Is it possible to connect Citations to Risks?

Go to solution
Andrew Rigsby
Tera Contributor

‎07-29-2022 01:13 PM

Hello,

I am wondering if it is possible / recommended to build a direct relationship between Citations and Risks. I understand that this is different from baseline functionality, which is to use the built-in relationships from Citations > Controls > Risks. However, there are needs to be able to see Risks directly on the Citations and vice versa when there may not be a control in place. I think this can be done through a related list but wanted to get more insight into the pros and cons.

Thanks!

0 Helpfuls
  • 1,315 Views
2 ACCEPTED SOLUTIONS

Go to solution
Richard Taylor
Tera Expert

‎08-01-2022 03:38 PM

Andrew,

I wouldn't recommend linking Risks to Citations directly.

Why?

Because Risks are ephemeral and Citations aren't.

A Risk can (in theory) pop up, then disappear as the underlying Entity drives its lifecycle. If you linked them together directly, you could have poor quality metrics as a result of this.

Far better would be to link the Citation to the Risk Statement(s) (using Related Lists, available via ootb Configure>Related Lists on the Citation form) then derive the relationship's outcome (the current, dynamic level of Risk for a given Citation) by using PA/Reporting.

I built this a number of years ago to do exactly that.

HTH

R

If this reply assisted you, please consider marking it ????Helpful or ✅Correct.
This enables other customers to learn from your thread.

View solution in original post

Go to solution
UTKARSH JAIN
ServiceNow Employee
ServiceNow Employee

‎08-02-2022 07:04 AM

Hi Andrew,

As Richard recommended, from a data model perspective we will also recommend to link citations to Risk Statements. Risks is a transactional data while risk statements and citations are master data and therefore make sense to link the 2. From a product standpoint, we will definitely look to prioritise this on the roadmap in the future releases too. 

Regards,

Utkarsh

View solution in original post

6 REPLIES 6

Go to solution
Community Alums
Not applicable

‎07-30-2022 04:35 AM

Hi @Andrew Rigsby ,

Citations usually aren't directly related to a Risk - at least not in the ServiceNow application.

Citations are related to Policy Statements (aka Control Objectives/Control Templates). The Policy Statements are related to Entity Types - which have individual Entities.  Those are used to generate Controls for each Entity.

Do not get confused with using Risk event with Risks ,which could be seen in the related list for a citation.

To understand the Relationship of risk events to risk : Consider relating risk events to risks if you use the Risk Management application. This relationship provides data for future risk assessment and is also useful for accurate reporting. For example, if the management of an organization wants to know the total loss incurred due to internal fraud, it can only be reported if all the risks are related to the internal fraud risk event. To relate risks events to risk, set the Make risk event to risk relationship mandatory property to Yes. By default, this property is not turned on.

Mark my answer correct & Helpful, if Applicable.

Thanks,

Sandeep

Go to solution
Community Alums
Not applicable
In response to Community Alums

‎08-03-2022 12:10 AM

Hi @Andrew Rigsby ,

Glad to see my answer helped You. 
Kindly mark the applicable answer as Correct & Helpful both such that others can get help.

Thanks,
Sandeep

0 Helpfuls

Go to solution
Community Alums
Not applicable
In response to Community Alums

‎08-07-2022 08:24 PM

Hi @Andrew Rigsby ,

Any update to this ?Any follow-up required? if not

Kindly mark the answer as Correct & Helpful both such that others can get help.

Thanks,
Sandeep

0 Helpfuls

Go to solution
Richard Taylor
Tera Expert

‎08-01-2022 03:38 PM

Andrew,

I wouldn't recommend linking Risks to Citations directly.

Why?

Because Risks are ephemeral and Citations aren't.

A Risk can (in theory) pop up, then disappear as the underlying Entity drives its lifecycle. If you linked them together directly, you could have poor quality metrics as a result of this.

Far better would be to link the Citation to the Risk Statement(s) (using Related Lists, available via ootb Configure>Related Lists on the Citation form) then derive the relationship's outcome (the current, dynamic level of Risk for a given Citation) by using PA/Reporting.

I built this a number of years ago to do exactly that.

HTH

R

If this reply assisted you, please consider marking it ????Helpful or ✅Correct.
This enables other customers to learn from your thread.