We've updated the ServiceNow Community Code of Conduct, adding guidelines around AI usage, professionalism, and content violations. Read more

impact of Risk framework retires

Akki1
Tera Contributor

3 hours ago

I’m trying to understand the system and data impacts of retiring a Risk Framework.

Specifically, I’d like clarity on the following:

  • What happens to downstream records associated with the retired risk framework (for example, risk statements, risks, controls, etc.)?
  • Are impacts cascaded further down the hierarchy (child records of child records)?
  • How are RCSA Assessments affected if they are linked to risks under the retired framework?
  • What is the impact on Issue records, action plans, or any other related records?
  • Are these records automatically retired/inactivated, left unchanged, or do they require manual remediation?
  • Are there any best practices or precautions to follow before retiring a risk framework (e.g., data migration, reassignment, reporting considerations)?

Any insights from real implementations or documentation references would be greatly appreciated.

0 Helpfuls
  • 44 Views
1 REPLY 1

yashkamde
Kilo Sage

2 hours ago

Hello @Akki1 ,

Basically In many projects, instead of fully retiring the framework immediately, organizations first disable new risk creation and assessments, migrate necessary records to the new framework, and only then mark the old framework as retired to avoid reporting inconsistencies.

There is no automatic cascading retirement to deeper hierarchy records such as control objectives, indicators, or related issues. Records linked further down the structure are kept unchanged to preserve audit and historical data.

In ServiceNow Risk and Control Self‑Assessment (RCSA), existing assessments tied to those risks remain valid and unchanged, though future assessment generation may need to be manually stopped. Similarly, Issues, remediation tasks, and action plans are not automatically retired because they are linked to risks or controls.

Typically, these records remain active unless they are manually updated, migrated, or closed as part of governance cleanup.

 

Record Types -> Impacts :

Risk Framework -> Marked Retired / Inactive

Risk Statements -> Remain unchanged

Risks -> Remain active

Controls -> Remain active

RCSA Assessments -> No automatic change

Issues -> No automatic change

 

Recommended Best Practice is :

Impact Analysis > Reporting Snapshot > Reassignment or Migration > Deactivate Future Processes > Communication with risk owners > Test in Sub-Prod Instance

 

Refer this :

https://www.servicenow.com/products/integrated-risk-management.html 

https://www.servicenow.com/uk/products/risk-management/what-is-integrated-risk-management.html 

0 Helpfuls