
Attestation Due Date for GRC Attestation

Ashik3
Tera Expert

Hi All,


When we attest a control, the attestation has a due date by default. Once this due date is met, it should ideally cancel the attestation. But in our instance, it's not working as expected.

In the backend, there is a scheduled job that runs at an interval of 30 days (OOB), and this cancels the attestation once the due date is met. We found that there is a query, highlighted below in the screenshot, that excludes attestation_v2, risk_assessment and vendor risk assessments.

I am not sure why these are excluded OOB. Has anyone experienced the same issue?


Best,
Ashik

1 ACCEPTED SOLUTION

Shiva Thomas
Kilo Sage

Hi Ashik,

I believe that this Scheduled Job is mostly intended for Satisfaction Surveys, typically used for Incident management.
With Satisfaction Surveys, there won't be any consequence if an Assessment is cancelled.

If ServiceNow applied that logic to every GRC Assessment, they wouldn't know what to do with the status of the affected Risks and Controls.

For example, should a control that failed to be assessed stay in the Attest state and Compliant status? That would really depend on your own processes. You need to decide who should be informed (via notifications, scheduled reports or dashboard) of assessment failures, and if this should automatically raise an Issue.

I believe this is why they excluded those GRC & Vendor Risk Management metric types, as they are used for sensitive workflows. If you want automation here, you're expected to automate your business processes yourself, or with the help of an implementation partner.

Out of the box, there is an easier way to configure assessment durations in recent ServiceNow versions. If you go to "Assessments > Metric Definition > Types" you'll find that there is an Assessment duration field and a Notify manager if overdue flag.



Best regards from Switzerland
Shiva, GRC Architect :¬,

If this reply assisted you, please consider marking it 👍Helpful or Correct.
This enables other customers to learn from your thread.
