In Advanced Risk Assessment can a Group Factor contain Group Factors that themselves contain Manual Factors?

Nick T · ‎06-24-2022

I'm creating a RAM in Advanced Risk and want to create the following structure - IMPACT (Group factor) containing 2 Group Factors (Confidentiality & Integrity) and 1 Manual Factor (Availability). Each of the C & I Group factors include manual factors, each with a qualitative scoring range of VH(5),H(4),M(3),L(2),VL(1) for assessment of Financial, Service, Customer, Privacy, Reputational and Regulatory Impacts.

Despite publishing in the correct order I cannot get the inherent assessment to accept the IMPACT Group factor for the x axis of the heatmap, so I am presuming I have nested too far!

Any ideas how I may be able to assess these impacts for each of CI & A in a more elegant manner?

Sebastien Fix1 · ‎07-04-2022

Have you completed the Qualitative Rating Criteria sheet? It is mandatory for Heamap X/Y-axis reference list. Even for a single manual factor.

https://docs.servicenow.com/en-US/bundle/sandiego-governance-risk-compliance/page/product/grc-risk/t...

See "Heatmap Configuration" section

Nick T · ‎07-04-2022

Yes, I have done this. I've also re-configured the group factor so that only manual factors can be included and the heatmap works fine.

However, I'm still left with trying to work out how Confidentiality, Integrity and Availability can be group factors that are included within an overarching group factor called Impact.

Ashutosh Pande2 · ‎12-06-2023

Hi Nick,

Just curious, were you able to group the group factors Confidentiality, Integrity and Availability under the group factor called Impact? thanks!

Naveen Kumar4 · ‎12-08-2023

Hi @Nick T ,

Nested group factors are not supported in Advanced risk assessments.

Configuring the X-axis and Y-axis in the heatmap allows you to select values based solely on factors, encompassing either choices or transformation criteria.

Thanks,

Naveen