Risk Form Lifecycle - Respond -> Review-> Monitor States

Ludmila Vinahra · ‎02-09-2022

Hello. I have a question about the purpose of the following states in a Risk form: Respond, Review and Monitor.

When a Risk Owner selects the Risk Response type (mitigate, avoid etc.) it generates a Risk Response task where a Risk Owner puts the Plan and asks to review it. Do I understand correctly that the purpose of Risk Response task is only to capture and approve the Action Plan? If yes, when happens the plan realization? As once a Risk Owner closes the Risk Response task, the plan is populated into the Plan field under the Response tab,and the Risk Form is auto moved to Review state.

What happens at the Review state? Who performs the review? What is being reviewed? Where do we understand that the Action plan has been performed and what are the outcomes from it?

After the Review the Risk Owner moves it to Monitor state, where I assume the Risk Owner performs the nurturing. Can you please share any process guidelines? Thank you!

Ashish Shah · ‎02-09-2022

@Ludmila Vinahradava - I noted that you were asking questions about Risk Form Lifecycle. I am the lead business architect of SNow Risk Management at Chevron and would like to understand how your organization has implemented Risk Lifecycle and is using it.

Would you be willing to have a discussion with me and some of my peers to share some information?

Please let me know. You can reach me directly at: ashish.p.shah@chevron.com

Ahmed Drar · ‎02-11-2022

Hi Ludmila, usually in the review state the risk manager looks at the response strategy in terms of avoiding, mitigating, transferring, or accepting and then decide whether to push the risk forward to the Monitor state.

Please mark my answer as ✅ Correct / Helpful based on the Impact.

Ludmila Vinahra · ‎02-11-2022

Thank you Ahmed.

Do you know at which state the work is being actually performed on the Action Plan described in the Risk Response Task? As on the task the action plan is documented, but when it comes to its actual implementation at which state it normally occurs?

Ahmed Drar · ‎02-11-2022

This is a great question. I just upvote it

from a risk management standpoint, this work is done in the risk treatment phase. In ServiceNow, the monitor state is the place of tracking risk management execution.

It becomes a bit tricky if you ask about the 'actual implementation' - here is why

let's say Maria is a risk user:

- she responds to RSK001 by taking acceptance action, so she creates policy expectation EXCP009 to document that - technically the implementation is done however RSK001 is now in Review state and still needs to be reviewed and push to monitor state by the Risk manager.

- she responds to RSK003 by taking mitigating action, so she selected already existing controls that had already been implemented as part of her plan - technically the implementation is done however RSK003 is now in Review state and still needs to be approved and pushed to monitor state by the Risk manager.

- she responds to RSK006 by taking mitigating action, so she created a few controls to be implemented as part of her plan. Now, the risk manager reviews the plan and pushes it to monitor state - in this instance controls related to RSK006 are to be implemented & RSK006 is in Monitor state

In every Org, there must be an understanding of what every state entails especially the ones that require a type of approval

I hope this helps.