Relationship between control and risk

rajeeshraj
Tera Guru

‎02-02-2022 07:45 PM

How are controls and Risks related in ServiceNow. We have a process to implement where I am trying to

  1. Map compliance obligations to business processes
  2. Identify and categorize inherent risk of non compliance
  3. Create assessments for compliance risk
  4. Assess residual risk of non-compliance

I am thinking of linking control objective to a risk statement, but not sure if this is the right approach.

Thanks

Labels:
0 Helpfuls
  • 2,853 Views
4 REPLIES 4

Randal
Tera Contributor

‎02-03-2022 06:59 AM

rajeeshraj, I think this cross reference already exists in the OOTB Control Objective and Risk Statement records. Same for Citations for your compliance obligations. Though, there isn't an existing business process component, the Entities component, depending on how your Entities are set up, might at least get you to the business unit performing the process. Once all of your data is in place, you would then go through the typical risk management functions to perform the other items on your list. Just my high level thoughts. 

Ahmed Drar
Tera Guru
Tera Guru

‎02-04-2022 09:58 AM

Hi Rajeeshraj,

if your business processes exist in the CMDB, you can define your business processes as an entity type and then applied entity type to your control objectives and risk statements. You can always relate Risk to Controls using Risk to control many to many table sn_risk_m2m_risk_control  and Risk Statement to Control objectives using Risk Statement to Control objectives sn_risk_m2m_risk_definition_policy_statement m2m table.

 

 

 Example of how a business process such as employee recruitment is defined, its relationships with the associated risks and controls are established, and how it helps to derive the risk rating of the process.

https://docs.servicenow.com/bundle/sandiego-governance-risk-compliance/page/product/grc-risk/concept...

find_real_file.png

 

 

Please mark my answer as ✅ Correct / Helpful based on the Impact

Preview file
43 KB
Preview file
595 KB
Preview file
83 KB

rajeeshraj
Tera Guru
In response to Ahmed Drar

‎02-06-2022 10:36 AM

So if I create an entity type of Business Process, do I

Option 1: link the Entity type to both Control Objective and Risk Statement

Option 2: link the Entity type to only the Risk Statement and then link Control Objective to Risk Statement

Option 3: link the Entity type to only the Control Objective and then link Risk Statement to Control Objective

 

Thanks

0 Helpfuls

Ahmed Drar
Tera Guru
Tera Guru
In response to rajeeshraj

‎02-07-2022 04:55 AM

if you need to generate controls /risks based on a library then you need to apply your entity type to both risk statement and controls objectives. after that link, Risks to controls using the m2m table

here is an explanation:

when Entity type is applied to risk statements and control objectives - This is entity scoping: control objectives and risk statements are scoped with entity types.

When they are applied, controls/risks are automatically generated for each individual entity based on the applied control objective or risk statement.

after that, you can link controls undertaken to reduce exposure to risk using the m2m table

 

I hope this helps.