- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-13-2022 05:22 PM
Hi community,
I am a bit perplexed with respect to how the Policy Exception record/app works in ServiceNow.
My GRC knowledge tells me that when a Policy Exception (PER) is requested against a Policy, a Risk Assessment would need to be conducted, but that Risk Assessment would need to be tied to an Entity. Is that the logic in how PER works?
PS: I see the 'Risk' tab, but there is nothing on the tab which eludes to a Risk Manager doing any sort of Risk Assessment. There is the 'Risk Assessment' tab but the docs.servicenow.com page describes a 'Business Impact Analysis' tab (which I think they did not update to state 'Risk Assessment') - and includes some details that I do not see in my Toyko version of Policy Assessment.
PSS: This is without activating the Advanced Risk Assessment plugin.
Thanks in advance for your help.
NN
Solved! Go to Solution.
- Labels:
-
Policy and Compliance Management
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-15-2022 10:37 AM
So I figured this out... you need to activate the Compliance Manager workspace and then ensure that the Risk Assessment Methodology is setup to allow Risk Assessments on 'Object' pointing to the 'sn_compliance_policy_exception' table (alongside all the different assessments you want done - control effectiveness, inherent risk, residual risk).
You do see the 'Risk Assessment' > 'New' button on the Platform UI but when you click on it, it does nothing or rather loads up a screen that is non-functional. On the Compliance Manager Workspace, the experience is different.
The docs.servicenow.com website makes no mention of this specifically.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-15-2022 10:37 AM
So I figured this out... you need to activate the Compliance Manager workspace and then ensure that the Risk Assessment Methodology is setup to allow Risk Assessments on 'Object' pointing to the 'sn_compliance_policy_exception' table (alongside all the different assessments you want done - control effectiveness, inherent risk, residual risk).
You do see the 'Risk Assessment' > 'New' button on the Platform UI but when you click on it, it does nothing or rather loads up a screen that is non-functional. On the Compliance Manager Workspace, the experience is different.
The docs.servicenow.com website makes no mention of this specifically.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎11-17-2022 02:42 PM
Thanks for sharing! But I don't see a 'New' button in the 'Risk Assessment' tab for the policy exception under the Workspace UI. Could you please share a screenshot where you can click the 'New' button?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎11-17-2022 02:47 PM
Hi @Wence - here's what you have to do.
Firstly, Advanced Risk Assessment needs to be activated
There should be a Risk Assessment Methodology (RAM) on an object pointing to the Policy Exception table
Then when you get a Policy Exception request, you open that up in the Compliance Workspace - choose the approver and then under Risk Assessment, set it to 'Take a Risk Assessment'. Click on Save. Then you will see the 'Assess' button.
Let me know if that works for you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎11-18-2022 09:48 AM
Hi @Noelinho1
I appreciate your instructions! I have published the RAM pointing to the policy exception table, then submitted an exception and have put in an approver. But I don't see the 'Take a Risk Assessment' option under Risk Assessment (Attached a screenshot)
 
.