Roles installed with Risk Management

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Roles Installed with Risk Management

    The Risk Management module in ServiceNow introduces various roles that define user access and capabilities within the Governance, Risk, and Compliance (GRC) framework. Each role has distinct permissions enabling users to interact with risk data effectively, promoting efficient risk management processes.

    Show full answer Show less

    Key Features

    • Risk Reader [snrisk.reader]: Offers read-only access to risk applications and modules, allowing users to act on assigned issues, view indicators, and access risk event dashboards.
    • Risk User [snrisk.user]: Combines reader and business user permissions, enabling tasks such as creating risks, managing remediation tasks, and accessing advanced dashboards.
    • Risk Manager [snrisk.manager]: Extends user capabilities by allowing the creation of risk frameworks, statements, and remediation tasks, and accessing risk identification features.
    • Risk Admin [snrisk.admin]: Provides comprehensive administrative control, including the ability to delete and modify risk-related entities, frameworks, and configurations.
    • Assessment Creator [snrisk.asmtcreator]: Facilitates the creation of GRC risk assessment metric types.
    • GRC Business User [sngrc.businessuser]: Empowers users to manage risk assessments, report issues, and interact with assigned tasks and indicators.

    Key Outcomes

    By utilizing these roles, ServiceNow customers can effectively manage risk processes, enhance collaboration across teams, and ensure compliance with organizational policies. Each role is designed to streamline risk management activities, enabling users to focus on their specific responsibilities within the GRC framework.

    Roles are added with activation of GRC: Risk Management.

    Table 1. Roles installed
    Role title [name] Description Contains roles
    Risk Reader

    [sn_risk.reader]

    		 In addition to the inherited permissions, the risk reader has read-only access rights to the Risk application and modules. The risk reader can do the following in the GRC scope:
    • Act on issues assigned to him.
    • Have read access to all Indicator templates.
    • Can act on indicator tasks assigned to them.
    • Have read-access to indicators.
    • Have read-access to entities.

    The risk reader can do the following in the Risk Management application:

    • Act on the Remediation tasks assigned to them.
    • Have read-access to risks.
    • Take old risk assessment.
    • Have read-access to risk statement and risk framework.
    • Perform advanced risk assessment.
    • Create risk events.
    • Work on risk event tasks and issues.
    • Access all risk events and risk dashboards.
    • Have read-access to feedback.
    • sn_grc.reader
    • survey_reader
    • sn_rvw_feedback.reader
    Risk User

    [sn_risk.user]

    		 Contains the reader and business user roles in sn_grc scope, and the reader role in the Risk Management application and business user role in the sn_grc scope. In addition to the inherited permissions, the risk user can view:
    • entity types
    • entities
    • risks
    • remediation tasks
    • control
    • control objectives
    • policy exceptions

    The risk user can also create risks. The risk user can be assigned risks and has read-only access to the Policy and Compliance Management application and modules. Risk user can do everything that the risk reader can do. The risk reader can do the following in the Risk Management application:

    • Work on risk acceptance tasks and remediation tasks.
    • Create risks.
    • Access the Advanced Risk related dashboards.
    • Have read-access to the risk identification functionality of Advanced Risk and can take assessment related to risk identification.
    • Create assessment scope.
    • sn_grc.user
    • sn_compliance.reader
    • sn_risk.reader
    • survey_reader
    • sn_grc.business_user
    • sn_risk_advanced.ara_creator
    Risk Manager

    [sn_risk.manager]

    		 Contains the reader, user, and manager roles in sn_grc scope, and the reader and user roles in the Risk Management application. In addition to the inherited permissions, the risk manager can do the following in the GRC scope
    • Create issues and issue ratings.
    • Create entity, entity types, and entity classes and class rules.
    • Create content references.
    • Create indicators and indicator templates.
    • Have read-access to entity tier.

    In the Risk Management application, the risk manager can:

    • Create risk frameworks
    • Create risk statements
    • Create risks
    • Create risk event response template.
    • Create risk identifications and can view the dashboard related to risk identification.
    • Create remediation tasks.
    • Create assessment scheduler.
    • Associate risk statements to Information objects using Associate risk statements module.
    • sn_grc.manager
    • sn_risk.user
    Risk Admin

    [sn_risk.admin]

    		 Contains the reader, user, manager, and admin roles in sn_grc scopes, and the reader, user, and manager roles in the Risk Management application. In addition to the inherited permissions, in the GRC scope, the risk admin can create an entity tier. In the Risk Management application, the risk administrator can:
    • Delete risk frameworks.
    • Delete entity, tables, indicator, risks, issues, tasks.
    • Create risk statements and risks.
    • Modify admin properties.
    • Modify risk criteria.
    • Create causes and consequences of risk event.
    • Access to risk, advanced risk related properties.
    • Create risk identification configuration.
    • Create a risk assessment methodology, all types of factors.
    • Perform administrative activities.
    • Configure a feedback integration setup for any record type.
    • sn_grc.admin
    • sn_risk.user
    • sn_risk.manager
    • sn_grc_appr.admin
    • sn_rvw_feedback.admin
    Assessment Creator

    [sn_risk.asmt_creator]

    		 The assessment creator is used for creating GRC risk assessment metric types. assessment_admin
    GRC Business User

    [sn_grc.business_user]

    		 Users with this role can perform the following tasks:
    • Take risk assessment.
    • Create risk response tasks.
    • View risk statements.
    • View risk assessment scope.
    • View and report risk events.
    • Work on assigned risk event tasks.
    • View indicator supporting data.
    • Respond to indicator tasks.
    • Respond to risk identification questionnaire.
    • Respond to metrics data tasks.
    • Report issues.
    • Submit issue triage requests.
    • Work on assigned remediation tasks.
    • Work on assigned issues.
    • If there is an integration with Project Portfolio Management:
      • View the Project Risk Overview dashboard
      • Create risks from library.
      • Elevate enterprise risks.
      • Initiate any object assessment.
    		 None