Risk Acceptance

David347 · ‎06-08-2022

We are setting up GRC and using OOTB as much as possible but we have a slightly different response to our Risk Acceptance workflow.

The OOTB behaviour is that the response approach of 'Accept' for a risk requires an approval from the risk owner.

We would like to extend the approval logic where the risk has an impact to the enterprise and residual risk scoring.

Example if the risk impacts a local area then risk owner can accept but if that risk impact threat rating is higher than say 16 out of 20, or it effects multiple business areas then it needs to be escalated to a senior level for review.

We are being advised that this falls into 'pro-code' customisation. But from the standard approach below it does look like the enterprise escalation is standard?

Ahmed Drar · ‎06-08-2022

every organization has a pretty much different risk acceptance process. so in fact, this type of workflow configuration is expected. and from a technical stand-point, the configuration needs to be done to one workflow(Risk acceptance approval)

Thanks,

Ahmed

Please mark my answer as ✅ Correct / Helpful based on the Impact

David347 · ‎06-10-2022

Can you elaborate on your answer please. Where do i create that workflow?

Ahmed Drar · ‎06-13-2022

You don't need to create a new workflow.

Navigate to Workflow editor
Search Risk acceptance approval workflow
edit the workflow to accommodate your needs

Sebastien Fix1 · ‎06-12-2022

You need to go to Workflow Designer since the BR is only there to check is risk.owner is empty and if not it triggers the WF Risk Acceptance Approval. The issue there is that the "random" value (16 or 20) you choose to escalate would be coded in the WF itself. You would need to put in place a check to verify that there is a user_id for the "senior level" to escalate to.