How to create a risk when an issue is auto-generated?

Niharika Pothan
Mega Contributor

Hi, 

I have a question about creating a risk when my control status becomes Non-compliant and an issue is created.

From my understanding, when a control owner attests a control and the control status changes to 'Non-compliant', an issue is auto-generated. The control owner then has 2 options: 1. Create a Policy Exception, OR 2. Create a remediation task.

So assuming a control owner creates a policy exception and requests approval from the Compliance Manager, the Compliance Manager will review the policy exception. My question is: if the compliance manager thinks that there is a risk, how can he create a risk, or request a risk assessment?

In the Policy Exception section, even though there is a Risk assessment stage in the policy exception life cycle, I don't see an option to request a risk assessment. All I can see is a) Request for more information, b) Approve, OR c) Reject.

Do we need to customize/create a risk manually, or is there something that I'm missing?

 

Thank you. 

1 ACCEPTED SOLUTION

Notorious BFG
ServiceNow Employee

Hi Niharika,

You're not missing anything - currently there isn't a baseline way to create a one-off risk directly from a failed control...

...and I agree that this is something that could be a useful tool for a risk manager!

So:

When I've seen this come up in the past my suggestion has been to leverage the POWER OF AUTOMATION (via the Flow Designer)!  You could approach this one of several ways, but I'll just enumerate one as an example:

 

First we create a trigger condition that will kick off our flow. In this case I've elected to use the conditions "Control Status is 'Non-Compliant'" AND someone has added the following note in the comments of the control: "Risk assessment required". Keep in mind you could instead kick off this flow logic using a UI action, or by putting a check box in a new field, etc.

Then, using the information from the failed control, we create a new Risk record in the risk table.

Then we create a relationship between the failed control and our new risk in the M2M table.

Lastly, we could send the Risk manager a notification that the risk is ready for assessment, or simply push the new risk into the proper state and kick off an assessment. As you can see, there are lots of powerful ways we could go about automating this process!

 

Best,

Ben

ʕʔ*:・゚.   
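The four steps above are configured in Flow Designer, so there is no script on this page. As an added example (not Ben's flow and not ServiceNow's own code), the plain-JavaScript model below walks through the same logic so it can be run offline: the trigger condition (status Non-Compliant plus the "Risk assessment required" note), creating the risk from the control's fields, linking the two in an M2M table, and notifying the risk manager. The table names (`sn_compliance_control`, `sn_risk_risk`, the M2M table), field names and state values are assumptions for illustration, and the in-memory store is a constructed stand-in for the platform's Create Record actions or GlideRecord. One guard that is not in the original flow is included: a control can be attested and commented more than once, so the code refuses to create a second risk for a control that already has one.

```javascript
// Added example, not from the original post: a runnable model of the
// Flow Designer logic described above. Table/field names are assumptions.
const TRIGGER_NOTE = 'Risk assessment required';

// Constructed in-memory stand-in for the platform tables (assumed names).
const db = {
  sn_compliance_control: [],
  sn_risk_risk: [],
  risk_control_m2m: [],   // assumed name for the risk <-> control M2M table
  notifications: []
};
let nextId = 1;

function resetStore() {
  Object.keys(db).forEach(t => { db[t].length = 0; });
  nextId = 1;
}

// Stand-in for a "Create Record" action / GlideRecord.insert().
function insert(table, fields) {
  const rec = Object.assign({ sys_id: 'sys_' + (nextId++) }, fields);
  db[table].push(rec);
  return rec;
}

// Step 1: the trigger condition. Both halves must hold, as in the flow trigger.
function shouldTrigger(control, newComment) {
  return control.status === 'non_compliant' &&
         typeof newComment === 'string' &&
         newComment.toLowerCase().includes(TRIGGER_NOTE.toLowerCase());
}

// Extra guard: has a risk already been linked to this control?
function existingRiskFor(controlId) {
  const link = db.risk_control_m2m.find(m => m.control === controlId);
  return link ? db.sn_risk_risk.find(r => r.sys_id === link.risk) || null : null;
}

// Step 2: build the risk record from the failed control's fields.
function buildRisk(control) {
  return {
    name: 'Control failure: ' + control.name,
    description: 'Auto-generated from non-compliant control ' + control.number +
                 ' (' + control.name + ').',
    state: 'assess'   // assumed state value meaning "ready for assessment"
  };
}

// Steps 1-4 end to end, as the flow would run when a comment is added.
function onControlCommented(controlId, comment, riskManager) {
  const control = db.sn_compliance_control.find(c => c.sys_id === controlId);
  if (!control || !shouldTrigger(control, comment)) return null;

  const existing = existingRiskFor(controlId);
  if (existing) return existing;   // do not duplicate on re-attestation

  const risk = insert('sn_risk_risk', buildRisk(control));                 // step 2
  insert('risk_control_m2m', { risk: risk.sys_id, control: control.sys_id }); // step 3
  insert('notifications', {                                                // step 4
    to: riskManager,
    subject: 'Risk ' + risk.sys_id + ' is ready for assessment',
    body: 'Created from control ' + control.number + ' (' + control.name + ').'
  });
  return risk;
}

// Constructed scenario: one failed control, commented on three times.
function demo() {
  resetStore();
  const control = insert('sn_compliance_control', {
    number: 'CTRL0001001',                // constructed sample value
    name: 'Quarterly access review',
    status: 'non_compliant'
  });
  const first = onControlCommented(control.sys_id, 'Risk assessment required', 'risk.manager');
  const again = onControlCommented(control.sys_id, 'Risk assessment required', 'risk.manager');
  const ignored = onControlCommented(control.sys_id, 'Looks fine to me', 'risk.manager');
  return {
    first, again, ignored,
    riskCount: db.sn_risk_risk.length,
    linkCount: db.risk_control_m2m.length,
    notificationCount: db.notifications.length
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows one risk, one M2M link and one notification even though the trigger phrase was posted twice; the third comment does not contain the phrase and creates nothing. In a real flow the duplicate check would be a "Look Up Records" step on the M2M table before the "Create Record" step.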



Hi Ben, 

 

I really appreciate you going through the automation in flow designer. I certainly learnt a new method of working on my process flow. This is really helpful. 

 

Thank you. 

 

Regards, 

Niharika Pothani 

Emad4
ServiceNow Employee

Thanks for the question and responses, I certainly learned a few things. 🙂

The only thing I will add is that a Control Failure is not a Risk in its own right; it may impact the risk rating of multiple risks, though. The way that ServiceNow takes that impact into account is via the Control Failure Factor in the Risk Monitoring tab, which will change the Calculated Risk Factor.

Cheers,

Emad

Niharika Pothan
Mega Contributor

Thank you all for your responses.