Risk record [sn_risk_risk] lifecycle after it reaches 'Monitor' state?

Valqe
Tera Expert

Hi all,

I have some leading-practices-related question(s) on the [sn_risk_risk] record lifecycle AFTER it reaches the 'Monitor' state:

1) What then? How do you ensure continuous monitoring? Is it just 'Indicators', or perhaps there are other mechanisms, best practices or options?

2) How do you ensure future periodic Risk Assessment (with classic risk, please)? Is it something you can do to schedule, i.e. annual re-assessment processes?

Thank you all 🙂

1 ACCEPTED SOLUTION

Community Alums
Not applicable

Hi @Valqe ,

Once the Risk is in "Monitor" state, there is a Scheduled job called "GRC indicator nightly run" which runs daily and executes the indicators.

When an indicator is run, you have the option to collect supporting data. Supporting data refers to the evidence that is collected when an indicator is run. Supporting data or information can be collected for the indicators through automatic data collection or manual tasks.

Indicators yield results when the indicator tasks are closed. Those results are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testing. Starting with version 10.1, the system displays the actual historical data for the supporting data records from the indicator results or indicator tasks. For more information on how to create the various types of indicators, see:

Now, to answer your 2nd question: if you navigate to All > Risk > Risk Workspace > Indicators > Risk indicators and open any risk indicator, then scroll down, you will see a "Schedule" tab, where you can mention when you want to run the indicator.

Also, if you are using Risk Workspace then Schedule risk assessments in the Risk Workspace

3 REPLIES


Thank you so much for your valuable comments @Community Alums - I really appreciate it.

It appears that the 'Risk Assessment' process takes place only once in the 'regular' lifecycle unless you revert the flow back to 'draft' and then start all over again.

Q: What is a good practice when it comes to the re-assessment process? Maybe I'm wrong, but I assumed 'assessments' could take place on a periodic basis and not just once. I just tried the Schedule risk assessments in the Risk Workspace resource, but I understand it's only available with advanced risk management (using RAMs) and not in classic. Sharing a screenshot of a "Risk Management" workspace on Quick Actions options and I don't get to see the Schedule risk assessments option.
Am I missing something? 🙂


Thanks so much.

Valqe

Community Alums
Not applicable

Hi @Valqe ,

You cannot schedule a Classic risk assessment from workspace; you need advanced Risk for that, unfortunately.