GRC: Risk tables and hierarchy

S_53
Kilo Guru

Hello all,

We recently installed a few GRC modules and I am trying to figure out the hierarchy of risk levels and tables. We have a custom framework already set up, and we have Risk levels 1, 2, 3, 4 as individual tables. Do we have such a hierarchy in the GRC OOB tables? Can anyone please brief me on risk and its tables? Thanks in advance!

@Chuck Tomasi @Pradeep Sharma 

1 ACCEPTED SOLUTION

Hi S.

IRM/GRC is built on a top-down architecture. You define your risk hierarchy in the Risk Statements library. Then you build your Risk Universe (Entity Classes, Entity Types, Entities).

You apply your risk to some Entity Types and it generates Risk Instances (sn_risk_risk).

There is no risk hierarchy at that level. A Risk Statement is only instantiated once towards a given Entity.

Now you can relate a risk to upstream or downstream risks from related entities, but not relate several risk instances for the same Entity.

Regards

Eric


7 REPLIES

sachin_namjoshi
Kilo Patron

Please use the link below for the GRC data model, which has the tables and relationships for risk management:

https://docs.servicenow.com/bundle/orlando-governance-risk-compliance/page/product/grc-risk/referenc...

Regards,

Sachin

You couldn't ask for more 🙂

Eric Le Martre4
Kilo Guru

Hi S.

The basic structure / hierarchy for Risks is managed in the Risk Statements (sn_risk_definition table). It is a parent/children structure. You can define as many layers of depth as you need in your Risk Hierarchy. You will have embedded Risk Aggregation and Risk Tolerance aggregation (with the Advanced Risk license).

IRM Expert has developed an IRM High Level Data Model that I can show you, but not share (protected IP).

Best regards

Eric

Thanks for your help Eric! 

How would I dig deeper into more layers, if I want to, after sn_risk_risk? Any thoughts?

sn_risk_definition -> sn_risk_risk -> ??