Overview


ZenGRC provides a state-based risk management workflow that automatically offers to create a task when a risk moves between certain statuses. These tasks are pre-filled with information from customized templates maintained by your organization and can be used as follows:

  • To gather feedback and promote awareness among risk stakeholders.
  • To describe the work that needs to be done for the appropriate assignee.
  • Alternatively, the task can simply be cancelled without being created.

IMPORTANT: Risk objects follow a different status setup from other ZenGRC objects. Statuses can be reviewed at Risk Management Statuses.

How Tasks Are Triggered in Your Workflow


The following outlines when and how tasks are displayed in the risk workflow:

  • The actionable drop-down that triggers a new task is located below the risk name on the details page and only displays when the risk is in one of the following statuses:
    • Assessed
    • Remediate
    • In Remediation

  • All risk owners can transfer statuses through the actionable drop-down, but only administrators receive the task pop-up, since only they can create and delegate tasks. Review the roles of your risk owners if you want them to use this part of the workflow.
  • A new task displays immediately after a status in the actionable drop-down is selected.
  • Task details are automatically populated from the templates.
  • A task can be cancelled without interrupting the workflow.
  • If a decision has already been made about a risk, you can transfer it directly to one of the final statuses (Accepted, Avoided, Transferred, or Closed) using the Status drop-down in the top right. However, this does not trigger a task, and it bypasses the prescriptive workflow of the actionable drop-down.

The following graphic displays a green dot between the statuses where tasks display. A larger version of the workflow with all risk statuses is at Risk Management Statuses.

Task Templates Overview


Templates can populate the following six fields in a task:

  • Title
  • Description
  • Assignees
  • Reviewers
  • Verifiers
  • Related object. This is a locked field that automatically maps the task to the active risk.

Using Variables

The template Title and Description fields can hold variables, which automatically insert information from the risk into the task to reduce mistakes and misinformation.

The three variables are:

  • %object_title% - Populates the risk title into the title of the task.
  • %object_description% - Populates the risk's description into the task.
  • %object% - Used only in the Related Object field. It is a direct link to the risk being transferred to the new status and cannot be deleted or changed.

More information about variables is provided in the following sections.

Setting up the Task Templates


The task templates contain text and variables determined by ZenGRC experts. However, the templates can be altered to suit your organization's needs.

To review or alter templates, complete the following steps:

  1. Click Settings | Risk Settings.
  2. Select the Tasks tab.
  3. The Accept - Task Template is listed first. Scroll to see additional templates. The screenshot below highlights in red the variables that pull associated risk information into the generated task.
  4. If there are personnel who always review tasks at a certain stage, add them to the Assignees, Reviewers, or Verifiers fields. These fields can still be altered when the task is generated.
  5. Select Notify Assignee if the user in the Assignee field should be emailed when the task is saved. This only functions if you have instant notifications activated.
  6. Click Save at the bottom of the page. This saves the changes to all templates.

Following the Risk Workflow


ZenGRC provides a suggested workflow using statuses that can be viewed at Risk Management Statuses. This workflow begins with Draft and Identified statuses.

The risk must first be assessed prior to activities such as avoidance or mitigation.

Assessing the Risk

Once a risk is in an Identified status, the following workflow can then be followed:

  1. Click the Assess button below the risk name. (This changes to the actionable drop-down after the click.)
  2. The status changes to Under Assessment and the risk scoring tab opens for scoring the risk.
  3. Select scoring options and click Calculate. During this status, we recommend scoring only inherent risks. If the risk goes to remediation, the residual risks can be calculated then.
  4. After calculating the scoring, click Complete Assessment under the risk name. The button becomes the actionable drop-down with selections that trigger task creation.
  5. The risk, now in an Assessed status, has the following selections in the drop-down:
    1. Accept
    2. Avoid
    3. Transfer
    4. Remediate

Remediating the Risk

After a risk is placed in an Assessed status, the following workflow can be used when Remediate is selected in the actionable drop-down:

  1. Click the Start Remediation button below the risk name. (This changes to the actionable drop-down after the click.)
  2. The status changes to In Remediation and a new task displays using the Remediate - Task Template.
  3. The risk name populates the task Title field where the variable was placed in the template.
  4. Alter the task as needed and click Save, or cancel the task altogether. The risk changes to In Remediation either way (even if the task is cancelled).
  5. The newly created task now displays in the risk's Mapped Objects tab.
  6. If the remediation involves putting new controls in place, the task assignee should map the controls to the risk in order to enable monitoring.
  7. The actionable button now displays Accept, Avoid and Transfer.
  8. Selecting any of these puts the risk into the corresponding workflow described in the scenarios below.

Accepting the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Accept is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Accept - Task Template.
  2. The risk name populates the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save, or cancel the task altogether.
  4. The risk changes to Accepting (even if the task is cancelled).
  5. The newly created task displays in the risk's Mapped Objects tab.
  6. If the task assignee has conditions that must be met before the risk can be accepted, they must be noted in the task prior to acceptance.
  7. Once all steps are taken, the task assignee or the risk owner clicks Complete Acceptance in the risk.
  8. The risk and the task can then be closed.

Transferring the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Transfer is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Transfer - Task Template.
  2. The risk name populates the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save, or cancel the task altogether.
  4. The risk status changes to Transferring (even if the task is cancelled).
  5. The newly created task displays in the risk's Mapped Objects tab.
  6. The task assignee must document confirmation that the risk has been successfully transferred, along with to whom and/or to what department.
  7. Once all steps are taken, the task assignee or the risk owner clicks Complete Transfer in the risk.
  8. The risk and the task can then be closed.

Avoiding the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Avoid is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Avoid - Task Template.
  2. The risk name populates the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save, or cancel the task altogether.
  4. The risk status changes to Avoiding.
  5. The newly created task displays in the risk's Mapped Objects tab.
  6. The task assignee needs to document how the activities leading to the risk will now be avoided.
  7. Once all steps are taken, the task assignee or the risk owner clicks Complete Avoidance in the risk.
  8. The risk and the task can then be closed.
  9. In any of these task dialogs, you can alternatively click Cancel to close the dialog without creating the task, or click Save & Add Another to create additional tasks.