Issue Management workflow

rohitg
Giga Contributor

Hi,

This ask is with reference to our very known Critical GRC pillar, issue and Actions Management.

I believe this is one place which goes hand in hand with every module / app in the GRC space (anything that goes wrong can trigger an issue and needs action plans to fix it). Now with regards to this, I am not completely sure how I can leverage the ServiceNow Issue and Action management workflow, providing there have to be multiple people playing some kind of role to execute / review / approve and finally close the issue.

Baseline functionality allows one person to literally do everything, starting from identifying an Issue (manually or system driven (control test failure / indicator failure)). I wonder if someone has got any good examples where they may have configured the issue management lifecycle so that we have Issue Owner, Issue Approver etc.

Lastly, what is the difference between issue remediation vs. issue acceptance? How will it make any difference? Why can't we simply have Remediate / Accept / Reject kind of process?

Happy to hear your thoughts on the above and learn something from you guys.

Regards,

Rohit


Agreed. Let me give you a real time scenario.

During the audit execution, the auditor marks a control TOE as Ineffective, which results in Control Non-Compliance and hence an Issue gets generated automatically and gets assigned to the Auditor (again automatically, as he/she is the one who marked that control as Inefficient). Now I need to configure this logic, as the Control owner should own this issue (Assigned to), as the control failure is against his/her control.

Now comes the tricky part: if for any reason the Control owner says, I don't agree with this issue as I have provided all the required evidence against this control (he/she may provide all that in the issue form) and simply clicks a button, Reject (with mandatory comments). Now if the Auditor believes this is not right and the Issue remains Active, the Auditor should be able to change the state back to New / WIP or something else (I don't know). From here on, the Control owner should be able to respond to it and say, yes, I am either happy to Remediate it, Accept it or even Mitigate it and hence add the respective tasks to it, which I believe is missing partially right now.

Lastly, there is no place where Auditor / Compliance Lead has any role to play in the workflow (in OOTB workflow) where they can participate and do something about it.

Hope my use case is even clearer to you now. 🙂

My only point is, if I get the above configured, will it be considered as configuration / enhancement or simply customisation?

Regards,

Rohit

Cool. We have similar use case.

What I have done is make the State field read-only for both Auditors and the owner.

And created buttons for them. For example, I have created a button Submit for review with a new field Explanation. If they select Submit for review and provide an explanation, it moves to the Review state, where the auditor receives an email to review the submission. The Auditor reviews it and has the buttons 'Approve' and 'Reject'. If they Approve, the issue closes. If they Reject, a Rejection comment is mandatory; the issue moves back to Work in progress and the owner receives an email with the rejection comments.

All the issues are tracked in a Dashboard. We have also added a field VP to the issue, to track them by VP and showcase it in meetings, so that it gets highlighted if a team is not doing its work.


Please mark this response as correct or helpful if it assisted you with your question.
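The pattern in the reply above (State field read-only, state changed only through role-specific buttons, a mandatory comment on Reject, and an email to the other party after each step), and the dispute cycle Rohit describes between Control owner and Auditor, can be modelled as a small state machine. The block below is an added example written for this thread; it is not ServiceNow code, not a UI action script, and not from either poster. The state, role, action and field names are assumptions chosen to match the discussion, and the scenario data is constructed. In a real instance each entry in `ACTIONS` would map onto a UI action with a condition on role and state, plus a mandatory field, while here the model lets you check the separation-of-duties rules offline.

```javascript
// Added example, not code from the thread or from ServiceNow: a plain JavaScript model of
// "buttons instead of an editable State field". The state is only ever changed through a
// named action, and each action checks the actor's role, the current state and the fields
// the action makes mandatory. All names below are assumptions for the model.
'use strict';

const State = Object.freeze({
  NEW: 'New',
  WIP: 'Work in progress',
  REVIEW: 'Review',
  CLOSED: 'Closed',
});

// For each button: the role that may press it, the states it is allowed from, the resulting
// state, the fields it makes mandatory, and which party is notified afterwards.
const ACTIONS = Object.freeze({
  submit_for_review: { role: 'owner',   from: [State.NEW, State.WIP], to: State.REVIEW, requires: ['explanation'],        notify: 'auditor' },
  approve:           { role: 'auditor', from: [State.REVIEW],         to: State.CLOSED, requires: [],                     notify: 'owner' },
  reject:            { role: 'auditor', from: [State.REVIEW],         to: State.WIP,    requires: ['rejection_comments'], notify: 'owner' },
});

function createIssue(number, owner, auditor) {
  return { number, owner, auditor, state: State.NEW, fields: {}, history: [], notifications: [] };
}

// Applies one button press. Throws when the press would break a workflow rule (wrong role,
// wrong state, missing mandatory field), so a caller can show the reason the way a UI action
// would; on success it records the transition and the outgoing notification and returns the issue.
function applyAction(issue, actor, actionName, fields = {}) {
  const action = ACTIONS[actionName];
  if (!action) throw new Error(`unknown action ${actionName}`);

  const actorRole = actor === issue.owner ? 'owner' : actor === issue.auditor ? 'auditor' : 'none';
  if (actorRole !== action.role) {
    throw new Error(`${actor} (${actorRole}) may not perform ${actionName}; requires ${action.role}`);
  }
  if (!action.from.includes(issue.state)) {
    throw new Error(`${actionName} is not allowed from state "${issue.state}"`);
  }
  for (const field of action.requires) {
    if (!fields[field] || !String(fields[field]).trim()) {
      throw new Error(`${field} is mandatory for ${actionName}`);
    }
  }

  const previous = issue.state;
  Object.assign(issue.fields, fields);
  issue.state = action.to;
  issue.history.push({ actor, action: actionName, from: previous, to: action.to });
  // Stand-in for the e-mail: who receives it and the comment it carries.
  issue.notifications.push({
    to: issue[action.notify],
    about: actionName,
    comment: fields.rejection_comments || fields.explanation || '',
  });
  return issue;
}

// Constructed walk-through of the cycle from the reply: submit, reject with comments,
// resubmit, approve. Rule violations are collected instead of aborting the run.
function runScenario() {
  const issue = createIssue('ISS0001001', 'control.owner', 'lead.auditor');
  const errors = [];
  const attempt = (actor, name, fields) => {
    try { applyAction(issue, actor, name, fields); } catch (e) { errors.push(e.message); }
  };

  attempt('control.owner', 'approve');                                                  // owner cannot approve their own issue
  attempt('control.owner', 'submit_for_review', {});                                    // explanation is mandatory
  attempt('control.owner', 'submit_for_review', { explanation: 'Q2 access review evidence attached.' });
  attempt('lead.auditor', 'reject', {});                                                // rejection comment is mandatory
  attempt('lead.auditor', 'reject', { rejection_comments: 'Evidence covers Q1 only.' });
  attempt('control.owner', 'submit_for_review', { explanation: 'Added the Q2 access review export.' });
  attempt('lead.auditor', 'approve');
  attempt('lead.auditor', 'approve');                                                   // already closed
  return { issue, errors };
}
```

Running `runScenario()` ends with the issue in `Closed`, four recorded transitions, four notifications (auditor, owner, auditor, owner) and four rejected attempts, which is the behaviour you would want to see from the configured buttons before wiring up the email notifications and dashboard.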

Phil Swann
Tera Guru

I think you need to upgrade to V11 of GRC and look at some of the additional features available, such as the Issue Manager fields... PLUS, if you are on IRM Professional, take a look at the Advanced Core applications which includes Issue Triage (plus Audit Observation under Advanced Audit), and I think you will find some much needed enhancements to these areas of the process lifecycles... 

Hi Phil - thanks for your reply.

Yes, I know about all these updates and am following them closely. As mentioned above to Meher, I am kind of stuck at one place: why and how is one person doing all the things? If this is the case, why do we need all the states in the Issue workflow?

But as Meher, Jan and you have suggested, will have to tweak it completely to make it fit for purpose.

Regards,

Rohit