Workflow for risk identification in the Risk Workspace

  • Release version: Australia
  • Updated April 28, 2026
  • 1 minute to read

    • Workflows provide step-by-step guidance for completing the risk identification process in the GRC Risk Workspace.

    In the Risk Workspace, a risk manager can use the risk identification workflow to identify risks. The workflow has multiple stages. The stage progress gets updated as activities are completed. The risk identification workflow is broken it into multiple lanes. Each lane in the workflow includes one or more activities for a task owner to complete.

    The benefit of using the risk identification workflow is that you can get a detailed view on a single interface. You can also easily go back to any stage and restart an activity.

    For risk identification, after a risk identification record is created, the information gathering questionnaire is sent to the assigned user. You can also send email reminders to the users to respond to the questionnaire. After the responses are received, the risk manager can do the following activities:
    1. View the responses.
    2. Approve or reject the responses.
      Note:
      If there is rejection, the risk manager can provide a reason for rejection and resend the questionnaire.
    3. Initiate inherent assessment.
    4. Perform the risk assessment.
    5. View the assessment scores.
    6. Relate either the recommended risks or relate them from the library. Alternatively, the risk manager can also create risks.
      Note:
      Recommended risks are risks that are generated from information objects.
    7. Mark the activity as complete.
    8. Relate either the recommended policies or relate them from the library.
    9. Relate or create additional controls after the controls for various risks and policies are automatically generated.
    10. Request attestations for either all the controls or selective controls.
    It is important to remember the following points:
    • In a workflow, the stage progression is automatic, however, if you restart any activity after completing it, you have to manually move to the next stage.
    • If you finish relating the controls and then again move to risk mapping, the control-mapping stage moves to pending state.
    • When you reinitiate a workflow, a new workflow instance is created.

    For more information, see Application risk assessment using advanced risk assessment

    The following figures show the workflow stages and actions:
    Figure 1. Workflow stages
    Stages of risk identification workflow.