Managing risk responses
A risk response is the strategy used to deal with risks after the risks are assessed.
After risks are assessed, the assessor determines how to approach those risks. To deal with the risks, the assessor can choose from the following types of risk responses or strategies:
- Accept: Accept the risk as it is.
- Mitigate: Identify and implement additional controls to mitigate the risk.
- Avoid: Change the plan to completely avoid the risk.
- Transfer: Transfer or share the risk with a third party.
After an assessor identifies the best strategy, the assessor then creates risk response tasks and assigns them to the risk user with the role sn_risk.user. Each strategy is explained as follows:
- Risk acceptance: When risk users accept a risk, they provide a plan for how they want to accept the risk, provide a justification for accepting the risk, and seek additional approval from the risk owner. Closing the acceptance task means the risk is accepted for that time period, and the risk then moves to the Monitor state. After the specified time period is over, you can re-initiate the workflow to assess the risk and then respond to it again. The risk owner can respond with one of the following options:
  - Approve
  - Reject
  - Cancel
  - Request more information
  - Decide that it is no longer required
- Risk mitigation: When risk users choose to mitigate a risk, a risk mitigation task is created. The risk user must provide a plan for how to mitigate the risk and request a review from the risk manager. While the risk mitigation task is in the Draft or Work In Progress state, you can either create more risk-mitigating controls for the risk or add existing controls from the library. The reviewer with the role sn_risk.manager then reviews the plan and selects one of the following options:
  - Close
  - Revert to Draft state and provide additional comments
  - Cancel
  - Delete
- Risk avoidance: When risk users choose to avoid a risk, they provide a plan for how they want to avoid the risk and request a review from the risk manager. The reviewer then reviews the plan and can select one of the following options:
  - Close
  - Revert to Draft state and provide additional comments
  - Cancel
  - Delete
- Risk transfer: When risk users choose to transfer a risk, they provide a plan for how they want to transfer the risk and request a review from the risk manager. The reviewer then reviews the plan and can select one of the following options:
  - Close
  - Revert to Draft state and provide additional comments
  - Cancel
  - Delete
Note: The risk response workflow is not available for an object assessment.