Residual risk not applicable field GRC
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-19-2022 12:58 PM
Hi All,
In what situations I should be selecting Residual Risk not applicable when performing the residual risk assessment?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-20-2022 12:37 AM
Hi MK,
Residual assessments enable us to identify and assess risks that exist after any controls are identified. If there are no controls that are identified, then the residual risk is the same as an inherent risk.
So the residual risk is, what the risk score will be after controls are implemented. The inherent is the risk without any form of controls or mitigating actions.
I hope this would help you to decide.
Thanks,
Srini
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-23-2022 03:39 PM
Hi MK,
One situation I can think of is if at the time of assessing the risks if there are no mitigating controls to assess then you might want to skip doing the residual risk assessment.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-24-2022 05:39 AM
All of the items above are true, but here is one other consideration: if you are assessing an "object" versus a "risk" then there are no controls that will mitigate the risk of the object. Or at least in ServiceNow there are no control relationships. So frequently, when assessing an object the RAM will only be set up for an inherent assessment.
Jan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-12-2024 01:57 AM
Hello @Jan Spurlin ,
We are trying to hide the option 'Residual Assessment not applicable' on the assessment record, but for some reason we are not able to do so. Do you know, where can we hide it?