Managing risk responses

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Managing Risk Responses

    A risk response strategy addresses risks after they have been assessed. Assessors can select from four main risk response strategies: Accept, Mitigate, Avoid, and Transfer. Each strategy involves creating associated tasks and assigning them to users with specific roles within ServiceNow.

    Show full answer Show less

    Key Features

    • Risk Acceptance: Users submit a plan and justification for accepting the risk, seeking approval from the risk owner. Once accepted, the risk moves to the Monitor state and can be reassessed later.
    • Risk Mitigation: A risk mitigation task is generated where users outline their mitigation plan and submit it for review. Additional controls can be added during the Draft or Work In Progress states.
    • Risk Avoidance: Users create a plan to avoid the risk, which is then submitted for review. The reviewer can approve or provide feedback to refine the plan.
    • Risk Transfer: Users propose how to transfer the risk, requesting a review from the risk manager who can approve or suggest changes.

    Key Outcomes

    Implementing these risk response strategies helps customers effectively manage risks by defining clear plans, obtaining necessary approvals, and allowing for collaboration among team members. The structured workflow ensures that risks are continually monitored and addressed appropriately.

    A risk response is the strategy used to deal with risks after the risks are assessed.

    After risks are assessed, the assessor determines how to approach those risks. To deal with the risks, the assessor can choose from the following types of risk responses or strategies:
    • Accept: Accept the risk as it is.
    • Mitigate: Identify and implement additional controls to mitigate the risk.
    • Avoid: Change the plan to completely avoid the risk.
    • Transfer: Transfer or share the risk with a third party.
    After an assessor identifies the appropriate risk response strategy, they can create risk response tasks and assign them to users with any of the following roles:
    • sn_grc.business_user
    • sn_grc.business_user_lite
    • sn_risk.implementation_business_user (feature role)
    Each strategy is explained as follows:
    Risk acceptance
    When risk users accept a risk, they provide a plan for how they want to accept the risk, provide a justification for accepting the risk, and seek additional approval from the risk owner. Closure of the acceptance task implies you are accepting this risk for that time period. The risk then moves to the Monitor state. After the specified time period is over, you can re-initiate the workflow to assess the risk and then you can again respond to the risk. The risk owner can then respond with one of the following options:
    • Approve
    • Reject
    • Cancel
    • Request more information
    • Decide that it is no longer required
    Risk mitigation
    When risk users choose to mitigate a risk, a risk mitigation task is created. The risk user must provide a plan for how to mitigate the risk and request a review from the risk manager. When the risk mitigation task is in the Draft or Work In Progress state, you can either create more risk-mitigating controls for the risk or add existing controls from the library. The reviewer with the role sn_risk.manager then reviews the plan and selects one of the following options:
    • Close
    • Revert to draft state and provide additional comments
    • Cancel
    • Delete
    Risk avoidance
    When risk users choose to avoid a risk, they provide a plan for how they want to avoid the risk and request a review from the risk manager. The reviewer then reviews the plan and can select one of the following options:
    • Close
    • Revert to Draft state and provide additional comments
    • Cancel
    • Delete
    Risk transfer
    When risk users choose to transfer a risk, they provide a plan for how they want to transfer the risk and request a review from the risk manager. The reviewer then reviews the plan and can select one of the following options:
    • Close
    • Revert to Draft state and provide additional comments
    • Cancel
    • Delete
    Note:
    The risk response workflow is not available for an object assessment.