‎07-29-2022 01:13 PM
Hello,
I am wondering if it is possible / recommended to build a direct relationship between Citations and Risks. I understand that this is different from baseline functionality, which is to use the built-in relationships from Citations > Controls > Risks. However, there is a need to be able to see Risks directly on the Citations and vice versa when there may not be a control in place. I think this can be done through a related list but wanted to get more insight into the pros and cons.
Thanks!
Labels: Integrated Risk Management (IRM)
‎08-01-2022 03:38 PM
Andrew,
I wouldn't recommend linking Risks to Citations directly.
Why?
Because Risks are ephemeral and Citations aren't.
A Risk can (in theory) pop up, then disappear as the underlying Entity drives its lifecycle. If you linked them together directly, you could have poor quality metrics as a result of this.
Far better would be to link the Citation to the Risk Statement(s) (using Related Lists, available via ootb Configure>Related Lists on the Citation form) then derive the relationship's outcome (the current, dynamic level of Risk for a given Citation) by using PA/Reporting.
I built this a number of years ago to do exactly that.
HTH
R
If this reply assisted you, please consider marking it Helpful or ✅Correct.
This enables other customers to learn from your thread.
‎08-02-2022 07:04 AM
Hi Andrew,
As Richard recommended, from a data model perspective we also recommend linking Citations to Risk Statements. Risks are transactional data, while Risk Statements and Citations are master data, and it therefore makes sense to link the two. From a product standpoint, we will definitely look to prioritise this on the roadmap in future releases too.
Regards,
Utkarsh
‎07-30-2022 04:35 AM
Hi
Citations usually aren't directly related to a Risk - at least not in the ServiceNow application.
Citations are related to Policy Statements (aka Control Objectives/Control Templates). The Policy Statements are related to Entity Types - which have individual Entities. Those are used to generate Controls for each Entity.
Do not get confused with using Risk Events with Risks, which could be seen in the related list for a Citation.
To understand the relationship of risk events to risks: consider relating risk events to risks if you use the Risk Management application. This relationship provides data for future risk assessment and is also useful for accurate reporting. For example, if the management of an organization wants to know the total loss incurred due to internal fraud, it can only be reported if all the risks are related to the internal fraud risk event. To relate risk events to risks, set the "Make risk event to risk relationship mandatory" property to Yes. By default, this property is not turned on.
Mark my answer correct & Helpful, if Applicable.
Thanks,
Sandeep
‎08-03-2022 12:10 AM
Hi
Glad to see my answer helped you.
Kindly mark the applicable answer as both Correct & Helpful so that others can get help.
Thanks,
Sandeep
‎08-07-2022 08:24 PM
Hi
Any update on this? Any follow-up required? If not,
kindly mark the answer as both Correct & Helpful so that others can get help.
Thanks,
Sandeep