Requesting a Risk Assessment on a Policy Exception

Noelinho1
Mega Guru

Hi community,

I am a bit perplexed with respect to how the Policy Exception record/app works in ServiceNow.

My GRC knowledge tells me that when a Policy Exception (PER) is requested against a Policy, a Risk Assessment would need to be conducted, but that Risk Assessment would need to be tied to an Entity. Is that the logic in how PER works?

PS: I see the 'Risk' tab, but there is nothing on the tab which alludes to a Risk Manager doing any sort of Risk Assessment. There is the 'Risk Assessment' tab but the docs.servicenow.com page describes a 'Business Impact Analysis' tab (which I think they did not update to state 'Risk Assessment') - and includes some details that I do not see in my Tokyo version of Policy Assessment.

PSS: This is without activating the Advanced Risk Assessment plugin. 

Thanks in advance for your help.
NN

1 ACCEPTED SOLUTION

Noelinho1
Mega Guru

So I figured this out... you need to activate the Compliance Manager workspace and then ensure that the Risk Assessment Methodology is set up to allow Risk Assessments on 'Object' pointing to the 'sn_compliance_policy_exception' table (alongside all the different assessments you want done - control effectiveness, inherent risk, residual risk).

You do see the 'Risk Assessment' > 'New' button on the Platform UI but when you click on it, it does nothing or rather loads up a screen that is non-functional. On the Compliance Manager Workspace, the experience is different.

The docs.servicenow.com website makes no mention of this specifically.

7 REPLIES

Wence
Tera Contributor

Thanks for sharing! But I don't see a 'New' button in the 'Risk Assessment' tab for the policy exception under the Workspace UI. Could you please share a screenshot where you can click the 'New' button?

Hi @Wence - here's what you have to do.

Firstly, Advanced Risk Assessment needs to be activated.

There should be a Risk Assessment Methodology (RAM) on an object pointing to the Policy Exception table.

Then when you get a Policy Exception request, you open that up in the Compliance Workspace - choose the approver and then under Risk Assessment, set it to 'Take a Risk Assessment'. Click on Save. Then you will see the 'Assess' button.

Let me know if that works for you. 

Wence
Tera Contributor

Hi @Noelinho1 

I appreciate your instructions! I have published the RAM pointing to the policy exception table, then submitted an exception and have put in an approver. But I don't see the 'Take a Risk Assessment' option under Risk Assessment. (Attached a screenshot.)
