
Overview


ZenGRC provides a state-based risk management workflow that automatically triggers the ability to create tasks between certain risk statuses. These tasks are pre-filled with information from customized templates maintained by your organization and can be used as follows:

  • To gather feedback and promote awareness between risk stakeholders.
  • To describe the work that needs to be done for the appropriate assignee.
  • Or, they can simply be canceled without creating the task.

IMPORTANT

Risk objects follow a different status set-up from other ZenGRC objects. Statuses can be reviewed at Risk Management Statuses.

How Tasks Are Triggered in Your Workflow


The following outlines when and how tasks are displayed in the risk workflow:

  • The actionable drop-down that triggers a new task is located below the risk name on the details page and only displays when the risk is in the following statuses:
    • Assessed
    • Remediate
    • In Remediation
  • All risk owners can transfer statuses through the actionable drop-down, but only administrators receive the task pop-up, since only they can create/delegate tasks. It may be worth reviewing the roles of risk owners should you wish for them to utilize this part of the workflow.
  • A new task displays immediately after a status in the actionable drop-down is selected.
  • When a risk is in an Assessed status and a new status is selected, the following occurs (even if you cancel the task that displays):
    • Accept transfers the risk to Accepting.
    • Avoid transfers the risk to Avoiding.
    • Transfer transfers the risk to Transferring.
    • Remediate transfers the risk to In Remediation.
  • When a risk is in an In Remediation status and a new status is selected, the following occurs (even if you cancel the task that displays):
    • Accept transfers the risk to Accepting.
    • Avoid transfers the risk to Avoiding.
    • Transfer transfers the risk to Transferring.
  • Task details are automatically populated from the templates.
  • A task can be cancelled without interrupting the workflow.
  • If a decision is already made about a risk, you can quickly transfer it to one of the final steps (Accepted, Avoided, Transferred, or Closed) by using the Status drop-down in the top right. However, this does not trigger a task, and it overrides the prescriptive workflow of the actionable drop-down.

The following graphic displays a green dot between the statuses where tasks display. A larger version of the workflow with all risk statuses is at Risk Management Statuses.

Task Templates Overview


Templates can populate six fields in a task and include the following:

  • Title
  • Description
  • Assignees
  • Reviewers
  • Verifiers
  • Related object. This is a locked field that automatically maps the task to the active risk.

Using Variables

The template Title and Description fields can hold variables, which automatically insert information from the risk into the task to reduce mistakes and misinformation.

The three variables are:

  • %object_title% - Used to populate the risk title into the title of the task.
  • %object_description% - Used to populate the risk's description into the task.
  • %object% - Used only in the Related Object field. It is a direct link to the risk being transferred to the new status and cannot be deleted or changed.

More information about variables is provided in the following sections.
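The status transitions, the task trigger points and the template variables described above, modelled together as an added example (this is not ZenGRC code; the template wording, the admin-only pop-up check and the `select` / `render_task` function names are assumptions made for illustration):

```python
# Constructed model of the risk workflow and task templates this page describes. It is
# not ZenGRC code; the template wording is a made-up example of what an organization
# might configure under Settings | Risk Settings | Tasks.
from dataclasses import dataclass

# Actionable drop-down selections offered in each status, and the status each leads to.
ACTIONABLE = {
    "Identified": {"Assess": "Under Assessment"},
    "Under Assessment": {"Complete Assessment": "Assessed"},
    "Assessed": {"Accept": "Accepting", "Avoid": "Avoiding",
                 "Transfer": "Transferring", "Remediate": "In Remediation"},
    "In Remediation": {"Accept": "Accepting", "Avoid": "Avoiding", "Transfer": "Transferring"},
}
# Selections that open a pre-filled task: (title template, description template).
TASK_TEMPLATES = {
    "Accept": ("Accept: %object_title%", "Note any conditions for acceptance. %object_description%"),
    "Avoid": ("Avoid: %object_title%", "Document how the risk's activities are avoided. %object_description%"),
    "Transfer": ("Transfer: %object_title%", "Confirm the transfer and to whom. %object_description%"),
    "Remediate": ("Remediate: %object_title%", "Map new controls to the risk for monitoring. %object_description%"),
}

@dataclass
class Risk:
    title: str
    description: str
    status: str = "Draft"

def render_task(template: tuple, risk: Risk) -> dict:
    """Expand %object_title% and %object_description%; the related object (%object%) is locked to the risk."""
    def expand(text: str) -> str:
        return text.replace("%object_title%", risk.title).replace("%object_description%", risk.description)
    return {"title": expand(template[0]), "description": expand(template[1]), "related_object": risk}

def select(risk: Risk, choice: str, is_admin: bool = True):
    """Apply an actionable drop-down choice; returns (new status, pre-filled task or None).
    The status changes even if the task pop-up is later cancelled instead of saved."""
    options = ACTIONABLE.get(risk.status, {})
    if choice not in options:
        raise ValueError(f"{choice!r} is not offered while the risk is {risk.status}")
    risk.status = options[choice]
    # Only administrators receive the task pop-up, since only they can create/delegate tasks.
    task = render_task(TASK_TEMPLATES[choice], risk) if is_admin and choice in TASK_TEMPLATES else None
    return risk.status, task

def set_status_directly(risk: Risk, status: str) -> str:
    """The Status drop-down in the top right: jumps to a final step (e.g. Closed) with no task."""
    risk.status = status
    return risk.status
```

Walking a risk from Identified through Assessed into In Remediation with `select` shows that Remediate is no longer offered afterwards, and that a non-administrator owner still moves the status but receives no task.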

Setting up the Task Templates


The task templates contain text and variables determined by ZenGRC experts. However, the templates can be altered to suit your organization's needs.

To review or alter templates, complete the following steps:

  1. Click Settings | Risk Settings.
  2. Select the Tasks tab.
  3. The Accept - Task Template is listed first. Scroll to see additional templates. The screenshot below highlights in red the variables that pull associated risk information into the generated task.
  4. If there are personnel who always review tasks at a certain stage, add them to the Assignees, Reviewers, or Verifiers fields. The fields can be altered when the task is generated.
  5. Select Notify Assignee if the user in the Assignee field should be emailed when the task is saved. This only functions if you have instant notifications activated.
  6. Click Save at the bottom of the page. This saves the changes to all templates.

Following the Risk Workflow


ZenGRC provides a suggested workflow using statuses that can be viewed at Risk Management Statuses. This workflow begins with the Draft and Identified statuses.

The risk must first be assessed before activities such as avoidance or mitigation can take place.

Assessing the Risk

Once a risk is in an Identified status, the following workflow can be followed:

  1. Click the Assess button below the risk name. (This changes to the actionable drop-down after click.)
  2. The status changes to Under Assessment and the risk scoring tab opens for scoring the risk.
  3. Select the risk scoring options and click Calculate. During this status, we recommend just scoring inherent risks. If the risk goes to remediation, the residual risks can then be calculated.
  4. After the scoring is calculated, click Complete Assessment under the risk name.
  5. The button becomes the actionable drop-down, with selections that trigger task creation and branch the workflow.
  6. The risk, now in an Assessed status, has the following selections in the drop-down:
      1. Accept
      2. Avoid
      3. Transfer
      4. Remediate

Remediating the Risk

After a risk is placed in an Assessed status, the following workflow can be used when Remediate is selected in the actionable drop-down:

  1. Click the Start Remediation button below the risk name. (This changes to the actionable drop-down after click.)
  2. The status changes to In Remediation and a new task displays using the Remediate - Task Template.
  3. The risk name populates the task Title field where the variable was placed in the template.
  4. Alter the task as needed.
  5. Click Save, or cancel the task altogether; the risk changes to In Remediation even if the task is cancelled.
  6. The newly created task displays in the risk's Mapped Objects tab.
  7. If the remediation involves putting new controls in place, the task assignee should map the controls to the risk in order to enable monitoring.
  8. The actionable button now displays Accept, Avoid and Transfer.
  9. Selecting any of these puts the risk into the same workflow as described in the scenarios below.

Accepting the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Accept is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Accept - Task Template.
  2. The risk name populates the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save, or cancel the task altogether.
  4. The risk changes to Accepting (even if the task is cancelled).
  5. The newly created task displays in the risk's Mapped Objects tab.
  6. If the task assignee has conditions that must be met before the risk can be accepted, they must be noted in the task prior to acceptance.
  7. Once all steps are taken, the task assignee or the risk owner clicks Complete Acceptance in the risk.
  8. The risk and the task can then be closed.

Transferring the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Transfer is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Transfer - Task Template.
  2. The risk name populates the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save, or cancel the task altogether.
  4. The risk status changes to Transferring (even if the task is cancelled).
  5. The newly created task displays in the risk's Mapped Objects tab.
  6. The task assignee must document confirmation that the risk has been successfully transferred, along with to whom and/or to which department.
  7. Once all steps are taken, the task assignee or the risk owner clicks Complete Transfer in the risk.
  8. The risk and the task can then be closed.

Avoiding the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Avoid is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Avoid - Task Template.
  2. The risk name populates the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save, or cancel the task altogether.
  4. The risk status changes to Avoiding.
  5. The newly created task now displays in the risk's Mapped Objects tab.
  6. Alternatively, click Cancel to close the dialog without creating the task, or click Save & Add Another to create additional tasks. If you decide to cancel the task, the risk will still be transferred to the new status.
  7. The task assignee needs to document how the activities leading to the risk will now be avoided.
  8. Once all steps are taken, the task assignee or the risk owner clicks Complete Avoidance in the risk.
  9. The risk and the task can then be closed.