How to create a risk when an issue is auto generated?

Niharika Pothan
Mega Contributor

Hi, 

I have a question about creating a risk when my control status becomes Non-compliant and an issue is created.

From my understanding, when a control owner attests a control and the control status changes to 'Non-compliant' -> an issue is auto-generated. The control owner has 2 options -> 1. Create a Policy Exception OR 2. Create a remediation task.

So assuming a control owner creates a policy exception and requests approval from the Compliance Manager, the Compliance Manager will review the policy exception. My question is: if the Compliance Manager thinks that there is a risk, how can he create a risk, or request a risk assessment?

 

In the Policy Exception section, even though there is a Risk Assessment stage in the policy exception life cycle, I don't see an option to request a risk assessment. All I can see is a) Request for more information, b) Approve, or c) Reject.

Do we need to customize/create a risk manually, or is there something that I'm missing?

 

Thank you. 

1 ACCEPTED SOLUTION

Notorious BFG
ServiceNow Employee

Hi Niharika,

You're not missing anything - currently there isn't a baseline way to create a one-off risk directly from a failed control...

...and I agree that this is something that could be a useful tool for a risk manager!

So:

When I've seen this come up in the past my suggestion has been to leverage the POWER OF AUTOMATION (via the Flow Designer)!  You could approach this one of several ways, but I'll just enumerate one as an example:

 

First we create a trigger condition that will kick off our flow, in this case I've elected to use the conditions "Control Status is 'Non-Compliant'" AND someone has added the following note in the comments of the control "Risk assessment required".  Keep in mind you could instead kick off this flow logic using a UI action or putting a check box in a new field, etc.:

[screenshot: flow trigger conditions]

 

Then, using the information from the failed control, we create a new Risk record in the risk table:

[screenshot: Create Record action on the risk table]

Then we create a relationship between the failed control and our new risk in the M2M table:

[screenshot: Create Record action on the M2M table]

Lastly, we could send the Risk manager a notification that the risk is ready for assessment, or simply push the new risk into the proper state and kick off an assessment.  As you can see, there are lots of powerful ways we could go about automating this process!

 

Best,

Ben

ʕʔ*:・゚.   
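The flow Ben describes (trigger on a Non-Compliant control carrying the note, create the risk, link it to the control in the M2M table, hand it to the risk manager), as an added example that is not part of the original thread and not ServiceNow's own code: the same logic as a server-side script against the GlideRecord API, the kind of thing that goes into a Flow Designer Script step or an async Business Rule on the control table. The table, field and choice names used here (sn_compliance_control, sn_risk_risk, sn_risk_m2m_risk_control, the status value non_compliant, the risk state assess) are assumptions to verify against your own instance. The in-memory GlideRecord stand-in at the end is constructed only so the file runs outside ServiceNow, and the sample control it builds is constructed data.

```javascript
// Added example, not from the original thread or from ServiceNow. Table, field and
// choice names are ASSUMPTIONS about a GRC instance; verify them on your own tables:
//   sn_compliance_control     control (number, name, status, owner, comments)
//   sn_risk_risk              risk register (name, description, state, owner)
//   sn_risk_m2m_risk_control  risk <-> control many-to-many (risk, control)

var TRIGGER_PHRASE = 'Risk assessment required';

// Trigger condition from the flow: status is Non-Compliant AND the comments carry the note.
function shouldCreateRisk(control) {
  var comments = String(control.getValue('comments') || '');
  return control.getValue('status') === 'non_compliant' &&
         comments.indexOf(TRIGGER_PHRASE) !== -1;
}

// Idempotency guard: a re-attestation or an edited comment would fire the trigger again,
// so do nothing if a risk is already linked to this control.
function riskAlreadyLinked(controlSysId) {
  var m2m = new GlideRecord('sn_risk_m2m_risk_control');
  m2m.addQuery('control', controlSysId);
  m2m.query();
  return m2m.next();
}

// Create the risk from the failed control, link it in the M2M table and return the new
// risk's sys_id; return null when nothing was created.
function createRiskFromControl(control) {
  if (!shouldCreateRisk(control)) return null;
  var controlSysId = control.getUniqueValue();
  if (riskAlreadyLinked(controlSysId)) return null;

  var risk = new GlideRecord('sn_risk_risk');
  risk.initialize();
  risk.setValue('name', 'Failed control: ' + control.getValue('name'));
  risk.setValue('description', 'Auto-created because control ' + control.getValue('number') +
                               ' was attested Non-Compliant and flagged "' + TRIGGER_PHRASE + '".');
  risk.setValue('owner', control.getValue('owner'));   // carry the control owner across
  risk.setValue('state', 'assess');                    // assumed choice value: ready for assessment
  var riskSysId = risk.insert();

  var link = new GlideRecord('sn_risk_m2m_risk_control');
  link.initialize();
  link.setValue('risk', riskSysId);
  link.setValue('control', controlSysId);
  link.insert();
  return riskSysId;
}

// Constructed sample input: a control attested Non-Compliant, with or without the note.
function sampleFailedControl(withNote) {
  var c = new GlideRecord('sn_compliance_control');
  c.initialize();
  c.setValue('number', 'CTRL0001001');
  c.setValue('name', 'MFA enforced for privileged accounts');
  c.setValue('status', 'non_compliant');
  c.setValue('owner', 'control.owner');
  c.setValue('comments', withNote ? 'Attested by owner. ' + TRIGGER_PHRASE + '.' : 'Attested by owner.');
  c.insert();
  return c;
}

// Constructed in-memory stand-in for GlideRecord so this file runs outside ServiceNow.
// On an instance the platform's GlideRecord already exists and this block is skipped.
if (typeof GlideRecord === 'undefined') {
  var tables = {};
  globalThis.GlideRecord = function (table) {
    this.table = table;
    this.rows = tables[table] = tables[table] || [];
    this.filters = []; this.matches = []; this.cursor = -1; this.data = {};
  };
  GlideRecord.prototype.initialize = function () { this.data = {}; };
  GlideRecord.prototype.setValue = function (field, value) { this.data[field] = value; };
  GlideRecord.prototype.getValue = function (field) {
    return this.data[field] === undefined ? null : this.data[field];
  };
  GlideRecord.prototype.getUniqueValue = function () { return this.data.sys_id; };
  GlideRecord.prototype.insert = function () {
    this.data.sys_id = this.table + '_' + (this.rows.length + 1);
    this.rows.push(Object.assign({}, this.data));
    return this.data.sys_id;
  };
  GlideRecord.prototype.addQuery = function (field, value) { this.filters.push([field, value]); };
  GlideRecord.prototype.query = function () {
    var filters = this.filters;
    this.matches = this.rows.filter(function (row) {
      return filters.every(function (fv) { return row[fv[0]] === fv[1]; });
    });
    this.cursor = -1;
  };
  GlideRecord.prototype.next = function () {
    this.cursor += 1;
    if (this.cursor >= this.matches.length) return false;
    this.data = this.matches[this.cursor];
    return true;
  };
}
```

Two things the flow as drawn leaves open that the script settles: it checks the M2M table before inserting, so a second attestation or an edited comment on the same control does not produce a duplicate risk, and it copies the control number and owner onto the risk so the risk manager can trace it back. Whatever user the flow or business rule runs as needs create rights on the risk and M2M tables; grant those specifically rather than running the automation as admin.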


7 REPLIES

anithanarayan
Mega Guru

Hi Niharika,

I am still learning GRC, but please see if the below answers your question.

When creating Policy exception, we select a policy statement which has the associated non-compliant control, the policy and the issue.

Check the applicable control: if you have created a risk there (under Controls), then during the Policy Exception Approval phase you get the "Request Risk Assessment" option. (Check the screenshot below.)

If there is no risk created under the applicable control, then the "Request Risk Assessment" option does not appear. (Check the 2nd screenshot.)

Hope this helps.

 

[screenshot 1: control with an associated risk, "Request Risk Assessment" option shown]

[screenshot 2: control with no associated risk, option absent]

 

Hi Anitha, 

This completely explains why I'm not able to see the risk assessment phase. Thank you for explaining with screenshots.

Appreciate your help. 

 

Regards, 

Niharika Pothani 

 

Anushree Randad
ServiceNow Employee

Thanks for responding anithanarayan! 

 

Niharika,

As Anithanarayan mentioned, the 'Request Risk Assessment' option will be available only if your controls have associated risks. Typically the risk creation process is independent of the policy exception process. So you could create risks in your risk register, associate them with controls, and when you request a policy exception for those controls, you would be able to perform a risk assessment on them as well.

Let us know if we can help you further with additional questions!
