Create a risk using the GRC: Workbench

  • Release version: Australia
  • Updated March 12, 2026
    Risk managers can create risks directly from the GRC: Workbench.

    Before you begin

    Role required: sn_risk.admin or sn_risk.manager

    Procedure

    1. Navigate to https://myCompany.service-now.com/$grc_workbench.do.
    2. Select the Risk Dependencies tab at the top, then select the Relationships tab below it.
    3. On the left, in the Risks section, click Create Risk.
    4. On the form, fill in the fields.
      Table 1. Risk form
      Field | Description
      Name | Name for the risk. The field is auto-populated if the risk is generated from a risk statement, but can be changed without affecting the relationship between the risk and the risk statement.
      Number | Unique identification number. This field is automatically populated.
      State | Risk state. Possible choices are:
        • Draft: In this state, all risk users can modify the risk. Only available when creating a one-off control. One-off controls are possible but not recommended.
        • Attest: When the risk is created from a risk statement, controls are in this state.
          Note: When a risk is set back to draft, the assessment is canceled.
        • Review: Risks are automatically moved to review from the assessment phase.
        • Monitor: In this state, all risk managers can move the risk from review to monitor.
        • Retired: Risk managers or administrators can move a risk from Monitor to Retired. Indicators do not run when the risk is in this state.
          Note: When a risk is retired, any assessment associated with it is canceled.
      Owning group | Owning group for the risk.
      Category | Category of risk which applies to the profile.
        • Legal
        • Financial
        • Operational
        • Reputational
        • Legal/Regulatory
        • Credit
        • Market
        • IT
        The field is auto-populated if the risk is generated from a risk statement.
      Owner | Owner for the risk.
        Note: The owner is always added as a respondent.
      Statement | Statement this risk is associated with.
      Entity | Entity related to the risk.
        Note: Only active entities are shown.
      Description | Description of the risk and how it is a threat to the organization.
      Additional Information | More details that help others understand the risk record.
    5. Click the Assessment tab.
    6. On the form, fill in the fields.
      Table 2. Risk Scoring form
      Field | Description
      Assessment | Assessment to attach to this risk.
      Assessment respondents | Users assigned to the assessment of this risk.
        Note: Only a user with the sn_grc.user role can be added as a respondent.
      When both the Assessment and Assessment respondents fields are set, assessments are created when you click Assess.
    7. Click the Scoring tab.
    8. On the form, fill in the fields.
      Table 3. Risk Scoring form
      Field | Description
      Inherent SLE | Monetary value of a risk if it occurs before any mitigation strategies are in place.
      Residual SLE | Monetary value of a risk if it occurs after all mitigation strategies are in place.
      Inherent ARO | Probability that a risk occurs in any given year before any mitigation strategies are in place.
      Residual ARO | Probability that a risk occurs in any given year after all mitigation strategies are in place.
      Inherent ALE | Annualized loss expectancy (ALE = SLE x ARO) before any mitigation strategies are in place.
      Residual ALE | Annualized loss expectancy (ALE = SLE x ARO) after all mitigation strategies are in place.
      Inherent score | The score of the risk before any mitigation strategies are in place.
      Residual score | The score of the risk after all mitigation strategies are in place.
      Calculated ALE | Annualized loss expectancy based on all calculations.
      Calculated score | The corresponding score for the calculated ALE.
    9. Click the Response tab.
    10. On the form, fill in the fields.
      Table 4. Risk Response form
      Field | Description
      Response | Possible choices are:
        • Accept
        • Avoid
        • Mitigate
        • Transfer
      Justification | Enter a reasonable justification for the selected response.
    11. Click the Monitoring tab.
      Table 5. Risk Monitoring form
      Field | Description
      Control compliance | Percentage of compliant controls.
      Control non-compliance | Percentage of non-compliant controls.
      Control failure factor | Sum of failed controls weighting divided by total controls weighting.
      Indicator failure factor | Uses the last result of each associated indicator. Number of last results failed divided by total number of indicators associated.
      Calculated risk factor | This value is calculated from (Indicator failure factor + Control failure factor) / 2.
    12. Click the Activity Journal tab.
    13. Enter additional comments, as necessary.
    14. Click Submit.
      The risk is created and centered in the middle of the page. Also, the risk is selected on the right.
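
The Scoring and Monitoring calculations described in Tables 3 and 5, worked through as an added example (plain JavaScript written for this page, not ServiceNow code). The property names, the sample values, and the handling of empty control or indicator lists are assumptions.

```javascript
// Added illustration in plain JavaScript; not ServiceNow platform code.
// Property names and all sample values below are constructed.

// ALE = SLE x ARO, where ARO is a yearly probability in [0, 1].
function ale(sle, aro) {
  if (!(sle >= 0)) throw new RangeError('SLE must be a non-negative amount');
  if (!(aro >= 0 && aro <= 1)) throw new RangeError('ARO must be a probability in [0, 1]');
  return sle * aro;
}

// Control non-compliance: percentage of non-compliant controls (unweighted count).
function controlNonCompliancePct(controls) {
  if (controls.length === 0) return 0; // assumption: no controls yields 0
  return 100 * controls.filter(c => !c.compliant).length / controls.length;
}

// Control failure factor: failed controls' weighting / total controls' weighting.
function controlFailureFactor(controls) {
  const total = controls.reduce((sum, c) => sum + c.weighting, 0);
  const failed = controls.filter(c => !c.compliant)
    .reduce((sum, c) => sum + c.weighting, 0);
  return total === 0 ? 0 : failed / total; // assumption: avoid NaN on zero weight
}

// Indicator failure factor: only the last result of each indicator counts.
// Assumption: an indicator with no results is in the total but not counted as failed.
function indicatorFailureFactor(indicators) {
  if (indicators.length === 0) return 0;
  const failed = indicators
    .filter(i => i.results[i.results.length - 1] === 'failed').length;
  return failed / indicators.length;
}

// Calculated risk factor = (Indicator failure factor + Control failure factor) / 2.
function calculatedRiskFactor(controls, indicators) {
  return (indicatorFailureFactor(indicators) + controlFailureFactor(controls)) / 2;
}

// Constructed sample: one of four controls fails, but it carries half the weight.
const sampleControls = [
  { weighting: 10, compliant: false },
  { weighting: 5, compliant: true },
  { weighting: 3, compliant: true },
  { weighting: 2, compliant: true },
];
// Results are listed oldest first; the second indicator failed earlier but passed last.
const sampleIndicators = [
  { results: ['passed', 'failed'] },
  { results: ['failed', 'passed'] },
  { results: ['passed'] },
  { results: [] },
];
```

With this sample, Control non-compliance is 25 percent while the Control failure factor is 0.5, because the failure factor is weighted and the percentage is not.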