Residual risk not applicable field GRC

MK36
Tera Contributor

Hi All,

In what situations should I be selecting "Residual Risk not applicable" when performing the residual risk assessment?


Srinivasulu Lag
ServiceNow Employee

Hi MK,

Residual assessments enable us to identify and assess risks that exist after any controls are identified. If there are no controls that are identified, then the residual risk is the same as an inherent risk.

So the residual risk is what the risk score will be after controls are implemented. The inherent risk is the risk without any form of controls or mitigating actions.

I hope this will help you decide.

Thanks,

Srini

Sean Walters
Tera Expert

Hi MK,

One situation I can think of is if, at the time of assessing the risks, there are no mitigating controls to assess; then you might want to skip doing the residual risk assessment.

Hope that helps.

Jan Spurlin
ServiceNow Employee

All of the items above are true, but here is one other consideration: if you are assessing an "object" versus a "risk" then there are no controls that will mitigate the risk of the object. Or at least in ServiceNow there are no control relationships. So frequently, when assessing an object the RAM will only be set up for an inherent assessment.

Jan

Gabi3
ServiceNow Employee

Hello @Jan Spurlin ,

We are trying to hide the option 'Residual Assessment not applicable' on the assessment record, but for some reason we are not able to do so. Do you know where we can hide it?