Managing risk responses

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Managing Risk Responses

    A risk response is essential for addressing assessed risks, allowing users to determine how to manage those risks effectively. After assessment, users can choose from four primary risk response strategies: Accept, Mitigate, Avoid, and Transfer. Each strategy requires specific actions and approvals to ensure proper management of risks.

    Show full answer Show less

    Key Features

    • Accept: Users can accept a risk by providing a justification and seeking approval from the risk owner. Once accepted, the risk moves to the Monitor state.
    • Mitigate: Users create a mitigation plan and request a review. Additional controls can be added during the drafting phase, and the manager can approve, revert, or cancel the task.
    • Avoid: Users submit a plan to avoid the risk for review by the risk manager, who has similar options for task management as in mitigation.
    • Transfer: Users propose a transfer plan, which must also be reviewed by the risk manager, with the same response options available.

    Key Outcomes

    By effectively managing risk responses, ServiceNow users can ensure that risks are addressed appropriately, leading to better risk management outcomes. Users are empowered to track the progress of risk responses, engage with stakeholders for approvals, and refine their risk management strategies over time. Note that the risk response workflow is not applicable for object assessments.

    A risk response is the strategy used to deal with risks after the risks are assessed.

    After risks are assessed, the assessor determines how to approach those risks. To deal with the risks, the assessor can choose from the following types of risk responses or strategies:
    • Accept: Accept the risk as it is.
    • Mitigate: Identify and implement additional controls to mitigate the risk.
    • Avoid: Change the plan to completely avoid the risk.
    • Transfer: Transfer or share the risk with a third party.
    After an assessor identifies the appropriate risk response strategy, they can create risk response tasks and assign them to users with any of the following roles:
    • sn_grc.business_user
    • sn_grc.business_user_lite
    • sn_risk.implementation_business_user (feature role)
    Each strategy is explained as follows:
    Risk acceptance
    When risk users accept a risk, they provide a plan for how they want to accept the risk, provide a justification for accepting the risk, and seek additional approval from the risk owner. Closure of the acceptance task implies you are accepting this risk for that time period. The risk then moves to the Monitor state. After the specified time period is over, you can re-initiate the workflow to assess the risk and then you can again respond to the risk. The risk owner can then respond with one of the following options:
    • Approve
    • Reject
    • Cancel
    • Request more information
    • Decide that it is no longer required
    Risk mitigation
    When risk users choose to mitigate a risk, a risk mitigation task is created. The risk user must provide a plan for how to mitigate the risk and request a review from the risk manager. When the risk mitigation task is in the Draft or Work In Progress state, you can either create more risk-mitigating controls for the risk or add existing controls from the library. The reviewer with the role sn_risk.manager then reviews the plan and selects one of the following options:
    • Close
    • Revert to draft state and provide additional comments
    • Cancel
    • Delete
    Risk avoidance
    When risk users choose to avoid a risk, they provide a plan for how they want to avoid the risk and request a review from the risk manager. The reviewer then reviews the plan and can select one of the following options:
    • Close
    • Revert to Draft state and provide additional comments
    • Cancel
    • Delete
    Risk transfer
    When risk users choose to transfer a risk, they provide a plan for how they want to transfer the risk and request a review from the risk manager. The reviewer then reviews the plan and can select one of the following options:
    • Close
    • Revert to Draft state and provide additional comments
    • Cancel
    • Delete
    Note:
    The risk response workflow is not available for an object assessment.