Hi Dan,
As per our process, roles for all systems are Created/Modified by Role Management Team.
But Business Roles Creation/Modification is done GRC Operations and Support Team and this team creates/modifies business roles as per Service Request. This is because Business roles are just containers which hold roles from different systems and main purpose of these roles is to make end user role selection easy based on their appointments or positions.
So, its GRC O&S team sole responsibility to Create/Change the business roles, Execute Risk Analysis and if there are no Violations, send it for approval. In case of violations share the Risk analysis report with Mitigation Approver for analysis and to mitigate the risks (if required).
So, basically Business Roles maintenance should be defined as part of your governance process on who maintains these roles.
Regards,
Madhu.