User groups determine the applications and fields users can access within the Risk Management app. The app has seven default user groups:
- Risk Team: Users in this group can launch and complete assessments in order to ensure that each risk the company faces has been properly documented. They are the main users of the application and will own the risk management function at the organization (the "second line of defense")
- Risk Limited Users: Users in this group are the first line of defense and act as a catch-all for all light users in the organization. It grants them access to all of the Owner roles listed in the below user groups.
- Risk Owner & Delegate: Users in this group are responsible for risks within the app. Risk owners are business users responsible for documenting controls, determining residual risk, defining each risk's treatment, and determining whether issues or corrective actions are required.
- Control Owner & Delegate: Users in this group are responsible for ensuring a control is adequate for their organization's risks and that control documentation is kept up-to-date.
- Issue Owner & Delegate: These users are responsible for documenting issues discovered during an assessment. The issue owner then creates a corrective action to mitigate the issue, which is assigned to the corrective action owner. Issue owners must monitor corrective actions until they are completed.
- Corrective Action Owner & Delegate: These users manage the corrective actions assigned to them by the issue owner. Corrective action owners must monitor corrective actions until they are completed.
- Indicator Owner: Users in this group are responsible for the key risk indicators assigned to a specific risk. The indicator owner must ensure that the indicator's current value is kept up to date to show whether or not it is within acceptable parameters.
- Loss Event Owner: Users in this group are responsible for providing information relating to the investigation and analysis of an operational risk loss event. The loss event owner will work with the risk team to provide relevant details on losses & recoveries, root cause analysis, and necessary corrective actions.
- Policy Owner: Users in this group are responsible for ensuring policies are up to date, including document the policy narrative, attaching supporting documents to the policy, and adding comments.
- Risk Team (Standard ERM): Users in this group have access to the Standard Risk Management app, a simplified version of the Risk Management app.
- Administrator (Risk Management): Users in this group are able to make changes to app data that regular users cannot . This includes having full access to all object types, being able to create new library objects, and being able to make any workflow transition necessary.