
Overview


ZenGRC provides a status-based risk management workflow that automatically triggers the ability to create tasks between certain risk, threat, and vulnerability statuses. These tasks are pre-filled with information from customized templates maintained by your organization and can be used as follows:

  • To gather feedback and promote awareness among risk stakeholders.
  • To describe the work that needs to be done for the appropriate assignees.
  • Alternatively, the pop-up can simply be cancelled so that no task is created.

IMPORTANT

Risk objects follow a different status setup from other ZenGRC objects. Statuses can be reviewed at Risk Management Statuses.


How Tasks Are Triggered in Your Risk Workflow


Since tasks provide email notifications for completing an assignment, they can play a powerful role in your risk management plan. You can use them to request information from multiple users, thereby allowing information gathering and review in between your risk statuses.

The following graphic displays a green dot between statuses where tasks display. A larger version of the workflow with all risk statuses is at Risk Management Statuses.

The following outlines the functionality of when and how tasks are displayed in the risk workflow:

  • To trigger the creation of a new task, the risk must be in one of the following statuses:
    • Assessed
    • Remediate
    • In Remediation
  • Once the risk is in one of the above statuses, an actionable drop-down displays with the following selections:
    • Accept
    • Avoid
    • Transfer
    • Remediate



  • A new task displays immediately after a status in the actionable drop-down is selected. All risk owners can transfer statuses through the drop-down, but only administrators receive the task pop-up, since only they can create or delegate tasks. It may be worth reviewing the roles of risk owners if you want them to use this part of the workflow.
  • Task details are automatically populated from the templates.
  • A task can be cancelled without interrupting the workflow.
  • If a decision is already made about a risk, you can quickly transfer it to one of the final steps (Accepted, Avoided, Transferred, or Closed) by using the Status drop-down in the top right. However, this does not trigger a task, and it overrides the prescriptive workflow of the actionable drop-down.

How Tasks Are Triggered in Your Threat or Vulnerability Workflow


Tasks for threats and vulnerabilities are used in the same manner as for risks. However, there is only one status selection that triggers the automatic creation of a task. Please see the documentation under Following the Threat and Vulnerability Workflows.

Customizing Task Templates for Your Workflows


The task templates contain text and variables determined by ZenGRC experts, and they are automatically created when a risk object meets the criteria outlined in How Tasks Are Triggered in Your Workflow. However, the templates can be altered to suit your organization's needs. And once they are triggered, they can be adjusted further if needed.

Workflow Groups

Selecting one will show all the steps involved in that workflow group. The available groups include:

  • Risk Workflow
  • Threat Workflow
  • Vulnerability Workflow

Workflow Steps

Steps are shown for each workflow group. Each step is composed of the setup fields and the object template fields. The setup fields involve the following:

  • Object - Specifies which object the step will activate.
  • Event - What triggers the step activation.
  • Outcome - Shows the event’s result.
  • Action - Specifies the object template that is created. In this beta release, these setup fields can’t be modified, but that will change in upcoming releases. 

Altering the Templates

To review or alter templates, complete the following steps:

  1. Click Settings | Workflows. (Prior to July 2020, these existed on the Tasks tab on the Risk Settings page.)
  2. Select a workflow group in the left column and click a template name to display editable fields.



  3. The below screenshot highlights variables in red that pull associated risk information into the generated task. See Using Variables in the next section.



  4. If there are personnel who always review tasks at certain stages, add them to the Assignees, Reviewers, or Verifiers fields. The fields can be altered when the task is generated.
  5. Select Notify Assignee if the user in the Assignee field should be emailed when the task is saved. This only functions if you have instant notifications activated.
  6. Click Save at the top of the page. This saves changes to all templates.

Using Variables

The template Title and Description fields can hold variables, which automatically insert information from the risk, threat, or vulnerability into the task to reduce mistakes and misinformation.

The three variables include:

  • %object_title% - Populates the risk title into the title of the task.
  • %object_description% - Populates the risk's description into the task.
  • %object% - Used only in the Related Object field. It provides a direct link to the risk being transferred to the new status and cannot be deleted or changed.
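As an added illustration (not ZenGRC code), the following Python models the rules described on this page: which statuses offer the actionable drop-down, which status each selection leads to, that only the actionable drop-down creates a task (and that the status still changes when the pop-up task is cancelled), and how the template variables are filled in. The function names, the sample template and the example risk are assumptions made for the illustration.

```python
# Added illustration, not ZenGRC code: models the task-triggering rules this
# page documents (trigger statuses, actionable selections, template variables).
TASK_TRIGGER_STATUSES = {"Assessed", "Remediate", "In Remediation"}
ACTIONABLE = {"Accept": "Accepting", "Avoid": "Avoiding",      # selection -> new status
              "Transfer": "Transferring", "Remediate": "In Remediation"}
FINAL_STATUSES = {"Accepted", "Avoided", "Transferred", "Closed"}  # Status drop-down only

# Constructed sample template, shaped like the page's Remediate template.
SAMPLE_TEMPLATES = {
    "Remediate": {"title": "Remediate: %object_title%",
                  "description": "Plan remediation for: %object_description%",
                  "assignees": ["risk.analyst@example.invalid"]},
}

def available_selections(status):
    """Selections offered by the actionable drop-down in a given status."""
    if status not in TASK_TRIGGER_STATUSES:
        return []
    if status == "In Remediation":  # page: button now shows Accept, Avoid, Transfer
        return ["Accept", "Avoid", "Transfer"]
    return ["Accept", "Avoid", "Transfer", "Remediate"]

def render_template(text, risk):
    """Fill the two text variables the page documents."""
    return (text.replace("%object_title%", risk["title"])
                .replace("%object_description%", risk["description"]))

def actionable_transition(risk, selection, templates=SAMPLE_TEMPLATES, keep_task=True):
    """Apply an actionable drop-down selection; returns (new_status, task or None).
    The status changes even when the pop-up task is cancelled (keep_task=False)."""
    if selection not in available_selections(risk["status"]):
        raise ValueError(f"{selection!r} is not offered in status {risk['status']!r}")
    task = None
    if keep_task:
        tmpl = templates[selection]
        task = {"title": render_template(tmpl["title"], risk),
                "description": render_template(tmpl["description"], risk),
                "related_object": risk["title"],  # %object%: fixed link to the risk
                "assignees": list(tmpl.get("assignees", []))}
    return ACTIONABLE[selection], task

def status_dropdown_transition(risk, new_status):
    """Direct jump via the top-right Status drop-down: final statuses only, no task."""
    if new_status not in FINAL_STATUSES:
        raise ValueError(f"{new_status!r} is not a final status")
    return new_status, None
```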

Enabling and Disabling the Workflow Templates

By default, all templates are enabled. But they can be easily disabled without deleting content by selecting the Enabled toggle located in the top right of each template.

Rearranging the Templates

The template order can be rearranged by dragging the handle in the middle of the block. Template order has no impact on when the tasks are triggered.


Following the Risk Workflow


ZenGRC provides a suggested workflow using statuses that can be viewed at Risk Management Statuses. This workflow begins with Draft and Identified statuses.

The risk must first be assessed prior to activities such as avoidance or mitigation.

Assessing the Risk

Once a risk is in an Identified status, the following workflow can then be followed:

  1. On the risk, click the Assess button below the risk name. (This changes to the actionable drop-down after it is clicked.)



  2. The status changes to Under Assessment and the risk scoring tab opens for scoring the risk.
  3. Select scoring options and click Calculate.

    TIP

    At this point, we recommend just scoring inherent risks. If the risk goes to remediation, then the residual risks can be calculated.




  4. After calculating the scoring, click Complete Assessment under the risk name. The button becomes the actionable drop-down with selections to trigger task creation.
  5. The risk, now in an Assessed status, has the following selections in the actionable drop-down:
    1. Accept
    2. Avoid
    3. Transfer
    4. Remediate


Remediating the Risk

After a risk is placed in an Assessed status, the following workflow can be used when Remediate is selected in the actionable drop-down:

  1. Click the Start Remediation button below the risk name. (This changes to the actionable drop-down after it is clicked.)



  2. The status changes to In Remediation and a new task displays using the Remediate template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow. 
  3. The risk name populates the task Title field where the variable was placed in the template.



  4. Alter the task as needed.
  5. Click Save and the risk changes to In Remediation (even if the task is cancelled).
  6. The newly created task displays in the risk's Mapped Objects tab.
  7. If the remediation involves putting new controls in place, the task assignee should map the controls to the risk in order to enable monitoring.
  8. The actionable button now displays Accept, Avoid and Transfer.
  9. The selection of any of these puts the risk into the same workflow as described in the below scenarios.

Accepting the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Accept is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Accept template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow.
  2. The risk name populates the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save.
  4. The risk changes to Accepting (even if the task is cancelled).
  5. The newly created task displays in the risk's Mapped Objects tab.
  6. If the task assignee has conditions required before the risk can be accepted, they must be noted in the task prior to acceptance.
  7. Once all steps are taken, the task assignee or the risk owner clicks Complete Acceptance in the risk.
  8. The risk and the task can then be closed. 

Avoiding the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Avoid is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Avoid template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow.
  2. The risk name populates in the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save.
  4. The risk status changes to Avoiding.
  5. The newly created task displays in the risk's Mapped Objects tab.
  6. The task assignee needs to document how activities leading to the risk will now be avoided.
  7. Once all steps are taken, the task assignee or the risk owner then clicks Complete Avoidance in the risk.
  8. The risk and the task can then be closed. 

Transferring the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Transfer is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Transfer template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow. 
  2. The risk name populates in the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save.
  4. The risk status changes to Transferring (even if the task is cancelled).
  5. The newly created task displays in the risk's Mapped Objects tab.
  6. The task assignee must document confirmation that the risk has been successfully transferred, along with to whom and/or what department.
  7. Once all steps are taken, the task assignee or the risk owner clicks Complete Transfer in the risk.
  8. The risk and the task can then be closed. 

Following the Threat and Vulnerability Workflows


ZenGRC provides suggested threat and vulnerability workflows. These workflows each have one status where a task is automatically triggered.

Identifying the Threat or Vulnerability

After a threat or vulnerability is placed in a Draft status, the following workflow can be used:

  1. Click Identify.



  2. A new task displays and is populated with information from the Identify template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow.
  3. The threat or vulnerability name populates in the task Title field where the variable was placed in the template.
  4. Alter the task as needed and click Save.
  5. The newly created task displays in the object's Mapped Objects tab.
  6. The task assignee is asked to set an owner, write a detailed description, and map to related objects before changing the threat or vulnerability to the next status.
  7. Once all steps are taken, the task assignee or the object owner then clicks Assess, which moves the object to an Under Assessment status.
  8. The actionable drop-down displays with options for Accept, Avoid, Transfer, or Remediate.



  9. The object now follows the workflow found at Risk Management Statuses. Note that for threats and vulnerabilities, the only task template triggered is after clicking Identify in the first step.

