Risk and compliance relation
10-20-2023 06:21 AM
I wanted to check the following: in my business case, we have risks at the top, and to mitigate those risks we have controls in place; if a control fails or is not compliant, issues are created. Could you give me an idea, as per best practice, of how I should map this to the ServiceNow IRM process? We have policies at the top, I think, then control objectives, controls, and then risk statements; risks are generated for those entities. I need to get an idea of how I should make the best use of this using the recommended practice of ServiceNow.

10-21-2023 06:33 AM
Think of Control objectives as a template for controls. When you scope the control objective with an entity type or specific entities, it generates controls.
The Risk statement works the same way. It is a template for risks.
If you relate a Risk Statement and Control Objective AND scope them with the same entity types/entities, then the relationship between the underlying controls and risks will automatically be generated.