Control Effectiveness in Risk Assessment Methodology

Sushil19969106

Hello Everyone,

 

Has anyone implemented Control Effectiveness for their Risk Assessment methodology using automated scripted factors?

 

The requirement in my case is as follows. Suppose a Risk Assessment takes place for a Risk. While the Risk Assessment is taking place, users can add Controls during the Control Assessment. If any of the added Controls already has a completed Control Test, i.e. its Design Effectiveness and Operating Effectiveness are marked as Effective or Ineffective, those values should be picked up automatically and populated in the Control Assessment for the respective Control.

 

Any help would be appreciated. Thanks in advance.


Arnaud Bretz1

Hi,

 

On your PDI, try the following:

1. https://devxxxxx.service-now.com/sys_store_app.do?sys_id=7443d9ba7373230055e9d8b0caf6a7b0 --> At the bottom left you have 'Repair application', and there you can select Load Demo Data.

2. You will find some scripted automated factors. The one that might help your case is the following:

==> "Design Effectiveness"

It does not match exactly what you want, as it targets the compliance status of the controls mapped to a risk rather than the result of the Control Test, but you can use it as inspiration for your use case.

/*************************************************************************************/

/* 1. Use the predefined variables from the Variables field.
/* 2. You can define your own script variables within the script itself. For example, var x = 1;  
/* 3. Factor response must be set to variable result.score;  
/*************************************************************************************/



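try {

    /***Start of Custom Code. Please write your scoring formula below. */

    // Scores a risk as the percentage (0-100) of its mapped controls that are
    // in state 'review' with status 'non_compliant', and attaches the matching
    // controls to the factor response as a CSV file.
    //
    // Reads the predefined script variables `risk`, `result` and `responseId`.

    // Renders one value as an RFC 4180 CSV field. Fields containing a comma,
    // a double quote or a line break are quoted and embedded quotes doubled;
    // the original only looked at commas and quotes, so a display value with
    // a line break split one record across two CSV rows. `forceQuote` keeps
    // the header cells always quoted, as before.
    // NOTE(review): a value beginning with '=', '+', '-' or '@' is written
    // verbatim; spreadsheet clients may evaluate such a cell as a formula.
    // Neutralize those prefixes if the file is distributed outside the platform.
    var toCsvField = function(raw, forceQuote) {
        var value = (raw === null || raw === undefined) ? '' : String(raw);
        if (forceQuote || /[",\r\n]/.test(value)) {
            return '"' + value.replace(/"/g, '""') + '"';
        }
        return value;
    };

    // Controls mapped to this risk that are under review and non-compliant.
    var g1 = new GlideAggregate('sn_risk_m2m_risk_control');
    g1.addQuery('sn_compliance_control.state', 'review');
    g1.addQuery('sn_compliance_control.status', 'non_compliant');
    g1.addQuery('sn_risk_risk', risk);
    g1.addAggregate('count');
    g1.query();
    g1.next();
    // getAggregate() yields a string; convert once so the comparison and the
    // division below operate on numbers rather than on coerced strings.
    var failedAttestationsCount = parseInt(g1.getAggregate('count'), 10);

    // All controls mapped to this risk.
    var g2 = new GlideAggregate('sn_risk_m2m_risk_control');
    g2.addQuery('sn_risk_risk', risk);
    g2.addAggregate('count');
    g2.query();
    g2.next();
    var totalControls = parseInt(g2.getAggregate('count'), 10);

    if (totalControls > 0) {
        result.score = (failedAttestationsCount / totalControls) * 100;

        // Same selection as g1, this time fetching the records for the export.
        var gr = new GlideRecord('sn_risk_m2m_risk_control');
        gr.addQuery('sn_compliance_control.state', 'review');
        gr.addQuery('sn_compliance_control.status', 'non_compliant');
        gr.addQuery('sn_risk_risk', risk);
        gr.query();

        var supportingFields = ['sn_compliance_control.name', 'sn_compliance_control.status'];

        // Header row: the field labels, always quoted.
        var headerCells = [];
        for (var i = 0; i < supportingFields.length; i++) {
            headerCells.push(toCsvField(gr.getElement(supportingFields[i]).getLabel(), true));
        }
        var data = headerCells.join(',') + "\r\n";

        // One row per matching control, using display values.
        while (gr.next()) {
            var rowCells = [];
            for (var j = 0; j < supportingFields.length; j++) {
                rowCells.push(toCsvField(gr.getElement(supportingFields[j]).getDisplayValue(), false));
            }
            data = data + rowCells.join(',') + "\r\n";
        }

        new sn_risk_advanced.ScriptFactorUtils().createSupportingData(responseId, data, 'supporting_data.csv');
    } else {
        // No controls mapped: nothing to attest, so the score is 0 rather than
        // a division by zero.
        result.score = 0;
    }

    /***End of Custom Code. Do not modify anything below. */

    if (isNaN(result.score)) {
        throw 'Not a number.';
    } else if (result.score == Infinity) {
        throw 'Divide by zero error.';
    }
} catch (ex) {
    result.error = ex;
}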