What is the difference between Risk Events and Issues on ServiceNow IRM?

Sara Kiyono
Tera Contributor

Hi Everybody,

Can someone please help me with some clear examples explaining the difference between Risk Events and Issues? What are the scenarios in which we raise Risk Events, and in which cases will we raise Issues?

2 ACCEPTED SOLUTIONS

Arun_Manoj
Mega Sage

Hi @Sara,

Reporting an Issue

An employee is reporting a known problem, gap, or failure in a policy, process, or control that needs to be addressed.

Example Scenarios:

  • "Access logs are not being reviewed as required."

  • "A system control failed and backup was not taken."

  • "A third-party contractor violated a data policy."

  • "We missed a compliance report deadline."

What happens next:

  • The report goes through issue triage.

  • It’s assessed for severity, ownership, and remediation.

  • It may become a Risk Issue, Compliance Issue, or Audit Issue in ServiceNow.

  • Tracked to resolution with due dates and accountable owners.

Used when something is broken or non-compliant and needs to be fixed.

Reporting a Risk Event

An employee is reporting an incident, observation, or occurrence that could impact the organization’s risk profile — even if nothing has failed yet.

 

  • "We received a suspicious email with a malicious link."

  • "There was a 5-minute outage in our core banking system."

  • "A regulator released a new rule affecting our operations."

  • "Customer data was mistakenly emailed — no breach confirmed."

What happens next:

  • The event is reviewed to assess its impact on existing risks or to identify new risks.

  • It might lead to:

    • Re-evaluating risk scores

    • Creating new risk statements

    • Triggering a formal investigation

  • In ServiceNow, it could be linked to existing risks or feed into risk assessments.

Used when something potentially risky occurs, even if no control has failed.

Thanks

Arun

Hi Sara,

Correct!! Risk Events are the actual Risk which could happen if a risk materializes.

Issues are either created automatically due to a control testing failure or any automated process as per the workflow, and you can create issues manually as well to highlight that there is a problem in the process in IRM.

In short, you have got it right in your understanding.

Thanks,
Sandeep Dutta

Please mark the answer correct & Helpful, if I could help you.

7 REPLIES

@Arun_Manoj 

Thanks for sharing the specific examples!!
Am I correct in understanding that a risk event is “an actual event that could happen if a risk materializes” and the issue is “something that should be corrected, such as a policy, process, or control”?

Dr Atul G- LNG
Tera Patron

@SANDEEP DUTTA any thoughts here?

Regards
Dr. Atul G. - Learn N Grow Together