
Overview


BETA FEATURE

The functionality documented here is available to those taking part in our beta program.


ZenGRC provides an extended workflow that automatically triggers the ability to create tasks between certain actions, such as status transitions and risk thresholds. These tasks are pre-filled with information from customized templates maintained by your organization and can be used as follows:

  • To gather feedback and promote awareness between stakeholders.
  • To describe the work that needs to be done for appropriate assignees.
  • Or, they can simply be canceled without creating the task.

IMPORTANT

Risk objects follow a different status setup from other ZenGRC objects. Statuses can be reviewed at Risk Management Statuses.


How Tasks Are Triggered in Your Workflow


Since tasks provide email notifications for completing an assignment, they can play a powerful role in your object management plan. You can use them to request information from multiple users, thereby allowing information gathering and review in between your statuses.

The following graphic displays an example of a risk workflow; the green dot between statuses marks where tasks are triggered. A larger version of the workflow with all risk statuses is at Risk Management Statuses.

The following outlines the functionality of when and how tasks are displayed in the risk workflow:

  • To trigger the creation of a new task, the risk must be in one of the following statuses:
    • Assessed
    • Remediate
    • In Remediation
  • Once the risk is in one of the above statuses, an actionable drop-down displays with the following selections:
    • Accept
    • Avoid
    • Transfer
    • Remediate



  • A new task displays immediately after a status in the actionable drop-down is selected. All risk owners can transfer statuses through the drop-down, but only administrators receive the task pop-up, since only they can create or delegate tasks. It may be worth reviewing the roles of risk owners should you wish for them to utilize this part of the workflow.
  • Task details are automatically populated from the templates.
  • A task can be cancelled without interrupting the workflow.
  • If a decision is already made about a risk, you can quickly transfer it to one of the final steps (Accepted, Avoided, Transferred, or Closed) by using the Status drop-down in the top right. However, this does not trigger a task, and it overrides the prescriptive workflow of the actionable drop-down.


Customizing Your Workflows


The task templates contain text and variables determined by ZenGRC experts, and they are automatically added to the three default workflow groups. However, the templates can be altered to suit your organization's needs. And once they are triggered, they can be adjusted further if needed.

Workflow Groups

The pre-populated groups include:

  • Risk Workflow
  • Threat Workflow
  • Vulnerability Workflow

However, an unlimited number of workflow groups can exist in your instance. To add a workflow group, click the "Create workflow" button on the left side, below the existing workflow groups.

To rename a group, hover over the group title and click the pen icon next to it.

To delete a group, click the trashcan icon next to the title. Keep in mind that deleting a workflow group will also delete all of the existing steps located in that group.

Workflow Steps

An unlimited number of workflow steps can exist in each group. To add a workflow step, click the "Add step" button on the bottom left side of the page, below the existing workflow steps.

To rename a step, hover over the step title and click the pen icon next to it.

To delete a step, click the trashcan icon next to the toggle switch on the right.

Setting Up a Step

Steps can be added to each workflow group. Each step is composed of the setup fields and the object template fields. The setup fields involve the following:

  • Object - Specifies which object the step will activate.
  • Event - What triggers the step activation.
  • Outcome - Shows the event’s result.
  • Action - Specifies the object template that is created.

In this beta release, these setup fields can’t be modified, but that will change in upcoming releases.

Modifying the Setup Fields

  • Object - the currently available objects (for which custom workflows can be created) are Risks, Threats, Vulnerabilities, Issues, and Controls
  • Event - for all objects, the Status transition option is available; Risk objects also have a Threshold reached option:
    • Status transition - If the object is transferred using the actionable button, the task template is triggered
    • Threshold reached - When a risk score is calculated and the score reaches the value defined in the Outcome field, the task template is triggered
  • Outcome - based on the event setup field, the options can be the status transition actions or risk score thresholds
  • Action - currently, the option to create a task is the only available action

NOTE

The ZenGRC objects that can be used in the current workflow feature are:

  • Risks
  • Threats
  • Vulnerabilities
  • Controls
  • Issues


Altering the Templates

To review or alter the templates, complete the following steps:

  1. Select a workflow group in the left column and click the arrow icon next to the step title to display the template's editable fields.



  2. The below screenshot highlights variables in red that pull associated risk information into the generated task. See Using Variables in the next section.



  3. If there are personnel who always review tasks at certain stages, add them to the Assignees, Reviewers, or Verifiers fields. The fields can be altered when the task is generated.
  4. Select Notify Assignee if the user in the Assignee field should be emailed when the task is saved. This only functions if you have instant notifications activated.
  5. Click Save at the bottom of the page. This saves changes to all steps in this group.

Using Variables

The template Title and Description fields can hold variables, which automatically insert information from the objects into the task to reduce mistakes and misinformation.

The three variables include:

  • %object_title% - Populates the object title into the title of the task.
  • %object_description% - Populates the object's description into the task.
  • %object% - Used only in the Related Object field. It provides a direct link to the risk being transferred to the new status and cannot be deleted or changed.
  • %object_url% - Used only in the description field. It provides a link to the main object to which the task is mapped, enabling easier navigation to the required object.

To add a variable into the Title or Description fields, click the blue plus-circle when editing the field, and then select one of the variables from the dropdown. The selected variable will be automatically added to the previous position of the cursor.

Enabling and Disabling the Workflow Steps

By default, all steps are enabled. But they can be easily disabled without deleting content by selecting the Enabled toggle located in the top right of each template.

Rearranging the Steps

The step order can be rearranged by dragging the handle in the middle of the block. The step order has no impact on when the tasks are triggered.


Warning and Error Indicators

Both groups and steps have a little notification circle next to their titles. How to interpret the lights:

  • If the circle is gray - everything is done correctly
  • If the circle is yellow - the changes haven't been saved yet
  • If the circle is red - there is an error in the group or step, and it needs to be fixed before the changes can be saved

Workflow Limitations

There are certain limitations to workflow groups and steps. These need to be taken into account for the workflows to function correctly.

  • All groups and steps need to have a title defined
  • Multiple groups can't be named exactly the same
  • Two steps can't have the setup fields defined exactly the same (even if the steps are nested in different groups)

Following the Workflow


Status Transition

To trigger one of the steps defined through a status transition, the status change needs to be completed through the actionable button located below the object title.


Threshold Reached

To trigger one of the steps defined through a risk score threshold, the specified risk score needs to be calculated on the risk info page → risk scoring tab. When the specified score is calculated, and the result fits in with the predefined threshold, then the task is created.
