on RCSA. Please let me know when we can connect.