As a GRC user, you can manually create issues to document policy, risk, or audit observations, or to accept any GRC problems. You can also identify the source of the issue to help analyze and classify the issues.

Before you begin

Role required: (per product)

  • In Policy and Compliance Management: sn_grc.business_user, sn_grc.business_user_lite
  • In Risk Management: sn_grc.business_user
  • In Audit Management: sn_grc.business_usersn_grc.business_user_lite
Note: Starting with Version 12.0.1 of the products mentioned above, the minimum role for the Assigned to user on the Issues form is GRC Business User [sn_grc.business_user]. The minimum role for the Issue manager is GRC User [sn_grc._user].

For more information on the access control limitations to issues, see GRC business user role to control access and track usage of compliance tables.

Procedure

  1. Navigate to one of the following locations:
    • All > Policy and Compliance > Issues > Create New.
    • Risk > Issues > Create New.
    • Audit > Issues > Create New.
    Note: Starting with Version 12.0.1 of the products mentioned above, the minimum role for the Assigned to user on the Issues form is GRC Business User [sn_grc.business_user]. The minimum role for the Issue manager is GRC User [sn_grc._user].
  2. On the Issue form, fill in the fields.

    The due date under the Dates tab is automatically calculated based on the issue rating. You can manually override the calculated due date. The Task SLAs related list creates and displays SLAs based on the Due date.

  3. Save the issue record.
    The tabs at the bottom of the screen enable you to perform various tasks for remediating the issue. You can add policy exceptions and create remediation tasks. Additionally, you can view other issues, indicator results, and task SLAs related to the issue.
    Note: Starting with Version 12.0.1, the Task SLA tab creates and displays SLAs based on the Due date. Notifications are sent to the issue owner and issue manager when the issue Due date reaches 50%, then 75%, then when it breaches. If the Assigned to and Due date fields are not empty and the issue is not in the New state, an SLA is created for the issue.

    If the due date for the SLA changes, a new SLA is created. The SLA is completed when the issue transitions to Closed Complete or Closed Incomplete. Also, the SLA is cancelled if the Due date or Assigned to fields are empty, or the state is New.

    Also starting with Version 12.0.1, remediation tasks can be created with the Assigned to user and issue manager user roles, as well as any user with the GRC Business User role.