Risk assessment at Policy Exceptions

Kristoffer Pari
Tera Expert

Hi Community,

Could someone explain why the "original" risk scores seem to be saved to related risks when requesting a Risk Assessment on a Policy Exception?

There seem to be the following fields (not visible on the form) in the risk table that I cannot figure out the usage for:

  • original_calculated_ale
  • original_calculated_score
  • original_inherent_ale
  • original_inherent_aro
  • original_inherent_sle
  • original_residual_ale
  • original_residual_aro
  • original_residual_score
  • original_residual_sle
  • original_response
  • original_score

Thank you in advance,

Kristoffer

1 ACCEPTED SOLUTION

Phil Swann
Tera Guru

Risk Assessment within Policy Exception is a bit abstract, at first...

Before you begin, you must imagine that you are fairly mature with both Controls and Risks - else, this feature is not really going to be of significant value.

So let's envisage a Profile/Entity of London Data Centre.

You have several risks:

- Fire
- Flood
- Airplane disaster

Linked to the Fire risk, you have several controls:

- Fire extinguishers
- Training
- Fire drills
- Sprinklers
- Posters

Now, perhaps at this site you have realised that the sprinklers are not working, but you are due to repair them as part of a renovation project over the next 3 months. You need temporary relief on this control. Thus, Policy Exception (PER) comes into play.

Perhaps an Issue is raised that you cannot remediate, and you need to accept the issue. Now we have a perfect entry point into PER.

The issue is directly related to a Control, which is tied to a Control Objective (née Policy Statement).

Upon selecting this issue, it populates the statement and also populates the impacted controls related list...

This then displays in the risk section all risks which are associated with the control (Fire),

and then, in the mitigating controls related list, you will see the OTHER controls for that risk, which provide protection against that risk.

Great, so you can see the coverage. But you want to utilise risk assessment within PER - what does it do?

Because the risk of Fire was assessed and scored based on ALL controls being implemented (or rather, those controls are mitigating this risk), and now we are asking for temporary relief, this means the control is not really implemented... we should probably re-assess the risk, taking account of the fact that this risk no longer has full coverage....

It will snapshot the scores as they stand, and then be re-assessed for the duration of the PER.

Once the PER is closed, it reverts back to the original scores....

For me there are some nuances in this lifecycle, such as automated triggering of the assessment process, which perhaps should be refined. And this topic is very broad, such that it is rarely covered even in the CIS exam.

I have a lot of conversations around this topic, and rarely are organisations quite ready to adopt it in full. But Risk Assessment in the context of PER is all about assessing the existing Risks based on the approved gap in coverage, which is the net effect of the PER being approved. It makes total sense, but requires a fair amount of maturity upfront to be effective.


15 REPLIES

Ohh.. Now I understand what the issue is. ServiceNow hasn't designed it in a way where the scoring copied to the original fields differentiates whether it is a Policy Exception or not. Only the recalculation takes part if the Policy is not under a Policy Exception.

The reason is to keep the flow simple without making a lot of scenarios in the system. So the basic flow runs the same; only the recalculation part changes based on whether there is an exception or not.


Eric Feron
Moderator

Hello community, any more help for Kristoffer?

Thanks.

chooi
Tera Expert

I'm also interested to find out the purpose of the "original_" fields.

I'm planning to add a "Target score" field to Risk and may need to also add an "original_target_score" field and functionality to save/restore it, depending on the purpose of these fields.

On London I note that the following business rules call RiskResponseBase.saveRiskScoring or RiskResponseBase.restoreRiskScoring, which save and restore the "original_" field values.

Hoping someone can provide more information.  
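To make the snapshot/re-assess/restore lifecycle from the accepted solution concrete, and to show what the save/restore pair chooi mentions would have to guarantee, here is an added example in plain JavaScript. It is not ServiceNow's code and not the real RiskResponseBase script include; it models a risk record as a plain object using the original_* field names from the question. The pairing of each live score field with its original_* counterpart, the per_active marker, and the sample "Fire" values are all assumptions made for the example.

```javascript
// Added example, not ServiceNow's own code. Models how a risk record's scores
// are snapshotted into the original_* fields when a Policy Exception (PER)
// requests a risk assessment, re-scored for the life of the PER, and restored
// when the PER closes. Field pairings are assumed from the names in the question.
const SCORE_FIELDS = [
  'calculated_ale', 'calculated_score',
  'inherent_ale', 'inherent_aro', 'inherent_sle',
  'residual_ale', 'residual_aro', 'residual_sle', 'residual_score',
  'response', 'score',
];

// Constructed sample record: the Fire risk scored with all controls in place.
// per_active is an assumed marker, not a real platform field.
function makeFireRisk() {
  const risk = { name: 'Fire', per_active: false };
  for (const f of SCORE_FIELDS) {
    risk[f] = null;
    risk['original_' + f] = null;
  }
  Object.assign(risk, {
    inherent_sle: 500000, inherent_aro: 0.2, inherent_ale: 100000,
    residual_sle: 500000, residual_aro: 0.02, residual_ale: 10000,
    calculated_score: 4, calculated_ale: 10000,
    score: 4, residual_score: 4, response: 'mitigate',
  });
  return risk;
}

// Snapshot the live scores into original_*. Returns false and changes nothing
// if a snapshot is already held, so a second PER raised against the same risk
// cannot overwrite the true pre-exception values.
function saveRiskScoring(risk) {
  if (risk.per_active) return false;
  for (const f of SCORE_FIELDS) risk['original_' + f] = risk[f];
  risk.per_active = true;
  return true;
}

// Apply the re-assessment made for the PER (e.g. sprinklers out of service, so
// residual ARO rises). Only the supplied fields change; residual ALE is
// recomputed as SLE x ARO so the record stays internally consistent.
function applyExceptionAssessment(risk, reassessed) {
  if (!risk.per_active) throw new Error('call saveRiskScoring before re-assessing');
  Object.assign(risk, reassessed);
  risk.residual_ale = risk.residual_sle * risk.residual_aro;
  risk.calculated_ale = risk.residual_ale;
  return risk;
}

// Restore the pre-exception scores and clear the snapshot. Returns false when
// no snapshot is held, so a stray close cannot wipe live scores with nulls.
function restoreRiskScoring(risk) {
  if (!risk.per_active) return false;
  for (const f of SCORE_FIELDS) {
    risk[f] = risk['original_' + f];
    risk['original_' + f] = null;
  }
  risk.per_active = false;
  return true;
}

// Walk the lifecycle end to end and report residual ALE at each stage.
function runLifecycle() {
  const risk = makeFireRisk();
  const before = risk.residual_ale;
  saveRiskScoring(risk);
  applyExceptionAssessment(risk, {
    residual_aro: 0.25, residual_score: 7, score: 7, calculated_score: 7,
  });
  const during = risk.residual_ale;
  restoreRiskScoring(risk);
  return {
    before,
    during,
    after: risk.residual_ale,
    snapshotCleared: risk.original_score === null,
  };
}

console.log(JSON.stringify(runLifecycle()));
```

The two guards are the part worth copying into any custom "original_target_score" logic: refuse to re-snapshot while a snapshot is held, and refuse to restore when none is held. Without them, overlapping exceptions on one risk would lose the genuine original scores, and a close event on a risk that was never assessed would overwrite live values with blanks.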

Hi, I hope my answer was helpful - but with regard to the 'target' score, please also check out what is happening in New York around Advanced Risk.


Unless this is a 3rd dimension of scoring - in which case, there is quite a bit of work to do AND there may be something beyond New York which could help there. 
