IRM Lite Operator - Risk and Control Owner

carlosgaspa
Tera Contributor

Hi,

Can somebody confirm if a user with an IRM Lite Operator subscription can do the following (assuming they have all the permissions/roles available for IRM Lite Operator):


- Be the owner of a risk or control
- Read/view all Risks and Controls (but not create, update or delete)
- Take a risk assessment (but not trigger/create a new assessment)
- Approve a risk assessment (if they are the named approver)
- Complete and approve the Risk Response task
- Take a control attestation (but not trigger/create a new attestation)


PS - please don't direct me to general IRM Lite Operator documentation mentioned in other Lite Operator posts on this site as I have already read them. Keen to hear from those with actual experience  🙂


Thanks

Carlos

1 ACCEPTED SOLUTION

jaikishan1
ServiceNow Employee
ServiceNow Employee

Hi @carlosgaspa ,

In the world of ServiceNow IRM, the operators and lite operators are classified as follows:
- Lite Operator: people who are business owners or managers and are required to review and approve tasks.
- Operator: people who implement the policies, assess the risks, etc.

With the above definitions in context, the response to your questions is provided below:

- Be the owner of a risk or control
  >> Yes
- Read/view all Risks and Controls (but not create, update or delete)
  >> Yes
- Take a risk assessment (but not trigger/create a new assessment)
  >> No
- Approve a risk assessment (if they are the named approver)
  >> Yes
- Complete and approve the Risk Response task
  >> Yes
- Take a control attestation (but not trigger/create a new attestation)
  >> Yes (it's a survey-type questionnaire)

Regards,
Jai

Please mark this as helpful if it solves your query.

Can a Lite Operator perform the indicator tasks in the Monitor state without having complete Operator access to the entire compliance space? Is there a custom role option? If so, what custom role do you suggest so they can respond to evidence requests, control attestations, and indicator tasks annually/quarterly to ensure that the control is still in place?

carlosgaspa
Tera Contributor

Thanks Jai.

Your response aligns with my testing. The only point of contention is "Take Risk Assessment". I will re-perform my testing using the Lite Operator and also check with my SN Customer Support team. But it's good to get a quick opinion that validates my findings!

A Lite Operator can perform risk assessments if you have an IRM V2 license. The ARA Assessor role is part of the Lite Operator roles in the V2 license.