Risk and Control Self Assessment
‎03-23-2017 04:50 AM
Hello,
I am trying to build a proof of concept for risk and control self assessment (RCSA) on ServiceNow. I understand some of the functionality is available out of the box, but I am having difficulty connecting it all together for the RCSA.
RCSA process flow:
1) Identify assets (Servers/databases etc.)
2) Assign risks to the assets
3) Perform Inherent risk assessment
4) Pick controls to address the risks
5) Check for control effectiveness
6) Calculate residual risk
7) Document findings
8) Create/trigger remediation tasks
Any inputs on this would be very helpful.

‎04-07-2017 03:35 AM
Hi Dhruvin,
The basic steps you'll need to follow are as follows, based on your RCSA process flow:
1) create profile-types based on your assets > profiles will be auto-generated
2) create a risk framework + associated risks > assign risk framework to profile type > individual risks will be auto-generated
3) open each individual Risk to perform the inherent risk assessment
4) create controls to mitigate the risk (either from Policy&compliance module or directly from risks) > link controls to risks
5) Control effectiveness can be assessed/checked by creating indicators and linking them to the controls, setting the type to either manual or basic.
6) Residual risk will be calculated automatically based on the input from #3
7) Findings are registered in the issues module. They are generated either automatically (based on indicator results) or manually.
8) Remediation tasks are registered in the issues as well, see the different tabs in the records form.
You can find many of the instructions for the above tasks in the Docs-pages : https://docs.servicenow.com/bundle/helsinki-it-business-management/page/product/grc-enterprise/refer...
Governance, Risk, and Compliance (GRC)
Hope this helps!
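To make the eight-step flow above concrete end to end, here is an added toy model of the RCSA chain (assets, risks, inherent assessment, controls, indicator-based effectiveness, residual risk, findings and remediation tasks). It is illustrative Python written for this thread, not ServiceNow code, and none of its scoring rules are the GRC application's: the 5x5 likelihood/impact grid, the use of the indicator pass ratio as control effectiveness, and residual = inherent * (1 - best control effectiveness) are all assumptions chosen to show how the steps feed each other. The sample register is constructed data.

```python
"""Toy RCSA model: assets -> risks -> inherent assessment -> controls ->
indicator results -> residual risk -> findings/remediation tasks.

Added example, not ServiceNow code. Scoring rules below are assumptions
for illustration only, not how the GRC application computes anything.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    # Indicator results linked to the control: True = passed, False = failed
    # (stands in for the manual/basic indicators mentioned in the thread).
    indicator_results: list[bool] = field(default_factory=list)

    def effectiveness(self) -> float:
        """Assumed rule: share of indicator results that passed.
        A control with no results yet is treated as untested (0.0)."""
        if not self.indicator_results:
            return 0.0
        return sum(self.indicator_results) / len(self.indicator_results)


@dataclass
class Risk:
    name: str
    asset: str            # the profile (server/database) the risk is assigned to
    likelihood: int       # 1..5, from the inherent assessment
    impact: int           # 1..5, from the inherent assessment
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Assumed 5x5 grid: likelihood times impact."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Assumed rule: inherent score reduced by the most effective linked control."""
        best = max((c.effectiveness() for c in self.controls), default=0.0)
        return self.inherent_score() * (1.0 - best)


@dataclass
class Finding:
    risk: str
    asset: str
    detail: str
    remediation_task: str   # the issue/task that would be raised for it


def run_rcsa(risks: list[Risk], tolerance: float) -> list[Finding]:
    """Walk the register and produce findings in two ways, mirroring the
    thread: automatically from failed indicator results, and from residual
    risk that is still above the accepted tolerance after controls."""
    findings: list[Finding] = []
    for risk in risks:
        for control in risk.controls:
            failed = [r for r in control.indicator_results if not r]
            if failed:
                findings.append(Finding(
                    risk=risk.name, asset=risk.asset,
                    detail=f"control '{control.name}' failed {len(failed)} of "
                           f"{len(control.indicator_results)} indicator checks",
                    remediation_task=f"Investigate failed indicator(s) for '{control.name}'"))
        residual = risk.residual_score()
        if residual > tolerance:
            findings.append(Finding(
                risk=risk.name, asset=risk.asset,
                detail=f"residual {residual:.1f} exceeds tolerance {tolerance}",
                remediation_task=f"Add or strengthen controls for '{risk.name}'"))
    return findings


def sample_register() -> list[Risk]:
    """Constructed sample data for the demo (not from any real environment)."""
    return [
        Risk("Unpatched OS", "db-server-01", likelihood=4, impact=5,
             controls=[Control("Monthly patching", [True, True, False, True])]),
        Risk("Weak DB credentials", "db-server-01", likelihood=3, impact=4,
             controls=[Control("Password policy", [])]),  # linked but never tested
        Risk("Unencrypted backups", "backup-nas", likelihood=2, impact=5,
             controls=[Control("Backup encryption", [True, True])]),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in register:
        print(f"{r.asset:<13} {r.name:<22} inherent={r.inherent_score():>2} "
              f"residual={r.residual_score():.1f}")
    for f in run_rcsa(register, tolerance=6):
        print(f"FINDING [{f.asset}] {f.risk}: {f.detail} -> task: {f.remediation_task}")
```

Running it shows the two paths that create findings: the patching control fails one indicator check (finding raised even though the residual is acceptable), and the untested password-policy control leaves the credential risk at its full inherent score, so it trips the tolerance and gets a remediation task.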