Overview


ZenGRC provides a state-based risk management workflow that automatically offers to create a task when a risk moves between certain statuses. These tasks are pre-filled from templates maintained by your organization and can be used:

  • To gather feedback and promote awareness among risk stakeholders.
  • To describe the work to be done for the appropriate assignee.

A pre-filled task can also simply be cancelled; the status change still goes through and no task is created.

Note

IMPORTANT: Risk objects use a different set of statuses from other ZenGRC objects. The statuses are listed at Risk Management Statuses.

How Tasks Are Triggered in Your Workflow


The following describes when and how tasks appear in the risk workflow:

  • The actionable drop-down that triggers a new task sits below the risk name on the details page and is shown only when the risk is in one of the following statuses:
    • Assessed
    • Remediate
    • In Remediation

  • All risk owners can change the status through the actionable drop-down, but only administrators see the task pop-up, because only administrators can create and delegate tasks. If risk owners should be able to use this part of the workflow, review their roles first, bearing in mind that the role that grants task creation also grants its other permissions.
  • The pre-filled task appears immediately after a status is selected in the actionable drop-down.
  • Task details are populated automatically from the templates.
  • A task can be cancelled without interrupting the workflow; the status change still takes effect.
  • If a decision about a risk has already been made, you can move it straight to one of the final statuses (Accepted, Avoided, Transferred, or Closed) with the Status drop-down in the top right. This does not trigger a task and bypasses the prescriptive workflow of the actionable drop-down.

The following graphic marks with a green dot the status transitions at which a task appears. A larger version of the workflow with all risk statuses is at Risk Management Statuses.


Task Templates Overview


A template can populate six fields of a task:

  • Title
  • Description
  • Assignees
  • Reviewers
  • Verifiers
  • Related object. This is a locked field that automatically maps the task to the active risk.

Using Variables

The template Title and Description fields can hold variables, which automatically insert information from the risk into the task to reduce mistakes and misinformation.

The three variables are:

  • %object_title% - Inserts the risk title (typically into the task title).
  • %object_description% - Inserts the risk's description into the task.
  • %object% - Used only in the Related Object field. It is a direct link to the risk being moved to the new status and cannot be deleted or changed.

More information about variables is provided in the following sections.

Setting up the Task Templates


The task templates contain text and variables determined by ZenGRC experts. However, the templates can be altered to suit your organization's needs.

To review or alter templates, complete the following steps:

  1. Click Settings | Risk Settings.
  2. Select the Tasks tab.


  3. The Accept - Task Template is listed first; scroll to see the other templates. In the screenshot below, the variables that pull risk information into the generated task are highlighted in red.


  4. If particular people always handle tasks at a given stage, add them to the template's Assignees, Reviewers, or Verifiers fields. These fields can still be changed on the generated task.
  5. Select Notify Assignee if the user in the Assignee field should be emailed when the task is saved. This only works if instant notifications are enabled.
  6. Click Save at the bottom of the page. This saves the changes to all templates.

Following the Risk Workflow


ZenGRC provides a suggested workflow of statuses, which can be viewed at Risk Management Statuses. The workflow begins with the Draft and Identified statuses.

A risk must be assessed before activities such as avoidance or remediation can begin.

Assessing the Risk

Once a risk is in the Identified status, follow these steps:

  1. Click the Assess button below the risk name. (After the click, the button becomes Complete Assessment.)


  2. The status changes to Under Assessment and the risk scoring tab opens.
  3. Select the scoring options and click Calculate. At this stage we recommend scoring only inherent risk; residual risk can be scored if the risk goes to remediation.


  4. After calculating the score, click Complete Assessment under the risk name. The button becomes the actionable drop-down, whose selections trigger task creation.
  5. The risk, now in the Assessed status, offers the following selections in the drop-down:
    1. Accept
    2. Avoid
    3. Transfer
    4. Remediate


Remediating the Risk

Once a risk is in the Assessed status and Remediate is selected in the actionable drop-down:

  1. Click the Start Remediation button below the risk name. (After the click, the button becomes the actionable drop-down.)


  2. The status changes to In Remediation and a new task appears, pre-filled from the Remediate - Task Template.
  3. The risk name populates the task Title field wherever the variable was placed in the template.


  4. Alter the task as needed.
  5. Click Save, or cancel the task altogether; the risk stays In Remediation either way.
  6. The newly created task appears in the risk's Mapped Objects tab.
  7. If remediation involves putting new controls in place, the task assignee should map those controls to the risk so that they can be monitored.
  8. The actionable button now offers Accept, Avoid, and Transfer.
  9. Selecting any of these puts the risk into the corresponding workflow described below.

Accepting the Risk

Once a risk is in the Assessed or In Remediation status and Accept is selected in the actionable drop-down:

  1. A new task appears, pre-filled from the Accept - Task Template.
  2. The risk name populates the task Title field wherever the variable was placed in the template.
  3. Alter the task as needed and click Save, or cancel the task altogether.
  4. The risk changes to Accepting (even if the task is cancelled).
  5. The newly created task appears in the risk's Mapped Objects tab.
  6. Any conditions that must be met before the risk can be accepted must be recorded in the task before acceptance.
  7. Once all steps are complete, the task assignee or the risk owner clicks Complete Acceptance on the risk.
  8. The risk and the task can then be closed.

Transferring the Risk

Once a risk is in the Assessed or In Remediation status and Transfer is selected in the actionable drop-down:

  1. A new task appears, pre-filled from the Transfer - Task Template.
  2. The risk name populates the task Title field wherever the variable was placed in the template.
  3. Alter the task as needed and click Save, or cancel the task altogether.
  4. The risk status changes to Transferring (even if the task is cancelled).
  5. The newly created task appears in the risk's Mapped Objects tab.
  6. The task assignee must document confirmation that the risk has been transferred, including to whom and/or to which department.
  7. Once all steps are complete, the task assignee or the risk owner clicks Complete Transfer on the risk.
  8. The risk and the task can then be closed.

Avoiding the Risk

Once a risk is in the Assessed or In Remediation status and Avoid is selected in the actionable drop-down:

  1. A new task appears, pre-filled from the Avoid - Task Template.
  2. The risk name populates the task Title field wherever the variable was placed in the template.
  3. Alter the task as needed and click Save, or cancel the task altogether.
  4. The risk status changes to Avoiding (even if the task is cancelled).
  5. The newly created task appears in the risk's Mapped Objects tab.
  6. The task assignee must document how the activities that give rise to the risk will be avoided.
  7. Once all steps are complete, the task assignee or the risk owner clicks Complete Avoidance on the risk.
  8. The risk and the task can then be closed.
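The sections above (How Tasks Are Triggered in Your Workflow, Using Variables, and the Assess/Remediate/Accept/Transfer/Avoid steps) describe a state machine with a few rules: the status always changes, a pre-filled task is offered only on the green-dot transitions, only an administrator sees that task, and the top-right Status drop-down jumps to a final status with no task. The following Python model is an added example, not ZenGRC code. The status names, the transitions that show a task, the three template variables and the administrator rule are taken from this page; the function and class names, the sample template wording and sample risk, the "Identify" action name, and the statuses reached by the Complete Acceptance/Avoidance/Transfer buttons are assumptions.

```python
"""Executable model of the risk workflow on this page (added example, not ZenGRC code).
From the page: status names, which transitions show a pre-filled task, the three
template variables, and that only administrators see the task. Assumed: names of
functions and classes, the sample template wording and risk, the 'Identify' action,
and the statuses reached by the Complete Acceptance/Avoidance/Transfer buttons.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    title: str
    description: str
    status: str = "Draft"


# (from_status, action) -> (to_status, template to show or None). A template
# name marks a green-dot transition: the actionable drop-down shows a
# pre-filled task when an administrator makes it.
TRANSITIONS = {
    ("Draft", "Identify"): ("Identified", None),                  # action name assumed
    ("Identified", "Assess"): ("Under Assessment", None),
    ("Under Assessment", "Complete Assessment"): ("Assessed", None),
    ("Assessed", "Accept"): ("Accepting", "Accept"),
    ("Assessed", "Avoid"): ("Avoiding", "Avoid"),
    ("Assessed", "Transfer"): ("Transferring", "Transfer"),
    ("Assessed", "Remediate"): ("Remediate", None),
    ("Remediate", "Start Remediation"): ("In Remediation", "Remediate"),
    ("In Remediation", "Accept"): ("Accepting", "Accept"),
    ("In Remediation", "Avoid"): ("Avoiding", "Avoid"),
    ("In Remediation", "Transfer"): ("Transferring", "Transfer"),
    ("Accepting", "Complete Acceptance"): ("Accepted", None),     # target assumed
    ("Avoiding", "Complete Avoidance"): ("Avoided", None),        # target assumed
    ("Transferring", "Complete Transfer"): ("Transferred", None), # target assumed
}

# Targets of the top-right Status drop-down; that path never creates a task.
FINAL_STATUSES = {"Accepted", "Avoided", "Transferred", "Closed"}

# Sample templates (wording assumed). Title and Description may carry the two
# text variables; Related object is the locked %object% link, set by the code.
TEMPLATES = {
    "Accept": {"title": "Accept risk: %object_title%",
               "description": "Record the conditions for acceptance.\n\n%object_description%",
               "assignees": ["risk-committee@example.com"]},
    "Avoid": {"title": "Avoid risk: %object_title%",
              "description": "Document how the activity will be avoided.\n\n%object_description%",
              "assignees": []},
    "Transfer": {"title": "Transfer risk: %object_title%",
                 "description": "Confirm the transfer and to whom.\n\n%object_description%",
                 "assignees": []},
    "Remediate": {"title": "Remediate: %object_title%",
                  "description": "Describe the work; map new controls to the risk.\n\n%object_description%",
                  "assignees": []},
}


def render_task(template: dict, risk: Risk) -> dict:
    """Expand the template variables with values taken from the risk."""
    def expand(text: str) -> str:
        return (text.replace("%object_title%", risk.title)
                    .replace("%object_description%", risk.description))
    return {"title": expand(template["title"]),
            "description": expand(template["description"]),
            "assignees": list(template["assignees"]),
            "related_object": risk}        # %object%: locked link to the risk


def actionable_choices(risk: Risk) -> list:
    """Actions the actionable button/drop-down offers in the current status."""
    return [action for (status, action) in TRANSITIONS if status == risk.status]


def transition(risk: Risk, action: str, actor_is_admin: bool) -> Optional[dict]:
    """Apply an actionable-button action; return the pre-filled task or None.
    The status changes whether the task is saved or cancelled; a task comes back
    only for green-dot transitions made by an administrator."""
    if (risk.status, action) not in TRANSITIONS:
        raise ValueError(f"{action!r} is not available while the risk is {risk.status!r}")
    new_status, template_name = TRANSITIONS[(risk.status, action)]
    risk.status = new_status
    if template_name is None or not actor_is_admin:
        return None
    return render_task(TEMPLATES[template_name], risk)


def set_final_status(risk: Risk, status: str) -> None:
    """Top-right Status drop-down: jump straight to a final status, no task."""
    if status not in FINAL_STATUSES:
        raise ValueError(f"{status!r} is not a final status")
    risk.status = status


if __name__ == "__main__":
    r = Risk("Unpatched VPN appliance", "Edge VPN firmware is past end of support.", "Assessed")  # constructed
    print(transition(r, "Accept", actor_is_admin=True)["title"], "|", r.status)
```

Two behaviours worth noting when reading the model against the page: a risk owner calling transition() still moves the status but gets no task back, which is exactly the gap the roles note above warns about, and set_final_status() reaches Accepted, Avoided, Transferred or Closed without ever touching TEMPLATES, so anything the templates were meant to capture (acceptance conditions, transfer confirmation) is skipped on that path.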