INDICATORS, CONTROL & RISK OWNER ( ENTITY OWNER )
02-11-2020 05:02 PM
Hi
Can someone please give me a better understanding of indicators, probably a layman's explanation?
Are control and risk owner mandatory? Are they the ones to oversee the attestation and assessment?
Can the control owner and risk owner be the same as the attestation and assessment respondent?
Why is the entity owner the same as the control and risk owner?
02-11-2020 07:06 PM
Your question has many parts :-). I'm going to try to address them at a high level, but some might need a bit of fundamental understanding of how attestation and indicators work. I suggest getting a demo or watching some videos on indicators to see how they work in real life.
1) The entity owner is copied to the downstream risks/controls automatically when the risks/controls are first generated by an Entity Type. This is ServiceNow's attempt to help reduce risk/control setup time. In some cases it makes sense, such as if your Entity is a process or an application; likely the Entity owner would own all the risks/controls associated with that process or application.
Note that you can manually change the owner for the risk/control after it's generated if your Entity owner ends up different from the control owner. They don't have to be the same, just at the initial setup. Also, if you create an ad-hoc risk/control in an Entity, you can define whoever the control owner would be at setup regardless of the Entity owner.
2) An Indicator is different from an Attestation. They are two different processes in ServiceNow GRC. Make sure you know that distinction since you mentioned both. You can set up an indicator for either a risk or a control. An attestation can only be created for a control, not a risk.
3) An Indicator pretty much allows you to set up automated task(s) for certain risks/controls, and the result of the task updates the risk/control's status. For example, you can set up an indicator to generate a task on a quarterly basis so the owner can confirm the control operates effectively. If not, the task is failed, an issue is created and the control status is changed to non-compliant. Due to the automated feature, the indicator will ALWAYS use the risk/control owner as the assigned-to person when the task is generated. You can't change it.
4) An Attestation is somewhat similar to an indicator, but it's built into the Control workflow state and can be set up as a questionnaire vs. just pass/fail like an indicator. At my company, we have a quarterly SOX attestation process where all SOX control owners are asked 3 questions: whether they are still the right owner; whether there are changes to the control; and whether the control failed during the quarter.
Unlike an indicator, an attestation is more of a survey questionnaire vs. a task. The owners can provide yes/no answers and additional information as needed. If they answer negatively to any of the questions, it changes the control to non-compliant and generates an issue.
You define who the attestation questionnaire goes to by defining the 'Attestation Respondent' on the control form. This is updated automatically with the Control owner, but you can manually change it or even add more than one 'attestor' for each control (for an indicator you can't change it from the owner).
To perform an attestation, though, you have to move the whole control back to Draft, then to the Attest state, so it requires some manual process. For an indicator, you can leave the control in Monitor and it will keep generating tasks based on the defined schedule.
02-12-2020 01:38 AM
In order to understand Indicators, or KRIs in Risk speak, you need to first understand the related components of Risk, Controls and Incidents, a.k.a. Risk Events.
Using the simple example of crossing the road, the risk of course is "Crossing the Road". The severity of the risk can differ depending on the type of road. For example, the risk associated with crossing the road in the countryside is lower than that of crossing a freeway, therefore they will be allocated different risk ratings. In the same way that Risks can differ, so can the Controls used to mitigate them. For example, it would not be appropriate to build a bridge across a country road or a pedestrian crossing across a freeway.
Bringing KRIs into the equation, these are related to the number of events and a pre-determined threshold of tolerance.
Using the same example of crossing the road, say for example the country road was upgraded because they have built some new houses, and therefore traffic levels increase. If a risk assessment isn't performed and therefore no Controls are put in place, there could be an increase in people getting run over. This is where tolerances come into effect. If it is one person a year that gets run over, is it worth building a pedestrian crossing (the Control)? However, should you set that threshold to once a month and you breach that (the Indicator), then a Risk Issue should be created and Action Plan(s) (Tasks in SN) put in place to determine the cause and mitigating actions.
This is why Risk and Control Assessments are key, especially where the environment changes. Without getting too in-depth, it is what is referred to as a "Top-down" or "Bottom-up" approach to Risk. Bottom-up being that you wait for the number of events to breach your indicator threshold in order to assess the Risk and Controls, or you constantly monitor your Risk and Controls to prevent the Events/Incidents from occurring in the first place. This is an ongoing conundrum facing the world of risk, for which there is no right or wrong.
Onto your second question. Yes, they should be mandatory, but can be different people. Risk and GRC is all about accountability after all. Typically, yes, they should oversee attestation, but ultimately they will have their day jobs to do, so typically it will be the second line of defence, i.e. Risk and Compliance.
Question 3. Yes, they absolutely should. Just because you are the risk and control owner doesn't mean you are exempt.
Question 4. What do you mean by entity?
02-12-2020 12:40 PM
Hi Damon,
1. Indicators - help to automate your control check. E.g.: you have a control that checks for stale users in the organisation. As a first approach, you can send a GRC attestation to the AD team so that they check if there are any stale users and manually say they are compliant (if there are no stale users) / non-compliant (if there are stale users). In this case, it's purely manual and you need to trust the AD team or need to do an audit periodically to make sure the control is compliant or not.
Using Indicators you can automate this. For e.g.: ServiceNow automatically finds the stale users and sets the control to compliant or non-compliant. This also means that you don't have to send manual attestations since the system auto-checks and sets the control status. If the system finds a stale user, it sets the control non-compliant and an issue is auto-generated.
2. Are control and risk owner mandatory, are they the ones to oversee the attestation and assessment - yes, it is. They are the ones to take responsibility for it. Attestation and assessment can be taken by anyone who has normal GRC user / risk user roles.
3. Can the control owner and risk owner be the same as the attestation and assessment respondent - yes, this is also possible. Depending on your business use case you can configure this.
4. Why is the entity owner the same as the control and risk owner - consider your entity as a business application; the business application owner who is responsible for that business application is also responsible for the risks on that business application and responsible for implementing controls.
BR,
Ashik
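To make the two ideas in the replies above concrete (the stale-account control indicator Ashik describes, and the KRI "events vs. tolerance threshold" from the road-crossing reply), here is an added, stand-alone Python illustration. It is not ServiceNow code and does not use the ServiceNow indicator or GlideRecord APIs; the 90-day staleness window, the zero-breach tolerance, the account records and the field names are all constructed for the example. The point it shows is the indicator mechanics: an automated check produces a measured value, the value is compared against a tolerance, a breach flips the control to non-compliant and raises an issue assigned to the control owner (who, as noted above, is the fixed assignee for indicator-generated work).

```python
"""Added illustration of an automated control indicator with a KRI threshold.
Not ServiceNow code: all names, records and thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy: an enabled account that has not logged on for 90 days is stale.
STALE_AFTER = timedelta(days=90)

# Constructed sample of a directory export (not real data). A disabled account
# is not counted; an account that never logged on counts as stale.
NOW = datetime(2020, 2, 12, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sam": "alice",      "last_logon": NOW - timedelta(days=3),   "enabled": True},
    {"sam": "bob",        "last_logon": NOW - timedelta(days=120), "enabled": True},
    {"sam": "svc_backup", "last_logon": NOW - timedelta(days=400), "enabled": True},
    {"sam": "carol",      "last_logon": NOW - timedelta(days=200), "enabled": False},
    {"sam": "dave",       "last_logon": None,                      "enabled": True},
]


@dataclass
class Control:
    """Minimal stand-in for a GRC control record (hypothetical shape)."""
    name: str
    owner: str                      # control owner: fixed assignee for indicator results
    status: str = "Compliant"
    issues: list = field(default_factory=list)


def find_stale_accounts(accounts, now, max_age):
    """The automated check itself: enabled accounts whose last logon is older
    than max_age, or that have no recorded logon at all."""
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = acct["last_logon"]
        if last is None or now - last > max_age:
            stale.append(acct["sam"])
    return stale


def run_indicator(control, accounts, now=NOW, max_age=STALE_AFTER, tolerance=0):
    """Evaluate the indicator for one control.

    The measured value is the number of stale accounts; `tolerance` is the KRI
    threshold. value > tolerance is a breach: the control becomes non-compliant
    and an issue is raised against the control owner. Otherwise the control is
    (re)marked compliant. Returns the indicator result for the audit trail.
    """
    stale = find_stale_accounts(accounts, now, max_age)
    result = {
        "control": control.name,
        "value": len(stale),
        "threshold": tolerance,
        "breached": len(stale) > tolerance,
        "stale": stale,
        "evaluated_at": now.isoformat(),
    }
    if result["breached"]:
        control.status = "Non-compliant"
        control.issues.append({
            "assigned_to": control.owner,
            "description": f"{len(stale)} stale enabled account(s) exceed tolerance "
                           f"{tolerance}: {', '.join(stale)}",
        })
    else:
        control.status = "Compliant"
    return result


if __name__ == "__main__":
    ctrl = Control(name="Stale AD accounts are disabled", owner="ad.team.lead")
    res = run_indicator(ctrl, SAMPLE_ACCOUNTS)
    print(res)
    print(ctrl.status, ctrl.issues)
```

Running it as written breaches the threshold (three stale enabled accounts against a tolerance of zero); raising `tolerance` to 3 shows the other branch, where the same measurement leaves the control compliant and raises nothing, which is exactly the "is one person a year worth a crossing" judgement the earlier reply describes.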

02-14-2020 05:20 AM
Each of the previous responses is good and provides some good examples. Please be careful on the difference between a Control Attestation and a Control Indicator. ServiceNow has very specific use cases for these two. The response from
And there is always the GRC Fundamentals course in Now Learning. That course is about how ServiceNow has developed an application for GRC requirements. Even if you are a GRC guru, it is the BEST place to start to understand how to maximize your ServiceNow investment in GRC.
Good luck!
Jan