Roles installed with Risk Management

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Roles Installed with Risk Management

    The activation of Governance, Risk, and Compliance (GRC): Risk Management installs various roles that define user permissions and capabilities within the Risk Management module. Each role comes with specific functionalities that facilitate risk management processes, enabling users to act on assigned tasks, create risks, and manage risk-related data effectively.

    Show full answer Show less

    Key Features

    • Risk Reader [snrisk.reader]: Provides read-only access to risks, indicators, and tasks, allowing users to manage assigned issues and view key risk information.
    • Risk User [snrisk.user]: Builds on the Risk Reader's capabilities, allowing users to create risks, manage remediation tasks, and access advanced risk dashboards.
    • Risk Manager [snrisk.manager]: Expands permissions to include the creation of entity types, risk frameworks, and remediation tasks, along with comprehensive risk identification management.
    • Risk Admin [snrisk.admin]: Offers full administrative control, including the ability to delete and modify risk-related entities, create risk assessments, and configure integrations.
    • Assessment Creator [snrisk.asmtcreator]: Specialized role for creating GRC risk assessment metric types.
    • GRC Business User [sngrc.businessuser]: Empowers users to perform risk assessments, manage responses to tasks, and report on risk events.

    Key Outcomes

    By utilizing these roles, ServiceNow customers can effectively manage risk-related tasks and data across their organization. Each role supports specific actions that enhance collaboration, improve risk visibility, and streamline the risk management process, ultimately contributing to better governance and compliance outcomes.

    Roles are added with activation of GRC: Risk Management.

    Table 1. Roles installed
    Role title [name] Description Contains roles
    Risk Reader

    [sn_risk.reader]

    		 In addition to the inherited permissions, the risk reader has read-only access rights to the Risk application and modules. The risk reader can do the following in the GRC scope:
    • Act on issues assigned to him.
    • Have read access to all Indicator templates.
    • Can act on indicator tasks assigned to them.
    • Have read-access to indicators.
    • Have read-access to entities.

    The risk reader can do the following in the Risk Management application:

    • Act on the Remediation tasks assigned to them.
    • Have read-access to risks and can be an owner to a risk.
    • Take old risk assessment.
    • Have read-access to risk statement and risk framework.
    • Perform advanced risk assessment.
    • Create risk events.
    • Work on risk event tasks and issues.
    • Access all risk events and risk dashboards.
    • Have read-access to feedback.
    • sn_grc.reader
    • survey_reader
    • sn_rvw_feedback.reader
    Risk User

    [sn_risk.user]

    		 Contains the reader and business user roles in sn_grc scope, and the reader role in the Risk Management application and business user role in the sn_grc scope. In addition to the inherited permissions, the risk user can view:
    • entity types
    • entities
    • risks
    • remediation tasks
    • control
    • control objectives
    • policy exceptions

    The risk user can also create risks. The risk user can be assigned risks and has read-only access to the Policy and Compliance Management application and modules. Risk user can do everything that the risk reader can do. The risk reader can do the following in the Risk Management application:

    • Work on risk acceptance tasks and remediation tasks.
    • Create risks.
    • Access the Advanced Risk related dashboards.
    • Have read-access to the risk identification functionality of Advanced Risk and can take assessment related to risk identification.
    • Create assessment scope.
    • sn_grc.user
    • sn_compliance.reader
    • sn_risk.reader
    • survey_reader
    • sn_grc.business_user
    • sn_risk_advanced.ara_creator
    Risk Manager

    [sn_risk.manager]

    		 Contains the reader, user, and manager roles in sn_grc scope, and the reader and user roles in the Risk Management application. In addition to the inherited permissions, the risk manager can do the following in the GRC scope
    • Create issues and issue ratings.
    • Create entity, entity types, and entity classes and class rules.
    • Create content references.
    • Create indicators and indicator templates.
    • Have read-access to entity tier.

    In the Risk Management application, the risk manager can:

    • Create risk frameworks
    • Create risk statements
    • Create risks
    • Create risk event response template.
    • Create risk identifications and can view the dashboard related to risk identification.
    • Create remediation tasks.
    • Create assessment scheduler.
    • Associate risk statements to Information objects using Associate risk statements module.
    • sn_grc.manager
    • sn_risk.user
    Risk Admin

    [sn_risk.admin]

    		 Contains the reader, user, manager, and admin roles in sn_grc scopes, and the reader, user, and manager roles in the Risk Management application. In addition to the inherited permissions, in the GRC scope, the risk admin can create an entity tier. In the Risk Management application, the risk administrator can:
    • Delete risk frameworks.
    • Delete entity, tables, indicator, risks, issues, tasks.
    • Create risk statements and risks.
    • Modify admin properties.
    • Modify risk criteria.
    • Create causes and consequences of risk event.
    • Access to risk, advanced risk related properties.
    • Create risk identification configuration.
    • Create a risk assessment methodology, all types of factors.
    • Perform administrative activities.
    • Configure a feedback integration setup for any record type.
    • sn_grc.admin
    • sn_risk.user
    • sn_risk.manager
    • sn_grc_appr.admin
    • sn_rvw_feedback.admin
    Assessment Creator

    [sn_risk.asmt_creator]

    		 The assessment creator is used for creating GRC risk assessment metric types. assessment_admin
    GRC Business User

    [sn_grc.business_user]

    		 Users with this role can perform the following tasks:
    • Take risk assessment.
    • Create risk response tasks.
    • View risk statements.
    • View risk assessment scope.
    • View and report risk events.
    • Work on assigned risk event tasks.
    • View indicator supporting data.
    • Respond to indicator tasks.
    • Respond to risk identification questionnaire.
    • Respond to metrics data tasks.
    • Report issues.
    • Submit issue triage requests.
    • Work on assigned remediation tasks.
    • Work on assigned issues.
    • If there is an integration with Project Portfolio Management:
      • View the Project Risk Overview dashboard
      • Create risks from library.
      • Elevate enterprise risks.
      • Initiate any object assessment.
    		 None