Roles installed with Risk Management

  • Release version: Yokohama
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Roles installed with Risk Management

    The Risk Management module in ServiceNow includes several roles that enhance user capabilities within the Governance, Risk, and Compliance (GRC) framework. These roles are essential for managing risks effectively and are activated upon the installation of the GRC: Risk Management application. Each role comes with specific permissions that determine the extent of user access and functionality within the application.

    Show full answer Show less

    Key Features

    • Risk Reader [snrisk.reader]: Provides read-only access to the Risk application and allows users to act on assigned issues, access indicator templates, and create risk events.
    • Risk User [snrisk.user]: Combines the capabilities of the Risk Reader and adds the ability to create risks and access advanced risk-related dashboards and functionalities.
    • Risk Manager [snrisk.manager]: Expands user permissions to include creating issues, risk frameworks, and remediation tasks, along with comprehensive dashboard access.
    • Risk Admin [snrisk.admin]: Grants full administrative capabilities, including the ability to create and delete risk frameworks and modify risk criteria.
    • Assessment Creator [snrisk.asmtcreator]: Specifically for creating GRC risk assessment metric types.
    • GRC Business User [sngrc.businessuser]: Enables users to perform various tasks related to risk assessments, including creating response tasks and reporting issues.

    Key Outcomes

    By leveraging these roles, ServiceNow customers can effectively manage their risk management processes, enhance collaboration among team members, and ensure compliance with regulatory requirements. Each role is tailored to meet specific needs, allowing users to work efficiently within their designated capacities while ensuring that risk management activities are thoroughly documented and managed.

    Roles are added with activation of GRC: Risk Management.

    Table 1. Roles installed
    Role title [name] Description Contains roles
    Risk Reader

    [sn_risk.reader]

    		 In addition to the inherited permissions, the risk reader has read-only access rights to the Risk application and modules. The risk reader can do the following in the GRC scope:
    • Act on issues assigned to him.
    • Have read access to all Indicator templates.
    • Can act on indicator tasks assigned to them.
    • Have read-access to indicators.
    • Have read-access to entities.

    The risk reader can do the following in the Risk Management application:

    • Act on the Remediation tasks assigned to them.
    • Have read-access to risks.
    • Take old risk assessment.
    • Have read-access to risk statement and risk framework.
    • Perform advanced risk assessment.
    • Create risk events.
    • Work on risk event tasks and issues.
    • Access all risk events and risk dashboards.
    • Have read-access to feedback.
    • sn_grc.reader
    • survey_reader
    • sn_rvw_feedback.reader
    Risk User

    [sn_risk.user]

    		 Contains the reader and business user roles in sn_grc scope, and the reader role in the Risk Management application and business user role in the sn_grc scope. In addition to the inherited permissions, the risk user can view:
    • entity types
    • entities
    • risks
    • remediation tasks
    • control
    • control objectives
    • policy exceptions

    The risk user can also create risks. The risk user can be assigned risks and has read-only access to the Policy and Compliance Management application and modules. Risk user can do everything that the risk reader can do. The risk reader can do the following in the Risk Management application:

    • Work on risk acceptance tasks and remediation tasks.
    • Create risks.
    • Access the Advanced Risk related dashboards.
    • Have read-access to the risk identification functionality of Advanced Risk and can take assessment related to risk identification.
    • Create assessment scope.
    • sn_grc.user
    • sn_compliance.reader
    • sn_risk.reader
    • survey_reader
    • sn_grc.business_user
    • sn_risk_advanced.ara_creator
    Risk Manager

    [sn_risk.manager]

    		 Contains the reader, user, and manager roles in sn_grc scope, and the reader and user roles in the Risk Management application. In addition to the inherited permissions, the risk manager can do the following in the GRC scope
    • Create issues and issue ratings.
    • Create entity, entity types, and entity classes and class rules.
    • Create content references.
    • Create indicators and indicator templates.
    • Have read-access to entity tier.

    In the Risk Management application, the risk manager can:

    • Create risk frameworks
    • Create risk statements
    • Create risks
    • Create risk event response template.
    • Create risk identifications and can view the dashboard related to risk identification.
    • Create remediation tasks.
    • Create assessment scheduler.
    • Associate risk statements to Information objects using Associate risk statements module.
    • sn_grc.manager
    • sn_risk.user
    Risk Admin

    [sn_risk.admin]

    		 Contains the reader, user, manager, and admin roles in sn_grc scopes, and the reader, user, and manager roles in the Risk Management application. In addition to the inherited permissions, in the GRC scope, the risk admin can create an entity tier. In the Risk Management application, the risk administrator can:
    • Delete risk frameworks.
    • Delete entity, tables, indicator, risks, issues, tasks.
    • Create risk statements and risks.
    • Modify admin properties.
    • Modify risk criteria.
    • Create causes and consequences of risk event.
    • Access to risk, advanced risk related properties.
    • Create risk identification configuration.
    • Create a risk assessment methodology, all types of factors.
    • Perform administrative activities.
    • Configure a feedback integration setup for any record type.
    • sn_grc.admin
    • sn_risk.user
    • sn_risk.manager
    • sn_grc_appr.admin
    • sn_rvw_feedback.admin
    Assessment Creator

    [sn_risk.asmt_creator]

    		 The assessment creator is used for creating GRC risk assessment metric types. assessment_admin
    GRC Business User

    [sn_grc.business_user]

    		 Users with this role can perform the following tasks:
    • Take risk assessment.
    • Create risk response tasks.
    • View risk statements.
    • View risk assessment scope.
    • View and report risk events.
    • Work on assigned risk event tasks.
    • View indicator supporting data.
    • Respond to indicator tasks.
    • Respond to risk identification questionnaire.
    • Respond to metrics data tasks.
    • Report issues.
    • Submit issue triage requests.
    • Work on assigned remediation tasks.
    • Work on assigned issues.
    • If there is an integration with Project Portfolio Management:
      • View the Project Risk Overview dashboard
      • Create risks from library.
      • Elevate enterprise risks.
      • Initiate any object assessment.
    		 None