09-25-2019 11:26 PM
Hi Community,
Could someone explain why the "original" risk scores seem to be saved to related risks when requesting Risk Assessment on a Policy Exception?
There seem to be the following fields (not visible on the form) in the risk table that I cannot figure out the usage for:
- original_calculated_ale
- original_calculated_score
- original_inherent_ale
- original_inherent_aro
- original_inherent_sle
- original_residual_ale
- original_residual_aro
- original_residual_score
- original_residual_sle
- original_response
- original_score
Thank you in advance,
Kristoffer
Labels: Policy and Compliance Management
10-19-2019 02:37 PM
Risk Assessment within Policy Exception is a bit abstract, at first...
Before you begin, you must imagine that you are fairly mature with both Controls and Risks; otherwise, this feature is not really going to be of significant value.
So let's envisage a Profile/Entity of London Data Centre.
You have several risks:
- Fire
- Flood
- Airplane disaster
Linked to the Fire risk, you have several controls:
- Fire extinguishers
- Training
- Fire drills
- Sprinklers
- Posters
Now, perhaps at this site you have realised that the sprinklers are not working, but you are due to repair them as part of a renovation project over the next 3 months. You need temporary relief on this control. Thus, Policy Exception (PER) comes into play.
Perhaps an Issue is raised that you cannot remediate, and you need to accept the issue. Now we have a perfect entry point into PER.
The issue is directly related to a Control, which is tied to a Control Objective (née Policy Statement).
Upon selecting this issue, it populates the statement and also populates the Impacted Controls related list.
This then displays, in the Risk section, all risks which are associated with the control (Fire).
Then, in the Mitigating Controls related list, you will see the OTHER controls for that risk, which provide protection against that risk.
Great, so you can see the coverage. But you want to utilise Risk Assessment within PER; what does it do?
Because the risk of Fire was assessed and scored based on ALL controls being implemented (or rather, those controls are mitigating this risk), and now we are asking for temporary relief, this means the control is not really implemented. We should probably re-assess the risk, taking account of the fact that this risk no longer has full coverage.
It will snapshot the scores as they stand, and the risk is then re-assessed for the duration of the PER.
Once the PER is closed, it reverts back to the original scores.
For me there are some nuances in this lifecycle, such as the automated triggering of the assessment process, which perhaps should be refined. This topic is very broad, such that it is rarely covered even in the CIS exam.
I have a lot of conversations around this topic, and rarely are organisations quite ready to adopt it in full. But Risk Assessment in the context of PER is all about assessing the existing Risks based on the approved gap in coverage, which is the net effect of the PER being approved. It makes total sense, but requires a fair amount of maturity upfront to be effective.
07-09-2020 12:46 AM
Hi all, just to be aware of this: v10.1 has seen marked improvements to the Policy Exception process.
I am not 100% sure what this will mean for Risk Assessment; check the docs:
Note: In versions prior to Version 10.1, the Risk assessment related list was called Business Impact Analysis and required that the GRC: Risk Management application be activated. Starting in Version 10.1, the dependency on Risk Management has been removed and the associated field names have changed.