Requesting a Risk Assessment on a Policy Exception

Noelinho1
Mega Guru

Hi community,

I am a bit perplexed with respect to how the Policy Exception record/app works in ServiceNow.

My GRC knowledge tells me that when a Policy Exception (PER) is requested against a Policy, a Risk Assessment would need to be conducted, but that Risk Assessment would need to be tied to an Entity. Is that the logic in how PER works?

PS: I see the 'Risk' tab, but there is nothing on the tab which alludes to a Risk Manager doing any sort of Risk Assessment. There is the 'Risk Assessment' tab but the docs.servicenow.com page describes a 'Business Impact Analysis' tab (which I think they did not update to state 'Risk Assessment') - and includes some details that I do not see in my Tokyo version of Policy Assessment.

PPS: This is without activating the Advanced Risk Assessment plugin.

Thanks in advance for your help.
NN

1 ACCEPTED SOLUTION

Noelinho1
Mega Guru

So I figured this out... you need to activate the Compliance Manager workspace and then ensure that the Risk Assessment Methodology is set up to allow Risk Assessments on 'Object' pointing to the 'sn_compliance_policy_exception' table (alongside all the different assessments you want done - control effectiveness, inherent risk, residual risk).

You do see the 'Risk Assessment' > 'New' button on the Platform UI but when you click on it, it does nothing or rather loads up a screen that is non-functional. On the Compliance Manager Workspace, the experience is different.

The docs.servicenow.com website makes no mention of this specifically.


7 REPLIES

Noelinho1
Mega Guru

@Wence anytime. You should see it under the 'details' tab under the 'Risk Assessment' section. Also, check and see if you have an update to ARA via plugins. Hit me back up when you do the aforementioned.

Wence
Tera Contributor

Woo hoo!! Now I do see it under the 'details' tab. Thanks so much!! @Noelinho1 

@Wence nice! - the thing that I did not see on the docs website is the fact that you cannot do an ARA using the Platform UI (unless it was hidden somewhere). So in essence, if a Compliance Manager wants the Risk Team to do an Advanced Risk Assessment for a PER, they would need to initiate that via the Compliance Workspace.