Residual Risk and Calculated Score
09-20-2022 08:22 AM
Inherent risk = the amount of risk that exists in the absence of controls. In other words, before an organization implements any countermeasures at all, the risk they face is inherent risk.
Residual Risk = the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions.
IN SERVICENOW RISK MANAGEMENT - When a risk response is set to accept, and there are NO controls aligned to help mitigate or lower the risk calculated score, the calculated score = residual score if the residual is configured on the risk. I verified this is the case, via testing, and via the scripts in Riskutilsbase and riskutilsbase2 and as per the documentation here: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0692108
This makes ABSOLUTELY no sense that the calculated score = residual score when NO CONTROLS are applied. Why is this the case? It defies logic.
- Labels: Risk Management
09-20-2022 01:45 PM
There are two key points here: