Residual risk not applicable field GRC

MK36 · ‎07-19-2022

Hi All,

In what situations I should be selecting Residual Risk not applicable when performing the residual risk assessment?

Srinivasulu Lag · ‎07-20-2022

Hi MK,

Residual assessments enable us to identify and assess risks that exist after any controls are identified. If there are no controls that are identified, then the residual risk is the same as an inherent risk.

So the residual risk is, what the risk score will be after controls are implemented. The inherent is the risk without any form of controls or mitigating actions.

I hope this would help you to decide.

Thanks,

Srini

Sean Walters · ‎07-23-2022

Hi MK,

One situation I can think of is if at the time of assessing the risks if there are no mitigating controls to assess then you might want to skip doing the residual risk assessment.

Hope that helps.

Jan Spurlin · ‎07-24-2022

All of the items above are true, but here is one other consideration: if you are assessing an "object" versus a "risk" then there are no controls that will mitigate the risk of the object. Or at least in ServiceNow there are no control relationships. So frequently, when assessing an object the RAM will only be set up for an inherent assessment.

Jan

Gabi3 · ‎03-12-2024

Hello @Jan Spurlin ,

We are trying to hide the option 'Residual Assessment not applicable' on the assessment record, but for some reason we are not able to do so. Do you know, where can we hide it?