Managing risk responses

  • Release version: Yokohama
  • Updated January 30, 2025

    A risk response is the strategy used to deal with risks after the risks are assessed.

    After risks are assessed, the assessor determines how to approach those risks. To deal with the risks, the assessor can choose from the following types of risk responses or strategies:
    • Accept: Accept the risk as it is.
    • Mitigate: Identify and implement additional controls to mitigate the risk.
    • Avoid: Change the plan to completely avoid the risk.
    • Transfer: Transfer or share the risk with a third party.
    After an assessor identifies the appropriate risk response strategy, they can create risk response tasks and assign them to users with any of the following roles:
    • sn_grc.business_user
    • sn_grc.business_user_lite
    • sn_risk.implementation_business_user (feature role)
    Each strategy is explained as follows:
    Risk acceptance
    When risk users accept a risk, they provide a plan for how they want to accept the risk, give a justification for accepting it, and request approval from the risk owner. The risk owner then responds with one of the following options:
    • Approve
    • Reject
    • Cancel
    • Request more information
    • Decide that it is no longer required
    Closing the acceptance task means the risk is accepted only for the time period stated in the plan. The risk then moves to the Monitor state. When that period ends, the workflow can be re-initiated to reassess the risk, after which the risk user responds to the risk again.
    Risk mitigation
    When risk users choose to mitigate a risk, a risk mitigation task is created. The risk user must provide a plan for how to mitigate the risk and request a review from the risk manager. While the risk mitigation task is in the Draft or Work In Progress state, the risk user can either create new controls that mitigate the risk or add existing controls from the control library. A reviewer with the sn_risk.manager role then reviews the plan and selects one of the following options:
    • Close
    • Revert to Draft state and provide additional comments
    • Cancel
    • Delete
    Risk avoidance
    When risk users choose to avoid a risk, they provide a plan for how they want to avoid the risk and request a review from the risk manager. The risk manager then reviews the plan and can select one of the following options:
    • Close
    • Revert to Draft state and provide additional comments
    • Cancel
    • Delete
    Risk transfer
    When risk users choose to transfer a risk, they provide a plan for how they want to transfer or share the risk with a third party and request a review from the risk manager. The risk manager then reviews the plan and can select one of the following options:
    • Close
    • Revert to Draft state and provide additional comments
    • Cancel
    • Delete
    Note:
    The risk response workflow is not available for an object assessment.