06-10-2025 09:24 PM
Hi Everybody,
Can someone please help me with some clear examples explaining the difference between Risk Events and Issues? What are the scenarios in which we raise Risk Events, and in which cases do we raise Issues?
06-10-2025 09:53 PM
Hi @Sara ,
Reporting an Issue
An employee is reporting a known problem, gap, or failure in a policy, process, or control that needs to be addressed.
Example Scenarios:
- "Access logs are not being reviewed as required."
- "A system control failed and backup was not taken."
- "A third-party contractor violated a data policy."
- "We missed a compliance report deadline."
What happens next:
- The report goes through issue triage.
- It’s assessed for severity, ownership, and remediation.
- It may become a Risk Issue, Compliance Issue, or Audit Issue in ServiceNow.
- Tracked to resolution with due dates and accountable owners.
Used when something is broken or non-compliant and needs to be fixed.
Reporting a Risk Event
An employee is reporting an incident, observation, or occurrence that could impact the organization’s risk profile — even if nothing has failed yet.
- "We received a suspicious email with a malicious link."
- "There was a 5-minute outage in our core banking system."
- "A regulator released a new rule affecting our operations."
- "Customer data was mistakenly emailed — no breach confirmed."
What happens next:
- The event is reviewed to assess its impact on existing risks or to identify new risks.
- It might lead to:
  - Re-evaluating risk scores
  - Creating new risk statements
  - Triggering a formal investigation
- In ServiceNow, it could be linked to existing risks or feed into risk assessments.
Used when something potentially risky occurs, even if no control has failed.
Thanks
Arun
06-11-2025 06:18 PM
Hi Sara,
Correct!! Risk Events are the actual Risk which could happen if a risk materializes.
Issues are either created automatically due to a control testing failure or any automated process as per the workflow and you can create issues manually as well to highlight there is a problem in the process in IRM.
In short, you have got it right in understanding.
Sandeep Dutta
Please mark the answer correct & Helpful, if I could help you.
06-10-2025 09:37 PM
Hi @Sara,
Risk events are potential or actual financial and non-financial losses, near misses, and gains that occur within an organization. Risk events are also known as loss events or loss entries.
To effectively manage risks, it's essential to monitor risk events. You must relate them to existing risks, perform a root-cause analysis, and track the remedial tasks. Organizations use risk events to understand their losses and to manage their risks more efficiently. Risk events do not only lead to losses. At times, risk events also result in gains for an organization. For example, in the banking industry, if there’s an error in a trading algorithm, it might result in a gain for an organization.
Any employee can report a risk event. After a risk event is reported, it is analyzed by the risk manager.
- Concrete data that enables you to better quantify and validate existing risks.
- Visibility into new risks because risk events often recur.
You can view the risk events dashboards by navigating to Risk Events > Overview.
You can measure the effectiveness of your company's risk management program by how quickly and completely it identifies and reacts to risk and compliance issues.
- Employees and business users within your company can self-identify an issue and submit it via the ServiceNow® Service Portal. Following submission, a triage issue is automatically created and the issue triage process begins.
- GRC users can manually create an issue from within their instance to document audit observations and remediations, and compliance and risk issues.
- Control issue: Created when a control attestation is completed, indicating that the control is not implemented, or when an indicator fails.
- Control test issue: Created when a control test is closed complete with the control effectiveness set to Ineffective.
The goals of issue management
The goals of issue management include:
- Eliminating noise.
- Consolidating duplicate issues.
- Focusing on issues that expose the organization to the greatest risk.
- Identifying and prioritizing remediation actions.
- Identifying new issues across the business operations.
- Analyzing operational weakness in policies, processes, and controls.
SO LONG STORY SHORT, YOU SHOULD GO WITH RISK EVENTS TO BE MANAGED USING RISK MANAGEMENT NOT ISSUES.
If the solution is helpful, please mark it as helpful.
Thanks
Arun
06-11-2025 06:14 PM
Hi @Arun_Manoj ,
If you are copying from another answer, please mention or provide a reference to the source.
This was copied from this answer: https://www.servicenow.com/community/grc-forum/risk-events-vs-issue-management/m-p/2907188/page/2
which was posted by me from my previous account.
Sandeep Dutta
Please mark the answer correct & Helpful, if I could help you.
06-10-2025 09:44 PM - edited 06-10-2025 09:51 PM
Thank you for your comment.
I understand the concept.
What is the difference between an employee reporting an issue for triage and reporting a risk event?